Major Incidents or Breaches

  • F5 disclosed a cyber attack, reportedly carried out by threat actors who maintained long-term, undetected access to internal systems.
  • Retailer Muji suspended online sales after a ransomware attack on its delivery partner, Askul, caused a logistics outage.
  • Envoy Air, an American Airlines subsidiary, confirmed a breach resulting in the theft of business information following an Oracle-related hack.
  • A European telecommunications organization was breached using Snappybee malware and a Citrix vulnerability, attributed to the China-linked Salt Typhoon group.
  • AWS suffered a significant outage, disrupting Amazon.com, Prime Video, Fortnite, Perplexity AI, Canva, and other major services for approximately two hours.
  • A phishing campaign impersonating Home Depot used fake giveaways and tracking pixels to lure victims and compromise data.
  • Over 75,000 WatchGuard Firebox security appliances remain exposed online and vulnerable to a critical remote code execution flaw (CVE-2025-9242).
  • 131 malicious Chrome extensions, cloned from a WhatsApp Web automation tool, were used to hijack WhatsApp Web sessions and conduct large-scale spam campaigns, primarily targeting Brazilian users.
  • A self-propagating malware named GlassWorm targeted the OpenVSX and Visual Studio Code extension registries, infecting an estimated 36,000 developer systems and acting as a criminal proxy network.

Newly Discovered Vulnerabilities

  • U.S. CISA added five actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, including flaws in Oracle and Microsoft products.
  • A high-severity Windows SMB privilege escalation vulnerability is now being actively exploited in the wild, allowing attackers to gain SYSTEM privileges on unpatched systems.
  • A critical flaw (CVE-2025-9242) in WatchGuard Firebox appliances remains unpatched in tens of thousands of devices, enabling remote code execution.
  • ConnectWise patched a critical vulnerability in its Automate RMM tool that could allow attackers to intercept and tamper with communications in certain configurations.
  • A vulnerability in Dolby Decoder on Android allows for zero-click attacks via out-of-bounds writes during media file processing.
  • Microsoft released fixes for Windows Server Active Directory sync issues and addressed smart card authentication problems caused by recent security updates.
  • October Windows security updates introduced issues with USB input devices (mice and keyboards) in the Windows Recovery Environment (WinRE).
  • Oracle E-Business Suite customers were exposed to risk due to conflicting vendor guidance on deploying a recent zero-day patch.

Notable Threat Actor Activity

  • The Russia-linked COLDRIVER (a.k.a. ColdRiver) group developed and deployed three new malware families, demonstrating increased operational tempo and rapid adaptation.
  • The China-linked Salt Typhoon group used Snappybee malware and a Citrix flaw to conduct cyber espionage against a European telecom operator.
  • The Lumma Stealer group saw a significant drop in activity after the core members’ identities were exposed in an underground doxxing campaign.
  • Chinese cybercriminal gangs utilized US SIM farms and money mules to run large-scale text message scams targeting Americans, generating over $1 billion in illicit proceeds.
  • Law enforcement dismantled a major SIM box criminal network in Europe, arresting seven individuals and disrupting a cybercrime-as-a-service platform responsible for €5 million in losses.

Trends, Tools, or Tactics of Interest

  • Long-term, stealthy breaches are increasingly common, as evidenced by the F5 incident and recent rootkit discoveries in Linux environments.
  • ClickFix and similar browser-based copy/paste attacks are a growing cause of security breaches, exploiting user interaction with malicious scripts.
  • Malicious OAuth applications are being used to infiltrate Microsoft 365 tenants; tools like Cazadora are being deployed to detect hidden rogue apps.
  • The GlassWorm malware campaign highlights the ongoing risk of supply-chain attacks against developer ecosystems, with self-spreading malware targeting code extension marketplaces.
  • SIM farms and SIM box infrastructure continue to enable cybercrime-as-a-service offerings, facilitating large-scale fraud and spam operations.
  • New microchip technology (“FD-SOI”) is being developed to protect vehicles from laser-based hardware attacks, with implications for regulatory compliance in the automotive sector.
  • BYOD risks are expanding to include vehicles, with researchers demonstrating that attacks on connected cars can potentially bridge to corporate networks via employee devices.

Regulatory or Policy Developments

  • The DNS0.EU non-profit public DNS service for European users announced an immediate shutdown due to sustainability issues, impacting privacy-focused DNS options in the region.
  • A U.S. judge ordered NSO Group to cease hacking WhatsApp but reduced damages from $167 million to $4 million.
  • South Korea is intensifying efforts to prosecute online scam suspects repatriated from Cambodia, responding to public pressure over overseas cybercrime.
  • Anthropic, in partnership with the U.S. government, introduced a filter to prevent its Claude AI from providing information relevant to nuclear weapon construction, reflecting ongoing policy attention to AI misuse.