Cybersecurity Brief – 2025-07-11
Major Incidents or Breaches
- Four individuals were arrested in the UK for cyberattacks targeting major retailers Marks & Spencer, Co-op, and Harrods. The suspects are believed to be connected to the Scattered Spider group, which has also targeted airlines and other sectors.
- Qantas confirmed a data breach affecting 5.7 million customers. Exposed information includes names, addresses, email addresses, phone numbers, and other personal data.
- Nippon Steel’s NS Solutions subsidiary suffered a breach exposing customer and employee data. There is currently no evidence of the data being leaked on dark web sites.
- Ingram Micro experienced a ransomware attack that disrupted online ordering for customers. The company has since restored operations.
- McDonald’s suffered a data exposure incident involving its AI-powered job application bot. A test account on the bot’s back end was protected by a trivially guessable default password, which was enough to reach applicant data; the lesson for any AI-backed recruiting or support service is that the vendor’s administrative interface is part of the attack surface and needs the same credential and MFA policy as the product itself.
Newly Discovered Vulnerabilities
- CISA added CVE-2025-5777, a critical memory over-read vulnerability in Citrix NetScaler ADC and Gateway, to its Known Exploited Vulnerabilities (KEV) catalog, citing active exploitation. Because the flaw leaks memory that can contain session tokens, upgrading alone is not enough: Citrix’s guidance is to terminate existing ICA and PCoIP sessions after patching so that any tokens already stolen cannot be replayed.
- A critical remote code execution vulnerability was discovered in the open-source mcp-remote project, a package with more than 437,000 downloads. The flaw is triggered on the client side when mcp-remote connects to a malicious or compromised MCP server, so the exposure is any developer or agent that points the tool at an untrusted endpoint.
- Multiple critical vulnerabilities, dubbed “PerfektBlue,” were identified in the BlueSDK Bluetooth stack used by Mercedes, Volkswagen, and Skoda vehicles. These flaws could allow remote code execution and potential access to critical vehicle systems.
- A high-severity flaw, CVE-2025-3648, was disclosed in the ServiceNow platform. Under certain access control list (ACL) configurations, a low-privileged or even self-registered user could infer the contents of tables they are not allowed to read, so the fix is both patching and reviewing ACLs that rely on conditional rather than role-based checks.
- AMD disclosed a new class of vulnerabilities called Transient Scheduler Attacks, impacting a wide range of its CPUs and potentially allowing information disclosure.
- A set of Oracle Java Card vulnerabilities first reported six years ago was shown to be exploitable against eSIM (eUICC) cards that run that platform, enabling potential spying and device takeover across millions of phones.
- The Model Context Protocol (MCP) ecosystem, widely adopted for integrating AI models with external data, was found to have critical security vulnerabilities opening new attack vectors.
Notable Threat Actor Activity
- Scattered Spider, a data theft and extortion group, has shifted its targeting to the aviation and transportation sectors, according to warnings from the FBI and cybersecurity experts.
- Kaspersky identified malicious extensions for the Cursor AI code editor, distributed through an open-source extension registry, that deploy the Quasar backdoor and a cryptocurrency stealer. Extension marketplaces for AI-assisted editors are now a software-supply-chain vector in their own right.
- Ongoing social engineering campaigns are using fake gaming and AI startup firms on Telegram and Discord to distribute malware targeting cryptocurrency users.
- A new ZuRu malware variant is propagating via trojanized versions of the Termius macOS app, targeting developers.
- Deepfake attacks are being used to impersonate high-profile political figures, such as Marco Rubio, to attempt to extract government secrets.
- A Russian professional basketball player was arrested in France at the request of the US for allegedly acting as a negotiator for a ransomware gang.
Trends, Tools, or Tactics of Interest
- AI-driven attacks are becoming more sophisticated, faster, and pervasive, with increased use of generative AI in offensive operations.
- SSH tunneling via direct-tcpip channel requests, in which an authenticated client asks the server to open an outbound TCP connection on its behalf, is highlighted as an actively observed technique: a compromised host is used purely as a relay to reach third-party services, often without any interactive shell being opened.
- Force Push Scanner is a new tool for red teams to identify leaked secrets in commits that were force-pushed away on GitHub. Such commits become unreachable from any branch but are not deleted, so a secret that was "removed" by rewriting history frequently remains fetchable.
- Anubis, an open-source, self-hosted proof-of-work challenge proxy placed in front of a web server, is being used to block AI bots from scraping website content.
- SIM swap fraud is reportedly increasing, highlighting ongoing risks to mobile-based authentication.
- Microsoft replaced the default JScript engine with JScript9Legacy in Windows 11 version 24H2 and later, aiming to improve scripting security.
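The direct-tcpip item above is worth a concrete detection. The script below is an added example, not code from the brief or from any of the products it mentions; it parses constructed log lines modelled on the JSON event format of the Cowrie SSH honeypot (event names such as cowrie.direct-tcpip.request and fields dst_ip, dst_port, session and src_ip are assumed to follow that format) and flags sessions that use the host as a forwarding relay. The constructed sample shows the pattern the technique leaves behind: a session that authenticates, never types a command, and fans out to several mail servers.

```python
"""Flag SSH direct-tcpip (port-forwarding) abuse in Cowrie-style JSON logs.

Added example for this brief; the log lines are constructed, not real captures,
and follow the Cowrie JSON event layout as an assumption.
"""
import json
from collections import Counter, defaultdict

# Constructed sample log: one relay-style session (a1) and one interactive session (b2).
SAMPLE_LOG = r'''
{"eventid":"cowrie.session.connect","session":"a1","src_ip":"203.0.113.5","timestamp":"2025-07-10T01:00:00Z"}
{"eventid":"cowrie.login.success","session":"a1","src_ip":"203.0.113.5","username":"root","password":"123456","timestamp":"2025-07-10T01:00:01Z"}
{"eventid":"cowrie.direct-tcpip.request","session":"a1","src_ip":"203.0.113.5","dst_ip":"198.51.100.20","dst_port":25,"timestamp":"2025-07-10T01:00:02Z"}
{"eventid":"cowrie.direct-tcpip.request","session":"a1","src_ip":"203.0.113.5","dst_ip":"198.51.100.21","dst_port":25,"timestamp":"2025-07-10T01:00:03Z"}
{"eventid":"cowrie.direct-tcpip.request","session":"a1","src_ip":"203.0.113.5","dst_ip":"198.51.100.22","dst_port":443,"timestamp":"2025-07-10T01:00:04Z"}
{"eventid":"cowrie.session.connect","session":"b2","src_ip":"192.0.2.9","timestamp":"2025-07-10T01:05:00Z"}
{"eventid":"cowrie.login.success","session":"b2","src_ip":"192.0.2.9","username":"admin","password":"admin","timestamp":"2025-07-10T01:05:01Z"}
{"eventid":"cowrie.command.input","session":"b2","src_ip":"192.0.2.9","input":"uname -a","timestamp":"2025-07-10T01:05:02Z"}
{"eventid":"cowrie.session.closed","session":"b2","src_ip":"192.0.2.9","timestamp":"2025-07-10T01:05:03Z"}
'''

FORWARD_EVENT = "cowrie.direct-tcpip.request"   # client asked the server to open an outbound TCP connection
COMMAND_EVENT = "cowrie.command.input"          # client typed something in an interactive shell
MAIL_PORTS = {25, 465, 587}                      # forwarding to these usually means spam relaying


def parse_events(text):
    """Parse newline-delimited JSON; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def summarize_forwarding(events):
    """Group direct-tcpip requests per session: source IP, target list, port histogram."""
    sessions = defaultdict(lambda: {"src_ip": None, "targets": [], "ports": Counter()})
    for ev in events:
        if ev.get("eventid") != FORWARD_EVENT:
            continue
        s = sessions[ev["session"]]
        s["src_ip"] = ev.get("src_ip")
        target = (ev.get("dst_ip"), int(ev.get("dst_port", 0)))
        s["targets"].append(target)
        s["ports"][target[1]] += 1
    return dict(sessions)


def flag_sessions(events):
    """Return {session: {src_ip, targets, tags}} for every session that requested forwarding.

    Tags: 'tunnel-only' (forwarding but no shell commands, i.e. the host is just a relay),
          'smtp-relay' (at least one target on a mail submission port),
          'fan-out'    (three or more forwarding requests in one session).
    """
    forwarding = summarize_forwarding(events)
    ran_commands = {ev["session"] for ev in events if ev.get("eventid") == COMMAND_EVENT}
    findings = {}
    for sid, s in forwarding.items():
        tags = []
        if sid not in ran_commands:
            tags.append("tunnel-only")
        if MAIL_PORTS & set(s["ports"]):
            tags.append("smtp-relay")
        if len(s["targets"]) >= 3:
            tags.append("fan-out")
        findings[sid] = {"src_ip": s["src_ip"], "targets": s["targets"], "tags": tags}
    return findings


if __name__ == "__main__":
    for sid, f in flag_sessions(parse_events(SAMPLE_LOG)).items():
        print(f"session {sid} from {f['src_ip']}: {len(f['targets'])} forward(s) -> {', '.join(f['tags'])}")
        for dst_ip, dst_port in f["targets"]:
            print(f"    {dst_ip}:{dst_port}")
```

On a production sshd rather than a honeypot, the equivalent preventive control is `AllowTcpForwarding no` (or `AllowTcpForwarding local` for accounts that genuinely need it) in sshd_config; with that set, OpenSSH refuses the direct-tcpip channel and logs the refused request, which is the log line to alert on.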
Regulatory or Policy Developments
- The FBI issued guidance on CJIS (Criminal Justice Information Services) compliance, emphasizing password hygiene, multi-factor authentication, and access control for law enforcement data handlers.
- The U.S. Department of Homeland Security is advising law enforcement to treat certain protest activities as violent tactics, including livestreaming and skateboarding, potentially affecting policing and surveillance practices.
- CISA’s addition of Citrix NetScaler CVE-2025-5777 to the KEV catalog signals heightened regulatory attention to actively exploited enterprise vulnerabilities; under Binding Operational Directive 22-01, federal civilian agencies must remediate KEV entries by the listed due date, and many private-sector organizations treat the catalog as a de facto patching deadline as well.