Cybersecurity Brief – 2025-09-02
Major Incidents or Breaches
- Zscaler disclosed a data breach after threat actors used OAuth tokens stolen from the compromised Salesloft Drift integration to access its Salesforce instance, exposing customer contact details and the contents of support cases.
- The Salesloft breach continues to have repercussions: authentication tokens for Salesloft's Drift AI chatbot integration were stolen at scale, affecting numerous organisations that connect Salesloft/Drift to Salesforce. Affected organisations should revoke and rotate those tokens and review Salesforce access logs for the integration's connected app.
- Amazon researchers disrupted an operation by the Russian state-sponsored threat group Midnight Blizzard (APT29), which was targeting Microsoft 365 accounts and data.
- American consumer credit reporting agency TransUnion disclosed a data breach and was listed among the week's top attacks and breaches.
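The Zscaler and Salesloft items above come down to one pattern: a trusted integration's token is stolen and the integration suddenly reads objects and volumes it never touched before. The following detection is an added example written for this brief (it is not code from Zscaler, Salesloft or Salesforce). The event records are constructed and simplified; the field names are assumptions, not the real Salesforce EventLogFile schema, so map them to whatever your log export provides.

```python
"""Added example: baseline a connected app's normal Salesforce API usage and flag
calls after a cut-off that touch new objects, return far more rows than usual,
or arrive from a source IP never seen in the baseline. Field names and records
are constructed for the example (assumption: one record per API call)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiEvent:
    ts: str             # ISO-8601 UTC timestamp; string order == time order here
    connected_app: str  # OAuth client that made the call
    user: str
    operation: str      # e.g. "query", "update"
    sobject: str        # Salesforce object, e.g. "Case"
    rows: int           # rows returned by the call
    src_ip: str


# Constructed sample: two days of routine integration traffic, then a bulk read
# of support cases and accounts from a new address.
EVENTS = [
    ApiEvent("2025-08-08T09:00:00Z", "Drift", "drift-integ@corp", "update", "Lead", 3, "203.0.113.10"),
    ApiEvent("2025-08-08T09:05:00Z", "Drift", "drift-integ@corp", "query", "Lead", 12, "203.0.113.10"),
    ApiEvent("2025-08-09T10:00:00Z", "Drift", "drift-integ@corp", "query", "Contact", 8, "203.0.113.10"),
    ApiEvent("2025-08-09T10:05:00Z", "Drift", "drift-integ@corp", "update", "Lead", 2, "203.0.113.10"),
    ApiEvent("2025-08-10T03:12:00Z", "Drift", "drift-integ@corp", "query", "Case", 45000, "198.51.100.7"),
    ApiEvent("2025-08-10T03:14:00Z", "Drift", "drift-integ@corp", "query", "Account", 12000, "198.51.100.7"),
    ApiEvent("2025-08-10T03:20:00Z", "Drift", "drift-integ@corp", "query", "User", 900, "198.51.100.7"),
]


def build_baseline(events, before):
    """Per connected app: objects touched, largest single read, and source IPs
    seen strictly before the cut-off timestamp."""
    base = defaultdict(lambda: {"sobjects": set(), "max_rows": 0, "ips": set()})
    for e in events:
        if e.ts >= before:
            continue
        b = base[e.connected_app]
        b["sobjects"].add(e.sobject)
        b["max_rows"] = max(b["max_rows"], e.rows)
        b["ips"].add(e.src_ip)
    return base


def detect(events, baseline_until, volume_factor=10):
    """Return (ts, app, sobject, reasons) for every post-cut-off call that
    deviates from the app's baseline."""
    base = build_baseline(events, baseline_until)
    findings = []
    for e in events:
        if e.ts < baseline_until:
            continue
        b = base.get(e.connected_app)
        reasons = []
        if b is None:
            reasons.append("connected app never seen in baseline")
        else:
            if e.sobject not in b["sobjects"]:
                reasons.append(f"new object {e.sobject}")
            if e.rows > volume_factor * max(b["max_rows"], 1):
                reasons.append(f"row volume {e.rows} exceeds {volume_factor}x baseline max {b['max_rows']}")
            if e.src_ip not in b["ips"]:
                reasons.append(f"new source IP {e.src_ip}")
        if reasons:
            findings.append((e.ts, e.connected_app, e.sobject, reasons))
    return findings


if __name__ == "__main__":
    for ts, app, obj, why in detect(EVENTS, "2025-08-10T00:00:00Z"):
        print(ts, app, obj, "; ".join(why))
```

Run against the sample, the three 10 August calls are flagged on all three criteria (new object, volume, new IP) while the routine traffic is not. In practice, build the baseline from a window that predates the earliest date the vendor gives for the token theft; a baseline that includes the attacker's activity will learn it as normal.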
Newly Discovered Vulnerabilities
- WhatsApp patched a vulnerability that, chained with an Apple operating-system flaw, enabled zero-click attacks against targeted users; both were exploited in the wild, so WhatsApp and Apple devices should be updated promptly.
Notable Threat Actor Activity
- North Korea-linked group ScarCruft (APT37) is conducting a phishing campaign targeting South Korean academics, delivering RokRAT malware.
- Russian APT29 (Midnight Blizzard) was actively targeting Microsoft 365 environments before its operation was disrupted by Amazon (see Major Incidents above).
- Sextortion campaigns continue at scale, with analysis of 1,900 messages and 205 Bitcoin addresses over four years providing insights into threat actor behaviour and tactics.
Trends, Tools, or Tactics of Interest
- A malicious npm package, nodejs-smtp, was discovered posing as a drop-in alternative to Nodemailer; on the victim's machine it injected code into the desktop applications of the Atomic and Exodus cryptocurrency wallets to hijack wallet transactions.
- Android malware droppers are shifting from delivering primarily banking trojans to distributing a broader range of threats, including SMS stealers and spyware.
- Reportedly, over 80% of security incidents now originate from web applications, with the browser increasingly the primary attack surface in enterprise environments.
- Ongoing scams are targeting travellers to the UK, with fraudsters offering fake Electronic Travel Authorisation (ETA) documents for inflated prices or to harvest personal and financial data.
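The nodejs-smtp case above is a reminder that impostor packages do not have to be typosquats: nodejs-smtp shares no name with Nodemailer, so a name-similarity check alone would miss it. The audit below is an added example written for this brief (not code from the npm project or from the researchers who reported the package). It reads an npm package-lock.json in lockfileVersion 3 format and flags four signals: a name within a few edits of a well-known package, an install-time script (the lockfile's real hasInstallScript field), a tarball resolved from outside the public registry, and a direct dependency that is not on a reviewed allowlist. The lockfile, the known-package list and the allowlist are constructed for the example.

```python
"""Added example: audit an npm package-lock.json (lockfileVersion 3) for
impostor/typosquat signals. LOCKFILE, KNOWN_PACKAGES and REVIEWED are
constructed for the example; the checks work on real lockfiles of that version."""
import json

# Hypothetical lists: popular packages worth protecting against lookalikes, and
# the direct dependencies a team has actually reviewed.
KNOWN_PACKAGES = {"nodemailer", "express", "lodash", "axios"}
REVIEWED = {"nodemailer", "express"}
REGISTRY = "https://registry.npmjs.org/"

# Constructed lockfile: one legitimate dependency, one unreviewed package with an
# install script, and one typosquat fetched from a non-registry host.
LOCKFILE = json.dumps({
    "name": "billing-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"express": "^4.19.0", "nodejs-smtp": "^1.0.0", "nodemailr": "^6.9.0"}},
        "node_modules/express": {
            "version": "4.19.2",
            "resolved": REGISTRY + "express/-/express-4.19.2.tgz",
            "integrity": "sha512-AAA",
        },
        "node_modules/nodejs-smtp": {
            "version": "1.0.0",
            "resolved": REGISTRY + "nodejs-smtp/-/nodejs-smtp-1.0.0.tgz",
            "integrity": "sha512-BBB",
            "hasInstallScript": True,
        },
        "node_modules/nodemailr": {
            "version": "6.9.0",
            "resolved": "https://cdn.example.net/nodemailr-6.9.0.tgz",
            "integrity": "sha512-CCC",
        },
    },
})


def edit_distance(a, b):
    """Levenshtein distance, used to spot names one or two typos away from a known package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_lockfile(lock_text, known=KNOWN_PACKAGES, reviewed=REVIEWED, max_dist=2):
    """Return {package_name: [reasons]} for every installed package that trips a check."""
    lock = json.loads(lock_text)
    packages = lock["packages"]
    direct = set(packages.get("", {}).get("dependencies", {}))
    findings = {}
    for path, meta in packages.items():
        if not path.startswith("node_modules/"):
            continue  # "" is the root project itself
        name = path.rsplit("node_modules/", 1)[1]  # handles nested node_modules and @scopes
        reasons = []
        if name not in known:
            for k in known:
                if edit_distance(name, k) <= max_dist:
                    reasons.append(f"name is within {max_dist} edits of {k}")
        if meta.get("hasInstallScript"):
            reasons.append("runs an install-time script")
        resolved = meta.get("resolved", "")
        if not resolved.startswith(REGISTRY):
            reasons.append(f"tarball not from public registry: {resolved or '<none>'}")
        if name in direct and name not in reviewed:
            reasons.append("direct dependency not in reviewed allowlist")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for pkg, why in audit_lockfile(LOCKFILE).items():
        print(pkg, "->", "; ".join(why))
```

On the sample, express passes, nodemailr is caught by the name check and the off-registry tarball, and nodejs-smtp is caught only by the install-script and allowlist checks, which is the point: the allowlist review is what catches a package that simply describes itself as a Nodemailer replacement.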
Regulatory or Policy Developments Affecting the Security Industry
- No significant regulatory or policy developments were reported in the covered period.