Major Incidents or Breaches

  • DoorDash disclosed a data breach in October affecting user information across the US, Canada, Australia, and New Zealand.
  • The Washington Post is notifying nearly 10,000 employees and contractors of personal and financial data exposure following the Oracle data theft attack.
  • Synnovis confirmed patient information was stolen in a ransomware attack that disrupted pathology services at several London hospitals.
  • The NHS is investigating claims of an Oracle E-Business Suite (EBS) hack after hackers named over 40 alleged victims, with the National Cyber Security Centre involved.

Newly Discovered Vulnerabilities

  • Fortinet FortiWeb is affected by a path traversal vulnerability that allows unauthenticated attackers to create administrative users. The flaw is being actively exploited, and a public proof-of-concept (PoC) is available.
  • ImunifyAV, a malware scanner for Linux servers used by tens of millions of websites, has a remote code execution vulnerability that could compromise hosting environments.
  • WatchGuard Firebox firewalls are impacted by CVE-2025-9242, a critical (CVSS 9.3) unauthenticated remote code execution vulnerability, which is being actively exploited.
  • Cisco Adaptive Security Appliances (ASA) and Firepower devices are subject to two actively exploited vulnerabilities, prompting urgent patching advisories from CISA.
  • Cisco Identity Services Engine (ISE) and Citrix products are affected by CVE-2025-20337 and CVE-2025-5777, both of which have been exploited as zero-days.
  • Uhale Android-based digital picture frames contain multiple critical vulnerabilities, including the ability to download and execute malware at boot time.
  • A vulnerability in ChatGPT’s custom GPTs allowed exploitation via server-side request forgery (SSRF) to obtain Azure access tokens.

Notable Threat Actor Activity

  • Russian-speaking threat actors have registered over 4,300 fake travel domains in a mass phishing campaign targeting hotel guests’ payment data.
  • A malicious Chrome extension, “Safery,” steals Ethereum wallet seed phrases and exfiltrates them using the Sui blockchain.
  • Indonesian threat actors are likely behind the “IndonesianFoods” worm, which has spammed npm with over 100,000 self-replicating malicious packages.
  • The Coyote and Maverick banking trojans are active in Brazil, with Maverick terminating itself if run outside the country.
  • Google has taken legal action against the China-based Lighthouse phishing kit, disrupting a platform responsible for SMS phishing and toll-fee scams affecting over a million victims and 17,500 fake sites.

Trends, Tools, or Tactics of Interest

  • The Tycoon 2FA phishing kit has evolved, enabling unskilled actors to launch sophisticated social engineering attacks that bypass two-factor authentication.
  • Ransomware operators are increasingly targeting virtual environments: Akira ransomware is encrypting Nutanix AHV VMs; Kraken ransomware benchmarks systems to optimise encryption without overloading them.
  • Kerberoasting attacks remain a significant threat for Active Directory environments, with attackers stealing service account passwords to escalate privileges.
  • Formbook malware is being delivered through multiple scripting techniques to evade detection.
  • A surge in exploit weaponisation speed: 50–61% of new vulnerabilities in 2025 had exploit code available within 48 hours of disclosure.
  • Organisations are moving toward single sign-on (SSO) and passkeys to address persistent weak password usage among employees.
  • Microsoft Teams is rolling out screen capture prevention for Premium customers, blocking screenshots and recordings during meetings.
  • Attackers continue to leverage phishing-as-a-service platforms, with new kits and services supporting rapid deployment of phishing campaigns.

Law Enforcement and Regulatory Developments

  • Operation Endgame, coordinated by Europol and Eurojust, disrupted the Rhadamanthys, Venom RAT, and Elysium botnet operations, taking down over 1,025 servers and arresting at least one individual.
  • CISA, FBI, and partners have released updated guidance for defending against Akira ransomware, and have reiterated patching requirements for actively exploited Cisco and WatchGuard vulnerabilities.
  • Google’s legal actions have resulted in the disruption of the Lighthouse phishing kit infrastructure.
  • The UK’s National Cyber Security Centre is assisting the NHS following claims of an Oracle EBS breach.
  • New York State is investigating the use of algorithmic surveillance pricing in consumer markets, highlighting regulatory scrutiny over data-driven practices.