Major Incidents or Breaches

  • Adidas has disclosed a data breach following a compromise at a customer service provider, resulting in the theft of data from individuals who contacted the company’s customer service help desk. Payment or financial information was not affected.
  • MathWorks, the developer of MATLAB, has confirmed a ransomware attack that caused ongoing service outages. The specific ransomware group involved and whether data was exfiltrated remain unclear.
  • Commvault’s Metallic SaaS service has been targeted by threat actors who gained access to Microsoft 365 environments of a small number of customers, according to a CISA alert.
  • DragonForce ransomware successfully breached a managed service provider (MSP) and used the SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy ransomware encryptors on downstream customer networks.
  • Apple reported it prevented over $9 billion in fraudulent transactions via the App Store over the past five years, including $2 billion in 2024, amid rising threats targeting the platform.

Newly Discovered Vulnerabilities

  • Microsoft has released an emergency update for Windows Server 2022 to address a known issue causing Hyper-V virtual machines to freeze or restart unexpectedly.
  • Misconfigured Docker API instances are being exploited by new self-spreading malware that transforms them into Dero cryptocurrency mining botnets.

Notable Threat Actor Activity

  • Russian threat group Void Blizzard (also known as Laundry Bear) has been linked to breaches of over 20 NGOs using Evilginx phishing via fake Microsoft Entra pages. The group has also been connected to the September 2024 Dutch police security breach.
  • Cybercriminals are cloning legitimate antivirus websites (specifically Bitdefender) to distribute the Venom remote access trojan (RAT) and steal cryptocurrency wallets.
  • The Luna Moth group (also known as Silent Ransom Group) is conducting stealthy phishing campaigns, including vishing (voice phishing) attacks, to extort law firms, as highlighted in a recent FBI alert.
  • A novel campaign is using search engine optimization (SEO) poisoning to lure employees searching for their payroll portal onto fraudulent pages, enabling payroll fraud; the campaign targets mobile devices.
  • The Danabot botnet infrastructure has been seized in the US and key operators indicted, disrupting a major Russian cybercrime operation.
  • An Iranian national has pleaded guilty to involvement in RobbinHood ransomware attacks that targeted US cities and organisations.

Trends, Tools, or Tactics of Interest

  • Threat actors are increasingly using AI-generated audio to impersonate senior US officials in phishing attacks, according to an FBI warning.
  • Attackers are leveraging the SimpleHelp RMM platform in supply chain ransomware attacks, specifically in the DragonForce incident.
  • SEO poisoning is being used to redirect employees searching for payroll portals to malicious sites, facilitating payroll diversion fraud.
  • Self-spreading malware targeting Docker containers is automating the creation of cryptocurrency mining botnets.
  • There is a trend of cybercriminals cloning legitimate software vendor websites to distribute malware such as Venom RAT.
  • Law enforcement and industry partnerships are achieving significant disruption of cybercrime infrastructure, as demonstrated by the Danabot takedown.

Regulatory or Policy Developments Affecting the Security Industry

  • The FBI has issued multiple alerts regarding evolving social engineering and extortion tactics, including the use of AI-generated media and vishing campaigns.
  • CISA has published an advisory on attacks targeting Commvault’s SaaS environment, urging increased vigilance for SaaS providers and their customers.