Major Incidents or Breaches

  • SitusAMC, a major real-estate finance services provider, disclosed a data breach impacting customer data.
  • Harvard University reported a compromise of its Alumni Affairs and Development systems via a voice phishing attack, resulting in exposure of personal data of students, alumni, donors, and staff.
  • Delta Dental of Virginia suffered a breach affecting 146,000 individuals, with names, Social Security numbers, ID numbers, and health information stolen from a compromised email account.
  • Spanish airline Iberia notified customers of a data breach following claims of 77GB of stolen data.
  • Multiple organisations, including Canon, Cox, and Mazda, have been named as victims in the Oracle E-Business Suite (EBS) extortion campaign, with Cox confirming over 1.6 TB of data was stolen and Canon confirming subsidiary impact. Mazda reported no data leakage or operational impact.
  • Illegal streaming devices (e.g., Superbox, modded Amazon Fire TV Sticks) have been implicated in widespread scams, data theft, and integration into botnets.
  • Russian-linked threat actors are distributing StealC V2 infostealer malware via malicious Blender 3D model files uploaded to online marketplaces.
  • CISA issued a warning about active spyware campaigns targeting high-value Signal and WhatsApp users, leveraging commercial spyware and remote access trojans (RATs).

Newly Discovered Vulnerabilities

  • Five vulnerabilities have been identified in Fluent Bit, a widely used open-source telemetry agent, which can be chained to achieve remote code execution and stealthy intrusions into cloud infrastructure.
  • A critical flaw in Oracle Identity Manager (CVE-2025-61757) is under active exploitation and has been added to CISA’s Known Exploited Vulnerabilities catalog.
  • New Chrome and Fortinet zero-day vulnerabilities were reported as being actively exploited.
  • Microsoft confirmed a critical bug in Windows 11 24H2 causing File Explorer and Start Menu crashes when provisioning systems with cumulative updates.
  • Issues with URL mapping and URL-based access control continue to present high-profile vulnerabilities, notably in Oracle Identity Manager.
  • The Ray framework, used in AI clusters, has an exploitable flaw being used to hijack infrastructure for cryptomining and data theft.

Notable Threat Actor Activity

  • A new wave of Shai-Hulud malware attacks is targeting the npm registry, infecting over 500 packages (including well-known names like Zapier and Postman) and leaking secrets on GitHub. The campaign now executes malicious code during the preinstall phase, increasing exposure risks in build and runtime environments.
  • Threat actors are exploiting Black Friday by distributing phishing emails, scams, and malware targeting online shoppers and gamers. They are also selling stolen data and compromised accounts on the dark web.
  • The “ClickFix” attack uses a fake Windows Update animation in browsers to trick users and deliver malware, with the payload hidden in image files.
  • Matrix Push C2 is abusing browser push notifications to deliver realistic phishing and malware alerts.
  • CrowdStrike terminated an insider who aided hackers in falsely claiming a system breach by sharing internal screenshots.
  • The “Scattered LAPSUS$ Hunters” group continues to be active, according to recent threat intelligence reporting.
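The Shai-Hulud item above notes that the campaign now runs its payload in npm's preinstall phase, so every dependency that declares an install-time lifecycle hook is code that executes on `npm install`. The script below is an added example, not part of the original digest or of any project named in it: it walks a `node_modules` tree, lists every package that declares a `preinstall`, `install` or `postinstall` script, and builds a constructed sample tree (package names and commands are invented) so it runs offline.

```python
"""List npm dependencies that run lifecycle scripts at install time.

Added example (not from the digest). Any package declaring preinstall/install/
postinstall runs arbitrary code during `npm install`; enumerating those hooks
across a dependency tree is a cheap review step before trusting a lockfile.
The sample packages, names and commands below are constructed test data.
"""
import json
import tempfile
from pathlib import Path

# npm lifecycle hooks executed when a dependency is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def _is_package_manifest(pkg_json: Path) -> bool:
    """True for node_modules/<name>/package.json or node_modules/@scope/<name>/package.json,
    so nested fixture or test manifests inside a package are not mistaken for dependencies."""
    parent = pkg_json.parent
    if parent.parent.name == "node_modules":
        return True
    return parent.parent.name.startswith("@") and parent.parent.parent.name == "node_modules"


def find_install_hooks(node_modules: Path) -> list[tuple[str, str, str]]:
    """Return (package, hook, command) for each installed package with an install-time script."""
    findings = []
    for pkg_json in node_modules.rglob("package.json"):
        if not _is_package_manifest(pkg_json):
            continue
        try:
            manifest = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or malformed manifest: nothing to inspect here
        scripts = manifest.get("scripts") or {}
        if not isinstance(scripts, dict):
            continue
        name = manifest.get("name", pkg_json.parent.name)
        for hook in INSTALL_HOOKS:
            cmd = scripts.get(hook)
            if cmd:
                findings.append((name, hook, cmd))
    findings.sort()
    return findings


def build_sample_tree(root: Path) -> Path:
    """Write a constructed node_modules tree: one clean package, one unscoped package with a
    preinstall hook, one scoped package with a postinstall hook (all names/commands invented)."""
    packages = {
        "clean-lib": {"name": "clean-lib", "version": "1.0.0",
                      "scripts": {"test": "node test.js"}},
        "suspicious-lib": {"name": "suspicious-lib", "version": "2.3.1",
                           "scripts": {"preinstall": "node install-helper.js"}},
        "@acme/native-addon": {"name": "@acme/native-addon", "version": "0.1.0",
                               "scripts": {"postinstall": "node-gyp rebuild"}},
    }
    node_modules = root / "node_modules"
    for folder, manifest in packages.items():
        pkg_dir = node_modules / folder
        pkg_dir.mkdir(parents=True, exist_ok=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return node_modules


def demo() -> list[tuple[str, str, str]]:
    """Build the sample tree in a temp dir and return the install-hook findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_install_hooks(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for name, hook, cmd in demo():
        print(f"{name}: {hook} -> {cmd}")
```

A hook in the output is not proof of compromise (native add-ons legitimately run `node-gyp rebuild` on postinstall), but each one is a package whose install-time command deserves a look, and a newly appearing hook in a package that never had one is the kind of change the npm campaign above relies on. Where the build does not need them, `npm ci --ignore-scripts` removes the execution path entirely.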

Trends, Tools, or Tactics of Interest

  • Vision language models are being advanced for physical security applications, enhancing employee safety monitoring.
  • Amazon has deployed an Autonomous Threat Analysis system using specialised AI agents for automated bug detection and remediation.
  • Research shows that the Chinese DeepSeek-R1 AI model generates insecure code, particularly when prompted with topics related to Tibet or Uyghurs.
  • Microsoft highlighted security risks introduced by new agentic AI features, warning that AI agents could perform malicious actions without proper controls.
  • Increased use of cloud-native patching is being advocated due to limitations and deprecation of traditional tools (SCCM and WSUS) in hybrid work environments.

Regulatory or Policy Developments Affecting the Security Industry

  • Microsoft announced the removal of Windows Internet Name Service (WINS) support from Windows Server releases starting November 2034.
  • CISA’s alert and addition of Oracle Identity Manager’s CVE-2025-61757 to the KEV catalog increases urgency for remediation across affected organisations.