Cybersecurity Brief – 2025-07-24
Major Incidents or Breaches
- The US National Nuclear Security Administration was breached via exploitation of a Microsoft SharePoint zero-day vulnerability chain. At least three Chinese nation-state cyber-espionage groups are implicated in targeting older, on-premises SharePoint instances after a flawed patch attempt.
- Clorox has filed a $380M lawsuit against Cognizant, alleging gross negligence after hackers successfully impersonated an employee and convinced the help desk to reset credentials, enabling a major August 2023 cyberattack.
- Ongoing phishing campaigns are mimicking the US Department of Education’s G5 grant portal, exploiting recent layoffs and political turmoil to target users.
- The npm package ‘is’, with 2.8 million weekly downloads, was compromised in a supply chain attack, injecting backdoor malware that gave attackers full device access.
- npm accidentally removed the Stylus package, breaking builds and CI pipelines worldwide that depend on the library.
- Ukraine arrested the suspected administrator of the Russian-language cybercrime forum XSS.is at the request of French authorities.
Newly Discovered Vulnerabilities
- Sophos patched five critical vulnerabilities in Sophos Firewall that allowed for remote code execution by unauthenticated attackers.
- CISA issued an alert regarding active exploitation of two vulnerabilities in SysAid ITSM software, which attackers are using to hijack administrator accounts.
- Cisco reported active exploitation attempts of critical Cisco Identity Services Engine (ISE) vulnerabilities, which could lead to unauthenticated remote code execution.
- Multiple high-severity memory safety vulnerabilities were patched in both Chrome and Firefox browsers.
- Persistent exploitation of known Ivanti remote code execution vulnerabilities continues, particularly affecting Japanese organizations due to patching complications.
Notable Threat Actor Activity
- Threat actor “Mimo” has shifted tactics to target Magento CMS and misconfigured Docker instances for crypto mining and proxyware deployment, expanding from previous campaigns against Craft CMS.
- Chinese threat actors continue to exploit Ivanti RCE vulnerabilities in targeted attacks.
- The Lumma Stealer malware re-emerged and resumed activity after a prior law enforcement takedown.
- The Interlock ransomware group is actively targeting organizations through drive-by download attacks, prompting a government alert.
- Hackers are using stolen credit cards and loyalty points to book travel for clients, with risks extending to remote workers, SMBs, and travel brands.
Trends, Tools, or Tactics of Interest
- Researchers identified a new stealthy WordPress backdoor hidden in the “mu-plugins” directory, enabling persistent administrative access and evading standard detection.
- The Coyote banking trojan is the first known malware to abuse the Windows UI Automation (UIA) accessibility framework to steal banking credentials, with attacks observed against banks and crypto exchanges in Brazil.
- Kerberoasting attacks remain effective due to weaknesses in current detection methods; new approaches to detection and Active Directory hardening are being discussed.
- Increased exploitation of SharePoint vulnerabilities is observed, with multiple exploit attempts and scanning activity detected shortly after public disclosure.
- File integrity monitoring receives renewed focus with the release of the ficheck.py tool for forensic analysis.
- Google launched the OSS Rebuild initiative to enhance security in open-source package ecosystems and address software supply chain attack risks.
- Brave browser implemented a feature to block Windows Recall from capturing screenshots of browser activity by default.
- Proton launched “Lumo,” a privacy-focused encrypted AI assistant that does not log user conversations or use prompts for training.
- OpenAI is rolling out new ChatGPT features, including “personality” toggles and a “Study together” mode for exam preparation.
- AI bot traffic is increasingly impacting website performance, with new mitigation strategies under discussion.
- OpenAI CEO Sam Altman warned of the rising threat of AI voice fraud in banking, stating that voice clones are becoming indistinguishable from real voices and require new verification methods.
Regulatory or Policy Developments
- The UK is considering a ban on ransomware payments, with debate over potential unintended consequences such as victims hiding incidents or attackers shifting tactics.
- ISO 42001, a new international standard for AI governance, is being highlighted as a framework for responsible AI development and deployment.