Major Incidents or Breaches

  • Jaguar Land Rover (JLR) confirmed a data breach following a recent cyberattack that forced system shutdowns and operational disruptions. Some company data was stolen in the incident.
  • The New York Blood Center began notifying affected individuals about a data breach resulting from a ransomware attack, confirming user data was stolen.
  • Plex, a media streaming platform, reported a data breach and advised users to reset their passwords.
  • The largest known supply-chain attack in the NPM ecosystem impacted approximately 10% of all cloud environments. Despite the scale, attackers reportedly gained little financial benefit.
  • An open-source developer known as “qix” disclosed a compromise of their GitHub account after being socially engineered to surrender access credentials.
  • A European DDoS mitigation provider was itself hit by a distributed denial-of-service attack peaking at 1.5 billion packets per second.

Newly Discovered Vulnerabilities

  • Microsoft released patches for 80 vulnerabilities, including a publicly disclosed flaw, an SMB privilege escalation vulnerability, and Azure bugs rated CVSS 10.0.
  • Fortinet, Ivanti, and Nvidia issued security updates addressing high-severity vulnerabilities that could allow remote code execution, privilege escalation, information disclosure, and configuration tampering.
  • Rockwell Automation published eight security advisories as part of ICS Patch Tuesday, with additional advisories from Siemens, Schneider Electric, Phoenix Contact, and CISA.
  • A weakness in the Cursor AI code editor was identified, allowing repositories to automatically execute malicious code on a developer’s device when opened.

Notable Threat Actor Activity

  • Chinese APT groups have been linked to multiple high-profile incidents:
    • A Chinese APT deployed the previously undocumented EggStreme fileless malware framework to compromise a Philippines-based military company.
    • APT41, a China-linked group, is conducting ongoing cyber espionage campaigns targeting U.S. trade officials amid 2025 negotiations, as formally warned by the U.S. House Select Committee on China.
    • Chinese state-backed actors have been observed posing as a U.S. congressman in spear-phishing attacks.
  • AsyncRAT is being distributed via compromised ConnectWise ScreenConnect installations to steal credentials and cryptocurrency.
  • Hacktivist and APT groups targeting Russian organizations have been analyzed and classified into three clusters based on their tactics, techniques, and procedures (TTPs).
  • The U.S. announced a $10 million reward for information leading to the arrest of Volodymyr Tymoshchuk, accused of deploying LockerGoga, MegaCortex, and Nefilim ransomware against hundreds of organizations.

Trends, Tools, or Tactics of Interest

  • The use of “shadow AI”—unauthorized or unmanaged AI tools by employees—is highlighted as an increasing security risk for organizations.
  • A new Phishing-as-a-Service kit, Salty2FA, has emerged, targeting U.S. and EU enterprises and focusing on bypassing two-factor authentication.
  • Two new malware families were identified:
    • CHILLYHELL, a modular macOS backdoor with multiple persistence mechanisms, password brute-forcing, payload dropping, and multi-protocol communication.
    • ZynorRAT, a Go-based remote access trojan capable of targeting macOS, Windows, and Linux systems.
  • BASE64 encoding over DNS is being used as a data exfiltration technique by certain backdoors.
  • Google is implementing C2PA Content Credentials in the Pixel 10 camera and Google Photos to verify image authenticity and counter AI-generated fakes.
  • Students are increasingly posing insider threats within the education sector, often unintentionally but at a scale challenging for security teams.
  • Social engineering remains a significant vector, as demonstrated by the Scattered Spider group breaching Clorox through phone-based help desk manipulation, leading to $380 million in damages.
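The BASE64-over-DNS exfiltration item above is a tactic a defender can hunt for in resolver or DNS-server query logs, since the smuggled data shows up as long, high-entropy subdomain labels that decode to readable text. The script below is an added example, not code from the original digest or from any report it summarizes; the log format, domain names, client addresses and encoded payloads are constructed for illustration.

```python
"""Heuristic detector for base64-encoded data carried in DNS query names.

Added example. The log format below (timestamp, client IP, record type,
query name) and every hostname and payload in it are constructed.
"""
import base64
import binascii
import math
import re
from collections import Counter
from typing import Optional

# Constructed DNS query log: two ordinary lookups, two TXT queries whose
# first label is stripped-padding base64, and one CDN-style hex label that
# should NOT be flagged (it does not decode to printable text).
SAMPLE_DNS_LOG = """\
2025-09-10T12:00:01Z 10.0.0.15 A www.example.com
2025-09-10T12:00:02Z 10.0.0.15 A mail.example.com
2025-09-10T12:00:03Z 10.0.0.22 TXT aG9zdG5hbWU9d3MtMDEyO3VzZXI9YWxpY2U.cdn-assets.example.net
2025-09-10T12:00:04Z 10.0.0.22 TXT cGFzc3dkPWh1bnRlcjI7dG9rZW49YWJjMTIz.cdn-assets.example.net
2025-09-10T12:00:05Z 10.0.0.31 A api.github.com
2025-09-10T12:00:06Z 10.0.0.31 A d1a2b3c4d5e6f7a8.cloudfront-like.example.org
"""

# Standard or URL-safe base64 alphabet, no '=' (padding is invalid in a DNS label,
# so exfil tools strip it). 16 chars is an arbitrary floor chosen for this example.
BASE64_LABEL = re.compile(r"^[A-Za-z0-9+/_-]{16,}$")
MIN_ENTROPY = 3.5  # bits per character; dictionary-word labels sit well below this


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def try_decode(label: str) -> Optional[bytes]:
    """Decode a label as base64 (standard or URL-safe), restoring stripped padding."""
    std = label.replace("-", "+").replace("_", "/")
    padded = std + "=" * (-len(std) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def mostly_printable(data: bytes, threshold: float = 0.9) -> bool:
    """True if at least `threshold` of the bytes are printable ASCII."""
    if not data:
        return False
    printable = sum(32 <= b < 127 for b in data)
    return printable / len(data) >= threshold


def suspicious_labels(qname: str) -> list:
    """Return (label, decoded_text) pairs for labels that look like base64-carried data."""
    hits = []
    for label in qname.rstrip(".").split("."):
        if not BASE64_LABEL.match(label) or shannon_entropy(label) < MIN_ENTROPY:
            continue
        data = try_decode(label)
        if data is not None and mostly_printable(data):
            hits.append((label, data.decode("ascii", errors="replace")))
    return hits


def scan_dns_log(log_text: str) -> list:
    """Parse the constructed log format and report queries with base64-like labels."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or blank lines
        ts, client, rtype, qname = parts
        for label, decoded in suspicious_labels(qname):
            findings.append({"time": ts, "client": client, "rtype": rtype,
                             "qname": qname, "label": label, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{f['time']} {f['client']} {f['rtype']} {f['qname']} -> {f['decoded']!r}")
```

The three filters (alphabet, entropy, decodes-to-printable) are layered because each alone is noisy: CDN and telemetry hostnames routinely carry long random tokens that pass the first two, so the printable-text check is what keeps the hex label in the sample from being reported. In production the thresholds need tuning against your own baseline, a domain allowlist helps, and the strongest signal is usually volume per client to one parent domain rather than any single query.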

Regulatory or Policy Developments Affecting the Security Industry

  • CISA presented its vision for the Common Vulnerabilities and Exposures (CVE) program, indicating ongoing evolution in vulnerability management and disclosure processes.
  • Apple introduced Memory Integrity Enforcement (MIE) in new iPhone models, providing always-on memory safety protections for the kernel and over 70 userland processes.
  • The U.S. is increasing scrutiny and financial incentives related to ransomware operators, exemplified by the $10 million reward targeting a Ukrainian ransomware actor.
  • The number of U.S. investors in commercial spyware companies increased sharply in 2024, with new countries identified as linked to the proliferation of such tools.