Major Incidents or Breaches

  • Louis Vuitton has notified customers in the UK, South Korea, Turkey, and possibly other countries of a data breach affecting their personal information.
  • McDonald’s has suffered a data breach resulting in the exposure of customer data.
  • Two versions of the Gravity Forms WordPress plugin, distributed via the official download page, were compromised in a supply chain attack, with malware injected into the plugin.
  • A malicious Visual Studio Code extension for the Cursor AI IDE led to the theft of $500,000 in cryptocurrency from a Russian crypto firm, after infecting devices with remote access tools and infostealers.
  • India’s Central Bureau of Investigation (CBI) dismantled a transnational cybercrime syndicate responsible for a £390,000 UK tech support scam, arresting key operatives at a Noida call center.

Newly Discovered Vulnerabilities

  • Multiple Gigabyte motherboard models have UEFI firmware vulnerabilities that allow attackers to disable Secure Boot, execute code during the early boot phase, and install persistent bootkit malware that is invisible to the operating system, survives OS reinstalls, and facilitates backdoor deployment.
  • A vulnerability in the End-of-Train and Head-of-Train radio systems used on trains allows remote attackers to trigger a train's brakes; the issue has been known in the industry for 20 years.
  • CISA has added the recently disclosed CitrixBleed 2 vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, designating it as an unacceptable risk.
  • Google's Gemini AI assistant is vulnerable to prompt-injection attacks: attackers can craft invisible, malicious prompts that cause it to display phishing messages, including when summarising emails in Google Workspace.

Notable Threat Actor Activity

  • The Interlock ransomware group is distributing a new PHP-based variant of its remote access trojan (RAT) using a delivery mechanism called FileFix, in campaigns targeting multiple industries. The group is leveraging the KongTuke Traffic Distribution System (TDS) and legitimate websites for web-inject campaigns to gain control of victim devices.
  • Cybercriminals are impersonating major news outlets (CNN, BBC, CNBC) via sponsored ads and fake news websites to lure victims into investment scams.
  • Arrests of individuals linked to the Scattered Spider threat actor have been reported, indicating law enforcement action against the group.
  • Exposed Git repositories continue to be a source of sensitive data leaks across enterprises, representing a persistent but often overlooked risk.

Trends, Tools, or Tactics of Interest

  • There is a reported increase in honeypot log volumes, indicating a rise in scanning and malicious activity observed on internet-facing systems.
  • The UserAssist Windows artifact, including previously undocumented binary data structures, has been detailed for forensic and incident response purposes, with a new parsing tool released.
  • Attackers are increasingly targeting supply chains, as evidenced by the compromise of the Gravity Forms WordPress plugin.
  • The use of prompt-injection attacks against AI assistants is an emerging tactic for phishing and social engineering.

Regulatory or Policy Developments Affecting the Security Industry

  • The UK National Cyber Security Centre (NCSC) has launched the Vulnerability Research Initiative (VRI), a new programme to strengthen collaboration with external cybersecurity experts for vulnerability discovery and reporting.