Major Incidents or Breaches

  • Akira ransomware affiliates have been exploiting SonicWall SSL VPN devices in a surge of attacks since late July 2025; the intrusions reportedly hit fully patched appliances, which points to a likely zero-day vulnerability rather than a known, unpatched flaw.
  • Pi-hole disclosed a data breach resulting from exploitation of a vulnerability in the GiveWP WordPress donation plugin, exposing donor names and email addresses.
  • A malicious npm package, @kodane/patch-manager, which appears to have been written with AI assistance, was identified and removed from the registry after it was used to drain Solana cryptocurrency funds from over 1,500 victims.
  • Microsoft is investigating whether the ToolShell exploit was leaked via the Microsoft Active Protections Program (MAPP).
  • Russian state-sponsored APT group Secret Blizzard (also tracked as Turla) conducted adversary-in-the-middle (AitM) attacks at the ISP level against foreign embassies in Moscow, leading to malware infections on diplomatic devices.
  • An Apple ID phishing scam in Ohio led to an in-person theft of $27,000 from a victim.

Newly Discovered Vulnerabilities

  • A high-severity remote code execution vulnerability, dubbed CurXecute, affecting almost all versions of the AI-powered Cursor code editor, has been patched. The flaw let an attacker run commands on the developer's machine by placing injected instructions in content that the editor's AI agent reads and acts on.
  • SonicWall SSL VPN devices are reportedly being exploited via a previously unknown (zero-day) vulnerability in ongoing Akira ransomware attacks.
  • Recent vulnerabilities in Microsoft SharePoint Server have been exploited by threat actors to deploy bespoke command-and-control frameworks.

Notable Threat Actor Activity

  • Akira ransomware operators are actively exploiting SonicWall SSL VPN devices, with evidence suggesting the use of a zero-day vulnerability.
  • Threat actors are using fake Microsoft OAuth applications as lures, redirecting victims to pages built with the Tycoon phishing kit to harvest Microsoft 365 credentials and session tokens.
  • The threat actor Storm-2603 is exploiting Microsoft SharePoint vulnerabilities to deploy a DNS-controlled backdoor using a custom C2 framework (AK47 C2) as part of Warlock and LockBit ransomware campaigns.
  • Russian APT Secret Blizzard is conducting sophisticated AitM attacks against foreign diplomatic targets in Moscow.
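The DNS-controlled backdoor attributed to Storm-2603 above is a reminder that C2 over DNS leaves a recognisable footprint in resolver logs. The following is an added example, not code from Check Point or any vendor named on this page: a heuristic that scores each (client, registered domain) pair on traits DNS tunnels tend to share, namely many unique subdomains, long query names, high-entropy leftmost labels and a preference for TXT/NULL records that can carry larger payloads. The log format, the sample lines and the thresholds are all constructed for illustration, and the "registered domain" is simplified to the last two labels (a real deployment would use the public suffix list).

```python
"""Heuristic detector for DNS-controlled C2 channels in resolver logs.

Added example, not vendor or threat-actor code. Input is a constructed
resolver log with one record per line: "<epoch> <client_ip> <qname> <qtype>".
"""
import math
import re
from collections import defaultdict

# Constructed sample: 10.0.0.5 does ordinary lookups; 10.0.0.9 beacons to a
# DNS backdoor using long, high-entropy subdomains and TXT queries.
SAMPLE_LOG = """\
1754000001 10.0.0.5 www.example.com A
1754000002 10.0.0.5 login.microsoftonline.com A
1754000003 10.0.0.5 cdn.example.net AAAA
1754000010 10.0.0.9 a3f9c1e2b7d4.4e8f0a1b.c2.evil-updates.example TXT
1754000015 10.0.0.9 9b2e7c4d1f0a.77aa19cd.c2.evil-updates.example TXT
1754000020 10.0.0.9 0f1e2d3c4b5a.0c3e5b7d.c2.evil-updates.example TXT
1754000025 10.0.0.9 e7d6c5b4a392.91f2e3a4.c2.evil-updates.example TXT
1754000030 10.0.0.9 5a4b3c2d1e0f.ab12cd34.c2.evil-updates.example TXT
1754000031 10.0.0.9 mail.example.com MX
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+([A-Z]+)$")
PAYLOAD_QTYPES = {"TXT", "NULL"}  # record types that carry bulky data back

# Illustrative thresholds (assumed); tune against your own baseline traffic.
MIN_UNIQUE_SUBDOMAINS = 4
MIN_MEAN_QNAME_LEN = 40
MIN_PAYLOAD_QTYPE_RATIO = 0.5
MIN_MEAN_LABEL_ENTROPY = 3.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for the empty string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Simplification: last two labels. Use the public suffix list in practice."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    """Return a record dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return {"ts": int(ts), "client": client,
            "qname": qname.rstrip(".").lower(), "qtype": qtype}


def profile(log_text: str):
    """Aggregate per (client, registered domain) the features scored below."""
    stats = defaultdict(lambda: {"n": 0, "subdomains": set(), "qname_len": 0,
                                 "payload_qtypes": 0, "label_entropy": 0.0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the run
        dom = registered_domain(rec["qname"])
        sub = rec["qname"][: -len(dom)].rstrip(".")  # everything left of dom
        leftmost = sub.split(".")[0] if sub else ""
        st = stats[(rec["client"], dom)]
        st["n"] += 1
        st["subdomains"].add(sub)
        st["qname_len"] += len(rec["qname"])
        st["payload_qtypes"] += rec["qtype"] in PAYLOAD_QTYPES
        st["label_entropy"] += shannon_entropy(leftmost)
    return stats


def score(st):
    """Count the tunnel traits a pair exhibits and say which ones."""
    n = st["n"]
    reasons = []
    if len(st["subdomains"]) >= MIN_UNIQUE_SUBDOMAINS:
        reasons.append(f"{len(st['subdomains'])} unique subdomains")
    if st["qname_len"] / n >= MIN_MEAN_QNAME_LEN:
        reasons.append(f"mean qname length {st['qname_len'] / n:.0f}")
    if st["payload_qtypes"] / n >= MIN_PAYLOAD_QTYPE_RATIO:
        reasons.append(f"{st['payload_qtypes']}/{n} TXT/NULL queries")
    if st["label_entropy"] / n >= MIN_MEAN_LABEL_ENTROPY:
        reasons.append(f"mean label entropy {st['label_entropy'] / n:.2f} bits")
    return len(reasons), reasons


def detect(log_text: str, min_score: int = 2):
    """Return flagged (client, domain) pairs, highest score first."""
    hits = []
    for (client, dom), st in profile(log_text).items():
        s, reasons = score(st)
        if s >= min_score:
            hits.append({"client": client, "domain": dom, "score": s,
                         "queries": st["n"], "reasons": reasons})
    return sorted(hits, key=lambda h: (-h["score"], h["domain"]))


if __name__ == "__main__":
    for h in detect(SAMPLE_LOG):
        print(f"{h['client']} -> {h['domain']}: score {h['score']} "
              f"({'; '.join(h['reasons'])})")
```

Requiring at least two traits keeps single-feature outliers (one long CDN hostname, one legitimate TXT lookup) below the alert line; security products that publish signature or reputation data over DNS TXT records are the usual benign hit and belong on an allowlist before this runs against production logs.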

Trends, Tools, or Tactics of Interest

  • Increased use of AI by attackers, including the creation of malicious npm packages for cryptocurrency theft.
  • Prompt injection remains a practical and exploitable attack vector against AI-powered developer tools.
  • Only about half of the code generated by large language models (LLMs) passed security checks in recent testing, keeping the security of AI-generated code an ongoing concern.
  • The SIEM market is undergoing transformation as XDR platforms and generative AI impact security analytics.
  • New malware techniques such as “Shade BIOS” allow malware to persist and operate independently of the operating system, evading traditional detection and remediation.
  • Cybercriminals are increasingly targeting Gen Z, recognising young, digitally native workers as a distinct and vulnerable attack surface.

Regulatory or Policy Developments Affecting the Security Industry

  • The US Department of Homeland Security (DHS) has announced over $100 million in funding to strengthen state and local community cyber defences.
  • A bipartisan US Senate bill has been introduced to create a national strategy for quantum cybersecurity migration, aimed at preparing federal agencies for quantum computing threats.
  • ISC2 has launched a new security certificate programme focused on AI expertise, covering AI fundamentals, ethics, and associated risks.
  • Microsoft has increased the maximum reward for its .NET bug bounty programme to $40,000 for valid reports of remote code execution or privilege escalation vulnerabilities.
  • Meta is sponsoring the upcoming Pwn2Own Ireland 2025 hacking contest, with a $1 million reward for a demonstrated zero-click WhatsApp exploit.