This cluster centers on the UK government’s order requiring Apple to build a backdoor into end-to-end encrypted iCloud data. The order raises serious privacy and security concerns and could set a precedent for global digital privacy norms: Apple is being legally compelled to weaken the protection of its own users’ data, and a decryption capability built for one government’s access cannot be limited to that requester alone.
The Kimsuky APT group is using a custom-built RDP Wrapper and proxy tools to maintain access to infected machines for persistent cyber espionage. Initial access comes via spear-phishing that delivers malicious Windows shortcut (.LNK) files disguised as legitimate documents. AhnLab’s ASEC team has published a blog post detailing the additional malware used in these attacks, which shows the group’s evolving tooling and its continuing threat to organizations.
Cisco addressed two critical remote code execution flaws in its Identity Services Engine (ISE), tracked as CVE-2025-20124 (CVSS 9.9) and CVE-2025-20125 (CVSS 9.1). Both require authentication, but only as a read-only administrative user: CVE-2025-20124 stems from insecure deserialization of user-supplied Java byte streams in an API and lets such a user execute arbitrary commands as root, while CVE-2025-20125 is an authorization bypass in another API that allows reading sensitive information, changing node configuration, and restarting the node.
Either flaw can therefore lead to full compromise of the affected system. Cisco has released software updates that fix both, and administrators are urged to apply them as soon as possible.
DeepSeek AI’s R1 model is gaining traction within the AI community for its detailed thought process and performance, even though it sometimes provides inaccurate answers. Some users prefer its clear reasoning over other models. The R1 model is now available on platforms like AWS and NVIDIA NIM, which allows for broader accessibility. Benchmarks also reveal that AMD’s Radeon RX 7900 XTX outperforms the RTX 4090 in certain DeepSeek benchmarks. However, there are concerns about DeepSeek’s safety guardrails, as they have reportedly failed multiple tests. It also faces scrutiny related to data use and alleged smuggling of NVIDIA GPUs.
Spanish authorities have arrested an individual for allegedly hacking several high-profile organizations, including NATO and the US Army. The hacker, known as “natohub,” is suspected of conducting over 40 cyberattacks throughout 2024, targeting both public institutions and private entities. Stolen data was then sold on BreachForums.
The arrest highlights the ongoing threat posed by malicious actors targeting government and military systems, and the importance of international cooperation in combating cybercrime.
Hewlett Packard Enterprise (HPE) has disclosed a breach of its Office 365 email environment by the Russian state-sponsored group Midnight Blizzard (also known as Cozy Bear or APT29). The intrusion began in May 2023 and was confirmed in December 2023, after which it was contained. Employee data was compromised.
Ransomware payments significantly decreased in 2024, falling 35% to ~$813.55 million, as more victims refused to pay. Despite a higher number of victims being posted on ransomware gang leak sites, fewer organizations yielded to extortion demands. This shift indicates a growing resistance to paying ransoms, potentially driven by improved data recovery strategies and law enforcement efforts.
The report underscores that while the number of attacks remains high, the financial return on ransomware operations is shrinking as more victims refuse to pay, which may push operators to change their tactics.
Cloudflare suffered an outage of nearly an hour after a botched attempt to block a phishing URL hosted on its R2 object storage platform. The cause was human error during a routine abuse remediation: a product-level disablement action intended for the single phishing site was applied instead to the production R2 Gateway service that serves the R2 API, taking R2 and the Cloudflare services that depend on it offline.
Attackers are exploiting vulnerable SimpleHelp RMM clients to create administrator accounts, drop backdoors, and potentially stage ransomware. After exploiting the SimpleHelp vulnerabilities to connect to a targeted endpoint, they run a series of discovery commands that collect system and network data, domain controller details, and information about the installed CrowdStrike Falcon sensor.
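Detection logic for that chain, as an added example that is not from the reporting or from SimpleHelp: the program below reads constructed process-creation lines (Sysmon Event ID 1 or Windows 4688 flattened to tab-separated fields) and alerts when a local account is created, or promoted to Administrators, by a child of the RMM agent, with severity raised if discovery commands preceded it. The agent’s process name, the specific discovery commands, and the log format are this example’s assumptions; adjust them to your own telemetry.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Event is one process-creation record flattened to a tab-separated line:
// RFC3339 time, host, parent image, command line.
type Event struct {
	Time                  time.Time
	Host, Parent, CmdLine string
}

func ParseLine(line string) (Event, error) {
	f := strings.Split(line, "\t")
	if len(f) != 4 {
		return Event{}, fmt.Errorf("want 4 tab-separated fields, got %d", len(f))
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, err
	}
	return Event{ts, f[1], f[2], f[3]}, nil
}

// ASSUMPTION: how the SimpleHelp agent shows up as a parent image; replace with
// whatever your EDR actually records for the RMM agent.
var rmmParent = regexp.MustCompile(`(?i)simplehelp|remote access\.exe`)

// Discovery commands for the categories in the reporting (host/network data, domain
// controllers, CrowdStrike Falcon). The list is this example's choice; it is matched
// against a lower-cased, unquoted, whitespace-normalised command line.
var discoveryCmds = []string{
	"systeminfo", "ipconfig /all", "whoami", "net view", "net group domain admins /domain",
	"nltest /dclist", "nltest /domain_trusts", "sc query csagent", "sc query csfalconservice",
}

var userAdd = regexp.MustCompile(`net1? user (\S+)(?: \S+)? /add`)
var adminAdd = regexp.MustCompile(`net1? localgroup administrators (\S+) /add`)

func normalize(cmd string) string {
	return strings.Join(strings.Fields(strings.ToLower(strings.ReplaceAll(cmd, `"`, ""))), " ")
}

func isDiscovery(cmd string) bool {
	for _, d := range discoveryCmds {
		if strings.Contains(cmd, d) {
			return true
		}
	}
	return false
}

type Alert struct {
	Time                   time.Time
	Host, Severity, Reason string
}

// window is how long after discovery activity a new account still counts as the same intrusion.
const window = 30 * time.Minute

// Detect scopes everything to children of the RMM agent: discovery there is recorded, an
// account created within the window afterwards is high severity, and so is promoting an
// agent-created account to local Administrators.
func Detect(lines []string) ([]Alert, error) {
	type hostState struct {
		lastDiscovery time.Time
		created       map[string]bool
	}
	hosts := map[string]*hostState{}
	var alerts []Alert
	for _, line := range lines {
		e, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		if !rmmParent.MatchString(e.Parent) {
			continue // the same commands from an interactive admin session are out of scope here
		}
		st := hosts[e.Host]
		if st == nil {
			st = &hostState{created: map[string]bool{}}
			hosts[e.Host] = st
		}
		cmd := normalize(e.CmdLine)
		if m := userAdd.FindStringSubmatch(cmd); m != nil {
			sev := "medium"
			if !st.lastDiscovery.IsZero() && e.Time.Sub(st.lastDiscovery) <= window {
				sev = "high" // reconnaissance followed by a new account: the chain in the reporting
			}
			st.created[m[1]] = true
			alerts = append(alerts, Alert{e.Time, e.Host, sev, fmt.Sprintf("local account %q created under RMM agent", m[1])})
		} else if m := adminAdd.FindStringSubmatch(cmd); m != nil {
			sev := "medium"
			if st.created[m[1]] {
				sev = "high"
			}
			alerts = append(alerts, Alert{e.Time, e.Host, sev, fmt.Sprintf("%q added to local Administrators under RMM agent", m[1])})
		} else if isDiscovery(cmd) {
			st.lastDiscovery = e.Time
		}
	}
	return alerts, nil
}

// Constructed sample telemetry (not real logs): four events under the agent on one host,
// then an account creation from an interactive session on another host, which must not alert.
var sampleLines = []string{
	"2025-02-06T09:14:05Z\tWS-FIN-07\tC:\\ProgramData\\JWrapper-Remote Access\\Remote Access.exe\tnltest /dclist:corp",
	"2025-02-06T09:14:09Z\tWS-FIN-07\tC:\\ProgramData\\JWrapper-Remote Access\\Remote Access.exe\tsc query csagent",
	"2025-02-06T09:15:30Z\tWS-FIN-07\tC:\\ProgramData\\JWrapper-Remote Access\\Remote Access.exe\tnet user sqlbackup Passw0rd! /add",
	"2025-02-06T09:15:33Z\tWS-FIN-07\tC:\\ProgramData\\JWrapper-Remote Access\\Remote Access.exe\tC:\\Windows\\system32\\net1 localgroup administrators sqlbackup /add",
	"2025-02-06T10:02:11Z\tSRV-DB-01\tC:\\Windows\\explorer.exe\tnet user temp Pw1! /add",
}

func main() {
	alerts, err := Detect(sampleLines)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s %s %-6s %s\n", a.Time.Format(time.RFC3339), a.Host, a.Severity, a.Reason)
	}
}
```

The parent-process scoping is what keeps this from paging on every administrator who runs `nltest`; the trade-off is that an attacker who migrates out of the agent process before running commands slips past it, so pair it with the backdoor and file-drop indicators from the reporting rather than relying on it alone.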
Trimble Cityworks, a GIS-centric asset management and permitting platform, is affected by a deserialization vulnerability (CVE-2025-0994) that has been exploited as a zero-day in attacks on local governments and utilities. The flaw lets an authenticated attacker achieve remote code execution on the underlying IIS web server, and in the observed attacks it was used to deliver malware.
Microsoft released a PowerShell script that updates bootable Windows media with boot files signed by the “Windows UEFI CA 2023” certificate, part of its mitigations against the BlackLotus UEFI bootkit, which bypasses Secure Boot. The mitigation ultimately revokes the older “Microsoft Windows Production PCA 2011” signer, so media whose boot manager is signed only by that certificate stops booting on updated systems; organizations need the refreshed media in place before rolling the revocation out across their fleet, legacy systems included.
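To check whether a machine’s Secure Boot db already carries the new CA, the following Go program, added here and not part of Microsoft’s script, parses the raw db variable (the UEFI EFI_SIGNATURE_LIST format) and looks for a certificate with that subject CN; the same function over dbx tells you whether the 2011 PCA has been revoked yet. The GUIDs and layout come from the UEFI specification; the sample db it builds, including a throwaway self-signed certificate carrying the CN, is constructed so the example runs offline and is not Microsoft’s certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"fmt"
	"math/big"
	"time"
)

// EFI_CERT_X509_GUID and EFI_CERT_SHA256_GUID in on-disk (mixed-endian) byte order.
var certX509 = [16]byte{0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72}
var certSHA256 = [16]byte{0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, 0x92, 0x40, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28}

// Entry is one EFI_SIGNATURE_DATA: owner GUID plus payload (DER certificate or SHA-256 digest).
type Entry struct {
	Type, Owner [16]byte
	Data        []byte
}

// ParseSignatureLists walks the EFI_SIGNATURE_LIST structures in db/dbx: 16-byte type GUID,
// three little-endian uint32 (list, header and signature size), optional header, fixed-size signatures.
func ParseSignatureLists(data []byte) ([]Entry, error) {
	var out []Entry
	for off := 0; off < len(data); {
		if len(data)-off < 28 {
			return nil, fmt.Errorf("truncated list header at offset %d", off)
		}
		var typ [16]byte
		copy(typ[:], data[off:])
		le := binary.LittleEndian
		ls, hs, ss := int(le.Uint32(data[off+16:])), int(le.Uint32(data[off+20:])), int(le.Uint32(data[off+24:]))
		// Sizes must fit the buffer and the list, and signatures must divide the remainder evenly.
		if ls > len(data)-off || hs > ls-28 || ss <= 16 || (ls-28-hs)%ss != 0 {
			return nil, fmt.Errorf("inconsistent list header at offset %d", off)
		}
		sigs := data[off+28+hs : off+ls]
		for i := 0; i < len(sigs); i += ss {
			var owner [16]byte
			copy(owner[:], sigs[i:])
			out = append(out, Entry{typ, owner, sigs[i+16 : i+ss]})
		}
		off += ls
	}
	return out, nil
}

// HasCert reports whether an X.509 entry carries the given subject CN; entries of other
// types or that fail to parse are skipped (dbx in particular can hold vendor-specific blobs).
func HasCert(entries []Entry, cn string) bool {
	for _, e := range entries {
		if c, err := x509.ParseCertificate(e.Data); e.Type == certX509 && err == nil && c.Subject.CommonName == cn {
			return true
		}
	}
	return false
}

// BuildSignatureList encodes one EFI_SIGNATURE_LIST from equal-length signatures
// (which is why firmware keeps each certificate in a list of its own).
func BuildSignatureList(typ, owner [16]byte, sigs [][]byte) []byte {
	ss := 16 + len(sigs[0])
	b := append([]byte{}, typ[:]...)
	for _, v := range []uint32{uint32(28 + ss*len(sigs)), 0, uint32(ss)} {
		b = binary.LittleEndian.AppendUint32(b, v)
	}
	for _, s := range sigs {
		b = append(append(b, owner[:]...), s...)
	}
	return b
}

// SelfSignedCert is a throwaway CA with the requested CN; it stands in for the real
// Microsoft certificate only so that the example runs offline.
func SelfSignedCert(cn string) []byte {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return der
}

// SampleDB is a constructed db: one certificate list followed by a two-entry SHA-256 list.
func SampleDB() []byte {
	owner := [16]byte{0x77, 0xfa, 0x9a, 0xbd, 0x02, 0x6b} // arbitrary constructed owner GUID
	certs := BuildSignatureList(certX509, owner, [][]byte{SelfSignedCert("Windows UEFI CA 2023")})
	a, b := sha256.Sum256([]byte("constructed image A")), sha256.Sum256([]byte("constructed image B"))
	return append(certs, BuildSignatureList(certSHA256, owner, [][]byte{a[:], b[:]})...)
}

func main() {
	entries, _ := ParseSignatureLists(SampleDB()) // constructed input, cannot be malformed
	fmt.Printf("%d entries; Windows UEFI CA 2023 present: %v\n", len(entries), HasCert(entries, "Windows UEFI CA 2023"))
}
```

To run it against a real machine, feed ParseSignatureLists the variable’s payload bytes: on Windows these are `(Get-SecureBootUEFI db).bytes` (and `dbx` for the revocation list), on Linux the file `/sys/firmware/efi/efivars/db-d719b2cb-3d16-4a3b-aa4c-b9c60a7f5d6f` minus its first four bytes, which efivarfs uses for the variable attributes. A db without the 2023 CA is the state in which revoking the 2011 PCA would leave the system unbootable, which is exactly why the media update comes first.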
The Lazarus Group, a North Korean APT, ran a LinkedIn recruiting scam against a Bitdefender researcher, aiming to deliver malware and capture credentials; the lure was detected and its payload analyzed in a sandbox. Lazarus is known for elaborate social engineering and credential harvesting, and the campaign shows why security professionals themselves are targets, both for espionage and as a route into the supply chains they touch. Its use of a professional networking platform as the delivery channel is one more sign of how the group keeps adapting its tactics.
A malicious package has been discovered in the Go ecosystem, imitating the BoltDB package and carrying a backdoor that allows remote code execution. It abused the Go Module Mirror’s caching: once a module version has been fetched through the proxy it is cached and served unchanged, so after the backdoored version was cached the attacker moved the git tag on GitHub to point at clean code. Developers who manually audited the repository found nothing malicious, while the mirror kept serving the cached backdoored version, letting the malware persist undetected for an extended period.
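How that evades review, as an added example and not code from the package or from the Go project: go.sum and the checksum database pin a module version by an h1: hash over the module’s files, so what the mirror cached cannot change later, while a moved git tag changes what a direct VCS fetch returns. The program below reimplements the h1 algorithm (the same construction as golang.org/x/mod/sumdb/dirhash.Hash1) over two constructed in-memory snapshots of a hypothetical module, example.com/boltdb-look-alike, and shows the mismatch such a tag move produces.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// ModuleFiles is an in-memory module snapshot: path inside the module zip
// (Go prefixes every file with "<module>@<version>/") -> contents.
type ModuleFiles map[string][]byte

// Hash1 computes the "h1:" hash recorded in go.sum and by sum.golang.org, following
// golang.org/x/mod/sumdb/dirhash.Hash1: sort the file names, SHA-256 each file, feed one
// "<hex digest>  <name>\n" line per file into an outer SHA-256, and base64 the result.
func Hash1(files ModuleFiles) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	outer := sha256.New()
	for _, name := range names {
		inner := sha256.Sum256(files[name])
		fmt.Fprintf(outer, "%x  %s\n", inner[:], name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(outer.Sum(nil))
}

// CheckPinnedSum is the verification the go command performs against go.sum and the
// checksum database: the recomputed hash must equal the recorded one exactly.
func CheckPinnedSum(recorded string, files ModuleFiles) error {
	if got := Hash1(files); got != recorded {
		return fmt.Errorf("checksum mismatch: recorded %s, computed %s", recorded, got)
	}
	return nil
}

// Constructed snapshots of a hypothetical look-alike module (not the real package).
const prefix = "example.com/boltdb-look-alike@v1.3.1/"

// AsFirstPublished is what the mirror fetched and cached: Get() also hands the
// key/value pair to a hypothetical exfil() before returning it.
func AsFirstPublished() ModuleFiles {
	return ModuleFiles{
		prefix + "go.mod":  []byte("module example.com/boltdb-look-alike\n\ngo 1.21\n"),
		prefix + "bolt.go": []byte("package bolt\n\nfunc Get(k []byte) []byte { exfil(k, db[k]); return db[k] }\n"),
	}
}

// AfterTagMove is what the same tag points at once the attacker re-tagged a clean
// commit: the code a reviewer sees on GitHub.
func AfterTagMove() ModuleFiles {
	s := AsFirstPublished()
	s[prefix+"bolt.go"] = []byte("package bolt\n\nfunc Get(k []byte) []byte { return db[k] }\n")
	return s
}

func main() {
	cached := Hash1(AsFirstPublished()) // recorded by the mirror and sum.golang.org at first fetch
	fmt.Println("mirror/sumdb recorded:", cached)
	fmt.Println("direct VCS fetch now :", Hash1(AfterTagMove()))
	// A verification failure here is the signal that the tag was moved after caching.
	fmt.Println(CheckPinnedSum(cached, AfterTagMove()))
}
```

Against a real module the check is `GOPROXY=direct go mod download -json <module>@<version>`: the go command then fetches from the VCS and verifies the result against sum.golang.org, and a verification error means the tag no longer points at what the mirror and checksum database recorded, which is the copy your builds actually use. Auditing the source tree the tag currently points at, as the developers in this case did, verifies nothing about that cached copy.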
Gravy Analytics faces another lawsuit due to a potential data breach involving the location coordinates of millions of smartphones. The data was harvested from installed apps, raising privacy concerns. This is the fourth time the company has been sued for allegedly failing to protect user data. The stolen coordinates could be used for tracking and profiling individuals, posing significant risks to personal security and privacy. Legal actions and regulatory scrutiny may increase for data brokers handling sensitive location data.
Zyxel has announced that it will not be releasing patches for two actively exploited zero-day vulnerabilities, CVE-2024-40890 and CVE-2024-40891, affecting multiple legacy DSL CPE products. These vulnerabilities allow attackers to execute arbitrary commands. A Mirai botnet variant is exploiting CVE-2024-40891 in the wild. Zyxel recommends that users replace the end-of-life products with newer-generation devices for optimal protection.
The lack of patches for these exploited vulnerabilities in Zyxel devices poses a significant risk to users who continue to use them. This incident highlights the importance of vendors providing ongoing security support for their products, even after they reach end-of-life.
End-of-life (EOL) Zyxel routers are under attack via CVE-2024-40891 with no patch coming, so affected users should replace them; Netgear, by contrast, has released patches for its affected routers, and those should be upgraded. Separately, Veeam published an advisory for a vulnerability in the Veeam Updater component that allows a man-in-the-middle (MitM) attacker to execute arbitrary code with root privileges on the affected appliance server. Affected products include Veeam Backup for Salesforce, Nutanix AHV, AWS, Microsoft Azure, Google Cloud, and Oracle Linux Virtualization Manager/Red Hat Virtualization.
Five Eyes cybersecurity agencies (UK, Australia, Canada, New Zealand, and the US) have jointly issued guidance urging makers of network edge devices and appliances to improve forensic visibility. The aim is to help defenders detect attacks and investigate breaches more effectively. This guidance emphasizes the importance of robust security measures for devices that form the perimeter of networks, such as firewalls, routers, and VPN gateways.
Network edge devices are often targeted by adversaries to infiltrate critical infrastructure networks and systems. Improving forensic visibility can enable quicker detection and response to security incidents, minimizing potential damage and downtime. The guidance is intended for both device manufacturers and critical infrastructure owners and operators.
A zero-click spyware attack, attributed to the Israeli firm Paragon, targeted around 90 WhatsApp users, including journalists and civil society members. Targets were added to WhatsApp groups and sent malicious PDFs, and because the exploit was zero-click the victim did not have to open anything for the device to be compromised. The campaign shows both the sophistication of current mobile zero-click techniques and the particular exposure of journalists and activists. WhatsApp has taken steps to neutralize the attack and has notified all the victims.
Grubhub, a popular food-ordering and delivery platform, has confirmed a data breach affecting the personal information of both customers and drivers. An unauthorized third-party accessed Grubhub’s systems, compromising contact information and partial payment details for some users. The company is urging affected users to change their passwords.
The breach highlights the risks associated with third-party service providers and the importance of robust security measures to protect sensitive user data. It also underscores the need for users to be vigilant about their online security and to take steps to protect their personal information.
Andean Medjedovic, a 22-year-old Canadian national, has been criminally charged for allegedly exploiting vulnerabilities in the KyberSwap and Indexed Finance decentralized finance (DeFi) protocols. These exploits resulted in the theft of approximately $65 million in cryptocurrency from investor funds. The accused is charged with wire fraud, unauthorized damage to a protected computer, attempted Hobbs Act extortion, money laundering conspiracy, and money laundering. Medjedovic remains at large, and authorities are actively pursuing his apprehension.
The exploitation of KyberSwap and Indexed Finance underscores the persistent security challenges within the DeFi ecosystem. Medjedovic allegedly laundered the stolen funds through a series of transactions designed to conceal the source and ownership of the funds, utilizing bridging transactions and crypto mixers. This case highlights the need for robust security audits and proactive measures to safeguard against vulnerabilities in smart contracts and DeFi platforms.