Major Incidents or Breaches

  • The Play ransomware gang has breached approximately 900 organizations globally as of May 2025, including critical infrastructure and government entities, according to an FBI advisory.
  • Media giant Lee Enterprises has disclosed a data breach affecting nearly 40,000 individuals, resulting from a February 2025 ransomware attack.
  • Ukrainian police arrested a hacker who compromised 5,000 accounts at an international hosting company to mine cryptocurrency, causing $4.5 million in damages.
  • Ukrainian intelligence claims to have hacked Russian aerospace and defense company Tupolev, developer of strategic bombers.
  • Multiple domains of the BidenCash carding market, a dark web marketplace for stolen credit cards and personal data, have been seized in an international law enforcement operation.

Newly Discovered Vulnerabilities

  • Cisco released patches for a critical authentication bypass vulnerability (CVE-2025-20120) in Identity Services Engine (ISE), affecting cloud deployments on AWS, Azure, and OCI. Public exploit code is available.
  • Additional Cisco advisories address vulnerabilities in both ISE and Customer Collaboration Platform (CCP), with public exploit code circulating.
  • Over 35,000 solar energy devices, primarily in Europe, are exposed online and vulnerable to potential hijacking attacks.
  • Qualcomm has patched three security flaws that have been exploited in the wild; device manufacturers must still apply these updates to their products.
  • Thousands of Asus routers have been compromised and are being leveraged as part of a botnet.
  • Researchers have demonstrated that deepfake audio detection models can be bypassed via replay attacks, allowing rerecorded deepfake audio to evade current detection mechanisms.

Notable Threat Actor Activity

  • Google exposed a financially motivated threat group tracked as UNC6040, specializing in vishing (voice phishing) campaigns targeting Salesforce users. Attackers use fake Data Loader apps to steal Salesforce credentials and data.
  • Hackers, including those claiming to be the ShinyHunters group, are conducting social engineering and extortion attacks against multinational organizations via Salesforce platform compromise.
  • Ongoing open-source supply chain attacks involve malicious packages on PyPI, npm, and RubyGems. These packages drain cryptocurrency wallets, exfiltrate sensitive data, or wipe codebases after installation. Some RubyGems impersonate legitimate plugins for the Fastlane development platform in geopolitically motivated campaigns.
  • A hacker is distributing backdoored GitHub code, targeting other hackers, gamers, and researchers with exploits and game cheats containing hidden remote access backdoors.
  • Attackers are exploiting device code authentication flows (such as those used by Microsoft Teams and IoT devices) to phish for access tokens, bypassing multi-factor authentication (MFA).
  • The FBI has issued a warning about NFT airdrop scams on the Hedera Hashgraph network, where cybercriminals use fraudulent airdrops to steal cryptocurrency from wallets.

Trends, Tools, or Tactics of Interest

  • A new Chaos RAT variant is targeting both Windows and Linux systems through fake network tool downloads.
  • Traditional Data Loss Prevention (DLP) tools are being outpaced by the growth of SaaS applications, resulting in increased risk of SaaS data leakage.
  • AS-REP roasting attacks against Kerberos/Active Directory are resurging, exploiting accounts without Kerberos pre-authentication to obtain password hashes.
  • Phishing campaigns are using techniques to hide malicious links from Outlook users, evading detection.
  • Increased GPS jamming and spoofing attacks are raising concerns about the resilience of global navigation systems.
  • The use of AI for code generation at scale is emerging as a threat, with potential for advanced automated cyberattacks (“vibe hacking”).
  • Cybersecurity training initiatives in Africa are being expanded by international organizations to increase the number of skilled professionals and disrupt cybercrime recruitment pipelines.
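One defensive check for the AS-REP roasting item above, as an added example that is not part of the original digest: it scans constructed Windows Security Event 4768 (TGT requested) records for tickets issued without pre-authentication and with RC4 encryption, the combination an offline cracking attempt depends on, and checks the DONT_REQ_PREAUTH bit of an LDAP userAccountControl value. The simplified key=value export format of the sample records is an assumption.

```python
"""Flag AS-REP roasting indicators in Event 4768 records and AD account flags.

Pre-Authentication Type 0 means the TGT was issued without pre-authentication;
Ticket Encryption Type 0x17 is RC4-HMAC, the weakest type a client can request.
"""
import re

DONT_REQ_PREAUTH = 0x400000   # userAccountControl flag: pre-auth not required
RC4_HMAC = 0x17
NO_PREAUTH = 0

# Constructed sample records (key=value export format is an assumption).
SAMPLE_4768 = """
EventID=4768 TargetUserName=svc_backup PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.25
EventID=4768 TargetUserName=alice PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.0.30
EventID=4768 TargetUserName=legacy_app PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.25
EventID=4768 TargetUserName=bob PreAuthType=2 TicketEncryptionType=0x17 IpAddress=10.0.0.31
EventID=4769 TargetUserName=alice PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.0.30
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one key=value record into a dict."""
    return dict(FIELD_RE.findall(line))

def is_asrep_roast_indicator(ev):
    """TGT request served without pre-auth and encrypted with RC4-HMAC."""
    return (ev.get("EventID") == "4768"
            and int(ev.get("PreAuthType", "-1")) == NO_PREAUTH
            and int(ev.get("TicketEncryptionType", "0"), 16) == RC4_HMAC)

def find_asrep_roast_events(text):
    """Return (account, source IP) pairs for every matching record."""
    hits = []
    for line in text.strip().splitlines():
        ev = parse_event(line)
        if is_asrep_roast_indicator(ev):
            hits.append((ev["TargetUserName"], ev["IpAddress"]))
    return hits

def preauth_not_required(user_account_control):
    """True if the DONT_REQ_PREAUTH bit is set on an AD account."""
    return bool(user_account_control & DONT_REQ_PREAUTH)

if __name__ == "__main__":
    for user, ip in find_asrep_roast_events(SAMPLE_4768):
        print(f"AS-REP roasting indicator: {user} requested from {ip}")
    # 0x400200 = NORMAL_ACCOUNT | DONT_REQ_PREAUTH
    print(preauth_not_required(0x400200))
```

Accounts that legitimately need pre-authentication disabled should at least be moved to AES-only encryption types and given long, random passwords so the captured material resists offline cracking.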

Regulatory or Policy Developments Affecting the Security Industry

  • The U.S. Department of State is offering up to $10 million for information on state-sponsored hackers linked to the RedLine infostealer malware operation.
  • Microsoft has launched a new European Security Program, providing free cybersecurity resources and support to European governments.
  • Law enforcement has undertaken international action to disrupt dark web markets, as evidenced by the BidenCash domain seizures.