Cybersecurity Brief – 2025-06-12
Major Incidents or Breaches
- Erie Insurance and Erie Indemnity Company confirmed a cyberattack that caused recent business disruptions and platform outages.
- INTERPOL’s Operation Secure took down over 20,000 malicious IP addresses and domains linked to 69 infostealer malware variants; the operation resulted in 32 arrests, the seizure of 117 command-and-control servers, and the disruption of infrastructure in 26 countries.
- Over 80,000 Microsoft Entra ID (formerly Azure AD) accounts were targeted in an account takeover campaign using the open-source TeamFiltration tool.
- Coordinated brute-force attacks involving 295 malicious IPs targeted Apache Tomcat Manager interfaces exposed online.
Newly Discovered Vulnerabilities
- Microsoft released patches for 67 vulnerabilities, including a WebDAV remote code execution zero-day (CVE-2025-25099) actively exploited in the wild. The zero-day was leveraged by the Stealth Falcon APT group to drop malware targeting defense and government organizations in Turkey, Qatar, Egypt, and the UAE.
- A zero-click vulnerability named “EchoLeak” was identified in Microsoft 365 Copilot, allowing exfiltration of sensitive data from a user’s context without user interaction.
- Two vulnerabilities in SinoTrack GPS devices were disclosed; because the devices ship with default passwords, they allow vehicle tracking and remote control of certain vehicle functions.
- A bug in Google’s password-recovery page allowed brute-forcing of any user’s phone number, exposing contact information and enabling phishing and SIM-swapping attacks.
- Mirai botnets were observed exploiting a vulnerability in the Wazuh security platform, highlighting rapid exploitation of newly published CVEs.
Notable Threat Actor Activity
- A new malicious implant, BrowserVenom, was discovered posing as DeepSeek. The malware configures a proxy in Chrome and Mozilla browsers and spreads via phishing websites.
- Former Black Basta ransomware members used email bombing and Microsoft Teams phishing, along with Python scripts, to establish persistent access in recent attacks.
- Stealth Falcon APT exploited the Windows WebDAV zero-day for malware delivery in targeted attacks.
- TeamFiltration, an open-source penetration testing tool, was repurposed for large-scale account takeover campaigns against Microsoft Entra ID accounts.
Trends, Tools, or Tactics of Interest
- Threat actors are increasingly leveraging AI tools, as highlighted in OpenAI’s report, to assist in social engineering attacks and influence operations.
- “SmartAttack” is a new technique using smartwatches as covert ultrasonic receivers to exfiltrate data from air-gapped systems.
- Brute-force campaigns targeting web management panels, such as Apache Tomcat Manager, are being conducted via large numbers of distributed IP addresses.
- Botnet operators are reducing time-to-exploit for new CVEs, as evidenced by recent Mirai botnet campaigns.
- DNS security is being emphasized as a critical but often overlooked defense layer.
- Increased adoption and discussion of agentic AI security products at industry events, such as Gartner’s Security & Risk Management Summit.
- Microsoft issued revised updates for Windows 11 24H2 on incompatible PCs and fixed Windows Server domain controller issues stemming from earlier updates.
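As an added example (not code from the brief or from any vendor it mentions), the following Python detector shows why a per-IP threshold misses the distributed brute-force pattern described above: it parses constructed Tomcat access-log lines and pools failed logins against the Manager paths across all source IPs. The log format (Tomcat's default AccessLogValve pattern), thresholds and sample addresses are assumptions.

```python
# Flag distributed brute force against Tomcat Manager in access logs.
# Assumes Tomcat's default AccessLogValve pattern: %h %l %u %t "%r" %s %b
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
MANAGER_PATHS = ("/manager/", "/host-manager/")  # Tomcat admin web apps

def parse_line(line):
    """Parse one access-log line into a dict; None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT), "path": m["path"], "status": int(m["status"])}

def detect(lines, window=timedelta(minutes=10), per_ip_threshold=10,
           distinct_ip_threshold=20, total_threshold=50):
    """Classic per-IP threshold plus a pooled detector: 401s on the manager paths from
    all sources together, so a campaign of many low-rate IPs is still flagged.
    One 401 per client is normal (the browser's first unauthenticated request)."""
    events = [e for e in map(parse_line, lines)
              if e and e["status"] == 401 and e["path"].startswith(MANAGER_PATHS)]
    events.sort(key=lambda e: e["ts"])
    per_ip = Counter(e["ip"] for e in events)
    noisy_ips = sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold)
    campaign, start = False, 0
    for end, e in enumerate(events):  # sliding time window over pooled failures
        while e["ts"] - events[start]["ts"] > window:
            start += 1
        recent = events[start:end + 1]
        if len({r["ip"] for r in recent}) >= distinct_ip_threshold or len(recent) >= total_threshold:
            campaign = True
            break
    return {"failed_auths": len(events), "distinct_sources": len(per_ip),
            "noisy_ips": noisy_ips, "distributed_campaign": campaign}

def build_sample_log():
    """Constructed sample: 30 sources in 203.0.113.0/24, two failed logins each
    against /manager/html within five minutes, plus one unrelated 200 response."""
    base = datetime(2025, 6, 12, 9, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(30):
        for j in range(2):
            ts = (base + timedelta(seconds=10 * i + 5 * j)).strftime(TS_FMT)
            lines.append(f'203.0.113.{i + 1} - - [{ts}] "GET /manager/html HTTP/1.1" 401 2536')
    lines.append(f'198.51.100.7 - - [{base.strftime(TS_FMT)}] "GET /index.html HTTP/1.1" 200 11230')
    return lines
```

On the constructed sample, `detect(build_sample_log())` reports no noisy IP (each source stays at two failures) but flags a distributed campaign, which is exactly the case a per-source rule alone would miss.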
Regulatory or Policy Developments
- ConnectWise announced plans to rotate its code-signing certificates on the recommendation of third-party researchers; the rotation is unrelated to a recent nation-state attack.
- Google introduced new enterprise-scale security protections for Android devices.
- INTERPOL’s Operation Secure represents a significant multinational law enforcement action against infostealer malware infrastructure.