Major Incidents or Breaches

  • Volvo and two other international vehicle manufacturers suffered supply chain cyberattacks in the past month; in Volvo’s case, employee Social Security numbers were stolen in a ransomware attack.
  • Hackers stole data on 8,000 nursery children and contacted their parents directly, demanding ransom payments under threat of leaking the children’s information.
  • A South Korean credit card company was hacked.
  • The Maryland Transit Administration experienced a ransomware attack.
  • The UK’s Co-op lost £206 million due to a cyberattack.
  • Flo Health and Google agreed to pay $56 million to settle lawsuits over the period-tracking app Flo sharing users’ sensitive health data for advertising purposes.
  • Neon Mobile, a popular US app, pays users to record their phone calls and then sells this data for AI training.

Newly Discovered Vulnerabilities

  • A critical vulnerability (CVE-2025-10035, CVSS 10) in Fortra’s GoAnywhere Managed File Transfer (MFT) software was exploited as a zero-day at least eight days prior to public disclosure, allowing unauthenticated remote command injection and the creation of backdoor admin accounts.
  • Multiple vulnerabilities in Cognex industrial cameras allow for remote hacking; no patches are available, and customers are advised to migrate to newer models.
  • Google Project Zero highlighted the risk of pointer leaks through pointer-keyed data structures, which can undermine ASLR protections and facilitate remote exploitation.

Notable Threat Actor Activity

  • The Russian APT group COLDRIVER launched a new campaign using ClickFix-style attacks to deliver two new lightweight malware families.
  • Iranian APTs, including the Charming Kitten offshoot Subtle Snail, have been observed signing malware with valid code-signing certificates issued by SSL.com.
  • North Korean threat actors are posing as recruiters to steal developers’ identities and provide these to fraudulent IT workers.
  • A phishing campaign impersonating Ukrainian government agencies is distributing CountLoader, which subsequently deploys Amatera Stealer and PureMiner malware. PureRAT phishing threats are also targeting Vietnam.
  • LockBit 5.0 ransomware activity continues to be reported.

Trends, Tools, or Tactics of Interest

  • The XCSSET macOS malware has a new variant with a four-stage infection chain, an additional persistence mechanism, and new targeting of Firefox browser data, including cryptocurrency transaction hijacking.
  • Microsoft Edge will introduce a feature to block malicious sideloaded browser extensions.
  • Generative AI deployments are increasingly recognised as introducing new cyber risks, including phishing, fraud, and model manipulation.
  • North Korean threat actors are leveraging social engineering by masquerading as recruiters to facilitate identity theft for use by IT worker proxies.
  • Interpol arrested 260 suspects in Africa involved in online romance scams that used relationship-building to extort or blackmail victims.
  • A new tool, convert-ts-bash-history.py, has been released to facilitate quick timeline analysis from bash histories.
  • Breach and Attack Simulation (BAS) is highlighted as an effective method for validating security controls beyond theoretical design.
  • The Neon Mobile app’s business model of incentivising users to record and sell their phone call data for AI training is drawing privacy concerns.

Regulatory or Policy Developments Affecting the Security Industry

  • Microsoft has restricted access to cloud and AI products for a unit within the Israeli military, following an internal review linking these services to mass surveillance activities in Gaza.
  • U.S. President Donald Trump signed an executive order approving the restructuring of TikTok’s U.S. operations to address national security concerns, transferring control to U.S. investors.
  • Google and Flo Health face regulatory enforcement, agreeing to a $56 million settlement over improper sharing of sensitive health data.
  • Cognex is recommending customers transition to newer products due to unpatched vulnerabilities in its industrial cameras.