  • ✇Check Point Research
  • 19th January – Threat Intelligence Report tomersp@checkpoint.com

19th January – Threat Intelligence Report

19 January 2026, 05:55

For the latest discoveries in cyber research for the week of 19th January, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Spanish energy company Endesa has disclosed a data breach after unauthorized access to a commercial platform used to manage customer information. Media report attackers listed over 1 terabyte of data, including IBANs, for sale.
  • Belgian hospital AZ Monica has experienced a cyberattack that forced the shutdown of IT systems across its Deurne and Antwerp campuses. Surgeries were canceled, emergency capacity reduced, and the Red Cross transferred seven critical patients, while radiology, imaging, and chemotherapy were postponed and doctors lacked access to electronic records.
  • South Korean conglomerate Kyowon has reported a ransomware attack disrupting operations and potentially exposing customer information. Authorities estimate up to 9.6 million accounts could be affected, with approximately 600 of 800 servers compromised, while the company assesses data exposure and no group has claimed responsibility.
  • US digital investment advisor Betterment has disclosed a breach after a social engineering attack on a third party marketing platform enabled access used to send crypto phishing emails. Exposed data includes names, emails, postal addresses, phone numbers, and dates of birth, while customer accounts were not compromised.
  • Eurail, operator of Interrail and Eurail passes, has disclosed a security incident affecting customers and seat reservations. Reports note exposure of personal, order, and reservation details, with some outlets referencing possible ID document copies and banking identifiers. DiscoverEU travelers may also be affected.
  • Anchorage Police Department (APD) has addressed a third party incident tied to Whitebox Technologies, a data migration vendor supporting multiple agencies. APD disabled vendor access and removed remaining data from provider systems, noting no evidence of APD data misuse as mitigation steps continued.
  • Armenia’s government has acknowledged a potential leak after an actor advertised eight million records allegedly from official systems for 2,500 dollars. Early indications suggest the data may stem from an electronic civil litigation platform, and authorities are validating the claims.
  • US nonprofit Central Maine Healthcare has disclosed a breach affecting 145,381 individuals after intruders persisted on its network between March and June 2025. Compromised data includes personal, treatment, and insurance information. Notifications began this month across affected communities in central, western, and mid-coast Maine.

VULNERABILITIES AND PATCHES

  • Check Point Research observed active exploitation of CVE-2025-37164 in HPE OneView, a CVSS 10.0 remote code execution flaw impacting versions 5.20 through 10.20. RondoDox botnet exploited this vulnerability starting January 7th. The exploitation was reported to CISA, which added the bug to KEV.

Check Point IPS provides protection against this threat (HPE OneView Remote Code Execution (CVE-2025-37164))

  • Microsoft January Patch Tuesday addressed 114 vulnerabilities, including one actively exploited zero-day, CVE-2026-20805 in Desktop Window Manager. Eight critical flaws were fixed across Windows and components.

Check Point IPS provides protection against this threat (Microsoft Desktop Windows Manager Information Disclosure (CVE-2026-20805))

  • A patch was released for CVE-2026-23550 in the Modular DS WordPress plugin, rated maximum severity. Active exploitation began January 13 and allows unauthenticated admin takeover via exposed routes. Users should upgrade to version 2.5.2 from 2.5.1 or earlier immediately.
  • A critical flaw (CVE-2025-36911) in Google’s Fast Pair protocol enables hijacking of Bluetooth audio accessories, eavesdropping, and tracking. Fixes require firmware updates from device vendors rather than phone updates, with many impacted models pending patches.

THREAT INTELLIGENCE REPORTS

  • Check Point Research recorded a sharp December surge in cyber attacks in Latin America, where organizations averaged 3,065 weekly hits, a 26% year-over-year increase, while the global average reached 2,027 attacks. Ransomware activity accelerated with 945 publicly reported attacks, a 60% increase year over year.
  • Check Point Research has revealed VoidLink, a cloud-native Linux framework with loaders, implants, rootkits, and modular plugins designed for persistence across containers and Kubernetes. It uses rootkits and over 30 modular plugins for credential theft, lateral movement, and covert communication. The toolkit appears China-affiliated and is rapidly evolving, yet no real-world infections have been confirmed.
  • Check Point Research uncovered the Sicarii ransomware-as-a-service operation, emerging in late 2025, which uses explicit Israeli/Jewish branding despite Russian-language activity and limited Hebrew proficiency, suggesting possible identity manipulation. The malware geo-fences to avoid Israeli systems, steals data and credentials, scans networks and attempts Fortinet exploitation.
  • Check Point Research identified Microsoft as the most impersonated brand in its Q4 2025 brand phishing ranking, representing 22 percent of attempts, with Google at 13 percent and Amazon at 9 percent. Campaigns spoofed Roblox, Netflix account recovery, and Spanish Facebook pages to steal credentials, enabling account takeover and enterprise access.

The post 19th January – Threat Intelligence Report appeared first on Check Point Research.

