Major Incidents or Breaches

  • The House of Commons of Canada is investigating a data breach after a cyberattack resulted in the theft of employee information.
  • Pro-Russian hackers have been blamed for taking control of critical operation systems at a Norwegian water dam and opening outflow valves, according to the Norwegian Police Security Service.
  • Over $300 million in cryptocurrency linked to cybercrime and fraud schemes has been seized through two joint law enforcement and private sector operations.
  • The US Courts records system suffered a breach, with details about the exposure and responsible party still unclear.
  • Cybercriminals are auctioning live police and government email credentials on the dark web, offering access to sensitive systems and confidential intelligence.
  • Four individuals from Ghana have been charged with stealing over $100 million via romance scams and business email compromise (BEC) schemes.

Newly Discovered Vulnerabilities

  • The “MadeYouReset” vulnerability in multiple HTTP/2 implementations enables large-scale denial-of-service (DoS) attacks by exploiting how HTTP/2 handles stream resets. This vulnerability is comparable to the Rapid Reset attack vector.
  • Two vulnerabilities (CVE-2025-8875 and CVE-2025-8876) in the N-able N-central remote monitoring and management (RMM) platform are being actively exploited as zero-days. These allow local code execution and command injection after authentication.
  • Xerox FreeFlow Core print orchestration software contained path traversal and XML external entity (XXE) injection flaws enabling unauthenticated remote code execution. Patches have been released.
  • Researchers demonstrated that passkey (FIDO/WebAuthn) authentication can be bypassed via manipulation of the WebAuthn process, allowing attackers to impersonate users.
  • A downgrade attack technique has been shown to allow phishing kits to bypass FIDO authentication, enabling credential theft even with strong authentication mechanisms.

Notable Threat Actor Activity

  • The Crypto24 ransomware group is targeting large organisations using custom utilities for endpoint detection and response (EDR) evasion, data exfiltration, and file encryption.
  • Threat actors are using the CrossC2 command-and-control framework to expand Cobalt Strike Beacon capabilities to Linux and macOS environments, as observed by JPCERT/CC.
  • A new Android banking trojan, PhantomCard, is abusing NFC relay attacks, call hijacking, and root exploits to conduct fraudulent transactions.
  • A phishing campaign is distributing malware by leveraging a Japanese hiragana character (“ん”) in URLs to impersonate Booking.com, making malicious links appear legitimate.
  • Scammers are targeting jobseekers with fake Netflix job offers to steal Facebook login credentials.

Trends, Tools, or Tactics of Interest

  • The Picus Blue Report 2025 notes that only 3% of data exfiltration attempts are stopped, indicating a trend toward stealthy ransomware and infostealer operations focused on data theft rather than encryption.
  • MailSniper, a PowerShell tool for Exchange, is being used in red team operations to search mailboxes for credentials, network intelligence, and usernames.
  • SNI5GECT research demonstrates the ability to sniff and inject traffic in 5G networks without rogue base stations, highlighting risks to 5G infrastructure.
  • Budget constraints are impacting cybersecurity teams, particularly in healthcare, professional services, retail, and hospitality, while financial services, insurance, and tech sectors see budget growth above 5%.
  • Google Chrome Enterprise is enhancing browser security for enterprise environments, with a focus on extending protections from browser to operating system.

Regulatory or Policy Developments

  • State and local leaders in the US are lobbying Congress for increased cybersecurity resources following federal funding cuts to the Multi-State Information Sharing and Analysis Center (MS-ISAC), potentially affecting over 18,000 organisations’ access to basic cybersecurity services.