Major Incidents or Breaches

  • Dell confirmed that the “World Leaks” extortion group breached one of its product demonstration/test lab platforms. The group is attempting to extort Dell for ransom.
  • Dior has begun notifying U.S. customers of a May cybersecurity incident that compromised their personal information.
  • Cierant Corporation and law firm Zumpano Patricios disclosed separate data breaches, each affecting over 200,000 individuals.
  • The Alcohol & Drug Testing Service (TADTS) reported a ransomware attack in July 2024 that exposed personal information of 750,000 people.
  • Over 1,000 CrushFTP servers remain exposed online and vulnerable to a critical flaw that grants administrative access over the HTTPS web interface, allowing the servers to be hijacked.
  • Louis Vuitton disclosed a cyberattack affecting customer data, according to recent threat intelligence reporting.
  • Ring users reported a surge in unauthorized device logins on May 28. Ring (Amazon) attributed the incident to a backend update bug and denied an external breach.

Newly Discovered Vulnerabilities

  • Microsoft released emergency patches for two actively exploited SharePoint zero-days, CVE-2025-53770 and CVE-2025-53771 (collectively “ToolShell”). They affect on-premises SharePoint Server only (SharePoint Online is unaffected) and have been used in ongoing attacks against US government agencies and other organizations. Because attackers have been stealing ASP.NET machine keys to keep forging valid requests, Microsoft advises rotating the machine keys and restarting IIS after patching rather than relying on the update alone.
  • A zero-day vulnerability in CrushFTP is being exploited to gain administrative privileges on exposed servers. Over 1,000 instances remain vulnerable; administrators should update immediately and avoid exposing the web management interface directly to the Internet.
  • ExpressVPN fixed a flaw in its Windows client that caused Remote Desktop Protocol (RDP) traffic to bypass the VPN tunnel, exposing users’ real IP addresses during remote sessions.
  • Wireshark 4.4.8 was released, addressing nine bugs.
  • WinRAR 7.10 no longer propagates the full Mark-of-the-Web (MOTW) record when extracting files: only the zone identifier is written to the extracted file, while the referrer and host URL fields are dropped. Security controls that rely on the complete record may be affected.

Notable Threat Actor Activity

  • APT41, a China-linked cyber espionage group, launched a targeted campaign against government IT services in Africa, using hardcoded internal server names and advanced techniques to evade detection.
  • Iranian APT MuddyWater deployed new variants of the DCHSpy Android spyware, masquerading as VPN apps to target dissidents and Android users, particularly since the escalation of conflict with Israel.
  • The pro-Russian hacktivist group NoName057(16) was disrupted by Europol, with seven arrest warrants issued. The group is known for recruiting volunteers to conduct DDoS attacks on perceived adversaries of Russia.
  • A surveillance firm was found bypassing SS7 protections by manipulating the encoding of signaling messages so that carrier-side filtering failed to inspect them, allowing it to obtain subscriber location data from wireless carriers.

Trends, Tools, or Tactics of Interest

  • Attackers continue to gain access in well-secured environments by leveraging weak system configurations, outdated encryption, and trusted but unprotected tools, rather than relying solely on novel exploits.
  • Research is emerging on malicious implants targeting AI components and applications, indicating a new vector for stealthy attacks against AI-powered systems.
  • WinRAR 7.10 now propagates only the zone identifier of Mark-of-the-Web (MOTW) data when extracting files. Zone-based checks such as SmartScreen and Office Protected View still trigger, but controls or telemetry that depend on the referrer or host URL in the Zone.Identifier stream lose that information.
  • Zero Trust security, now seen as a foundational requirement, is increasingly incorporating AI to enhance detection and response capabilities.
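The practical question behind the WinRAR change above is what actually survives in a file's Zone.Identifier stream after extraction, since zone-based defenses key off ZoneId while referrer and host URL fields feed other controls. The following is an added example, not code from this bulletin or from WinRAR: it parses the text of a Zone.Identifier stream (the sample contents below are constructed, not captured from real WinRAR output) and classifies each file as carrying a full MOTW record, only a zone value, or nothing. On Windows it can also walk an extraction directory and read the stream from each file; the `audit_dir` and `read_motw` helpers are this example's own names.

```python
"""Classify Mark-of-the-Web (Zone.Identifier) metadata on extracted files.

Added example, not from the original bulletin or from WinRAR. The
Zone.Identifier alternate data stream is INI-style text; ZoneId 3 is the
Internet zone and 4 the Restricted zone, both treated as untrusted.
"""
from __future__ import annotations

import os
import sys
from dataclasses import dataclass, field


@dataclass
class Motw:
    zone_id: int | None = None
    referrer_url: str | None = None
    host_url: str | None = None
    extra: dict[str, str] = field(default_factory=dict)  # unrecognised keys

    @property
    def present(self) -> bool:
        return self.zone_id is not None

    @property
    def untrusted(self) -> bool:
        # Windows applies SmartScreen / Protected View for zones 3 and 4.
        return self.zone_id in (3, 4)

    @property
    def complete(self) -> bool:
        return self.present and self.referrer_url is not None and self.host_url is not None


def parse_zone_identifier(stream: str) -> Motw:
    """Parse the text of a Zone.Identifier stream into a Motw record.

    A stream without a [ZoneTransfer] section or without ZoneId yields an
    empty record (no MOTW). Keys are matched case-insensitively.
    """
    motw = Motw()
    in_section = False
    for raw in stream.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "zoneid":
            try:
                motw.zone_id = int(value)
            except ValueError:
                pass  # malformed ZoneId: treat as absent
        elif key == "referrerurl":
            motw.referrer_url = value
        elif key == "hosturl":
            motw.host_url = value
        else:
            motw.extra[key] = value
    return motw


def classify(motw: Motw) -> str:
    """Short verdict used in the report."""
    if not motw.present:
        return "no-motw"
    if not motw.untrusted:
        return f"zone-{motw.zone_id}-trusted"
    return "full-motw" if motw.complete else "zone-only"


def read_motw(path: str) -> Motw:
    """Read the Zone.Identifier ADS of a file (NTFS on Windows only)."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return Motw()  # no stream, or not an NTFS/Windows path


def audit_dir(root: str) -> dict[str, str]:
    """Map every file under root to its MOTW verdict (hypothetical helper name)."""
    return {os.path.join(d, f): classify(read_motw(os.path.join(d, f)))
            for d, _, files in os.walk(root) for f in files}


# Constructed sample streams (not captured from real downloads or WinRAR).
SAMPLE_BROWSER_DOWNLOAD = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                           "ReferrerUrl=https://example.test/dl\r\n"
                           "HostUrl=https://cdn.example.test/a.zip\r\n")
SAMPLE_ZONE_ONLY = "[ZoneTransfer]\r\nZoneId=3\r\n"
SAMPLE_NONE = ""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p, verdict in sorted(audit_dir(sys.argv[1]).items()):
            print(f"{verdict:16} {p}")
    else:
        for name, s in [("browser", SAMPLE_BROWSER_DOWNLOAD),
                        ("zone-only", SAMPLE_ZONE_ONLY), ("none", SAMPLE_NONE)]:
            print(f"{name:10} -> {classify(parse_zone_identifier(s))}")
```

Run it with an extraction directory as the argument on a Windows host to see which files came out with a full record, a bare zone value, or no stream at all; a "zone-only" verdict is the expected outcome for files extracted by WinRAR 7.10 from an Internet-zone archive, and "no-motw" on such files indicates propagation was disabled or the target filesystem does not support alternate data streams.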

Regulatory or Policy Developments Affecting the Security Industry

  • Intel announced the end of the Clear Linux OS project, archiving its GitHub repositories and ceasing further development.
  • Veeam warned that recent changes to Recovery Orchestrator’s multi-factor authentication (MFA) rollout are preventing users from logging into the Web UI.