  • ✇Check Point Research
  • 17th November – Threat Intelligence Report tomersp@checkpoint.com

17th November – Threat Intelligence Report

17 November 2025, 08:04

For the latest discoveries in cyber research for the week of 17th November, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Cl0p’s Oracle E-Business Suite (CVE-2025-61882) zero-day campaign continues to expand. There are new confirmed breaches at The Washington Post, Logitech, Allianz UK, and GlobalLogic, as well as a newly listed but unconfirmed breach involving the British National Health Service (NHS). The group has leaked data sets ranging from gigabytes to terabytes and is sending extortion emails to Oracle EBS customers. Oracle has issued emergency patches, but investigations indicate exploitation began months before disclosure.

Check Point IPS provides protection against this threat (Oracle Concurrent Processing Remote Code Execution)

  • Payment processor Checkout.com has disclosed a data breach by the ShinyHunters threat group. Attackers accessed documents from a legacy cloud storage system that wasn’t properly decommissioned, potentially affecting about 25% of current merchants. That being said, no payment card numbers or funds were compromised. The company is notifying impacted parties and regulators.
  • DoorDash, a food delivery company, has confirmed a data breach after an employee fell victim to a social engineering scam. Contact details including names, physical addresses, email addresses, and phone numbers were accessed across the US, Canada, Australia, and New Zealand.
  • Ransomware group dubbed “J Group” claims to have breached Australian engineering firm IKAD. The group has reportedly exfiltrated 800GB of data by exploiting a VPN flaw and maintaining undetected access for five months. IKAD confirmed a cyber incident and the theft of non-sensitive contract and HR information, while denying exposure of classified defence data.
  • Pro-Russian group NoName057(16) launched DDoS attacks disrupting Danish government, municipal, and defense-related websites, including the Ministry of Transport, Borger.dk, and Terma. The outages were brief with no data loss, and the activity aligns with wider pro-Russia targeting of European institutions.
  • Port Alliance, a Russian port operator handling coal and fertilizer exports, has reported three days of cyberattacks combining DDoS and attempted network intrusions. Terminals remain operational, but digital services were disrupted by a botnet of more than 15,000 rotated IP addresses. The goal of the attack was to destabilize operations and disrupt business processes.
  • Princeton University disclosed a breach of its Advancement database on November 10, lasting less than 24 hours before attackers were removed. The compromised database contained names, contact information, and fundraising records for alumni, donors, faculty, students, and parents, but did not include Social Security numbers, passwords, or financial information.

VULNERABILITIES AND PATCHES

  • Microsoft’s October Patch Tuesday addressed 63 vulnerabilities, including an actively exploited Windows zero-day, CVE-2025-62215, a kernel privilege escalation flaw used to gain admin access. It also addressed CVE-2025-60724, a critical GDI+ vulnerability rated 9.8 enabling remote code execution via malicious documents or uploaded files, impacting Windows and Office.

Check Point IPS provides protection against this threat (Microsoft Windows Kernel Privilege Escalation (CVE-2025-62215))

  • Researchers uncovered CVE-2025-20337 and CVE-2025-5777, critical zero-day flaws in Cisco Identity Service Engine and Citrix products actively exploited against internet-facing systems. The flaws enable remote code execution without login, administrator access, and deployment of custom in-memory webshells. Exploitation began before disclosure or complete patches.

Check Point IPS provides protection against these threats (Cisco Identity Services Engine Remote Code Execution (CVE-2025-20337), Citrix NetScaler Out-of-Bounds Read (CVE-2025-5777))

  • Researchers analyzed CVE-2025-12480, a critical authentication bypass in the Triofox enterprise file sharing platform (CVSS 9.1). Attackers are actively exploiting it to create admin accounts and run code via the built-in antivirus feature, installing remote access tools and tunneling RDP.

Check Point IPS provides protection against this threat (Gladinet Triofox Authentication Bypass (CVE-2025-12480))

THREAT INTELLIGENCE REPORTS

  • Check Point Research reports on a fragmented ransomware landscape in Q3 2025, with 85 active groups and 1,592 victims listed across leak sites, averaging 535 victims per month. Qilin led activity while LockBit 5.0 returned, signaling potential recentralization. Manufacturing and business services remained the most affected sectors.
  • Check Point Research published its October 2025 global threat report, highlighting a continued rise in cyberattacks, with organizations averaging 1,938 weekly attacks (+5% YoY) and ransomware incidents surging 48% YoY. The report also notes escalating GenAI-related data leakage risks, with 1 in 44 enterprise prompts exposing sensitive information.
  • Check Point researchers analyzed a phishing campaign abusing Meta’s Facebook Business Suite and the facebookmail.com domain to deliver convincing fake notifications. More than 40,000 emails targeted over 5,000 organizations across the US, Europe, Canada, and Australia, targeting SMBs in advertising-reliant sectors, bypassing filters, and directing victims to credential-harvesting sites.
  • Check Point researchers profiled the Payroll Pirates, a malvertising network impersonating payroll systems, credit unions, and trading platforms in the US. Using Google and Microsoft ads, cloaking, and Telegram bots to bypass authentication codes, it has targeted over 200 interfaces and lured more than 500,000 users, with activity spiking in September 2025.

