Major Incidents or Breaches

  • Ribbon Communications, a US telecom company, disclosed a breach attributed to suspected nation-state actors, with initial access dating back to December of the previous year. The company has not confirmed whether sensitive data was accessed.
  • The University of Pennsylvania experienced a cybersecurity incident in which students and alumni received offensive emails from compromised university addresses, with threats to leak data.
  • Open VSX (Eclipse Foundation) revoked a small number of leaked publishing tokens reported by Wiz. The foundation said the incident was contained and pushed back on descriptions of it as a self-replicating worm, noting the tokens had to be used manually rather than spreading on their own.
  • Australian authorities warned that unpatched Cisco IOS XE devices continue to be compromised and implanted with the BadCandy Lua-based webshell. The implant is dropped through the IOS XE web UI, so exposure of that interface to untrusted networks is the practical risk to check first.

Newly Discovered Vulnerabilities

  • A critical zero-day vulnerability in Motex Lanscope Endpoint Manager (CVE-2025-xxxx) is being actively exploited by the China-linked Tick group for cyber espionage and full compromise of managed systems.
  • An unpatched Windows shortcut (LNK) file vulnerability is being exploited by China-affiliated threat actors, including UNC6384 and Mustang Panda, to target European diplomatic and government entities. Attacks use spear-phishing with European Commission and NATO-themed lures to deliver malware, including PlugX.
  • CISA flagged a high-severity Linux kernel privilege escalation flaw as being used in ransomware campaigns, raising its priority for remediation.
  • Broadcom updated its advisory to confirm in-the-wild exploitation of a VMware vulnerability (CVE-2025-41244), now added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
  • Google released a Chrome update addressing 20 security issues, including seven high-severity flaws that could allow remote code execution via malicious web pages.

Notable Threat Actor Activity

  • Nation-state threat actors are distributing new malware named Airstalk as part of a suspected supply chain attack, according to Palo Alto Networks Unit 42.
  • China-linked UNC6384 and Mustang Panda are conducting targeted attacks against European diplomatic entities, exploiting the unpatched Windows shortcut (LNK) flaw with PlugX as the payload.
  • The China-linked Tick group is exploiting a Lanscope zero-day for corporate system compromise.
  • Russian authorities arrested three individuals believed to be administrators of the Meduza Stealer malware operation after attacks on Russian organizations.
  • A Ukrainian national was extradited from Ireland to the US on charges related to participation in the Conti ransomware group.

Trends, Tools, or Tactics of Interest

  • OpenAI announced Aardvark, an agentic security researcher powered by GPT-5, designed to autonomously identify and remediate code flaws.
  • Microsoft Edge introduced a new scareware sensor to enhance scam detection capabilities and improve Defender SmartScreen response times.
  • Ongoing exploitation of unpatched networking devices (notably Cisco IOS XE) continues to be leveraged for webshell deployment and persistent access.
  • The use of spear-phishing with themed lures (European Commission, NATO) remains prevalent in targeted attacks on diplomatic sectors.
  • MSPs are facing increased client expectations for cybersecurity and compliance, amid evolving threats and regulatory demands.
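The IOS XE item under Major Incidents and the networking-device trend above both come down to one question for operators: is the web UI implant answering on my routers? The script below is an added example (not from this digest, and not Cisco's tooling) that automates the response check Cisco Talos published for the IOS XE web UI implant family: an unauthenticated POST to /webui/logoutconfirm.html?logon_hash=1 that comes back as a bare hexadecimal token means the implant is present. The sample response bodies in the comments are constructed; the host list and timeout are assumptions.

```python
"""Probe Cisco IOS XE devices for the BadCandy / IOS XE web UI implant.

Added example, not from the original digest. It wraps the check Cisco Talos
published for the IOS XE web UI implant: an unauthenticated POST to
/webui/logoutconfirm.html?logon_hash=1 that returns a bare hex token (Talos'
sample was 18 characters) indicates the implant is answering.
"""
import re
import ssl
import sys
import urllib.error
import urllib.request
from typing import Optional, Tuple

IMPLANT_PATH = "/webui/logoutconfirm.html?logon_hash=1"

# The implant answers with a bare hex string; a clean device returns the HTML
# logout page (or an HTTP error if the web UI is disabled).
_HEX_TOKEN = re.compile(r"^[0-9a-f]{16,64}$", re.IGNORECASE)


def classify_response(status: Optional[int], body: str) -> str:
    """Classify the response to the logoutconfirm.html probe.

    Returns one of:
      "implant"     - HTTP 200 whose body is a bare hex token (constructed
                      example: "0123456789abcdef01")
      "clean"       - any other HTTP response (normal web UI HTML, 404, ...)
      "unreachable" - no HTTP response at all (status is None)
    A "clean" verdict does not clear the device: later implant variants only
    answer when an expected Authorization header is present.
    """
    if status is None:
        return "unreachable"
    token = body.strip()
    if status == 200 and _HEX_TOKEN.match(token):
        return "implant"
    return "clean"


def fetch(host: str, timeout: float = 5.0) -> Tuple[Optional[int], str]:
    """POST the probe to the device web UI and return (status, body).

    IOS XE web UIs almost always use self-signed certificates, so verification
    is disabled for this probe only; do not reuse this context elsewhere.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        f"https://{host}{IMPLANT_PATH}", data=b"", method="POST"
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read(256).decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read(256).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def scan(hosts) -> dict:
    """Probe each host and map it to its verdict."""
    return {host: classify_response(*fetch(host)) for host in hosts}


if __name__ == "__main__":
    # Assumed usage: python probe_iosxe.py 192.0.2.1 192.0.2.2 ...
    for device, verdict in scan(sys.argv[1:]).items():
        print(f"{device}\t{verdict}")
```

Treat "implant" as confirmed compromise, but do not treat "clean" as a clean bill of health: the implant is non-persistent across reboots while any local accounts the attacker created are persistent, so pair this probe with a review of `show running-config` for unexpected privilege-15 users and with patching and restricting the web UI. The probe is also visible to the device's own logging, which is desirable when run by the owner.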

Regulatory or Policy Developments

  • The United Nations Convention Against Cybercrime was opened for signature in Hanoi, establishing an international framework for cross-border cybercrime cooperation (the treaty text itself was adopted by the General Assembly in December 2024).
  • CISA and NSA, in coordination with Australian and Canadian partners, issued urgent guidance to secure on-premises WSUS and Microsoft Exchange servers.
  • Japan released comprehensive OT security guidance for semiconductor factories, available in both Japanese and English.
  • CISA added exploited XWiki and VMware vulnerabilities to the Known Exploited Vulnerabilities catalog.
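Two items in this digest (the VMware CVE-2025-41244 entry under Newly Discovered Vulnerabilities and the XWiki/VMware additions above) are KEV catalog changes, and the practical task they create is diffing the catalog against what you run. The script below is an added example, not from this digest or from CISA: it parses JSON in the shape of CISA's public KEV feed, matches entries against a vendor/product inventory, and orders findings by BOD 22-01 due date and known ransomware use. The embedded feed is constructed sample data: the two CVE-0000-* identifiers are placeholders, and every date and product string is illustrative rather than copied from the real catalog.

```python
"""Match a software inventory against a CISA KEV-format JSON feed.

Added example, not from the original digest or from CISA. The real feed is
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
and carries the same top-level "vulnerabilities" array and field names used
below. SAMPLE_KEV is constructed test data, not a copy of the catalog.
"""
import json
from datetime import date
from typing import Dict, Iterable, List, Tuple

SAMPLE_KEV = json.dumps({
    "title": "constructed sample in KEV feed shape",
    "vulnerabilities": [
        {   # real CVE from the digest; dates and product text are placeholders
            "cveID": "CVE-2025-41244",
            "vendorProject": "VMware",
            "product": "Aria Operations and VMware Tools",
            "dateAdded": "2025-10-30",
            "dueDate": "2025-11-20",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {   # placeholder identifier, not a real CVE
            "cveID": "CVE-0000-00001",
            "vendorProject": "XWiki",
            "product": "XWiki Platform",
            "dateAdded": "2025-10-30",
            "dueDate": "2025-11-20",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {   # placeholder identifier, not a real CVE
            "cveID": "CVE-0000-00002",
            "vendorProject": "Linux",
            "product": "Kernel",
            "dateAdded": "2025-09-10",
            "dueDate": "2025-10-01",
            "knownRansomwareCampaignUse": "Known",
        },
    ],
})


def load_kev(feed_json: str) -> Dict[str, dict]:
    """Index KEV entries by CVE ID."""
    data = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def match_inventory(kev: Dict[str, dict],
                    inventory: Iterable[Tuple[str, str]],
                    today: date) -> List[dict]:
    """Return KEV entries whose vendor and product contain an inventory pair.

    Matching is case-insensitive substring matching, which is deliberately
    loose: KEV product names vary ("Multiple Products", vendor-prefixed names),
    so prefer matching on CVE IDs from a scanner when you have them. Findings
    are sorted so overdue entries (BOD 22-01 due date already passed) come
    first, then by due date.
    """
    findings = []
    for entry in kev.values():
        vendor_name = entry["vendorProject"].lower()
        product_name = entry["product"].lower()
        for vendor, product in inventory:
            if vendor.lower() in vendor_name and product.lower() in product_name:
                due = date.fromisoformat(entry["dueDate"])
                findings.append({
                    "cve": entry["cveID"],
                    "vendor": entry["vendorProject"],
                    "product": entry["product"],
                    "due": entry["dueDate"],
                    "overdue": due < today,
                    "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                })
                break  # one finding per KEV entry even if several pairs match
    findings.sort(key=lambda f: (not f["overdue"], f["due"]))
    return findings


if __name__ == "__main__":
    # Assumed inventory and reference date; replace with your own asset data.
    inventory = [("VMware", "Aria"), ("Linux", "Kernel")]
    for finding in match_inventory(load_kev(SAMPLE_KEV), inventory, date(2025, 11, 3)):
        flag = "OVERDUE " if finding["overdue"] else ""
        ransom = " [ransomware use]" if finding["ransomware"] else ""
        print(f"{flag}{finding['cve']} {finding['vendor']} {finding['product']} due {finding['due']}{ransom}")
```

The due dates in the catalog bind US federal civilian agencies under BOD 22-01; for everyone else they are a useful prioritization signal, and the knownRansomwareCampaignUse field is the one to escalate on, since it is exactly the flag CISA sets when it confirms ransomware use of an entry such as the Linux kernel flaw in this digest.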