
New Android Malware Locks Device Screens and Demands a Ransom

12 December 2025 at 15:15


A new Android malware locks device screens and demands that users pay a ransom to keep their data from being deleted. Dubbed “DroidLock” by Zimperium researchers, the Android ransomware-like malware can also “wipe devices, change PINs, intercept OTPs, and remotely control the user interface, turning an infected phone into a hostile endpoint.” The malware detected by the researchers targeted Spanish Android users via phishing sites. Based on the examples provided, the French telecommunications company Orange S.A. was one of the companies impersonated in the campaign.

Android Malware DroidLock Uses ‘Ransomware-like Overlay’

The researchers detailed the new Android malware in a blog post this week, noting that the malware “has the ability to lock device screens with a ransomware-like overlay and illegally acquire app lock credentials, leading to a total takeover of the compromised device.” The malware uses fake system update screens to trick victims and can stream and remotely control devices via virtual network computing (VNC). The malware can also exploit device administrator privileges to “lock or erase data, capture the victim's image with the front camera, and silence the device.”

The infection chain starts with a dropper that appears to require the user to change settings to allow unknown apps to be installed from the source (image below), which leads to the secondary payload that contains the malware.

(Image: The Android malware DroidLock prompts users for installation permissions. Source: Zimperium)

Once the user grants accessibility permission, “the malware automatically approves additional permissions, such as those for accessing SMS, call logs, contacts, and audio,” the researchers said. The malware requests Device Admin Permission and Accessibility Services Permission at the start of the installation. Those permissions allow the malware to perform malicious actions such as:
  • Wiping data from the device, “effectively performing a factory reset.”
  • Locking the device.
  • Changing the PIN, password or biometric information to prevent user access to the device.
Based on commands received from the threat actor’s command and control (C2) server, “the attacker can compromise the device indefinitely and lock the user out from accessing the device.”

DroidLock Malware Overlays

The DroidLock malware uses Accessibility Services to launch overlays on targeted applications, prompted by an AccessibilityEvent originating from a package on the attacker's target list. The Android malware uses two primary overlay methods:
  • A Lock Pattern overlay that displays a pattern-drawing user interface (UI) to capture device unlock patterns.
  • A WebView overlay that loads attacker-controlled HTML content stored locally in a database; when an application is opened, the malware queries the database for the specific package name, and if a match is found it launches a full-screen WebView overlay that displays the stored HTML.
The malware also uses a deceptive Android update screen that instructs users not to power off or restart their devices. “This technique is commonly used by attackers to prevent user interaction while malicious activities are carried out in the background,” the researchers said.

The malware can also capture all screen activity and transmit it to a remote server by operating as a persistent foreground service and using MediaProjection and VirtualDisplay to capture screen images, which are then converted to a base64-encoded JPEG format and transmitted to the C2 server. “This highly dangerous functionality could facilitate the theft of any sensitive information shown on the device’s display, including credentials, MFA codes, etc.,” the researchers said.

Zimperium has shared its findings with Google, so up-to-date Android devices are protected against the malware, and the company has also published DroidLock Indicators of Compromise (IoCs).
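Because DroidLock's takeover hinges on the Accessibility Services grant, a first triage step on a suspect device is to list which packages hold that grant and compare them with what the organisation expects. The script below is an added example, not Zimperium's tooling; it parses the colon-separated value that `adb shell settings get secure enabled_accessibility_services` returns (or the literal `null` when nothing is enabled) and reports packages outside an allowlist. The allowlist, the `com.example.fakeupdate` package and the sample values are constructed for this illustration; only TalkBack's package name is real.

```python
"""Triage check for unexpected Android accessibility services (added example)."""
from __future__ import annotations

# Hypothetical allowlist of accessibility services the organisation permits.
# TalkBack's package name is real; anything else would be added per policy.
ALLOWED_SERVICES = {
    "com.google.android.marvin.talkback",
}


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Split the setting value into (package, service class) pairs.

    Android stores the list as "pkg/cls:pkg2/cls2". `settings get` prints the
    string "null" when the setting was never written, which must not be
    mistaken for a service called "null".
    """
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    pairs = []
    for entry in raw.split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        # A class written as ".Foo" is shorthand for "<pkg>.Foo".
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def find_unexpected_services(raw: str, allowed=ALLOWED_SERVICES) -> list[str]:
    """Return packages holding the accessibility grant that are not allowlisted."""
    return sorted({pkg for pkg, _ in parse_enabled_services(raw) if pkg not in allowed})


# Constructed sample outputs; not captured from a real infected device.
SAMPLE_CLEAN = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService"
)
SAMPLE_SUSPECT = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeupdate/.SysUpdateService"  # hypothetical dropper package
)
SAMPLE_UNSET = "null"

if __name__ == "__main__":
    for label, value in [("clean", SAMPLE_CLEAN), ("suspect", SAMPLE_SUSPECT), ("unset", SAMPLE_UNSET)]:
        print(label, find_unexpected_services(value))
```

A package that shows up here and also appears in `dumpsys device_policy` as an active admin matches the permission pairing the researchers describe, and is the one to pull for analysis first.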

Ransomware Payments Fell After Law Enforcement Actions, But Still High: FinCEN

8 December 2025 at 14:07


U.S. companies made more than $2 billion in ransomware payments between 2022 and 2024, nearly equaling the total ransoms paid in the previous nine years, according to a new report from the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN). The report, which looked at threat pattern and trend information identified in Bank Secrecy Act (BSA) filings, said that between Jan. 1, 2022 and Dec. 31, 2024, FinCEN received 7,395 BSA reports related to 4,194 ransomware incidents and totaling more than $2.1 billion in ransomware payments. In the previous nine years, from 2013 to 2021, FinCEN received 3,075 BSA reports totaling approximately $2.4 billion in ransomware payments, the report said. FinCEN notes that because its data is based on BSA filings, it is by nature incomplete, and indeed, the 4,194 ransomware incidents recorded by FinCEN between 2022 and 2024 is less than 40% of the nearly 11,000 ransomware attacks recorded in Cyble’s threat intelligence data over the same period.

ALPHV/BlackCat and LockBit Enforcement Actions Lowered Ransomware Payments

Ransomware incidents and payments reported to FinCEN reached an all-time high in 2023 of 1,512 incidents totaling approximately $1.1 billion in payments, an increase of 77 percent in payments from 2022. In 2024, incidents decreased slightly to 1,476 while total payments dropped to approximately $734 million. FinCEN attributed the decline in ransomware payments in 2024 to law enforcement disruption of the ALPHV/BlackCat and LockBit ransomware groups. However, LockBit is in the midst of its most significant comeback since the law enforcement actions disrupted the group, with 21 new victims claimed so far this month. Of the 267 ransomware variants identified during the reporting period, the most common variants were Akira, ALPHV/BlackCat, LockBit, Phobos, and Black Basta. However, Qilin has emerged as the top ransomware group in 2025 by a wide margin, so FinCEN’s 2025 BSA data will almost certainly change. Despite the decline in payments, the value of reported ransomware payments in 2024 was still the third-highest yearly total since the reports began in 2013. The median ransomware payment was $124,097 in 2022, $175,000 in 2023, and $155,257 in 2024. Between January 2022 and December 2024, the most common payment range was below $250,000.

Financial Services, Manufacturing and Healthcare Most Targeted Sectors

Measuring both the number of ransomware incidents and the amount of aggregate payments, the financial services, manufacturing and healthcare industries were the most affected during the report period. Between January 2022 and December 2024, the most commonly targeted industries by number of incidents identified in ransomware-related BSA reports were manufacturing (456 incidents), financial services (432 incidents), healthcare (389 incidents), retail (337 incidents), and legal services (334 incidents). Industries that paid the most in ransoms during the three-year period were financial services (approximately $365.6 million), healthcare (about $305.4 million), manufacturing (approximately $284.6 million), science and technology (about $186.7 million), and retail ($181.3 million).

The Onion Router (Tor) was the most common communication method used by ransomware groups. About 42 percent of BSA reports indicated the method that ransomware threat actors used to communicate with their targets. Among those reports, 67 percent indicated that ransomware actors used Tor, while 28 percent indicated that they used email to communicate with their victims. Bitcoin (BTC) was the most common ransomware-related payment method, accounting for 97 percent of reported payments. Monero (XMR) was cited in two percent of BSA reports involving ransomware.

FinCEN also identified several common money laundering typologies used by ransomware groups. Threat actors overwhelmingly collected payments in unhosted convertible virtual currency (CVC) wallets and “continued to exploit CVC exchanges for money laundering purposes after receiving payment,” the report said. Ransomware groups also used “several common preferred malicious cyber facilitators, such as shared initial access vendors,” FinCEN said.

CISA Warns PRC Hackers Are Targeting VMware vSphere with BRICKSTORM Malware

4 December 2025 at 15:50


U.S. and Canadian cybersecurity agencies are warning that China-sponsored threat actors are using BRICKSTORM malware to compromise VMware vSphere environments. “Once compromised, the cyber actors can use their access to the vCenter management console to steal cloned virtual machine (VM) snapshots for credential extraction and create hidden, rogue VMs,” CISA, the NSA and the Canadian Centre for Cyber Security warned in the advisory. Attacks have so far primarily targeted the government and IT sectors, the agencies said.

One PRC BRICKSTORM Malware Attack Lasted More Than a Year

CISA – the U.S. Cybersecurity and Infrastructure Security Agency – said it analyzed eight BRICKSTORM samples obtained from victim organizations, including one where CISA conducted an incident response engagement. While the analyzed samples were for VMware vSphere environments, there are also Windows versions of the malware, the agency said.

In the incident response case, CISA said threat actors sponsored by the People’s Republic of China (PRC) gained “long-term persistent access” to the organization’s network in April 2024 and uploaded BRICKSTORM malware to a VMware vCenter server. The threat actors also accessed two domain controllers and an Active Directory Federation Services (ADFS) server, successfully compromising the ADFS server and exporting cryptographic keys. The threat actors used BRICKSTORM malware for persistent access “through at least Sept. 3, 2025,” the agency said.

BRICKSTORM is an Executable and Linkable Format (ELF) Go-based backdoor. While samples may differ in function, “all enable cyber actors to maintain stealthy access and provide capabilities for initiation, persistence, and secure command and control (C2),” the agencies said. BRICKSTORM can automatically reinstall or restart if disrupted. It uses DNS-over-HTTPS (DoH) and mimics web server functionality “to blend its communications with legitimate traffic." The malware gives threat actors interactive shell access on the system and allows them to “browse, upload, download, create, delete, and manipulate files.” Some of the malware samples act as a SOCKS proxy to facilitate lateral movement and compromise additional systems.

PRC Hackers Got Access via a Web Server

CISA said that in its incident response engagement, the PRC hackers accessed a web server inside the organization’s demilitarized zone (DMZ) on April 11, 2024. The threat actors accessed it through a web shell present on the server. “Incident data does not indicate how they obtained initial access to the web server or when the web shell was implanted,” CISA said. On the same day, the hackers used service account credentials to move laterally using Remote Desktop Protocol (RDP) to a domain controller in the DMZ, where they copied the Active Directory (AD) database (ntds.dit). The following day, the hackers moved laterally from the web server to a domain controller within the internal network using RDP and credentials from a second service account. “It is unknown how they obtained the credentials,” CISA said.

The hackers copied the AD database and obtained credentials for a managed service provider (MSP) account. Using the MSP credentials, the hackers moved from the internal domain controller to the VMware vCenter server. From the web server, the PRC hackers also moved laterally using Server Message Block (SMB) to two jump servers and an ADFS server, from which they stole cryptographic keys.

After gaining access to vCenter, the hackers elevated privileges using the sudo command, dropped BRICKSTORM malware into the server’s /etc/sysconfig/ directory, and modified the system’s init file in /etc/sysconfig/ to run the malware. The modified init file controls the bootup process on VMware vSphere systems and executes BRICKSTORM, CISA said. The file is typically used to define visual variables for the bootup process. The hackers added an additional line to the script to execute BRICKSTORM from the hard-coded file path /etc/sysconfig/.

CISA, NSA, and the Canadian Cyber Centre urged organizations to use the indicators of compromise (IOCs) and detection signatures in their lengthy report to detect BRICKSTORM malware samples.

CISA also recommended that organizations block unauthorized DNS-over-HTTPS (DoH) providers and external DoH network traffic; inventory all network edge devices and monitor for suspicious network connectivity; and use network segmentation to restrict network traffic from the DMZ to the internal network.
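BRICKSTORM reaches its C2 over DoH, and the agencies' first mitigation is to block DoH providers the organisation has not authorised. The script below is an added example, not part of the CISA advisory or its detection signatures; it applies that rule to a simplified, constructed web-proxy log format (`<timestamp> <client_ip> <dst_host>:<dst_port> <method> <path> <content_type>`). A line is flagged when its destination is a known public DoH resolver that is not on the authorised list, or when the request itself carries the RFC 8484 markers (a `/dns-query` path or the `application/dns-message` media type) to any host at all, which catches DoH to a resolver the list has never heard of. The resolver hostnames are real; the authorised list, the `example.net` hosts and the addresses are placeholders.

```python
"""Flag unauthorised DNS-over-HTTPS in proxy logs (added example)."""
from __future__ import annotations
from dataclasses import dataclass

# Public DoH endpoints (real hostnames); a production list would be longer.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.quad9.net"}
# Hypothetical: the only DoH resolver this organisation sanctions.
AUTHORISED_DOH_HOSTS = {"dns.quad9.net"}


@dataclass
class Finding:
    client_ip: str
    dst_host: str
    reason: str


def parse_line(line: str):
    """Parse one constructed log line; return None for malformed lines instead of crashing."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, client, dest, method, path, ctype = fields
    host, _, port = dest.rpartition(":")
    return {"ts": ts, "client": client, "host": host.lower(), "port": port,
            "method": method, "path": path, "ctype": ctype.lower()}


def classify(rec) -> str | None:
    """Return a reason string if the record looks like unauthorised DoH, else None."""
    if rec["host"] in AUTHORISED_DOH_HOSTS:
        return None
    if rec["host"] in KNOWN_DOH_HOSTS:
        return "known public DoH resolver not on authorised list"
    if rec["path"].split("?", 1)[0].endswith("/dns-query"):
        return "RFC 8484 /dns-query path to unrecognised host"
    if rec["ctype"] == "application/dns-message":
        return "application/dns-message body to unrecognised host"
    return None


def find_unauthorised_doh(lines) -> list[Finding]:
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            findings.append(Finding(rec["client"], rec["host"], reason))
    return findings


# Constructed sample log; example.net hosts and RFC 1918 client addresses are placeholders.
SAMPLE_LOG = """\
2025-09-03T10:00:01Z 10.0.5.20 www.example.net:443 GET /index.html text/html
2025-09-03T10:00:02Z 10.0.5.20 dns.quad9.net:443 POST /dns-query application/dns-message
2025-09-03T10:00:03Z 10.0.5.41 dns.google:443 GET /dns-query?dns=AAABAAAB application/dns-message
2025-09-03T10:00:04Z 10.0.5.41 cdn.example.net:443 POST /dns-query application/dns-message
2025-09-03T10:00:05Z 10.0.5.41 cdn.example.net:443 GET /static/app.js application/javascript
garbage line
""".splitlines()

if __name__ == "__main__":
    for f in find_unauthorised_doh(SAMPLE_LOG):
        print(f"{f.client_ip} -> {f.dst_host}: {f.reason}")
```

The fourth sample line is the case that matters for a backdoor that "mimics web server functionality": the destination looks like an ordinary CDN host, and only the DoH request shape gives it away, so a hostname blocklist alone would miss it.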

New Shai-Hulud Attack Hits Nearly 500 npm Packages with 100+ Million Downloads

24 November 2025 at 15:29


A new Shai-Hulud supply chain attack has hit nearly 500 npm packages with a total of 132 million monthly downloads. The latest campaign follows one in September that infected nearly 200 npm packages with more than 2 billion weekly downloads. The new campaign against npm packages, the libraries used to run JavaScript outside of a browser, was reported by Aikido and other security firms. Aikido noted that a total of 492 packages have been affected by the self-replicating worm, and more than 25,000 compromised repositories labeled “Sha1-Hulud: The Second Coming” have been created containing sensitive information like passwords, API keys, cloud tokens, and GitHub or npm credentials. “The timing is notable, given npm’s recent announcement that it will revoke classic tokens on December 9 after the wave of supply-chain attacks,” Aikido’s Charlie Eriksen said. “With many users still not migrated to trusted publishing, the attacker seized the moment for one more hit before npm’s deadline.”

Shai-Hulud Attack Affects Packages from Zapier, AsyncAPI and Others

Shai-Hulud, named after the giant sandworms from Dune, is a self-replicating npm worm built to spread quickly through compromised developer environments. The latest attack has hit major npm packages from the likes of Zapier, ENS, AsyncAPI, PostHog, Browserbase, and Postman. “Once it infects a system, it searches for exposed secrets such as API keys and tokens using TruffleHog and publishes anything it finds to a public GitHub repository,” Eriksen said. “It then attempts to push new copies of itself to npm, helping it propagate across the ecosystem, while exfiltrating data back to the attacker.” If a developer installs one of these malicious packages, the malware runs quietly during installation before anything even finishes installing, giving the malware access to the developer’s machine, build systems, or cloud environment, he said. If stolen secrets include access to code repositories or package registries, attackers can use those secrets to break into additional accounts and publish more malicious packages, spreading the attack even further. “Because trusted ecosystems were involved and millions of downloads are affected, any team using NPM should immediately check whether they were impacted and rotate any credentials that may have leaked,” Eriksen said.

Shai-Hulud Worm Details

Ashish Kurmi of Step Security noted that the latest evolution of the malware “disguises the entire payload as a helpful Bun installer.” The core payload - bun_environment.js - is 10MB and uses “extreme obfuscation techniques,” Kurmi added. These include “a massive hex-encoded string array containing thousands of entries,” an anti-analysis loop “that performs millions of arithmetic operations,” and retrieval of every string in the code through an obfuscated function. The malware delays full execution on developer machines by “forking itself into the background,” Kurmi said. “The user’s terminal returns instantly, giving the illusion of a normal install, while seconds later a completely detached process begins exfiltration.” “It executes a sophisticated, multi-stage pre-install attack that targets both CI/CD runners and developer workstations with equal effectiveness,” Kurmi said. Wiz noted that the malware targets AWS, Azure and Google Cloud Platform (GCP) by “bundling official SDKs to operate independently of host tools.”
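The worm gets to run "before anything even finishes installing" because npm executes a package's `preinstall`, `install`, `postinstall` and `prepare` scripts on its own during `npm install`. The script below is an added example, not Aikido's, StepSecurity's or Wiz's tooling; it audits `package.json` documents for those install-time hooks and grades each one, treating a command that names the `bun_environment.js` payload from the description above, or that detaches into the background, as high severity. The manifests, package names and the generic markers other than `bun_environment.js` are constructed for this illustration; in practice the documents would be read from `node_modules/<pkg>/package.json` or from a registry tarball before it is installed.

```python
"""Audit npm package manifests for install-time lifecycle hooks (added example)."""
from __future__ import annotations
import json

# Lifecycle scripts npm runs without being asked during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Strings worth a second look inside a hook command. Only the first comes from
# the campaign write-up; the rest are generic signs of detaching or fetching code.
SUSPICIOUS_MARKERS = ("bun_environment.js", " &", "nohup ", "curl ", "wget ")


def audit_manifest(manifest_json: str) -> list[dict]:
    """Report every install-time hook declared in one package.json document."""
    pkg = json.loads(manifest_json)
    scripts = pkg.get("scripts") or {}
    name = f"{pkg.get('name', '?')}@{pkg.get('version', '?')}"
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        markers = [m for m in SUSPICIOUS_MARKERS if m in cmd]
        findings.append({
            "package": name,
            "hook": hook,
            "command": cmd,
            "markers": markers,
            # Any hook deserves a look; a hook with a marker deserves it now.
            "severity": "high" if markers else "review",
        })
    return findings


def audit_all(manifests: dict[str, str]) -> list[dict]:
    """Audit a mapping of label -> package.json text and flatten the findings."""
    return [f for doc in manifests.values() for f in audit_manifest(doc)]


# Constructed manifests; the package names are invented.
SAMPLE_MANIFESTS = {
    "no-hooks": json.dumps({"name": "pad-helper", "version": "1.0.0",
                            "scripts": {"test": "node test.js"}}),
    "build-hook": json.dumps({"name": "typed-lib", "version": "2.3.1",
                              "scripts": {"prepare": "tsc -p ."}}),
    "suspect": json.dumps({"name": "trusted-looking-sdk", "version": "4.0.7",
                           "scripts": {"preinstall": "node bun_environment.js &"}}),
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_MANIFESTS):
        print(f"[{f['severity']}] {f['package']} {f['hook']}: {f['command']} {f['markers']}")
```

A `prepare` hook that runs a compiler is normal for packages installed from git, which is why it is graded "review" rather than "high"; the point of the audit is to make every install-time hook visible, not to decide for you. Setting `ignore-scripts=true` in `.npmrc` stops npm from running any of these hooks automatically, which is the blunt but effective control for CI runners that have no reason to execute third-party install scripts.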

CISA Adds Oracle Identity Manager Vulnerability to KEV Database

24 November 2025 at 12:44


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added an Oracle Identity Manager vulnerability to its Known Exploited Vulnerabilities database after the SANS Internet Storm Center reported attack attempts on the flaw. CVE-2025-61757 is a 9.8-severity Missing Authentication for Critical Function vulnerability in the Identity Manager product of Oracle Fusion Middleware that was patched as part of Oracle’s October update and detailed in a blog post last week by Searchlight Cyber, which had discovered the vulnerability and reported it to Oracle. Following the Searchlight post, the SANS Internet Storm Center looked for exploitation attempts on the vulnerability and found evidence as far back as August 30. “Given the complexity of some previous Oracle Access Manager vulnerabilities, this one is somewhat trivial and easily exploitable by threat actors,” Searchlight Cyber said in its post. Cyble threat intelligence researchers had flagged the vulnerability as important following Oracle’s October update.

Oracle Identity Manager Vulnerability CVE-2025-61757 Explained

CVE-2025-61757 affects the REST WebServices component of Identity Manager in Oracle Fusion Middleware versions 12.2.1.4.0 and 14.1.2.1.0. The easily exploitable pre-authentication remote code execution (RCE) vulnerability could allow an unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of the vulnerability can result in takeover of Identity Manager. The Searchlight researchers began looking for vulnerabilities after an Oracle Cloud breach earlier this year exploited a host that Oracle had failed to patch for CVE-2021-35587. In the source code for the Oracle Identity Governance Suite, the researchers found that the application compiles Groovy script but doesn’t execute it. Taking inspiration from a previous Java capture the flag (CTF) event, they noted that Java annotations are executed at compile time, not at run time, so they are free from the constraints of the Java security manager and can call system functions and read files just like regular Java code. “Since Groovy is built on top of Java, we felt we should be able to write a Groovy annotation that executes at compile time, even though the compiled code is not actually run,” they said. After experimenting with the code, they achieved RCE. “The vulnerability our team discovered follows a familiar pattern in Java: filters designed to restrict authentication often contain easy-to-exploit authentication bypass flaws,” the Searchlight researchers said. “Logical flaws in how Java interprets request URIs are a gift that continues giving when paired with matrix parameters.” “Participating in CTFs, or even staying up to date with research in the CTF space, continues to pay dividends, giving us unique insights into how we can often turn a seemingly unexploitable bug into an exploitable one.”

Oracle EBS Victims Climb Past 100

Meanwhile, the number of victims from the CL0P ransomware group’s exploitation of Oracle E-Business Suite vulnerabilities has now climbed past 100 after the threat group claimed additional victims late last week. Mazda and Cox Enterprises are the latest to confirm being breached, bringing the confirmed total to seven so far. Mazda said it was able to contain the breach without system or data impact, but Cox said the personal data of more than 9,000 people was exposed.

Scattered Spider Teens Plead Not Guilty in UK Court

21 November 2025 at 13:52


Two alleged members of the Scattered Spider threat group pleaded not guilty today to charges related to a cyberattack on Transport for London in August 2024. Thalha Jubair, 19, of east London, and Owen Flowers, 18, from Walsall in the West Midlands, were arrested in the UK in September. They appeared before Southwark Crown Court today and entered not guilty pleas to charges of conspiring to commit unauthorized acts against computer systems belonging to Transport for London (TfL), according to news reports. Sky News reported that the two “stood in the dock together and spoke only to confirm their names and enter not guilty pleas.” The charge states in part that the two are accused of "causing, or creating a significant risk of, serious damage to human welfare and intending to cause such damage or being reckless as to whether such damage was caused." Flowers is also accused of unauthorized acts against computer systems belonging to SSM Health, and attempting to commit unauthorized acts against computer systems belonging to Sutter Health. Jubair is also accused of failing to disclose the PIN or passwords for devices seized from him in March 2025, and Jubair also faces substantial charges in the U.S. Both men continue to be held on remand, the BBC reported.

Scattered Spider Trial Date Set

A provisional trial date has been set for June 8, 2026, at Southwark Crown Court, with a pre-trial hearing scheduled for February 13. The cyberattack allegedly caused £39m of damage and disrupted TfL services for three months. While transport itself was unaffected, many TfL online services and information boards were knocked offline as part of the attack. Traffic cameras and "dial a ride" bookings were some of the affected services, and some payment systems were also affected. Personal data including names, emails and home addresses were accessed, and TfL was forced to inform thousands of customers that there may have been unauthorized access to personal information that may have included bank account numbers and sort codes.

Jubair Faces U.S. Charges Too

Jubair has also been charged by the U.S. Department of Justice (DoJ) for conspiracies to commit computer fraud, wire fraud, and money laundering in relation to at least 120 computer network intrusions and extortion involving 47 U.S. entities. The unsealed U.S. complaint alleged that Jubair’s victims paid at least $115 million in ransom payments. The U.S. claims Jubair could face up to 95 years in prison on the charges. Scattered Spider recently joined with ShinyHunters and LAPSUS$ to form the Scattered LAPSUS$ Hunters threat collective, which remains active. Recent attacks by the group have targeted Salesforce data, including one involving the Gainsight customer success platform this week. Scattered LAPSUS$ Hunters also claims to have been behind an insider attack at security vendor CrowdStrike, according to Bleeping Computer, although CrowdStrike says its systems and customer data were not affected by the incident.

Stolen VPN Credentials Most Common Ransomware Attack Vector

20 November 2025 at 12:44


Compromised VPN credentials are the most common initial access vector for ransomware attacks, according to a new report. Nearly half of ransomware attacks in the third quarter abused compromised VPN credentials as the initial access point, according to research from Beazley Security, the cybersecurity arm of Beazley Insurance. Nearly a quarter of initial access attacks came from external service exploitation, while remote desktop service (RDS) credential compromises, supply chain attacks and social engineering accounted for 6% each (chart below).

(Chart: Initial access vectors in ransomware attacks. Source: Beazley Security)

“This trend underscores the importance of ensuring that multifactor authentication (MFA) is configured and protecting remote access solutions and that security teams maintain awareness and compensating controls for any accounts where MFA exceptions have been put in place,” the report said. In addition to the critical need for MFA, the report also underscores the importance of dark web monitoring for leaked credentials, which are often a precursor to much bigger cyberattacks.

SonicWall Compromises Led Attacks on VPN Credentials

A “prolonged campaign” targeting SonicWall devices by the Akira ransomware group was responsible for some of the 10-point increase in the percentage of VPN attacks. “Adding to SonicWall’s misery this quarter was a significant breach of their cloud service, including sensitive configuration backups of client SonicWall devices,” the report added. Akira, Qilin and INC were by far the most active ransomware groups in the third quarter, Beazley said – and all three exploit VPN and remote desktop credentials. Akira “typically gains initial access by exploiting weaknesses in VPN appliances and remote services,” the report said. In the third quarter, they used credential stuffing and brute force attacks to target unpatched systems and weak credentials. Akira accounted for 39% of Beazley Security incident response cases in the third quarter. Akira “consistently gained access by using valid credentials in credential stuffing attacks against SonicWall SSLVPN services, exploiting weak access controls such as absent MFA and insufficient lockout policies on the device,” the report said. Qilin’s initial access techniques include phishing emails, malicious attachments, and brute forcing weak credentials or stolen credentials in remote desktop protocol (RDP) and VPN services. INC Ransomware uses a combination of phishing, credential theft, and exploitation of exposed enterprise appliances for initial access. “Beazley Security responders observed the group leverage valid, compromised credentials to access victim environments via VPN and Remote Desktop,” the report said.

Cisco, Citrix Vulnerabilities, SEO Poisoning Also Exploited

Critical vulnerabilities in Cisco and Citrix NetScaler were also targeted by attackers in the third quarter. In one campaign, a sophisticated threat actor leveraged CVE-2025-20333 and CVE-2025-20363 in Cisco ASA VPN components to gain unauthorized access into environments, Beazley said. Another campaign targeted a critical SNMP flaw (CVE-2025-20352) in Cisco IOS. Threat actors also targeted Citrix NetScaler vulnerabilities CVE-2025-7775 and CVE-2025-5777. The latter has been dubbed “Citrix Bleed 2” because of similarities to 2023’s “Citrix Bleed” vulnerability (CVE-2023-4966). A “smaller yet noteworthy subset” of ransomware attacks gained access via search engine optimization (SEO) poisoning attacks and malicious advertisements, used for initial access in some Rhysida ransomware attacks. “This technique places threat actor-controlled websites at the top of otherwise trusted search results, tricking users into downloading fake productivity and administrative tools such as PDF editors,” the report said. “These tools can be trojanized with various malware payloads, depending on threat actor objectives, and can potentially give threat actors a foothold directly on the endpoint in a network. The attack is effective because it bypasses other traditional social engineering protections like email filters that prevent phishing attacks.”

U.S., UK, Australia Sanction Russian Bulletproof Hosting Provider

19 November 2025 at 16:28


U.S., Australian and UK officials today announced sanctions against Media Land, a Russian bulletproof hosting (BPH) provider, citing Media Land’s “role in supporting ransomware operations and other forms of cybercrime.” “These so-called bulletproof hosting service providers like Media Land provide cybercriminals essential services to aid them in attacking businesses in the United States and in allied countries,” stated U.S. Under Secretary of the Treasury for Terrorism and Financial Intelligence John K. Hurley. “Today’s trilateral action with Australia and the United Kingdom, in coordination with law enforcement partners, demonstrates our collective commitment to combatting cybercrime and protecting our citizens.” UK Foreign Secretary Yvette Cooper added, “Cyber criminals think that they can act in the shadows, targeting hard working British people and ruining livelihoods with impunity. But they are mistaken – together with our allies, we are exposing their dark networks and going after those responsible.”

Today’s announcements came from the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC), Australia’s Department of Foreign Affairs and Trade, and the UK’s Foreign Commonwealth and Development Office. OFAC and the FBI also designated three members of Media Land’s leadership team and three of its sister companies. In the U.S., OFAC sanctions require blocking and mandatory reporting of all property and interests of the designated persons and entities and prohibit all transactions involving any property or interests of designated or blocked persons. BPH service providers offer access to specialized servers and infrastructure designed to evade detection and disruption by law enforcement.

Russian Bulletproof Hosting Provider and Individuals Sanctioned

Media Land LLC, headquartered in St. Petersburg, Russia, has provided BPH services to criminal marketplaces and ransomware actors, including “prolific ransomware actors such as LockBit, BlackSuit, and Play,” the U.S. statement alleges. Media Land infrastructure has also been used in DDoS attacks, the U.S. says. Media Land, ML Cloud (a Media Land sister company), Aleksandr Volosovik (general director of Media Land who has allegedly advertised the business on cybercrime forums under the alias “Yalishanda”), and Kirill Zatolokin (a Media Land employee allegedly responsible for collecting payment and coordinating with cyber actors) were designated by OFAC for their cyber activities. The UK alleges that Volosovik “has been active in the cyber underground since at least 2010, and is known to have worked with some of the most notorious cyber criminal groups, including Evil Corp, LockBit and Black Basta.” Yulia Pankova was designated by OFAC for allegedly assisting Volosovik with legal issues and finances. Also designated are Media Land Technology (MLT) and Data Center Kirishi (DC Kirishi), fully-owned subsidiaries of Media Land.

U.S. and UK Sanction Alleged Aeza Entities

OFAC and the UK also designated Hypercore Ltd., an alleged front company of Aeza Group LLC, a BPH service provider designated by OFAC earlier this year, and two additional individuals and entities that have allegedly led, materially supported, or acted for Aeza Group. OFAC said that after its designations of Aeza Group and its leadership on July 1, 2025, “Aeza leadership initiated a rebranding strategy focusing on removing any connections between Aeza and their new technical infrastructure. OFAC’s designations today serve as a reminder that OFAC will take all possible steps to counter sanctions evasion activity by malicious cyber actors and their enablers.” Maksim Vladimirovich Makarov, allegedly the new director of Aeza, and Ilya Vladislavovich Zakirov, who allegedly helped establish new companies and payment methods to obfuscate Aeza’s activity, were also designated. Smart Digital Ideas DOO and Datavice MCHJ – Serbian and Uzbek companies allegedly utilized by Aeza to evade sanctions and set up technical infrastructure not publicly associated with the Aeza brand – were also designated.

Five Eyes Guidance for Defending Against BPH Providers

Also today, the U.S. and other “Five Eyes” countries issued guidance for defending against risks from bulletproof hosting providers. “Organizations with unprotected or misconfigured systems remain at high risk of compromise, as malicious actors leverage BPH infrastructure for activities such as ransomware, phishing, malware delivery, and denial-of-service (DoS) attacks,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) stated in announcing the guidance. “BPH providers pose a significant threat to the resilience and security of critical systems and services.” Included in the guidance are recommendations for a “nuanced approach to dynamically filter ASNs, IP ranges, or individual IP addresses to effectively reduce the risk of compromise from BPH provider-enabled activity.”
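The guidance's call for a "nuanced" approach to filtering ASNs, IP ranges and individual addresses is easier to reason about in code. The following is an added example, not code from CISA or the Five Eyes guidance: a small reputation filter that loads block entries at ASN, prefix and host granularity, lets a most-specific rule win, and supports explicit exceptions so that a legitimate partner sitting inside a flagged range is not silently dropped. The feed contents are constructed from RFC 5737 documentation address ranges and an RFC 5398 documentation ASN; a real deployment would load and refresh them from a threat-intelligence feed.

```python
"""Dynamic IP/ASN reputation filter of the kind the Five Eyes BPH guidance describes.

Added illustration, not code from CISA or the guidance itself. Prefix and ASN data
below are constructed (RFC 5737 documentation ranges, RFC 5398 documentation ASN).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Verdict:
    ip: str
    action: str   # "allow" or "block"
    reason: str


class BphFilter:
    """Block list keyed by network prefix; an ASN is just a set of prefixes."""

    def __init__(self) -> None:
        self._blocked = {}            # ip_network -> reason string
        self._exceptions = set()      # ip_address objects exempted from blocking

    def block_range(self, cidr: str, reason: str) -> None:
        self._blocked[ipaddress.ip_network(cidr, strict=False)] = reason

    def block_host(self, ip: str, reason: str) -> None:
        # A bare address becomes a /32 or /128, i.e. a one-address range.
        self.block_range(ip, reason)

    def block_asn(self, asn: str, prefixes: List[str]) -> None:
        # The prefixes an ASN announces come from the feed; we only tag the reason.
        for prefix in prefixes:
            self.block_range(prefix, f"asn:{asn}")

    def unblock(self, cidr: str) -> None:
        # Rule rotation: feeds change, so entries must be removable as well as added.
        self._blocked.pop(ipaddress.ip_network(cidr, strict=False), None)

    def allow_exception(self, ip: str) -> None:
        # Explicit exemption for a known-good host inside an otherwise blocked range.
        self._exceptions.add(ipaddress.ip_address(ip))

    def check(self, ip: str) -> Verdict:
        addr = ipaddress.ip_address(ip)
        if addr in self._exceptions:
            return Verdict(ip, "allow", "explicit exception")
        # Longest-prefix match wins, so a host rule overrides a range rule.
        best = None
        for net, reason in self._blocked.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, reason)
        if best is not None:
            return Verdict(ip, "block", f"{best[1]} ({best[0]})")
        return Verdict(ip, "allow", "no match")


# Constructed feed in a hypothetical format (not any vendor's schema).
SAMPLE_FEED: Dict[str, Dict] = {
    "asns": {"AS64496": ["192.0.2.0/24", "2001:db8:1::/48"]},
    "ranges": {"198.51.100.0/25": "bph-hosting-feed"},
    "hosts": {"203.0.113.7": "c2-sighting"},
}


def build_filter_from_feed(feed: Dict[str, Dict]) -> BphFilter:
    """Load ASN, range and host entries from a feed into one filter."""
    flt = BphFilter()
    for asn, prefixes in feed.get("asns", {}).items():
        flt.block_asn(asn, prefixes)
    for cidr, reason in feed.get("ranges", {}).items():
        flt.block_range(cidr, reason)
    for host, reason in feed.get("hosts", {}).items():
        flt.block_host(host, reason)
    return flt


def classify_connections(flt: BphFilter, source_ips: List[str]) -> List[Verdict]:
    """Apply the filter to a list of observed source addresses."""
    return [flt.check(ip) for ip in source_ips]


if __name__ == "__main__":
    f = build_filter_from_feed(SAMPLE_FEED)
    f.allow_exception("192.0.2.55")   # constructed: partner host inside a blocked ASN
    sample_sources = ["192.0.2.10", "192.0.2.55", "198.51.100.20",
                      "198.51.100.200", "203.0.113.7", "2001:db8:1::5"]
    for v in classify_connections(f, sample_sources):
        print(f"{v.ip:16} {v.action:5} {v.reason}")
```

The exception set and the longest-prefix rule are what make the filter "nuanced" rather than a blunt ASN-wide drop: blocking decisions stay explainable (each verdict carries the rule that produced it), and a single partner address can be carved out without unblocking the whole provider.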

Fortinet Silent Patch Raises Concern Among Security Researchers

18 November 2025 at 15:39

Fortinet Silent Patch

Fortinet may have silently patched an exploited zero-day vulnerability more than two weeks before officially disclosing the vulnerability. CVE-2025-64446 in Fortinet’s FortiWeb web application firewall (WAF) may have been exploited as early as October 6, according to DefusedCyber in a post on X. Fortinet is believed to have patched the 9.8-rated vulnerability in FortiWeb 8.0.2 in late October, but didn’t publish an advisory disclosing the exploited vulnerability until November 14. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog the same day as Fortinet’s disclosure. Late today, Fortinet disclosed another exploited FortiWeb vulnerability - CVE-2025-58034, a 7.2-rated OS Command Injection vulnerability.

Fortinet Silent Patch Raises Concerns

The delayed notification in the case of CVE-2025-64446 has raised concerns with some in the cybersecurity industry, who say the delay may have put Fortinet customers at a disadvantage. “Silently patching vulnerabilities is an established bad practice that enables attackers and harms defenders, particularly for devices and systems (including FortiWeb) that have previously been exploited in the wild,” VulnCheck’s Caitlin Condon said in a blog post. “We already know security by obscurity doesn't work; adversaries monitor new product releases and are actively reverse engineering patches regardless of whether suppliers tell their customers about fixed vulnerabilities or not,” Condon added. “When popular technology vendors fail to communicate new security issues, they are issuing an invitation to attackers while choosing to keep that same information from defenders.” The Cyber Express has reached out to Fortinet for comment and will update this article with any response.

CVE-2025-64446 FortiWeb Vulnerability

CVE-2025-64446 is a 9.8-severity relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, and FortiWeb 7.0.0 through 7.0.11. The vulnerability could potentially allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests. Fortinet recommends disabling HTTP or HTTPS for internet-facing interfaces until an upgrade can be performed. “If the HTTP/HTTPS Management interface is internally accessible only as per best practice, the risk is significantly reduced,” Fortinet’s advisory said. Shadowserver shows several hundred internet-facing FortiWeb management instances, which presumably would be vulnerable until upgraded. After completing upgrades, Fortinet recommends that FortiWeb customers “review their configuration for and review logs for unexpected modifications, or the addition of unauthorized administrator accounts.”

watchTowr said CVE-2025-64446 appears to comprise two vulnerabilities: a path traversal vulnerability and an authentication bypass vulnerability. watchTowr shared one sample request stream that it said was “evidence of a threat actor looking to exploit a vulnerability ... that allowed privileged administrative functions to be reached.” In the example, the threat actor “exploited the vulnerability to add administrative accounts to the target and vulnerable appliance, serving as a weak persistence mechanism.” “To be explicitly clear,” watchTowr added, “this is a complete compromise of the vulnerable appliance.”

Washington Post Confirms Data Breach as CL0P Claims Over 40 Oracle Victims

14 November 2025 at 14:35

Washington Post data breach claimed by CL0P

The Washington Post has confirmed that it was breached by a threat campaign targeting Oracle E-Business Suite vulnerabilities. The Washington Post data breach is one of more than 40 victims claimed by the CL0P ransomware group in a campaign that is believed to have targeted Oracle E-Business Suite vulnerability CVE-2025-61884, but so far only four of the victims have confirmed that they were breached: The Post, Harvard University, American Airlines’ Envoy Air, and Hitachi’s GlobalLogic. The Post confirmed the data breach in a Nov. 12 filing with the Maine Attorney General’s office.

Washington Post Data Breach Detailed in Letter

The Washington Post data breach timeline was detailed in a letter from a law firm representing the newspaper to Maine Attorney General Aaron Frey. The letter states that on September 29, The Post “was contacted by a bad actor who claimed to have gained access to its Oracle E-Business Suite applications.” The Post letter said the company subsequently launched an investigation of its Oracle application environment with the help of experts. “During the investigation, Oracle announced that it had identified a previously unknown and widespread vulnerability in its E-Business Suite software that permitted unauthorized actors to access many Oracle customers’ E-Business Suite applications,” The Post’s letter states. “The Post’s investigation confirmed that it was impacted by this exploit and determined that, between July 10, 2025, and August 22, 2025, certain data was accessed and acquired without authorization.” On October 27, 2025, The Post “confirmed that certain personal information belonging to current and former employees and contractors was affected by this incident. The affected information varies by individual but may include individuals’ names, bank account numbers and associated routing numbers, Social Security numbers, and/or tax ID numbers.” On November 12, The Post said it notified 31 Maine residents of the incident, but the total number of affected employees and contractors is believed to total just under 10,000. The Post said it has offered complimentary identity protection services through IDX to individuals whose Social Security numbers or tax ID numbers were exposed in the breach.

CL0P Oracle Victims Number More Than 40

While only four victims have confirmed they were hit in the Oracle cyberattack campaign, the Cl0p ransomware group has claimed roughly 45 victims to date from the campaign on its dark web data leak site. Alleged victims claimed by CL0P have included major electronics companies, energy and utility organizations, technology companies, manufacturers, medical technology companies, healthcare providers, major colleges and universities, insurers, security companies, banks, construction and engineering firms, mining companies and communications companies, among other industries and sectors. CL0P has tended to cluster victims in campaigns targeting specific vulnerabilities throughout its six-year history, including 267 claimed victims in February 2025 that drove ransomware attacks to record highs that month.

Researchers question Anthropic claim that AI-assisted attack was 90% autonomous

14 November 2025 at 07:20

Researchers from Anthropic said they recently observed the “first reported AI-orchestrated cyber espionage campaign” after detecting China-state hackers using the company’s Claude AI tool in a campaign aimed at dozens of targets. Outside researchers are much more measured in describing the significance of the discovery.

Anthropic published the reports on Thursday here and here. In September, the reports said, Anthropic discovered a “highly sophisticated espionage campaign,” carried out by a Chinese state-sponsored group, that used Claude Code to automate up to 90 percent of the work. Human intervention was required “only sporadically (perhaps 4-6 critical decision points per hacking campaign).” Anthropic said the hackers had employed AI agentic capabilities to an “unprecedented” extent.

“This campaign has substantial implications for cybersecurity in the age of AI ‘agents’—systems that can be run autonomously for long periods of time and that complete complex tasks largely independent of human intervention,” Anthropic said. “Agents are valuable for everyday work and productivity—but in the wrong hands, they can substantially increase the viability of large-scale cyberattacks.”


Akira Ransomware Group Poses ‘Imminent Threat’ to Critical Infrastructure: CISA

13 November 2025 at 14:59

Akira ransomware group CISA advisory

The Akira ransomware group poses an “imminent threat to critical infrastructure,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned today. CISA joined with the FBI, other U.S. agencies and international counterparts to issue a lengthy updated advisory on the ransomware group, adding many new Akira tactics, techniques and procedures (TTPs), indicators of compromise (IoCs), and vulnerabilities exploited by the group. Akira is consistently one of the most active ransomware groups, so the update from CISA and other agencies is significant. As of late September, Akira has netted about $244.17 million in ransom payments, CISA said. The Akira ransomware group information was sourced from “FBI investigations and trusted third-party reporting,” the agency said. In a busy two days for the agency, CISA also added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog (CVE-2025-9242, a WatchGuard Firebox Out-of-Bounds Write vulnerability, CVE-2025-12480, a Gladinet Triofox Improper Access Control vulnerability, and CVE-2025-62215, a Microsoft Windows Race Condition vulnerability), and reissued orders to federal agencies to patch Cisco vulnerabilities CVE-2025-20333 and CVE-2025-20362.

Akira Ransomware Group Targets Vulnerabilities for Initial Access

The CISA Akira advisory notes that in a June 2025 incident, Akira encrypted Nutanix Acropolis Hypervisor (AHV) virtual machine (VM) disk files for the first time, expanding the ransomware group’s abilities beyond VMware ESXi and Hyper-V by abusing CVE-2024-40766, a SonicWall vulnerability. The updated advisory adds six new vulnerabilities exploited by Akira threat actors for initial access, including:
  • CVE-2020-3580, a cross-site scripting (XSS) vulnerability in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD)
  • CVE-2023-28252, a Windows Common Log File System Driver Elevation of Privilege vulnerability
  • CVE-2024-37085, a VMware ESXi authentication bypass vulnerability
  • CVE-2023-27532, a Veeam Missing Authentication for Critical Function vulnerability
  • CVE-2024-40711, a Veeam Deserialization of Untrusted Data vulnerability
  • CVE-2024-40766, a SonicWall Improper Access Control vulnerability
“Akira threat actors gain access to VPN products, such as SonicWall, by stealing login credentials or exploiting vulnerabilities like CVE-2024-40766,” the CISA advisory said. In some cases, they gain initial access with compromised VPN credentials, possibly by using initial access brokers or brute-forcing VPN endpoints. The group also uses password spraying techniques and tools such as SharpDomainSpray to gain access to account credentials. Akira threat actors have also gained initial access through the Secure Shell (SSH) protocol by exploiting a router’s IP address. “After tunneling through a targeted router, Akira threat actors exploit publicly available vulnerabilities, such as those found in the Veeam Backup and Replication component of unpatched Veeam backup servers,” the advisory said.

Akira’s Latest Discovery, Persistence and Evasion Tactics

Visual Basic (VB) scripts are frequently used by the group to execute malicious commands, and nltest /dclist: and nltest /DOMAIN_TRUSTS are used for network and domain discovery. Akira threat actors abuse remote access tools such as AnyDesk and LogMeIn for persistence and to “blend in with administrator activity,” and Impacket is used to execute the remote command wmiexec.py and obtain an interactive shell. Akira threat actors also uninstall endpoint detection and response (EDR) systems to evade detection.

In one incident, Akira threat actors bypassed Virtual Machine Disk (VMDK) file protection by powering down the domain controller’s VM and copying the VMDK files to a newly created VM, CISA said. “This sequence of actions enabled them to extract the NTDS.dit file and the SYSTEM hive, ultimately compromising a highly privileged domain administrator’s account,” the advisory said. Veeam.Backup.MountService.exe has also been used for privilege escalation (CVE-2024-40711), and AnyDesk, LogMeIn, RDP, SSH and MobaXterm have been used for lateral movement.

Akira actors have used tunneling utilities such as Ngrok for command and control (C2) communications, initiating encrypted sessions that bypass perimeter monitoring. PowerShell and Windows Management Instrumentation Command-line (WMIC) have also been used to disable services and execute malicious scripts. Akira threat actors have been able to exfiltrate data in just over two hours from initial access, CISA said.

The new Akira_v2 variant appends encrypted files with an .akira or .powerranges extension, or with .akiranew or .aki. A ransom note named fn.txt or akira_readme.txt appears in both the root directory (C:\) and each user’s home directory (C:\Users).
CISA recommended a number of security best practices for combatting the Akira ransomware threat, including prioritizing remediating known exploited vulnerabilities, enforcing phishing-resistant multifactor authentication (MFA), and maintaining regular, tested offline backups of critical data.
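The advisory's host-level indicators (the nltest discovery commands, Impacket's wmiexec.py, the ransom-note names and the encrypted-file extensions) are concrete enough to turn into a triage sweep. The following is an added example, not code from CISA or any vendor: it scans constructed process and file-event records for those indicators and ranks hosts that show both pre-encryption activity (discovery or remote execution) and encryption artifacts (ransom notes or renamed files), since those are the hosts an incident responder should look at first. The log format is a simplified whitespace-separated layout invented for the example; real EDR or Sysmon telemetry needs its own parser.

```python
"""Triage sweep for the Akira indicators named in the CISA advisory.

Added illustration, not code from CISA or any vendor. Sample records below are
constructed in a simplified format: process lines are
"timestamp host user image command_line", file lines are "host path".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Discovery and remote-execution behaviours named in the advisory.
COMMAND_PATTERNS = {
    "nltest_dclist": re.compile(r"\bnltest(?:\.exe)?\s+/dclist", re.IGNORECASE),
    "nltest_domain_trusts": re.compile(r"\bnltest(?:\.exe)?\s+/domain_trusts", re.IGNORECASE),
    "impacket_wmiexec": re.compile(r"\bwmiexec(?:\.py)?\b", re.IGNORECASE),
}
PRE_ENCRYPTION = set(COMMAND_PATTERNS)
# Ransom-note names and encrypted-file extensions named in the advisory.
RANSOM_NOTE_NAMES = {"fn.txt", "akira_readme.txt"}
ENCRYPTED_EXTENSIONS = (".akira", ".powerranges", ".akiranew", ".aki")
ENCRYPTION_ARTIFACTS = {"ransom_note", "encrypted_file"}


@dataclass(frozen=True)
class Finding:
    host: str
    category: str
    evidence: str


def classify_command(command_line: str) -> Optional[str]:
    """Return the matching TTP label for a process command line, or None."""
    for label, pattern in COMMAND_PATTERNS.items():
        if pattern.search(command_line):
            return label
    return None


def classify_path(path: str) -> Optional[str]:
    """Return 'ransom_note' or 'encrypted_file' for a file path, or None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in RANSOM_NOTE_NAMES:
        return "ransom_note"
    if name.endswith(ENCRYPTED_EXTENSIONS):
        return "encrypted_file"
    return None


def scan_process_log(lines: List[str]) -> List[Finding]:
    """Scan 'timestamp host user image command_line' records."""
    findings = []
    for line in lines:
        parts = line.split(maxsplit=4)
        if len(parts) < 5:
            continue  # malformed record: skip it rather than abort the sweep
        _ts, host, _user, _image, cmd = parts
        label = classify_command(cmd)
        if label:
            findings.append(Finding(host, label, cmd))
    return findings


def scan_file_events(lines: List[str]) -> List[Finding]:
    """Scan 'host path' records for ransom notes and encrypted-file extensions."""
    findings = []
    for line in lines:
        parts = line.split(maxsplit=1)
        if len(parts) < 2:
            continue
        host, path = parts
        label = classify_path(path)
        if label:
            findings.append(Finding(host, label, path))
    return findings


def priority_hosts(findings: List[Finding]) -> List[str]:
    """Hosts showing both pre-encryption activity and encryption artifacts."""
    by_host: Dict[str, Set[str]] = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.category)
    return sorted(h for h, cats in by_host.items()
                  if cats & PRE_ENCRYPTION and cats & ENCRYPTION_ARTIFACTS)


# Constructed sample telemetry (not real incident data).
SAMPLE_PROCESS_LOG = [
    "2025-06-14T02:11:05Z ws-17 corp\\jdoe C:\\Windows\\System32\\nltest.exe nltest /dclist:corp.local",
    "2025-06-14T02:11:09Z ws-17 corp\\jdoe C:\\Windows\\System32\\nltest.exe nltest /DOMAIN_TRUSTS",
    "2025-06-14T02:13:40Z srv-fs01 corp\\svc_backup C:\\Python\\python.exe python wmiexec.py corp/svc_backup@10.0.0.5",
    "2025-06-14T02:15:00Z ws-17 corp\\jdoe C:\\Windows\\System32\\notepad.exe notepad report.txt",
]
SAMPLE_FILE_EVENTS = [
    "srv-fs01 C:\\Users\\jdoe\\Documents\\budget.xlsx.akira",
    "srv-fs01 C:\\akira_readme.txt",
    "ws-17 C:\\Users\\jdoe\\fn.txt",
    "ws-17 C:\\Users\\jdoe\\notes.txt",
]

if __name__ == "__main__":
    found = scan_process_log(SAMPLE_PROCESS_LOG) + scan_file_events(SAMPLE_FILE_EVENTS)
    for f in found:
        print(f"{f.host:9} {f.category:22} {f.evidence}")
    print("priority hosts:", priority_hosts(found))
```

The point of combining the two scans is timing: nltest and wmiexec.py are legitimate administrative tools and will fire on their own in any large estate, so correlating them with ransom-note or extension sightings on the same host separates an Akira intrusion from routine noise.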

Ransomware Attacks Soared 30% in October

13 November 2025 at 12:40

ransomware attacks October 2025

Ransomware attacks soared 30% in October to the second-highest total on record, Cyble reported today. The 623 ransomware attacks recorded in October were second only to February 2025’s record attacks, when a CL0P MFT campaign drove the total number of ransomware attacks to 854. October was the sixth consecutive monthly increase in ransomware attacks, Cyble noted in a blog post.

Qilin once again was the most active ransomware group, for the sixth time in the seven months since the decline of RansomHub. Qilin’s 210 claimed victims were three times greater than second-place Akira (chart below). Just behind Akira was Sinobi with 69 victims, a remarkable rise for a group that first emerged in July.

(Chart: Top ransomware groups October 2025, Cyble)

Construction, Professional Services, Healthcare, Manufacturing, IT and Energy/Utilities were the most targeted sectors (chart below).

(Chart: Ransomware attacks by industry October 2025, Cyble)

Cyble noted that 31 incidents in October may have affected critical infrastructure, and another 26 incidents had possible supply chain implications. The U.S. once again was the most attacked country, its 361 attacks 10 times greater than second-place Canada (chart below).

(Chart: Ransomware attacks by country October 2025, Cyble)

“Of concern is the emergence of Australia as a top five target, as the country’s rich resources and high per-capita GDP have made the country a rich target for threat actors,” Cyble noted.
Ransomware attacks are up 50% so far this year, with 5,194 ransomware attacks through October 31, Cyble said, “as new leaders like Qilin, Sinobi and The Gentlemen have more than made up for the decline of former leaders such as LockBit and RansomHub.”

Vulnerabilities Exploited by Ransomware Groups

Critical IT vulnerabilities and unpatched internet-facing assets have fueled a rise in both ransomware and supply chain attacks this year, Cyble said. Vulnerabilities targeted in October included:
  • CVE-2025-61882 in Oracle E-Business Suite – targeted by Cl0p
  • CVE-2025-10035 in GoAnywhere MFT – exploited by Medusa
  • CVE-2021-43226, a Microsoft Windows Privilege Escalation vulnerability – exploited by unknown ransomware groups, according to a CISA advisory
  • CVE-2025-6264 in Velociraptor – targeted by Warlock ransomware operators
  • CVE-2024-1086 in the Linux kernel’s netfilter: nf_tables module – exploited by unknown ransomware groups, according to a CISA advisory

Ransomware Attacks and Key Developments

Below were some of the most important ransomware developments in October, according to Cyble.

Ransomware operators are “increasingly hijacking or silently installing legitimate remote access tools” such as AnyDesk, RustDesk, Splashtop, and TightVNC after credential compromise to gain persistent access, control, antivirus neutralization and ransomware delivery. Recent BlackSuit campaigns used vishing to steal VPN credentials for initial access and DCSync on a domain controller for high-privilege access, and used AnyDesk and a custom RAT for persistence. “Other measures included wiping forensic traces with CCleaner, and using Ansible to deploy BlackSuit ransomware across ESXi hosts, encrypting hundreds of VMs and causing major operational disruption,” Cyble said.

Qilin affiliates deployed a Linux-based ransomware binary on Windows machines by abusing remote-management tools like WinSCP, Splashtop, AnyDesk, and ScreenConnect, and leveraging BYOVD (Bring Your Own Vulnerable Driver) attacks, among other tools and tactics. Trigona ransomware operators brute-forced exposed MS-SQL servers, embedded malware inside database tables and exported it to disk to install payloads.

DragonForce posted on the RAMP cybercrime forum that it is opening its partner program to the public, offering services like professional file analysis/audit, hash decryption, call support, and free victim storage. Registration requires a $500 non-refundable fee. Affiliates were warned to follow the group’s rules “or face account blocking or free decryptor distribution.”

Zeta88, the alleged operator of The Gentlemen ransomware, announced updates to their Windows, Linux and ESXi lockers, including a silent mode for Windows that encrypts without renaming files and preserves timestamps, and self-spread capabilities across networks and domains. The release also introduced multiple encryption-speed modes, Windows operating modes, and a universal decryptor.
The full Cyble blog also included recommended best practices and recent high-confidence Qilin indicators of compromise (IoCs).

AI Malware Detected in the Wild as Threats Evolve

7 November 2025 at 13:16

AI malware

AI malware may be in the early stages of development, but it's already being detected in cyberattacks, according to new research published this week. Google researchers looked at five AI-enabled malware samples - three of which have been observed in the wild - and found that the malware was often lacking in functionality and easily detected. Nonetheless, the research offers insight into where the use of AI in threat development may go in the future. “Although some recent implementations of novel AI techniques are experimental, they provide an early indicator of how threats are evolving and how they can potentially integrate AI capabilities into future intrusion activity,” the researchers wrote.

AI Malware Includes Infostealers, Ransomware and More

The AI-enabled malware samples included a reverse shell, a dropper, ransomware, a data miner and an infostealer. The researchers said malware families like PROMPTFLUX and PROMPTSTEAL are the first to use Large Language Models (LLMs) during execution. “These tools dynamically generate malicious scripts, obfuscate their own code to evade detection, and leverage AI models to create malicious functions on demand, rather than hard-coding them into the malware,” they said. “While still nascent, this represents a significant step toward more autonomous and adaptive malware.” “[A]dversaries are no longer leveraging artificial intelligence (AI) just for productivity gains, they are deploying novel AI-enabled malware in active operations,” they added. “This marks a new operational phase of AI abuse, involving tools that dynamically alter behavior mid-execution.” However, the new AI malware samples are only so effective. Using hashes provided by Google, they were all detected by roughly a third or more of security tools on VirusTotal, and two of the malware samples were detected by nearly 70% of security tools.

AI Malware Samples and Detection Rates

The reverse shell, FRUITSHELL (VirusTotal), is a publicly available reverse shell written in PowerShell that establishes a remote connection to a command-and-control (C2) server and enables a threat actor to launch arbitrary commands on a compromised system. “Notably, this code family contains hard-coded prompts meant to bypass detection or analysis by LLM-powered security systems,” the researchers said. It was detected by 20 of 62 security tools (32%), and has been observed in threat actor operations.

The dropper, PROMPTFLUX (VirusTotal), was written in VBScript and uses an embedded decoy installer for obfuscation. It uses the Google Gemini API for regeneration by prompting the LLM to rewrite its source code and saving the new version to the Startup folder for persistence, and the malware attempts to spread by copying itself to removable drives and mapped network shares. Google said the malware appears to still be under development, as incomplete features are commented out and the malware limits Gemini API calls. “The current state of this malware does not demonstrate an ability to compromise a victim network or device,” they said. The most interesting feature of PROMPTFLUX may be its ability to periodically query Gemini to obtain new code for antivirus evasion. “While PROMPTFLUX is likely still in research and development phases, this type of obfuscation technique is an early and significant indicator of how malicious operators will likely augment their campaigns with AI moving forward,” they said. It was detected by 23 of 62 tools (37%).

The ransomware, PROMPTLOCK (VirusTotal), is a proof-of-concept cross-platform ransomware written in Go that was developed by NYU researchers. It uses an LLM to dynamically generate malicious Lua scripts at runtime, and is capable of filesystem reconnaissance, data exfiltration, and file encryption on Windows and Linux systems. It was detected by 50 of 72 security tools on VirusTotal (69%).
The data miner, PROMPTSTEAL (VirusTotal), was written in Python and uses the Hugging Face API to query the LLM “Qwen2.5-Coder-32B-Instruct” to generate Windows commands to gather system information and documents. The Russian threat group APT28 (Fancy Bear) has been observed using PROMPTSTEAL, which the researchers said is their “first observation of malware querying an LLM deployed in live operations.” It was detected by 47 of 72 security tools (65%).

The infostealer, QUIETVAULT (VirusTotal), was written in JavaScript and targets GitHub and NPM tokens. The credential stealer uses an AI prompt and AI CLI tools to look for other potential secrets and exfiltrate files to GitHub. It has been observed in threat actor operations and was detected by 29 of 62 security tools (47%).

The full Google report also looks at advanced persistent threat (APT) use of AI tools, and includes this interesting comparison of malicious AI tools such as WormGPT:

(Table: Comparison of malicious AI tools, Google)

Iran-linked Threat Group Claims Breach of Israeli Defense Contractor’s Security Cameras

5 November 2025 at 11:36

Israeli defense contractor hacked

An Iran-linked threat group claims to have accessed the security cameras of an Israeli defense contractor and leaked videos of internal meetings and employees working on defense systems. The threat group – Cyber Toufan – has been posting about the alleged breach of Maya Engineering on its Telegram channels for at least a few weeks, but the group’s claims became public in recent days in an X post and articles on media sites such as Straight Arrow News and Breached Company. The claims remain unverified, and The Cyber Express has reached out to Maya for comment and will update this article with any official statement, but the alleged incident shows the importance of including surveillance cameras and other sensitive devices in cybersecurity plans. “Scary stuff,” SANS instructor and consultant Kevin Garvey said on X. “Shows how *any* connected asset needs rigorous security associated to it! Good reminder to all to check if cameras and other peripherals are part of your standard vuln management and secure config programs (amongst others functional programs).”

Alleged Israeli Defense Contractor Breach

A check of Cyber Toufan’s Telegram channels by The Cyber Express found claims of the hack as early as October 12 (image below).

(Image: October 12 Telegram post by Cyber Toufan claiming Maya hack)

However, the group claims to have had access to Maya’s systems for more than a year. “One and a half years after gaining full access to the network, we have explored every part of it and reached the QNAP archive,” claims a Cyber Toufan post reported by International Cyber Digest on X. “Through the systems, we have breached Elbit and Rafael's through then. Their phones, printers, routers and cameras as well. We have recorded your meetings with sound and video for over a year. This is just the beginning with Maya!” Footage released by the group shows company employees allegedly working on several defense systems, including missile and drone systems, and the group also claims to possess technical drawings of sensitive parts like missile components.

Cyber Toufan's Link to Iran

Cyber Toufan’s advanced tactics suggest technical acumen well beyond that of a typical hacktivist group, raising the possibility of a nation-state link to Iran. Cyble’s threat intelligence profile of the group states, “Cyber Toufan is a threat actor group known for targeting Israeli organizations, with possible nation-state support from Iran. Their tactics include hack-and-leak operations, data breaches, and data destruction, impacting numerous organizations. Their activities are linked to geopolitical tensions in the Middle East, featuring a mix of technical breaches and psychological warfare. Threat actors associated with Cyber Toufan operate by infiltrating systems to steal sensitive data and disrupt operations, aiming to cause economic and political damage to their targets.”

Software Supply Chain Attacks Set Records in October

4 November 2025 at 12:52

record supply chain attacks

Software supply chain attacks hit levels in October that were more than 30% higher than any previous month. Threat actors on dark web data leak sites claimed 41 supply chain attacks in October, 10 more than the previous high seen in April 2025, Cyble reported today in a blog post. Supply chain attacks have more than doubled since April, averaging more than 28 a month compared to the 13 attacks per month seen between early 2024 and March 2025, Cyble said (chart below).

(Chart: Supply chain attacks by month 2024-2025, Cyble)

Reasons Behind the Record Supply Chain Attacks

The threat intelligence company cited several reasons for the increase in attacks. The primary drivers of the surge in supply chain attacks have been a “combination of critical and zero-day IT vulnerabilities and threat actors actively targeting SaaS and IT service providers,” the blog post said, noting that “the sustained increase suggests that the risk of supply chain attacks may remain elevated going forward.” Cloud security threats and AI-based phishing campaigns are other causes cited by Cyble, although voice phishing (vishing) also played a large role in recent Scattered LAPSUS$ Hunters Salesforce breaches.

IT Companies Hit Hardest as Ransomware Groups Lead Attacks

All 24 industry sectors tracked by Cyble have been hit by a supply chain attack this year, but IT and IT services companies have been by far the biggest target because of “the rich target they represent and their downstream customer reach.” The 107 supply chain attacks targeting IT companies so far this year have been more than triple those of the next nearest sectors, which include financial services, transportation, technology and government (chart below).

(Chart: Supply chain attacks by sector 2025, Cyble)

Ransomware groups have been some of the biggest contributors to the increase in supply chain attacks. Qilin and Akira have been the top two ransomware groups so far this year, and the two have also claimed “an above-average share of supply chain attacks,” Cyble said. Akira’s recent victims have included an unnamed “major open-source software project,” the threat researchers said, and the 23GB of data stolen by the group includes “internal confidential files, and reports related to software issues and internal operations,” among other information. Akira and Qilin have also claimed a number of attacks on IT companies, including some serving sensitive sectors such as government, intelligence, defense, law enforcement agencies, healthcare, industrial and energy companies, and payment processing and financial infrastructure solutions. In one incident, Qilin claimed to have stolen source code for proprietary software products used by law enforcement, criminal justice, public safety, and security organizations.

In one case, Qilin claimed to have breached customers of a U.S.-based cybersecurity and cloud services provider for healthcare and dental organizations through “clear-text credentials stored in Word and Excel documents hosted on the company’s systems.” Kyber, a new ransomware group, leaked more than 141GB of project files, internal builds, databases, and backup archives allegedly stolen from “a major U.S.-based defense and aerospace contractor that provides communication, surveillance, and electronic warfare systems.” Cl0p ransomware group exploits of Oracle E-Business Suite vulnerabilities and a Red Hat GitLab breach were among the other major incidents in October.

Protecting Against Supply Chain Risks

The Cyble researchers said that guarding against supply chain attacks “can be challenging because these partners and suppliers are, by nature, trusted, but security audits and assessing third-party risk should become standard cybersecurity practices.” The researchers outlined several steps security teams can take to better protect their organizations. “The most effective place to control software supply chain risks is in the continuous integration and development (CI/CD) process, so carefully vetting partners and suppliers and requiring good security controls in contracts are essential for improving third-party security,” the threat researchers added.

Hacktivist Attacks on Critical Infrastructure Soar: Cyble Report

3 November 2025 at 17:04

hacktivist attacks on critical infrastructure

Hacktivist attacks on critical infrastructure doubled over the course of the third quarter, according to a new Cyble report. Hacktivist attacks on industrial control systems (ICS) grew throughout the third quarter and made up 25% of all hacktivist attacks by September, Cyble wrote in a blog post. “If that trend continues, it would represent a near-doubling of attacks on industrial control systems (ICS) from the second quarter of 2025,” Cyble said. The report follows a Canadian Centre for Cyber Security warning last week that hacktivists are targeting critical infrastructure in that country.

Hacktivist Attacks on Critical Infrastructure Led by Russia-linked Groups

Cyble said DDoS attacks and website defacements still account for most hacktivist activity, but the ideologically-motivated threat groups are increasingly turning their focus toward ICS attacks, data breaches, unauthorized access, and ransomware. Z-Pentest has been the leading hacktivist group targeting ICS infrastructure, but the threat group has also been joined by Dark Engine (also known as the Infrastructure Destruction Squad), Golden Falcon Team, INTEID, S4uD1Pwnz, and Sector 16. “Russia-aligned hacktivist groups INTEID, Dark Engine, Sector 16, and Z-Pentest were responsible for the majority of recent ICS attacks, primarily targeting Energy & Utilities, Manufacturing, and Agriculture sectors across Europe,” Cyble said. “Their campaigns focused on disrupting industrial and critical infrastructure in Ukraine, EU and NATO member states.” Among Z-Pentest’s targets in the third quarter were a water utility HMI system in the U.S. and an agricultural biotechnology SCADA system in Taiwan. The group frequently posts videos of its members tampering with ICS controls, and may have been one of the groups the U.S. Cybersecurity and Infrastructure Security Agency (CISA) was referring to in a warning about critical infrastructure tampering attacks earlier this year.

Most Active Hacktivist Groups

NoName057(16) remains the most active hacktivist group despite attempts by law enforcement to disrupt its operations, Cyble said. Z-Pentest and Hezi Rash increased their share of attacks in the third quarter, the threat intelligence company said. Special Forces of the Electronic Army, Jokeir_07x and BL4CK CYB3R all lost ground in the quarter, while newcomers like Red Wolf Cyber Team and INTEID increased their share of hacktivist activity in the quarter. One of the more noteworthy incidents in the quarter involved the Belarusian group Cyber Partisans BY, which joined with Silent Crow to claim a cyberattack on Russian state airline Aeroflot. The attackers disrupted key systems, exfiltrated more than 22TB of data, and claimed to have destroyed about 7,000 servers, Cyble said. In another noteworthy hacktivist attack, the Ukrainian Cyber Alliance and BO Team claimed a breach of a Russian manufacturer involved in military drone production, stealing engineering blueprints, VMware snapshots, storage mappings, and CCTV footage from UAV assembly facilities. The groups said they wiped servers, backups, and cloud environments after they exfiltrated data.

Hacktivism and Geopolitical Conflict

Geopolitical conflict “remains a primary motive in hacktivist campaigns,” Cyble said. The Thailand–Cambodia border conflict, the India–Pakistan and India–Bangladesh rivalries, Middle East conflicts – including the Israel–Hamas war and the Israel–Iran and Houthi–Saudi Arabian conflicts – the Russia–Ukraine war and domestic unrest in the Philippines were some of the major conflicts driving hacktivism across the globe. Ukraine was the leading target of hacktivist campaigns in the third quarter, Cyble said (chart below).

Chart: Most attacked countries by hacktivist groups (Cyble)

“The growing sophistication of the leading hacktivist groups is by now an established trend and will likely continue to spread to other groups over time,” Cyble said. “That means that exposed environments in critical sectors can expect further compromise by hacktivist groups, advanced persistent threats (APTs), and others known to target critical infrastructure.”

Hacktivist ICS Attacks Target Canadian Critical Infrastructure

30 October 2025 at 13:44

Hacktivist ICS Attacks Target Canadian Critical Infrastructure

Canadian cybersecurity officials are warning that hacktivists are increasingly targeting critical infrastructure in the country. In an October 29 alert, the Canadian Centre for Cyber Security described three recent attacks on internet-accessible industrial control systems (ICS). The alert doesn’t attribute the ICS attacks to any particular group, but Russia-linked hacktivists have been the dominant groups tampering with ICS controls in the last year, particularly since the emergence of Z-Pentest in the fall of 2024. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also warned about hackers tampering with ICS controls.

Canadian ICS Attacks Target Water, Energy, Agriculture

One of the ICS hacktivist incidents targeted a water facility, where hacktivists tampered with water pressure values, “resulting in degraded service for its community.” Another involved a Canadian oil and gas company, where an Automated Tank Gauge (ATG) was tampered with to trigger false alarms. A third incident targeted a grain drying silo on a Canadian farm, where temperature and humidity levels were tampered with, “resulting in potentially unsafe conditions if not caught on time,” the alert said. “While individual organizations may not be direct targets of adversaries, they may become victims of opportunity as hacktivists are increasingly exploiting internet-accessible ICS devices to gain media attention, discredit organizations, and undermine Canada's reputation,” the Cyber Centre alert said. Exposed ICS components that could be targeted include Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), Human-Machine Interfaces (HMIs), Supervisory Control and Data Acquisition (SCADA) systems, Safety Instrumented Systems (SIS), Building Management Systems (BMS), and Industrial Internet of Things (IIoT) devices, the alert said. “Unclear division of roles and responsibilities often creates gaps leaving critical systems unprotected,” Cyber Centre said. “Effective communication and collaboration are essential to ensuring safety and security.”

Recommended ICS Security Protections

Cyber Centre said provincial and territorial governments should coordinate with municipalities and organizations within their jurisdiction “to ensure all services are properly inventoried, documented, and protected. This is especially true for sectors where regulatory oversight does not cover cyber security, such as Water, Food, or Manufacturing.” Municipalities and organizations in turn should work with their service providers to make sure that managed services are implemented securely and maintained properly, with clearly defined requirements. Devices and services should be properly secured based on vendor recommendations and guidelines.

The alert said organizations should conduct a comprehensive inventory of all internet-exposed ICS devices and “assess their necessity.” “Where possible, alternative solutions—such as Virtual Private Networks (VPNs) with two-factor authentication—should be implemented to avoid direct exposure to the internet,” the alert said. If that isn’t possible, enhanced monitoring and practices should be used, including active threat detection tools such as Intrusion Prevention Systems (IPS), routine penetration testing, and continuous vulnerability management. Organizations should also regularly conduct tabletop exercises to evaluate their response capabilities and to define roles and responsibilities in the event of a cyber incident.
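One way to run the inventory step the alert describes, as an added example and not Cyber Centre tooling: a Python script that reads nmap grepable output (-oG) for an organization’s public address ranges and flags hosts answering on common ICS protocol ports, noting any remote-management services (Telnet, SSH, RDP, VNC) exposed alongside them. The scan output below is constructed and uses documentation address ranges; the port-to-protocol map is an assumption based on common vendor defaults and should be checked against your own vendors’ documentation.

```python
"""Flag internet-exposed ICS services from nmap grepable (-oG) output.

Added illustration for the inventory step above; not Cyber Centre tooling.
The scan lines are constructed and the port map is an assumption based on
common vendor defaults, not a statement about any real asset.
"""
import re
from dataclasses import dataclass

# Assumed default ports for ICS/OT protocols (verify against vendor docs).
ICS_PORTS = {
    (102, "tcp"): "Siemens S7comm / ISO-TSAP",
    (502, "tcp"): "Modbus/TCP",
    (4840, "tcp"): "OPC UA",
    (10001, "tcp"): "Automated Tank Gauge (Veeder-Root TLS serial-over-IP)",
    (20000, "tcp"): "DNP3",
    (44818, "tcp"): "EtherNet/IP",
    (47808, "udp"): "BACnet/IP",
}
# Management services that make an exposed ICS host worse if also reachable.
REMOTE_ACCESS_PORTS = {(22, "tcp"): "SSH", (23, "tcp"): "Telnet",
                       (3389, "tcp"): "RDP", (5900, "tcp"): "VNC"}

# Constructed sample of nmap -oG output (RFC 5737 documentation addresses).
SAMPLE_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 203.0.113.10 (pump-hmi.example)\tPorts: 502/open/tcp//mbap///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 203.0.113.11 ()\tPorts: 10001/open/tcp//scp-config///, 23/open/tcp//telnet///
Host: 203.0.113.12 (web.example)\tPorts: 443/open/tcp//https///
Host: 203.0.113.13 ()\tPorts: 47808/open/udp//bacnet///, 3389/filtered/tcp//ms-wbt-server///
# Nmap done
"""

@dataclass
class Finding:
    host: str
    hostname: str
    port: int
    proto: str
    protocol: str
    remote_access: list  # management services open on the same host

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\t|$)")

def parse_grepable(text):
    """Yield (ip, hostname, [(port, proto, state, service), ...]) per host line."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname, ports_field = m.groups()
        ports = []
        for entry in ports_field.split(","):
            # -oG port entry: port/state/proto/owner/service/rpcinfo/version/
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            ports.append((int(fields[0]), fields[2], fields[1], fields[4]))
        yield ip, hostname, ports

def find_exposed_ics(text):
    """Return one Finding per open ICS-protocol port, in address then port order."""
    findings = []
    for ip, hostname, ports in parse_grepable(text):
        open_ports = {(p, proto) for p, proto, state, _ in ports if state == "open"}
        mgmt = sorted(REMOTE_ACCESS_PORTS[k] for k in open_ports if k in REMOTE_ACCESS_PORTS)
        for key in sorted(open_ports):
            if key in ICS_PORTS:
                findings.append(Finding(ip, hostname, key[0], key[1], ICS_PORTS[key], mgmt))
    return findings

def report(findings):
    """Human-readable lines, one per finding, with the alert's recommended action."""
    lines = []
    for f in findings:
        extra = f" (also exposes {', '.join(f.remote_access)})" if f.remote_access else ""
        lines.append(f"{f.host} {f.port}/{f.proto} {f.protocol}{extra}: "
                     "justify internet exposure or move behind a VPN with two-factor authentication")
    return lines

if __name__ == "__main__":
    for line in report(find_exposed_ics(SAMPLE_SCAN)):
        print(line)
```

Running it against the constructed scan reports the Modbus HMI, the tank gauge (which also exposes Telnet) and the BACnet host; the filtered RDP port on the last host is not counted as open. Feed it the -oG file from a scan of your own external ranges and treat every line as an exposure that needs a documented justification or a VPN in front of it.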

Nearly Half of Ransomware Victims Who Pay Ransom Can’t Recover Data

29 October 2025 at 10:54

Nearly Half of Ransomware Victims Who Pay Ransom Can’t Recover Data

Paying a ransom is no guarantee of recovery: 41% of ransomware victims who paid were given a recovery key but still had to rebuild their systems, and even when keys work, victims don’t always get all of their data back. That’s one of the findings from cyber insurer Hiscox’s Cyber Readiness Report 2025, which is based on interviews with 5,750 organizations in seven countries. The report found that 27% of those organizations had experienced a ransomware attack in the preceding 12 months. Among the organizations that paid a ransom, 60% recovered “some or all of their data,” the report said, but 41% “were given a recovery key, but still had to rebuild their systems.” It gets worse. For 31% of ransomware victims who paid a ransom, attackers demanded more money, the report found. And additional attacks were sustained by 27% of those who paid a ransom, “though not necessarily an attack from the same entity.” “No company enjoys rewarding bad players for hijacking their data, but when it comes to ransomware attacks, it is common for organisations to make every effort to recover what could be lost,” Hiscox said. “That includes paying the ransom where that is demanded.” “Paying a ransom does not always solve the problem,” the report noted.

IoT Devices Most Common Attack Vector

Vulnerabilities are a key initial attack vector noted by the report. Internet of Things (IoT) devices owned by the organizations were the most common point of entry for cyberattacks (33%), followed by supply chain vulnerabilities (28%), and cloud-based corporate servers (27%). AI tools and software were attackers’ initial point of entry for 15% of organizations. Ransomware victims aren’t the only ones at risk of multiple cyberattacks, as the report found that one cyberattack significantly raises the risk of further attacks. Of the organizations surveyed, 59% had experienced at least one cyberattack in the preceding 12 months. Among those organizations, larger companies or those with higher revenue were more likely to experience additional incidents. Companies with more than $1 million in revenue that had experienced an attack in the last year averaged six cyberattacks, compared to four for businesses with less than $1 million in revenue. Businesses with 50-249 employees had an average of seven attacks in the last year compared to companies with 11-49 employees, which averaged five attacks. Nonprofits were the hardest hit sector, averaging eight incidents, while organizations in the chemical, property, and media sectors averaged three cyberattacks.

Most Favor Ransomware Payment Disclosure

The report noted that a new law in Australia requires companies to disclose the amount of ransoms paid, and 71% of respondents agree that such disclosures should be mandatory. However, 53% believe that private companies should not be obligated to disclose ransomware payments. While the report paints a challenging picture for cybersecurity defenders, there was one bright spot: 83% of respondents reported improved cyber resilience at their company in the last 12 months.

CISA Warns that DELMIA Apriso Vulnerabilities Are Under Attack

28 October 2025 at 16:34

CISA Warns that DELMIA Apriso Vulnerabilities Are Under Attack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two DELMIA Apriso vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Today’s addition of CVE-2025-6204 and CVE-2025-6205 to the KEV catalog follows last month’s addition of CVE-2025-5086 to the CISA database, which was the first addition of an industrial control system (ICS)/operational technology (OT) vulnerability to the exploited vulnerabilities catalog since December 2023. However, IT vulnerabilities added to the KEV catalog often appear in ICS/OT products too. DELMIA Apriso is manufacturing operations management (MOM) and manufacturing execution system (MES) software from Dassault Systèmes that is used to manage production processes and connect factory floors to enterprise resource planning (ERP) systems. In a blog post last month, Johannes Ullrich, SANS Internet Storm Center (ISC) founder and Dean of Research for SANS Technology Institute, said DELMIA Apriso differs from the small IoT devices that are often the focus of manufacturing security in that it is “‘big software’ that is used to manage manufacturing. ... This type of Manufacturing Operation Management (MOM) or Manufacturing Execution System (MES) ties everything together and promises to connect factory floors to ERP systems. But complex systems like this have bugs, too.”

DELMIA Apriso Vulnerabilities CVE-2025-6204 and CVE-2025-6205 Under Attack

CISA typically doesn’t say what threat groups are exploiting vulnerabilities added to the KEV catalog or how they’re being exploited, and CISA’s latest DELMIA Apriso notice only says that “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” CISA gave federal civilian agencies a deadline of November 18 to patch the vulnerabilities. CVE-2025-6205 is the higher-rated of the two vulnerabilities, a 9.1-severity Missing Authorization vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 that could allow an attacker to gain privileged access to the application. CVE-2025-6204 is an 8.0-rated Improper Control of Generation of Code (Code Injection) vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 that could allow an attacker to execute arbitrary code. Both vulnerabilities were initially published in the National Vulnerability Database (NVD) on August 4, 2025. The Dassault Systèmes advisories for CVE-2025-6204 and CVE-2025-6205 include links for customers to access remediation information. CVE-2025-5086, the DELMIA Apriso vulnerability added to the CISA KEV database in September, is a 9.0-rated Deserialization of Untrusted Data vulnerability that also affects Release 2020 through Release 2025 and could lead to remote code execution. That vulnerability was initially published on June 2, 2025. Before CVE-2025-5086, an analysis by The Cyber Express shows that the most recent ICS/OT vulnerability added to the KEV catalog was CVE-2023-6448, a 9.8-severity Insecure Default Password vulnerability in Unitronics VisiLogic before version 9.9.00, used in Vision and Samba PLCs and HMIs.

Caller ID Spoofing Is a Big Problem. Europol Wants Solutions.

28 October 2025 at 12:22

Caller ID spoofing Europol

Caller ID spoofing causes nearly $1 billion (EUR 850 million) in financial losses from fraud and scams each year, according to a new Europol position paper that calls for technical and regulatory solutions to fight the problem. Phone calls and texts are the primary attack vectors, accounting for about 64% of reported cases, Europol said in the report. Caller ID spoofing is accomplished by manipulating the information displayed on a user’s caller ID, typically using Voice over Internet Protocol (VoIP) services or specialized apps to show a fake name or number “that appears legitimate and trustworthy,” Europol said. “The ability of malicious actors to conceal their true identity and origin, severely impedes the capacity of law enforcement agencies (LEAs) to trace and prosecute cybercriminals,” Europol said.

Caller ID Spoofing Attack Types

Europol outlined some of the caller ID spoofing attack types seen by EU law enforcement agencies. Criminals often spoof caller IDs to impersonate organizations like banks, government agencies, utility companies, or even family members, in scam calls to get recipients to reveal sensitive information, make fraudulent payments, or initiate money transfers under false pretenses. Tech support scammers impersonate legitimate tech support services to convince victims of non-existent computer issues in order to demand payment, install malware or obtain remote access for exploitation. Caller ID spoofing can also be used in swatting attacks to make it appear that an emergency call originated from a victim’s address. Organized crime networks have even set up “spoofing-as-a-service” platforms to automate caller ID spoofing, “with the aim of lowering the barrier for others to be able to commit crimes,” Europol said. “By offering such services, criminals can easily impersonate banks, LEAs or other trusted entities.”

Europol Calls for Regulatory and Technical Response

Europol surveyed law enforcement agencies across 23 countries and found significant barriers to implementing anti-caller-ID spoofing measures. “This means that the combined population of approximately 400 million people remain susceptible to these types of attacks,” the report said. The law enforcement agency said there is an “urgent need for a coordinated, multi-faceted approach to mitigate cross-border caller ID spoofing.” “The transnational nature of spoofing attacks demands seamless information sharing and coordinated action among Internet Service Providers (ISPs), telecommunications providers, law enforcement and regulatory bodies,” the agency said. Among the technical controls that are needed are “robust international traceback mechanisms” that include a neutral, cross-jurisdictional system for hop-by-hop tracing, standardized processes for information sharing, and APIs and signaling checks. Also needed are mechanisms for validating inbound international calls, and vendor-neutral tools with standardized interfaces for Do Not Call (DNC)/ Do Not Originate (DNO) lists, unallocated number lists, blacklisting, and malformed number detection. “Through multi-stakeholder collaboration, to address emerging threats and develop effective countermeasures, digital security can be significantly enhanced,” Europol said. “This will ensure citizens are better protected from the adverse effects of caller ID spoofing.” The report also acknowledged the importance of being prepared for other mobile threats such as SIM-based scams, anti-regulatory subleasing, the use of anonymous prepaid services in cybercrime, callback scams and smishing attacks.
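As an added illustration of the list-based controls Europol describes (not Europol’s or any carrier’s code), the Python sketch below screens an inbound call’s presented number through a malformed-number check (E.164 syntax), a Do Not Originate list, unallocated ranges and a blocklist, and applies one inbound-international validation rule: a call arriving on an international trunk may not present a home-country number. The home network (+44), the lists and the call records are constructed assumptions; the numbers used are reserved drama ranges, and the “unallocated” prefixes are made up rather than taken from any regulator’s numbering plan.

```python
"""Inbound call screening with the list-based checks Europol's paper calls for.

Added illustration, not Europol tooling or a carrier's implementation. The DNO
entries, unallocated ranges, blocklist and calls are constructed; the rule that
an international trunk may not present a domestic CLI is an assumed policy for
a hypothetical +44 home network.
"""
import re
from dataclasses import dataclass

HOME_CC = "44"
# E.164: leading +, country code digit 1-9, 7 to 15 digits in total.
E164_RE = re.compile(r"^\+[1-9]\d{6,14}$")

# Constructed lists. DNO: numbers that never originate calls (e.g. a bank's
# inbound-only helpline). Unallocated: prefixes assumed not to be assigned.
DO_NOT_ORIGINATE = {"+448001112222", "+443001234567"}
UNALLOCATED_PREFIXES = ("+4499", "+4498")   # assumed, not real allocations
BLOCKLIST = {"+441632960999"}

@dataclass(frozen=True)
class Call:
    caller_id: str   # CLI as presented in signalling (e.g. the SIP From header)
    trunk: str       # "domestic" or "international" ingress

def normalise(cli):
    """Drop visual separators so that '+44 20 7946 0123' and '+442079460123' compare equal."""
    return re.sub(r"[\s().-]", "", cli)

def screen(call):
    """Return the reasons to block the call; an empty list means every check passed."""
    cli = normalise(call.caller_id)
    if not E164_RE.match(cli):
        return ["malformed_number"]      # nothing else is meaningful on a bad CLI
    reasons = []
    if cli in DO_NOT_ORIGINATE:
        reasons.append("do_not_originate")
    if cli.startswith(UNALLOCATED_PREFIXES):
        reasons.append("unallocated_number")
    if cli in BLOCKLIST:
        reasons.append("blocklisted")
    # Inbound-international validation: a domestic number has no business
    # arriving from abroad on this (assumed) network's international trunks.
    if call.trunk == "international" and cli.startswith("+" + HOME_CC):
        reasons.append("domestic_cli_on_international_trunk")
    return reasons

SAMPLE_CALLS = [   # constructed; drama/fiction number ranges
    Call("+44 20 7946 0123", "domestic"),
    Call("+448001112222", "domestic"),
    Call("+449912345678", "international"),
    Call("+1-202-555-0143", "international"),
    Call("0800 111 2222", "domestic"),
    Call("+44 1632 960999", "international"),
]

if __name__ == "__main__":
    for c in SAMPLE_CALLS:
        print(f"{c.caller_id!r:22} via {c.trunk:13} -> {screen(c) or 'allow'}")
```

The checks are independent, so a call can fail several at once (the last sample is both blocklisted and a domestic number arriving from abroad); a national-format number without the + prefix is rejected as malformed before any list is consulted, which is why normalisation to E.164 has to happen at the network edge rather than in each downstream check.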

Qilin Ransomware Group’s TTPs Examined by Researchers

27 October 2025 at 13:30

Qilin ransomware group TTPs

The Qilin ransomware group has been by far the most active ransomware group over the last seven months, so two new research reports detailing some of the group’s tactics, techniques and procedures (TTPs) are worth noting. Trend Micro researchers examined a Qilin attack – the group is identified as “Agenda” by Trend – that deployed the group’s Linux ransomware variant on Windows systems, while Cisco Talos also looked at the group’s methods, including defensive evasion techniques. Cyble threat intelligence researchers have documented 677 ransomware attacks by Qilin since the group emerged as the top ransomware group following the decline of RansomHub in what may have been an act of sabotage. Those 677 attacks are more than double those of second-place Akira (chart below).

Chart: Top ransomware groups April-October 2025 (Cyble)

Qilin Ransomware Group Deploys Linux Ransomware on Windows

The Qilin ransomware attack documented by Trend Research combined WinSCP for secure file transfer and Splashtop Remote for executing the Linux ransomware binary on Windows machines, in addition to using Bring Your Own Vulnerable Driver (BYOVD) for defense evasion and deployment of multiple SOCKS proxy instances to obfuscate command-and-control (C&C) traffic. Qilin installed legitimate tools like AnyDesk through Atera’s remote monitoring and management (RMM) platform and ScreenConnect for command execution. The attackers also targeted Veeam backup infrastructure using custom credential extraction tools, “systematically harvesting credentials from multiple backup databases to compromise the organization’s disaster recovery capabilities before deploying the ransomware payload,” the researchers said.

“This attack challenges traditional Windows-focused security controls,” the researchers wrote. “The deployment of Linux ransomware on Windows systems demonstrates how threat actors are adapting to bypass endpoint detection systems not configured to detect or prevent Linux binaries executing through remote management channels.”

Initial access appears to have come from a social engineering campaign involving fake CAPTCHA pages, because investigators “identified that multiple endpoints within the compromised environment had connected to malicious fake CAPTCHA pages hosted on Cloudflare R2 storage infrastructure. These pages presented convincing replicas of legitimate Google CAPTCHA verification prompts.” Those pages apparently delivered infostealers to the endpoints, harvesting authentication tokens, browser cookies, and stored credentials. “The presence of valid credentials used throughout the attack chain strongly suggests that these stolen credentials provided the ... threat actors with the valid accounts necessary for their initial access into the environment,” the researchers said.
“This assessment is further supported by the attackers’ ability to bypass multifactor authentication (MFA) and move laterally using legitimate user sessions, indicating they possessed harvested credentials rather than relying on traditional exploitation techniques.” The attackers used a SOCKS proxy DLL for remote access and command execution, loaded directly into memory using the legitimate Windows rundll32.exe process. The legitimate administrator account password was also reset to prevent admins from regaining access. ScreenConnect was used to execute discovery commands via temporary command scripts, “systematically enumerating domain trusts and identifying privileged accounts while appearing as normal administrative activity.” Network scanning tools like NetScan were also used to discover additional systems, services, and potential lateral movement targets, while PuTTY SSH clients were used to facilitate lateral movement to Linux systems within the environment.

Qilin Targeting Veeam Backups to Harvest Credentials

The Qilin attackers targeted Veeam backup infrastructure to harvest credentials, “recognizing that backup systems often store credentials for accessing multiple systems across the enterprise,” the Trend researchers said. PowerShell scripts with base64-encoded payloads were used to extract and decrypt stored credentials from Veeam databases. “When decoded, these scripts revealed systematic targeting of multiple Veeam backup databases, each containing credentials for different segments of the infrastructure,” the researchers said. “This approach provided the attackers with a comprehensive set of credentials for remote systems, domain controllers, and critical servers stored within the backup infrastructure.”

Qilin Defense Evasion Tactics

The attackers deployed “sophisticated anti-analysis tools to evade security solutions,” Trend said, with 2stX.exe and Or2.exe using the eskle.sys driver for anti-antivirus capabilities through a BYOVD attack. The eskle.sys driver was used to disable security solutions, terminate processes, and evade detection, they said.

Cisco Talos researchers documented Qilin defense evasion techniques that included using obfuscated PowerShell code that employed numeric encoding. Executing the PowerShell commands makes three configuration changes, the Talos researchers said. Disabling Windows Antimalware Scan Interface (AMSI) prevents interference with execution of payloads, and disabling TLS certificate validation allows the attackers to contact malicious domains or C2 servers. The third configuration change enables Restricted Admin to force RDP authentication to rely on NT hashes or Kerberos tickets rather than passwords. “Although passwords are not retained, NT hashes remain on the system and can be abused by an attacker to impersonate the user,” Talos said. The Talos researchers observed “traces of attempts to disable EDR using multiple methods,” such as commands that launch the EDR’s uninstall.exe file or attempts to stop services using the sc command. Use of open source tools like dark-kill and HRSword was also observed.

“The use of legitimate tools and cross-platform execution methods makes detection significantly more challenging,” the Trend researchers said. “Organizations must urgently reassess their security posture to account for these unconventional attack vectors and implement enhanced monitoring of remote management tools and backup system access.”
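The obfuscation and configuration changes described in this section, and the base64-encoded PowerShell used against Veeam databases in the section above, can be checked for in process-creation telemetry. The following Python sketch is an added example, not tooling from Trend Micro or Cisco Talos: it resolves -EncodedCommand payloads (base64 of UTF-16LE) and numeric character encoding, then looks for indicator strings for AMSI tampering, TLS validation bypass, Restricted Admin being switched on (the DisableRestrictedAdmin registry value set to 0), Veeam credential database access, and EDR service tampering. The command lines are constructed, and the Veeam-related strings (the VeeamBackup database, the dbo.Credentials table, ProtectedStorage/GetLocalString) are assumptions about what such scripts contain, not strings taken from either report.

```python
"""Deobfuscate PowerShell command lines and flag the changes described above.

Added detection sketch, not Trend Micro or Cisco Talos tooling. Sample command
lines are constructed; indicator strings are assumptions (see lead-in).
"""
import base64
import re

# Searched case-insensitively in the deobfuscated command line (assumed indicators).
INDICATORS = {
    "amsi_bypass": ["amsiinitfailed", "amsiutils", "amsiscanbuffer"],
    "tls_validation_disabled": ["servercertificatevalidationcallback", "-skipcertificatecheck"],
    # DisableRestrictedAdmin=0 turns Restricted Admin on; any write to it is worth a look.
    "restricted_admin_enabled": ["disablerestrictedadmin"],
    "veeam_credential_access": ["veeambackup", "dbo.credentials", "protectedstorage", "getlocalstring"],
    "edr_tamper": ["sc stop", "sc delete", "uninstall.exe", "hrsword", "dark-kill"],
}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE script).
ENCODED_CMD_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# [char]N and (n,n,n,n,...) integer lists used to spell strings without literals.
CHAR_RE = re.compile(r"\[char\]\s*(\d{1,3})", re.I)
INT_LIST_RE = re.compile(r"\(\s*(\d{1,3}(?:\s*,\s*\d{1,3}){3,})\s*\)")

def _decode_utf16_b64(blob):
    """Decode a PowerShell -EncodedCommand payload; empty string if it is not one."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""

def _printable(codes):
    return all(32 <= c < 127 for c in codes)

def decode_numeric(text):
    """Replace [char]N and (n,n,n,...) sequences with the quoted string they spell."""
    def join_list(m):
        codes = [int(c) for c in re.split(r"\s*,\s*", m.group(1))]
        return "'" + "".join(map(chr, codes)) + "'" if _printable(codes) else m.group(0)
    def single(m):
        code = int(m.group(1))
        return "'" + chr(code) + "'" if _printable([code]) else m.group(0)
    return CHAR_RE.sub(single, INT_LIST_RE.sub(join_list, text))

def deobfuscate(cmdline):
    """Expand encoded payloads in place, then resolve numeric character encoding."""
    expanded = ENCODED_CMD_RE.sub(lambda m: " " + _decode_utf16_b64(m.group(1)) + " ", cmdline)
    return decode_numeric(expanded)

def classify(cmdline):
    """Sorted indicator categories present in the deobfuscated command line."""
    decoded = deobfuscate(cmdline).lower()
    return sorted(cat for cat, needles in INDICATORS.items() if any(n in decoded for n in needles))

# Constructed stand-in for a Veeam credential-extraction script (assumed names),
# encoded the way PowerShell expects for -EncodedCommand.
VEEAM_STUB = ("$c = New-Object System.Data.SqlClient.SqlConnection("
              "'Server=.\\VEEAMSQL2016;Database=VeeamBackup;Integrated Security=True');"
              "Invoke-Sqlcmd -Query 'SELECT user_name, password FROM dbo.Credentials'")
ENCODED_VEEAM = base64.b64encode(VEEAM_STUB.encode("utf-16le")).decode()

SAMPLE_CMDLINES = [   # constructed process command lines
    "powershell.exe -nop -w hidden -enc " + ENCODED_VEEAM,
    "powershell -c \"$a=[string]::Join('',((97,109,115,105,73,110,105,116,70,97,105,108,101,100)|%{[char]$_}));"
    "[Ref].Assembly.GetType('System.Management.Automation.'+[char]65+'msiUtils').GetField($a,'NonPublic,Static').SetValue($null,$true)\"",
    "powershell -c \"[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true}\"",
    "powershell -c \"Set-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa' -Name DisableRestrictedAdmin -Value 0\"",
    "cmd.exe /c sc stop SensorSvc && C:\\Program Files\\Vendor\\uninstall.exe /quiet",
    "powershell -c \"Get-ChildItem C:\\Temp\"",
]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(f"{classify(cmd) or ['clean']}  <-  {cmd[:70]}")
```

The decoding step matters more than the indicator list: the second sample never contains the string amsiInitFailed until the integer list is resolved, and the first never mentions Veeam until the UTF-16LE payload is decoded, so a rule that only matches raw command lines misses both. In production, run the same logic over the script-block logging events as well as process creation, since an interactive session can set these values without a command-line argument.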

China Alleges NSA Cyberattack on National Time Service Center

20 October 2025 at 13:43

China claims NSA cyberattack on National Time Service Center

China claims it has “irrefutable evidence” that the U.S. National Security Agency (NSA) launched a two-year cyberattack campaign on China's National Time Service Center (NTSC). In a WeChat post, China’s Ministry of State Security (MSS) said an attack on the high-precision keeper of "Beijing Time" could have led to “network communication failures, financial system disruptions, power outages, transportation disruptions, and space launch failures,” and also could have wreaked havoc with international time. The MSS post details what it claims was a more than two-year NSA cyberattack operation involving “42 specialized cyberattack weapons.”

Alleged NSA Cyberattack Exploited SMS Vulnerability

The MSS claims that the NSA campaign was “long-planned and systematic.” Beginning on March 25, 2022, China alleges, the NSA exploited a vulnerability in the SMS service of an “overseas mobile phone brand” to gain control of mobile phones of multiple NTSC staff members. A year later, beginning on April 18, 2023, the NSA launched multiple attacks using stolen credentials to infiltrate NTSC systems and “spy on the center's network systems,” the MSS post said in translation. From August 2023 to June 2024, the NSA “deployed a new cyber warfare platform and activated 42 specialized cyberattack weapons to launch a high-intensity cyberattack” against multiple internal NTSC network systems, the MSS post claimed. The NSA “also attempted to penetrate the high-precision ground-based timing system, potentially disabling it.” The MSS did not provide any details on the “42 specialized cyberattack weapons.” The NSA cyberattacks were often launched late at night or early morning Beijing time, and used VPNs in the U.S., Europe, and Asia to conceal the source of the attacks, the MSS said. The U.S. intelligence agency also used “forged digital certificates” to bypass antivirus software, and used “high-strength” encryption algorithms “to completely erase traces of the attacks.” China said it responded by “securing evidence” of the attacks - which it did not provide in the post - disrupting the attack chain, and improving defensive measures to stop potential threats.

MSS Takes Issue with U.S. Claims of Chinese Cyber Threats

China accused the U.S. of a multi-year campaign “continuously carrying out cyberattacks targeting China, Southeast Asia, Europe, and South America. They have infiltrated and controlled critical infrastructure, stolen vital intelligence, and monitored key personnel.” The MSS also charged that the U.S. has “exploited its technological base” in the Philippines, Japan, and Taiwan to conceal its involvement and shift the blame for cyberattacks elsewhere. U.S. cyber officials in recent years have alleged that Chinese cyber operations pose a significant threat to U.S. critical infrastructure – a claim the MSS took issue with in the WeChat post. “[T]he US has repeatedly hyped up the ‘China cyber threat’ theory, coercing other countries to hype up so-called ‘Chinese hacker attacks,’ sanctioning Chinese companies, and prosecuting Chinese citizens in an effort to confuse the public and distort the truth,” the MSS post said. “Ironclad facts have proven that the US is the true ‘Matrix’ and the greatest source of chaos in cyberspace.” The Cyber Express has reached out to the NSA for comment and will update this article with any response.

Why Airline Data Breaches Matter – And Why Qantas Could Have Been Worse

17 October 2025 at 14:59

airline data breaches Qantas

Airlines are a popular target for hackers in part because of the amount of personal data they collect – and no personal data is more coveted by cybercriminals than passports and government IDs. Passport and ID leaks pose a “severe, long-term identity theft risk,” according to personal data removal and privacy company Incogni. “Unlike credit cards, travel documents are difficult to replace and can be exploited for years in synthetic identity fraud, fake travel documents, and impersonation scams.” For that reason alone, this week’s leak of customer data from Qantas Airways by the Scattered LAPSUS$ Hunters threat group could have been worse. The leaked data included names, email addresses and Frequent Flyer details and, for a smaller number of customers, more personal data such as addresses, dates of birth and phone numbers, but “no credit card details, personal financial information or passport details were impacted,” according to Qantas. While Qantas avoided the most damaging kind of leak, there’s still risk for consumers, Incogni notes. “Even when payment or passport data isn’t exposed, personal identifiers like names, dates of birth, and loyalty program details can be enough to drive large-scale fraud,” Darius Belejevas, Head of Incogni, told The Cyber Express. “Attackers often combine these records with information from other breaches to build detailed identity profiles.” The incident also highlights the growing risk of third-party vendors, as the incident was linked to Salesforce social engineering and third-party breaches. “The Qantas case shows how one compromised supplier can ripple across industries, exposing millions of customer records in a single incident,” Belejevas added.

Airline Data Breaches Growing

According to Cyble’s threat intelligence database, there have been more than 20 airline data breaches claimed by threat actors on the dark web thus far in 2025, up roughly 50% from the same period of 2024. Part of that increase is due to a focus on the sector by Scattered Spider and the larger Scattered LAPSUS$ Hunters alliance, but other threat groups seem to be targeting the airline sector too. The most recent incident occurred this week, when the CL0P ransomware group claimed to possess data from American Airlines regional carrier Envoy Air. Envoy Air confirmed the incident in a statement to The Cyber Express – but said no customer data was involved. “We are aware of the incident involving Envoy’s Oracle E-Business Suite application,” Envoy Air told The Cyber Express. “Upon learning of the matter, we immediately began an investigation and law enforcement was contacted. We have conducted a thorough review of the data at issue and have confirmed no sensitive or customer data was affected. A limited amount of business information and commercial contact details may have been compromised.” WestJet, which suffered a data breach in June of this year, wasn’t as lucky, as the breach exposed some passenger travel documents like passports and other government-issued identification information. WestJet responded by offering affected customers 24 months of complimentary identity theft protection and monitoring services, but Incogni warns that compromised identity documents “can fuel fraud for much longer” than two years.

Protecting Against Airline Data Breaches

Incogni recommends that people impacted by airline data breaches - and travelers in general - take proactive steps to protect themselves, including:
  • Enrolling in identity theft monitoring if offered.
  • Reporting suspicious calls and phishing attempts to national anti-fraud hotlines such as the Canadian Anti-Fraud Centre or the FTC in the U.S.
  • Using strong, unique passwords and multi-factor authentication on all online accounts.
  • Removing personal information from data broker and people-search sites to cut off “one of the easiest shortcuts for scammers.”
“Individuals and organizations need to better protect, and whenever possible by any means necessary not share, sensitive data in an era where it is now being used not just being stolen by cybercriminals and nation-states but also by legitimate organizations that are using it for their own purposes to manipulate specific outcomes,” Ron Zayas, CEO of Incogni, said in a statement.

Mango Data Breach Exposes Limited Customer Details After Third-Party Cyberattack

16 October 2025 at 05:27

MANGO DATA BREACH

Spanish fashion retailer Mango has confirmed a data breach after one of its external marketing service providers suffered unauthorized access to limited customer information. The company emphasized that its own corporate systems were not compromised and that financial and login details remain secure. The Mango data breach adds to a growing list of cybersecurity incidents hitting major global retailers in 2025. In its official statement, Mango said the exposed data included customers’ first names, countries, postal codes, email addresses, and phone numbers. The company clarified that last names, banking information, credit card details, and passwords were not affected. “Mango’s infrastructure and corporate systems have not been compromised,” the company said, assuring customers that normal operations continue. Upon discovering the breach, Mango activated its security protocols and notified the Spanish Data Protection Agency (AEPD) and other relevant authorities as required under data protection law. The retailer also urged customers to remain cautious of suspicious emails or phone calls and to avoid sharing personal details with unknown sources. Mango has made its customer service email and helpline available to address any concerns.

Mango Responds Swiftly to Contain Data Breach

According to the company, the Mango data breach was limited to marketing-related data held by an external provider. The incident did not involve Mango’s main network or systems handling sensitive information. The fashion retailer said it took “immediate action” to contain the issue and ensure no further exposure. Mango reiterated its commitment to privacy, stating, “We regret any inconvenience this specific incident may have caused. The protection of our customers’ data remains a top priority.” (Image: Mango data breach statement; source: X.) The Spanish Data Protection Agency (AEPD) has been informed, and Mango continues to cooperate fully with authorities as investigations continue.

Retail Cybersecurity Under Pressure Amid Global Attacks

The Mango data breach comes amid a series of high-profile retail cyberattacks across Europe and the United States this year. Just weeks earlier, luxury fashion house Louis Vuitton disclosed a cyberattack, the third within 90 days, that exposed customer data from its global and Korean operations. The LVMH cyberattack, confirmed on July 2, 2025, affected personal information but not payment data. In May, Victoria’s Secret also reported a security incident that forced the company to temporarily take down its U.S. website while investigations were ongoing. Meanwhile, UK logistics firm Peter Green Chilled, a supplier to supermarkets such as Tesco and Sainsbury’s, experienced a cyberattack that disrupted operations. Luxury retailer Harrods was another recent victim, confirming a cyberattack in April 2025 that prompted precautionary restrictions on internet access at its sites. Although customer services remained active, the incident highlights the increasing pressure on retail cybersecurity worldwide.

Mango Maintains Strong Business Performance Despite Data Breach

Despite the recent Mango data breach, the company’s business continues to show strong growth. Mango reported a turnover of €1.728 billion in the first half of 2025, a 12% increase year-over-year and 14% growth at constant exchange rates. The retailer invested around €110 million in strategic projects during this period, with 70% allocated to new store openings and refurbishments. With a presence in 120 countries and 2,925 points of sale worldwide, Mango’s international business now represents 78% of total turnover. Its top-performing markets include Spain, France, Turkey, Germany, and the United States.

Ongoing Focus on Customer Trust and Cyber Resilience

As the Mango data breach investigation continues, the retailer is reinforcing its cybersecurity measures and reviewing its third-party security policies to prevent similar incidents in the future. The company said it remains committed to transparency and the protection of customer data. “MANGO makes our Customer Service email address (personaldata@mango.com) and telephone number (900 150 543) available for any additional questions, and we regret any inconvenience this specific incident may have caused you,” the company’s statement reads. “As always, we want to thank you for your trust and commitment to our brand,” the statement concluded.

F5 Reveals Nation-State Breach as CISA Orders Agencies to Secure F5 Environments

15 October 2025 at 14:57

F5 data breach

Security and application delivery vendor F5 revealed today in an SEC filing that a nation-state threat actor had “long-term, persistent access” to some of the company’s most critical environments. The SEC 8-K filing said the intrusion by a “highly sophisticated nation-state threat actor” was discovered on August 9 but not reported until now because the U.S. Department of Justice had “determined that a delay in public disclosure was warranted.” After detecting the breach, F5 activated its incident response processes and took “extensive actions to contain the threat actor.” F5 determined that the threat actor “maintained long-term, persistent access to certain F5 systems, including the BIG-IP product development environment and engineering knowledge management platform. Through this access, certain files were exfiltrated, some of which contained certain portions of the Company’s BIG-IP source code and information about undisclosed vulnerabilities that it was working on in BIG-IP.” The company sought to assure customers and investors that the incident has been contained and that there is no evidence of additional unauthorized activity. “We are not aware of any undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities,” the SEC filing said. “We have no evidence of modification to our software supply chain, including our source code and our build and release pipelines. This assessment has been validated through independent reviews by leading cybersecurity research firms.” F5 shares (NASDAQ:FFIV) were off 4% in recent trading after falling more than 5% at their lows for the day.

CISA Issues F5 Breach Guidance

Also today, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to federal civilian agencies directing them to secure their F5 environments, noting that the “threat actor’s access to F5’s proprietary source code could provide that threat actor with a technical advantage to exploit F5 devices and software.” Ryan Dewhurst, Head of Proactive Threat Intelligence at watchTowr, said in a statement today that it seemed like something was wrong on October 13, when F5 “quietly announced it had rotated its signing certificates and cryptographic keys, the ones used to prove that F5-produced software is legitimate and untampered. That’s not a routine update. Vendors only do that when something has gone very wrong. Today, F5 confirmed exactly that.” “Older software signed with the previous keys may now warrant closer scrutiny,” Dewhurst added. “For a vendor whose products sit deep in enterprise and government networks, this is a serious breach of trust. If those compromised keys were stolen, and F5 hasn’t ruled that out, malicious software updates signed by ‘F5’ could be indistinguishable from the real thing." F5 said there is no evidence that CRM, financial, support case management, or iHealth systems data has been accessed, or the NGINX, F5 Distributed Cloud Services and Silverline environments. “However, some of the exfiltrated files from our knowledge management platform contained configuration or implementation information for a small percentage of customers,” F5 said. “The Company is currently reviewing the contents of these files and will communicate with affected customers directly as appropriate.”
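Dewhurst’s caveat about software signed with the previous keys translates into a concrete policy for anyone holding cached vendor artifacts after a compromise-driven key rotation: keep trusting the new key, fail closed on anything the retired key signed at or after the rotation, and accept older artifacts only when their hash matches a checksum the vendor re-published under the new trust root. The following is an added illustration of that policy and is not F5’s, watchTowr’s or CISA’s code; the key identifiers, the artifact bytes, the checksum manifest and the rotation cutoff date (taken from the October 13 announcement mentioned above) are all constructed assumptions, and real deployments would replace the key-ID lookup with actual signature verification against the vendor’s published certificates.

```python
import hashlib
from datetime import datetime, timezone

# Assumption: the rotation was announced on 2025-10-13 (the date in the article).
# Anything a retired key signed at or after this instant is treated as hostile.
ROTATION_CUTOFF = datetime(2025, 10, 13, tzinfo=timezone.utc)

# Hypothetical key identifiers; a real check verifies signatures, not labels.
CURRENT_KEY_IDS = {"vendor-signing-2025-10"}
RETIRED_KEY_IDS = {"vendor-signing-2023-01"}


def parse_checksum_manifest(text):
    """Parse sha256sum-style lines ('<64 hex chars>  <filename>') into a dict."""
    manifest = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 64:
            manifest[parts[1]] = parts[0].lower()
    return manifest


def audit_artifact(name, data, key_id, signed_at, manifest):
    """Classify a cached artifact by signer key, signing time and re-published hash."""
    digest = hashlib.sha256(data).hexdigest()
    published = manifest.get(name)

    if key_id in CURRENT_KEY_IDS:
        # New key, but the post-rotation manifest still wins if it disagrees.
        if published is not None and published != digest:
            return "reject: hash differs from post-rotation manifest"
        return "trusted"

    if key_id in RETIRED_KEY_IDS:
        if signed_at >= ROTATION_CUTOFF:
            # A stolen key would let an attacker produce exactly this: fail closed.
            return "reject: retired key used after rotation"
        if published == digest:
            return "accept: legacy artifact matches re-published hash"
        return "quarantine: legacy artifact without post-rotation hash match"

    return "reject: unknown signing key"


# Constructed sample artifacts (not real vendor files).
GOOD = b"constructed hotfix image bytes"
TAMPERED = b"constructed hotfix image bytes, modified"
MANIFEST = parse_checksum_manifest(
    f"{hashlib.sha256(GOOD).hexdigest()}  hotfix.iso\n"
)


def audit_cache():
    """Run the policy over a constructed cache and return name -> verdict."""
    before = datetime(2025, 6, 1, tzinfo=timezone.utc)
    after = datetime(2025, 10, 20, tzinfo=timezone.utc)
    return {
        "new-key": audit_artifact("hotfix.iso", GOOD, "vendor-signing-2025-10", after, MANIFEST),
        "legacy-ok": audit_artifact("hotfix.iso", GOOD, "vendor-signing-2023-01", before, MANIFEST),
        "legacy-tampered": audit_artifact("hotfix.iso", TAMPERED, "vendor-signing-2023-01", before, MANIFEST),
        "old-key-post-rotation": audit_artifact("hotfix.iso", GOOD, "vendor-signing-2023-01", after, MANIFEST),
        "unknown-key": audit_artifact("hotfix.iso", GOOD, "somebody-else", after, MANIFEST),
    }


if __name__ == "__main__":
    for label, verdict in audit_cache().items():
        print(f"{label:24} {verdict}")
```

The point of the cutoff is that a signature alone proves nothing once a key may have been stolen: only the combination of the new trust root and a hash the vendor re-published after the rotation distinguishes a legitimate older build from one an attacker back-signed.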

F5 Issues Customer Breach Guidance

As part of the SEC filing, F5 also shared a disclosure statement sent to customers today. The statement said the company is “taking proactive measures to protect our customers and strengthen the security posture of our enterprise and product environments. We have engaged CrowdStrike, Mandiant, and other leading cybersecurity experts to support this work, and we are actively engaged with law enforcement and our government partners.” F5 has released updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients. “We strongly advise updating to these new releases as soon as possible,” the company said. The company has also released a threat hunting guide, hardening guidance with verification steps, and SIEM integration and monitoring guidance, and has added automated hardening checks to the F5 iHealth Diagnostic Tool. “This tool will surface gaps, prioritize actions, and provide links to remediation guidance,” F5 said. Since the incident, the company has rotated credentials and strengthened access controls across systems, deployed better inventory and patch management automation, added better detection and response, improved its network security architecture, and hardened its product development environment. Other steps include ongoing code review and penetration testing with support from both NCC Group and IOActive, and extending CrowdStrike Falcon EDR sensors and OverWatch threat hunting to BIG-IP for additional visibility and to strengthen defenses. An early access version is available to BIG-IP customers, and F5 is providing supported customers with a free Falcon EDR subscription through October 14, 2026. “Your trust matters,” F5 concluded. “We know it is earned every day, especially when things go wrong. We truly regret that this incident occurred and the risk it may create for you. We are committed to learning from this incident and sharing those lessons with the broader security community.”

Credential Attacks Detected on SonicWall SSLVPN Devices

14 October 2025 at 12:26

SonicWall SSLVPN attacks, configuration file backup breach

A managed security services provider has detected credential attacks on SonicWall SSLVPN devices. The attacks, reported by Huntress, involve “widespread compromise” of SonicWall SSLVPN devices. “Threat actors are authenticating into multiple accounts rapidly across compromised devices,” the service provider said. “The speed and scale of these attacks imply that the attackers appear to control valid credentials rather than brute-forcing.”

Report Follows SonicWall Backup Advisory

The report follows a SonicWall advisory that an unauthorized party had accessed firewall configuration backup files for all SonicWall customers who have used the company’s cloud backup service. The configuration files contain encrypted credentials and configuration data, and encryption would make credential exploitation challenging, but SonicWall nonetheless noted that “possession of these files could increase the risk of targeted attacks.” Huntress said there is “no evidence” to link the credential attacks to the SonicWall backup breach, but urged users to follow SonicWall’s guidance and take additional steps.

SonicWall SSLVPN Attacks Widespread

The SonicWall SSLVPN credential attacks have occurred across “multiple customer environments,” Huntress said. Much of the attack activity started on October 4, “with clustered authentications occurring over the course of the following two days.” As of October 10, more than 100 SonicWall SSLVPN accounts across 16 customer environments had been affected, the service provider said. Authentication attempts on the SonicWall devices originated from the IP 202.155.8[.]73. “In some instances, the actors did not appear to generate further adversarial activity in the network, disconnecting after a short period,” the service provider said. “In other cases, there was evidence of post-exploitation activity, with the actors conducting network scanning activity and attempting to access numerous local Windows accounts.”
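The signal Huntress describes, many different accounts authenticating successfully from one source in quick succession with few failures, is what separates credential use from brute forcing, and it is detectable from VPN authentication logs alone. The detector below is an added example and not Huntress’s or SonicWall’s code; the log lines are constructed, the key=value layout is an assumption standing in for the real SonicWall SSLVPN log format (adjust `LINE_RE` for your syslog), and the thresholds are starting points to tune against your own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real SonicWall output). One source logs into six
# accounts in under a minute, one hammers a single account, one is a normal user.
SAMPLE_LOG = """\
2025-10-04T02:11:03Z src=203.0.113.45 user=jsmith result=success
2025-10-04T02:11:09Z src=203.0.113.45 user=mlee result=success
2025-10-04T02:11:14Z src=203.0.113.45 user=akhan result=success
2025-10-04T02:11:20Z src=203.0.113.45 user=rpatel result=success
2025-10-04T02:11:27Z src=203.0.113.45 user=dwong result=failure
2025-10-04T02:11:33Z src=203.0.113.45 user=dwong result=success
2025-10-04T02:11:40Z src=203.0.113.45 user=svc-backup result=success
2025-10-04T03:00:01Z src=198.51.100.7 user=admin result=failure
2025-10-04T03:00:02Z src=198.51.100.7 user=admin result=failure
2025-10-04T03:00:03Z src=198.51.100.7 user=admin result=failure
2025-10-04T03:00:04Z src=198.51.100.7 user=admin result=failure
2025-10-04T03:00:05Z src=198.51.100.7 user=admin result=failure
2025-10-04T03:00:06Z src=198.51.100.7 user=admin result=failure
2025-10-04T03:00:07Z src=198.51.100.7 user=admin result=failure
2025-10-04T03:00:08Z src=198.51.100.7 user=admin result=failure
2025-10-04T03:00:09Z src=198.51.100.7 user=admin result=failure
2025-10-04T03:00:10Z src=198.51.100.7 user=admin result=failure
2025-10-04T08:15:00Z src=192.0.2.10 user=jsmith result=success
2025-10-04T17:40:12Z src=192.0.2.10 user=jsmith result=success
"""

# Assumed line layout; replace with a pattern for your appliance's real format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


def parse(log_text):
    """Return (timestamp, src_ip, user, succeeded) tuples sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match; real logs have plenty
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["user"], m["result"] == "success"))
    events.sort()
    return events


def classify_sources(events, window=timedelta(minutes=10), min_accounts=5,
                     max_failure_ratio=0.2, min_failures=10):
    """Per source IP: 'valid-credential-use', 'brute-force' or 'normal'."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        successes = [(ts, user) for ts, _, user, ok in evs if ok]
        failures = len(evs) - len(successes)
        failure_ratio = failures / len(evs)

        # Sliding window over successful logins: the most distinct accounts this
        # source entered within `window`. Brute force never produces this.
        peak = 0
        for i, (t_start, _) in enumerate(successes):
            users = set()
            for t, user in successes[i:]:
                if t - t_start > window:
                    break
                users.add(user)
            peak = max(peak, len(users))

        if peak >= min_accounts and failure_ratio <= max_failure_ratio:
            verdict = "valid-credential-use"   # attacker already holds passwords
        elif failures >= min_failures and failure_ratio > max_failure_ratio:
            verdict = "brute-force"            # guessing, mostly failing
        else:
            verdict = "normal"
        findings[src] = {"verdict": verdict, "peak_distinct_accounts": peak,
                         "failures": failures, "events": len(evs)}
    return findings


if __name__ == "__main__":
    for src, f in classify_sources(parse(SAMPLE_LOG)).items():
        print(f"{src:15} {f['verdict']:22} accounts={f['peak_distinct_accounts']} "
              f"failures={f['failures']}/{f['events']}")
```

A source flagged as valid-credential-use is the case that matters after a configuration-backup exposure: lockout policies and rate limits do nothing against it, which is why the remediation below leads with resetting secrets rather than blocking IPs.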

Protecting Against SonicWall Credential Attacks

Actions recommended by Huntress include:
  • Restricting WAN management and remote access wherever possible
  • Disabling or limiting HTTP, HTTPS, SSH, SSL VPN and inbound management until credentials are reset
  • Resetting all secrets and keys on affected devices, including local admin accounts, VPN pre-shared keys, LDAP/RADIUS/TACACS+ bind credentials, wireless PSKs and SNMP credentials
  • Revoking external API keys, dynamic DNS, SMTP/FTP credentials and “any automation secrets that touch the firewall or management systems”
  • Increasing logging and reviewing recent logins and configuration changes for suspicious activity
  • Reintroducing services one by one after the resets and monitoring for any reappearance of unauthorized access
  • Enforcing multi-factor authentication (MFA) for all admin and remote accounts and applying least privilege to management roles
The Cyber Express has reached out to SonicWall for comment and will update this article with any further information.