Major Incidents or Breaches

  • Connex Credit Union disclosed a data breach affecting 172,000 members, with attackers stealing personal and financial information after breaching its systems.
  • The Netherlands’ National Cyber Security Centre (NCSC) reported exploitation of Citrix NetScaler vulnerability CVE-2025-6543 to breach critical organisations in the country.
  • Air France experienced a data breach resulting in the leak of frequent flyer data (as per Check Point’s weekly threat bulletin).
  • A major automaker’s dealership platform used by over 1,000 US dealerships was found to be vulnerable, allowing attackers to compromise vehicles and steal personal data, including unauthorised remote vehicle unlocking.
  • Two hackers reportedly breached North Korean state-sponsored group Kimsuky, stealing and leaking internal data.
  • Law enforcement, in collaboration with international partners, took down infrastructure and seized over $1 million associated with the BlackSuit (Royal) ransomware group.
  • Over 29,000 Microsoft Exchange servers remain unpatched against a high-severity vulnerability, leaving them exposed to lateral movement and cloud environment compromise.

Newly Discovered Vulnerabilities

  • Researchers identified new security flaws in the TETRA (Terrestrial Trunked Radio) communications protocol, including weaknesses in its proprietary end-to-end encryption, impacting law enforcement and critical infrastructure communications.
  • A critical vulnerability in the OPC UA industrial protocol was disclosed, exposing utilities and factories to risk despite the protocol’s use of complex cryptography.
  • A sandbox escape with remote code execution was discovered in Google Chrome, earning a $250,000 bug bounty.
  • A path traversal vulnerability in WinRAR (CVE-2025-8088) was exploited as a zero-day by the Russian ‘RomCom’ group, targeting financial, defence, manufacturing, and logistics sectors in Europe and Canada.
  • A BadUSB attack technique, dubbed BadCam, was demonstrated against Lenovo Linux webcams, allowing persistent compromise via malicious USB devices.
  • Flaws in a major automaker’s dealership portal exposed customer and vehicle data and enabled unauthorised remote access to vehicles.

Notable Threat Actor Activity

  • The Russian-linked ‘RomCom’ hacking group exploited the WinRAR CVE-2025-8088 zero-day in targeted attacks on organisations in Europe and Canada.
  • North Korean Kimsuky hackers were themselves compromised, with internal data reportedly leaked by adversarial actors.
  • US authorities charged four Ghanaian nationals for their involvement in a $100 million fraud ring involving romance scams and business email compromise attacks.
  • The BlackSuit (Royal) ransomware gang suffered infrastructure seizures and asset forfeiture following coordinated law enforcement action.
  • An affiliate of the REvil ransomware group accused the Russian government of orchestrating the 2021 Kaseya supply chain attack.
  • Malicious actors have been actively exploiting a critical Erlang/OTP SSH vulnerability, with 70% of detected attacks targeting operational technology (OT) firewalls.

Trends, Tools, or Tactics of Interest

  • Surge in exploitation of Erlang/OTP SSH vulnerabilities, with a focus on OT firewall targets.
  • Increase in “native phishing” campaigns, where attackers abuse Microsoft 365 apps such as OneNote and OneDrive to deliver internal phishing lures.
  • Jailbreaking techniques for GPT-5 were demonstrated using “echo chamber” prompts and storytelling, bypassing safeguards without using inappropriate language.
  • Researchers cracked the encryption used by the DarkBit ransomware (linked to MuddyWater), enabling free data recovery for victims.
  • Demonstration of persistent USB-based attacks (BadCam) targeting Linux webcams.
  • Ongoing risk from large numbers of unpatched Exchange servers, facilitating potential lateral movement and cloud compromise.

Regulatory or Policy Developments

  • The Netherlands’ NCSC issued a public warning regarding active exploitation of Citrix NetScaler CVE-2025-6543, urging immediate remediation for critical infrastructure.