Major Incidents or Breaches

  • ConnectWise, the developer of ScreenConnect remote access software, disclosed a cyberattack attributed to a suspected nation-state threat actor. The breach impacted a limited number of ScreenConnect customers.
  • Victoria’s Secret took its website and some store services offline following a security incident. The company has engaged third-party experts to investigate.
  • LexisNexis Risk Solutions reported a data breach affecting over 364,000 individuals, stemming from a December 2024 incident. An unauthorised party accessed customer data through a third-party software development platform used by the company; LexisNexis’s own systems and network were not compromised.
  • A Managed Service Provider’s SimpleHelp RMM tool was compromised by the DragonForce ransomware group, who exfiltrated data and deployed ransomware across customer endpoints.
  • SentinelOne experienced a global outage affecting 10 commercial customer consoles, including Singularity Endpoint, XDR, Cloud Security, and related services. Services have since been restored.

Newly Discovered Vulnerabilities

  • A new Windows Remote Access Trojan (RAT) was found running inside a dllhost.exe process with deliberately corrupted DOS and PE headers. The damaged headers break the tooling analysts normally use to triage an executable, which let the sample evade detection for weeks.
  • A weakness in Apple Safari’s fullscreen handling (no persistent notification when a page enters fullscreen) enables fullscreen browser-in-the-middle attacks, in which an attacker-controlled window imitates a legitimate login page to harvest account credentials.
  • Thousands of ASUS routers have been infected and backdoored as part of a large-scale botnet campaign. The wider operational relay box (ORB) network also includes compromised Linksys, D-Link, QNAP, and Araknis Networks devices.
  • Microsoft confirmed that some Windows 11 systems may fail to boot after installing the KB5058405 security update, with an error pointing at ACPI.sys; the problem has mostly been seen in virtual environments.
  • Mozilla released an emergency update (Firefox 139.0.1) to address graphical artifacts on NVIDIA GPUs caused by the previous release.
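Corrupted DOS and PE headers, as used by the RAT above, defeat parsers that trust the file layout, but they are also a cheap anomaly to detect. The following Python script is an added example written for this digest, not code from the Fortinet report or from any vendor: it performs the header sanity checks a triage script or memory scanner would run on a dumped image, returning a list of anomalies rather than crashing on malformed input. The two sample images are constructed inline (header-only, no section table or code) purely to exercise the checks.

```python
import struct

MZ_SIG = b"MZ"
PE_SIG = b"PE\0\0"
# Optional header magic values: PE32 (32-bit) and PE32+ (64-bit).
OPT_MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}
# Machine types a Windows RAT would plausibly carry.
KNOWN_MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def check_pe_headers(data: bytes) -> list[str]:
    """Return header anomalies found in a PE image; an empty list means the
    DOS header, PE signature, COFF header and optional-header magic look sane.
    Every offset is bounds-checked so a corrupted header cannot crash the scan."""
    findings: list[str] = []
    if len(data) < 0x40:
        return ["file shorter than a DOS header"]
    if data[:2] != MZ_SIG:
        findings.append("missing MZ signature")
    # e_lfanew (offset 0x3C) points at the PE signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew == 0 or e_lfanew + 24 > len(data):
        findings.append(f"e_lfanew 0x{e_lfanew:x} points outside the image")
        return findings  # nothing after this can be trusted
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        findings.append("missing PE signature at e_lfanew")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    if machine not in KNOWN_MACHINES:
        findings.append(f"unusual Machine 0x{machine:x}")
    if nsections == 0 or nsections > 96:
        findings.append(f"implausible NumberOfSections {nsections}")
    opt_off = e_lfanew + 24
    if opt_size < 2 or opt_off + 2 > len(data):
        findings.append("optional header missing or truncated")
    else:
        magic = struct.unpack_from("<H", data, opt_off)[0]
        if magic not in OPT_MAGICS:
            findings.append(f"unknown optional header magic 0x{magic:x}")
    return findings


def build_sample_image(corrupt: bool = False) -> bytes:
    """Constructed test input (not a real binary): a minimal 64-bit PE header.
    With corrupt=True the MZ and PE signatures are zeroed, mimicking the
    header damage described in the digest."""
    dos = bytearray(0x40)
    dos[:2] = MZ_SIG
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 0xF0, 0x22)
    opt = struct.pack("<H", 0x20B) + bytes(0xF0 - 2)  # PE32+ magic, rest zeroed
    image = bytearray(dos + PE_SIG + coff + opt)
    if corrupt:
        image[0:2] = b"\x00\x00"        # wipe "MZ"
        image[0x40:0x44] = b"\x00" * 4  # wipe "PE\0\0"
    return bytes(image)


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_image()),
                        ("corrupted", build_sample_image(corrupt=True))):
        print(label, check_pe_headers(blob) or "OK")
```

In practice the same checks would be run over the memory regions of a suspicious process (for example an unexpected dllhost.exe) rather than over a file on disk, since a sample with headers this damaged can only have been loaded by a custom loader, and the anomaly is itself the indicator.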

Notable Threat Actor Activity

  • Meta disrupted three coordinated influence operations originating from Iran, China, and Romania, which used fake personas to target Romania, Azerbaijan, and Taiwan.
  • The DragonForce ransomware group exploited flaws in SimpleHelp RMM to deploy ransomware and exfiltrate data from an MSP’s customers.
  • APT41 (Double Dragon), a Chinese state-sponsored group, used Google Calendar events as command-and-control infrastructure in a recent campaign.
  • The ‘Everest Group’ is running extortion attacks against organisations in multiple countries, stealing employee data from SAP SuccessFactors HR deployments and threatening to leak it.
  • Cybercriminals are distributing malware and ransomware, including CyberLock and Lucky_Gh0$t, via fake installers for popular AI tools such as ChatGPT and InVideo AI.
  • Threat actors are abusing Google Apps Script to host phishing pages, leveraging the platform’s legitimacy to evade detection.
  • The ‘Haozi’ gang is selling turnkey phishing-as-a-service kits via Telegram, providing infrastructure and support for low-skilled actors.
  • PumaBot, a new Go-based botnet, is targeting Linux and embedded devices by brute-forcing SSH credentials against a target list supplied by its command-and-control server rather than scanning the internet at large.

Trends, Tools, or Tactics of Interest

  • Scammers are exploiting uncertainty around US tariff policy to launch phishing and social engineering attacks.
  • Active credential harvesting phishing campaigns are targeting Capital One customers.
  • Attackers are increasingly mapping organisational attack surfaces using automated reconnaissance tools, mirroring defender efforts.
  • Cybercriminals are capitalising on AI tool popularity, using fake installers as lures to spread malware and ransomware.
  • Honeypot operators are tracking use of the “passwd” command in attacker sessions; it is a post-compromise indicator, showing that attackers who brute-force their way in promptly change the account password to keep access and lock out competitors.
  • The deprecation of Microsoft Authenticator’s password autofill feature is prompting migration to Microsoft Edge.
  • Zscaler’s acquisition of Red Canary highlights the growing importance of telemetry and managed detection and response (MDR) in security operations.

Regulatory or Policy Developments Affecting the Security Industry

  • The US Treasury Department sanctioned Funnull Technology, a Philippines-based cloud provider, for supporting hundreds of thousands of scam websites involved in “pig butchering” and other cyber fraud schemes linked to over $200 million in losses.
  • US Customs and Border Protection is storing the DNA of migrant children in a criminal database managed by the FBI, raising privacy and data protection concerns.