Major Incidents or Breaches

  • SonicWall Cloud Backup Breach: SonicWall confirmed that all customers using its cloud backup service had their firewall configuration backup files accessed by an unauthorized party. The files included encrypted credentials and other sensitive configuration data.
  • Oracle E-Business Suite Exploitation: A zero-day vulnerability in Oracle’s E-Business Suite has been exploited since August 2025 by threat actors linked to the CL0P ransomware group, impacting dozens of organizations.
  • Discord Data Breach: Discord disclosed that 70,000 users had government-issued IDs exposed in a recent data breach, with attackers claiming theft of over 2 million ID photos submitted for age verification.
  • Law Firm Williams & Connolly Breach: Chinese threat actors exploited a zero-day vulnerability to breach the US law firm Williams & Connolly. The firm reports no evidence of client data theft.
  • Microsoft Azure Outage: An outage affecting Azure Front Door CDN disrupted access to Microsoft 365 services and admin portals.
  • University Payroll Hijacking: The cybercrime group Storm-2657 has been targeting US university HR employees since March 2025 in “payroll pirate” attacks, rerouting salary payments.
  • Fake Android Apps and Banking Trojan: Malware campaigns using fake VPN and streaming apps (e.g., Mobdro Pro IP TV + VPN) are distributing the Klopatra Android trojan, which steals banking credentials.

Newly Discovered Vulnerabilities

  • Oracle EBS Zero-Day: Actively exploited by CL0P-linked actors, affecting Oracle E-Business Suite installations.
  • GitHub Copilot Chat Flaw: A vulnerability in GitHub Copilot Chat allowed hidden comments to manipulate responses and leak sensitive information, including data from private repositories.
  • HTTP/1.1 Desync Attacks: New HTTP desynchronisation techniques targeting HTTP/1.1 were demonstrated, exposing critical web infrastructure to novel attack vectors.
  • RondoDox Botnet Targeting N-Day Flaws: The RondoDox botnet is exploiting 56 known vulnerabilities across more than 30 device types, including those disclosed at Pwn2Own competitions.

Notable Threat Actor Activity

  • CL0P Ransomware Group: Exploiting Oracle EBS zero-day to breach multiple organizations.
  • UTA0388 (China-Aligned): Conducting spear-phishing campaigns across North America, Asia, and Europe, deploying a Go-based malware implant known as GOVERSHELL.
  • Storm-2657: Targeting US university payroll systems to hijack salary payments.
  • Russian Threat Actors: Increasing use of AI to enhance phishing and malware campaigns against Ukrainian targets.
  • Pro-Russian Hacktivist Group TwoNet: Shifting from DDoS to targeting critical infrastructure, including decoy industrial plants.
  • Android Spyware Campaigns: ClayRat spyware is distributed via fake WhatsApp, TikTok, Google Photos, and YouTube apps, primarily targeting Russian users via phishing sites and Telegram channels.
  • Ransomware Actors Using Velociraptor: LockBit and Babuk ransomware operators are leveraging the Velociraptor DFIR tool for post-exploitation and lateral movement.

Trends, Tools, or Tactics of Interest

  • Surge in Vishing: Voice-based phishing (vishing) incidents are increasing, highlighting the need for robust human risk management.
  • Multitasking and Phishing: Employees who multitask are more susceptible to phishing attacks, according to recent academic research.
  • SaaS Token Theft: OAuth and API token theft is a leading cause of SaaS breaches, with attackers exploiting poor token hygiene.
  • AI in Cyber Attacks: Russian actors are leveraging AI for more effective phishing and malware delivery.
  • Velociraptor in Ransomware: Increased use of legitimate DFIR tools like Velociraptor by ransomware operators for stealth and persistence.
  • Chaos Ransomware Evolution: The Chaos ransomware-as-a-service has introduced a new C++ variant with enhanced encryption, wiper, and cryptocurrency-stealing capabilities.
  • Risks with AI Notetakers: Security and compliance risks are emerging as AI-powered transcription tools become common in online meetings.
  • Exfiltration via AI Coding Assistants: Proof-of-concept attacks demonstrate data exfiltration from GitHub Copilot using hidden prompts (“CamoLeak”).
  • PureRAT Campaign Evolution: Attackers are escalating from simple infostealers to deploying full-featured remote access trojans with advanced evasion and secure C2 channels.

Regulatory or Policy Developments Affecting the Security Industry

  • California Privacy and AI Laws: California enacted 14 new privacy and AI-related laws, granting users greater control over personal data and setting new standards for data handling and AI transparency.
  • Microsoft Defender False Positive: Microsoft is addressing an issue where Defender for Endpoint incorrectly flags SQL Server as end-of-life, potentially affecting compliance and patch management processes.
  • Apple App Store Enforcement: Apple removed ICE-tracking apps from the App Store, raising questions about platform policy and developer recourse.