Cybersecurity Brief – 2025-11-22
Major Incidents or Breaches
- Salesforce Customers Breached via Gainsight Integrations: Threat actors affiliated with the ShinyHunters extortion group used third-party Gainsight applications to steal data from Salesforce instances, repeating tactics seen in attacks earlier in the year.
- CrowdStrike Insider Incident: An insider at CrowdStrike leaked internal system screenshots to hackers, with the material subsequently appearing on Telegram via the Scattered Lapsus$ Hunters threat group.
- Transport for London Breach: Two British teenagers, allegedly linked to the Scattered Spider group, pleaded not guilty to charges related to the August 2024 breach of Transport for London, which had significant financial and data-exposure impact.
- WEL Companies Data Breach: A data breach at WEL Companies affected 120,000 individuals.
- Cloudflare Outage: A recent Cloudflare outage highlighted the widespread impact a failure at a major provider can have on the global digital economy.
Newly Discovered Vulnerabilities
- Grafana SCIM Flaw (CVE-2025-41115): Grafana has patched a critical vulnerability in its Enterprise product that could allow privilege escalation or user impersonation under certain configurations. The flaw has a CVSS score of 10.0.
- Oracle Identity Manager RCE (CVE-2025-61757): An unauthenticated remote code execution vulnerability in Oracle Identity Manager is being actively exploited in the wild. CISA has issued a warning to patch immediately.
- SonicWall Firewall and Email Security Appliance: SonicWall released patches for high-severity vulnerabilities that could lead to denial-of-service, arbitrary code execution, or unauthorized file access.
- LINE Messaging App Protocol Bugs: Vulnerabilities in the custom protocol used by the LINE messaging app allow for message replay, impersonation attacks, and exposure of sensitive information, potentially facilitating cyber espionage.
Notable Threat Actor Activity
- APT24 (China Nexus): APT24 has been observed deploying a new malware family, BADAUDIO, as part of a multi-year espionage campaign targeting over 1,000 domains, including Taiwanese entities. The group used supply chain attacks to deliver the BADAUDIO downloader and subsequent payloads.
- ToddyCat APT: Kaspersky identified new versions of ToddyCat APT tools (TomBerBil, TCSectorCopy, XstReader) being used to steal email data and access tokens from Microsoft Outlook in targeted corporate environments.
- ShinyHunters: Continued targeting of Salesforce customers through exploitation of Gainsight integrations.
- Scattered Spider/Lapsus$: Ongoing legal developments involving alleged members in the UK; continued insider threat activity linked to Lapsus$-affiliated groups.
Trends, Tools, or Tactics of Interest
- Deepfake Attacks: Entrust reports deepfake attacks now comprise 20% of biometric fraud attempts, with a 58% increase in deepfaked selfies, indicating rapid growth in synthetic identity threats.
- CSS Stuffing in Phishing: CSS stuffing has been observed being used as an obfuscation technique in phishing emails to bypass security filters.
- AI-Driven Scam Detection: Avast has launched Scam Guardian, a free AI-powered tool for detecting scams in websites, messages, and links, reflecting the increasing adoption of AI for consumer security.
- Calendar Invite Spam: There is a growing trend of fake calendar invites being used to deliver spam and potentially malicious content via email and messaging apps.
- Supply Chain Attacks: APT24’s use of supply chain vectors to deliver BADAUDIO malware highlights continued adversary focus on third-party compromise.
- Insider Threats: The CrowdStrike incident underscores the persistent risk of insiders leaking sensitive information to external threat actors.
- Automation and Entry-Level Cybersecurity: Increased automation and AI adoption are impacting entry-level cybersecurity roles, potentially affecting the security talent pipeline.
- AI Content Risks: AI-powered toys, such as FoloToy’s Kumma teddy bear, have been found to provide inappropriate responses, raising concerns about content moderation and safety in AI-driven products for children.
Regulatory or Policy Developments Affecting the Security Industry
- SEC Drops SolarWinds Lawsuit: The U.S. Securities and Exchange Commission has dropped its case against SolarWinds and its CISO regarding alleged investor misrepresentation related to the 2020 breach.
- FCC Cybersecurity Rollback: The U.S. Federal Communications Commission has rescinded a rule requiring telecom carriers to implement stricter cybersecurity measures, despite ongoing state-sponsored hacking concerns.
- US Cyber Strategy Shift: The US national cyber director announced a strategic shift toward more aggressive, offensive actions aimed at shaping adversary behaviour and imposing consequences for cyber operations.
- CISA Directive: CISA has issued a directive for immediate patching of the actively exploited Oracle Identity Manager vulnerability (CVE-2025-61757).