The post 17th November – Threat Intelligence Report appeared first on Check Point Research.

  • ✇Check Point Research
  • 10th November – Threat Intelligence Report tomersp@checkpoint.com

10th November – Threat Intelligence Report

10 November 2025, 10:39

For the latest discoveries in cyber research for the week of 10th November, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • The US Congressional Budget Office (CBO) has confirmed a cyber attack that resulted in a suspected foreign threat actor breaching its network and potentially exposing sensitive communications between congressional offices and CBO analysts. The incident may have led to the compromise of draft reports, economic forecasts, internal emails, and other confidential data. The attack has been attributed to the Chinese state-sponsored APT group known as Silk Typhoon.
  • Hyundai AutoEver America was hit by a cyber attack that resulted in unauthorized access to its IT environment, exposing sensitive personal information, including names, Social Security Numbers, and driver’s license numbers. The attack, which occurred between February 22 and March 2, 2025, affected employees, customers, or users, although the exact number of affected individuals remains unclear.
  • Swedish IT systems supplier Miljödata has suffered a data breach that resulted in the exposure and theft of personal data belonging to up to 1.5 million individuals, including names, email addresses, physical addresses, phone numbers, government IDs, and dates of birth. The incident disrupted operations across multiple Swedish municipalities, affecting both children and protected identity subjects. The stolen data was published on the dark web by the threat group Datacarry.
  • Japanese media giant Nikkei has experienced a cyber-attack caused by malware infection. The attack resulted in unauthorized access to its Slack messaging platform, exposing the personal information of over 17,000 employees and business partners, including names, email addresses, and chat histories.
  • Polish online loan platform SuperGrosz, operated by AIQLABS, has disclosed a breach exposing personal data of at least 10,000 customers, including names, addresses, ID and tax numbers, phone contacts, employment details, and bank account numbers. The disclosure follows a separate distributed denial-of-service (DDoS) attack on the Polish mobile payment leader Blik that disrupted instant transfers and cash withdrawals. No actor has claimed responsibility, though Polish authorities have suggested a possible Russian link to the Blik attack.
  • SonicWall has confirmed that a state-sponsored threat actor was behind the September attack that resulted in the theft of all firewall configuration files stored in its cloud backup environment via an API call. The breach exposed encrypted credentials and device configuration data contained in those files, enabling potential targeted attacks. All customers who used the cloud backup service were affected.

VULNERABILITIES AND PATCHES

  • Check Point Research has uncovered four critical vulnerabilities in Microsoft Teams that allow attackers to impersonate users, manipulate messages, notifications, displayed names and forge caller identities in video and audio calls. Microsoft fixed the flaws and officially tracked the notification spoofing flaw as CVE-2024-38197.
  • Check Point Research detected an exploit that drained $128.64M from Balancer V2. The attacker combined a rounding error vulnerability in a certain function with carefully crafted batchSwap operations, which allowed them to artificially suppress Balancer Pool Token prices and extract value through repeated arbitrage cycles.
  • A critical remote command execution vulnerability, CVE-2025-48703, affecting CentOS Web Panel (CWP) versions prior to 0.9.8.1204 is actively being exploited in the wild. It enables remote, unauthenticated attackers with knowledge of a valid username to execute arbitrary shell commands as that user. A patch addressing the issue was released in version 0.9.8.1205.

Check Point IPS provides protection against this threat (CentOS Web Panel Command Injection (CVE-2025-48703))

  • Cisco warns of a new attack variant targeting Secure Firewall ASA and FTD that exploits CVE-2025-20333 (RCE as root via crafted HTTP) and CVE-2025-20362 (unauthenticated restricted-URL access), causing unpatched devices to reload into DoS. Both flaws were previously abused as zero-days in late September to deliver RayInitiator and LINE VIPER malware.

Check Point IPS provides protection against this threat (Cisco Multiple Products Buffer Overflow (CVE-2025-20333); Cisco Multiple Products Authentication Bypass (CVE-2025-20362))

THREAT INTELLIGENCE REPORTS

  • Check Point Research demonstrated a new way to use ChatGPT for malware analysis directly from the web interface, analyzing XLoader malware. The workflow using exported IDA data enables static analysis, rapid decryption, IoC extraction, and hidden C2 discovery.

Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Trojan.Wins.Xloader; Trojan.Win.Xloader; Trojan.Wins.Xloader.ta.*)

  • Check Point discovered AI-driven pharma scams that deepfake doctors and clinics to sell counterfeit drugs. Infrastructure shows more than 500 fake social pages daily using shared IPs, cloned site kits, AI imagery, deepfake ads/voice cloning, and spoofed clinic sites, with automated “fraud kits”.
  • Researchers identified AI-powered malware families, including FRUITSHELL, PROMPTSTEAL and QUIETVAULT, which were observed in real operations. These malware strains leveraged LLMs like Gemini for evasive, dynamic attacks on Ukraine and worldwide victims. The researchers also found PROMPTFLUX, an experimental malware family that employed AI capabilities mid-execution to dynamically alter the malware’s behavior.

The post 10th November – Threat Intelligence Report appeared first on Check Point Research.
