Cybersecurity Roundup: Major Breaches, State-Backed Threats, and Critical Vulnerabilities
A wave of high-profile cyber incidents, state-sponsored attacks, and critical vulnerabilities has dominated recent cybersecurity news.
Law Enforcement Actions & Espionage
Spanish police arrested a young hacker for exploiting a payment gateway to book luxury hotel stays for just one cent. Meanwhile, a former U.S. defense contractor executive received an 87-month prison sentence for selling stolen trade secrets, including zero-day exploits, to a Russian broker. In a separate case, a Romanian national pleaded guilty to selling unauthorized access to Oregon state government networks and other U.S. victims.
State-Backed Threats & APT Activity
Google’s Threat Intelligence Group (GTIG) disrupted a China-linked APT, UNC2814, halting attacks on 53 organizations across 42 countries. The Lazarus Group, a North Korean APT, deployed Medusa ransomware against a Middle East target, while APT28 (Russia) launched Operation MacroMaze, exploiting webhooks for covert data exfiltration. Dutch intelligence warned of Russia escalating hybrid attacks, preparing for a prolonged standoff with Western nations.
Critical Vulnerabilities & Exploits
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added multiple flaws to its Known Exploited Vulnerabilities (KEV) catalog, including:
- A Soliton Systems K.K. FileZen vulnerability.
- Cisco SD-WAN flaws, abused since 2023 for full admin control.
- BeyondTrust (CVE-2026-1731) and VMware Aria Operations vulnerabilities enabling remote attacks.
Juniper issued an emergency patch for a critical PTX router RCE flaw, while Check Point researchers exposed flaws in Claude Code that could turn untrusted repositories into attack vectors.
Ransomware & Data Breaches
- Everest ransomware hit Vikor Scientific’s supplier, stealing data of 140,000 patients.
- ShinyHunters breached CarGurus, exposing 12.4 million users.
- ManoMano, a European DIY chain, suffered a breach impacting 38 million customers.
- Canadian Tire disclosed a 2025 breach affecting 38 million users.
- Olympique Marseille confirmed an attempted cyberattack following a data leak.
Emerging Threats & AI Risks
- 12 million exposed .env files revealed widespread security misconfigurations.
- Aeternum, a new botnet, hides commands in Polygon smart contracts.
- An AI-powered campaign compromised 600 FortiGate systems globally.
- Arkanix Stealer, an AI-assisted info-stealer, briefly operated before shutting down.
- CrowdStrike reported attackers moving through networks in under 30 minutes.
Geopolitical & Industry Developments
- Apple’s iPhone and iPad became the first consumer devices cleared for NATO ‘RESTRICTED’ classification.
- The U.S. Treasury sanctioned an exploit broker network for theft and sale of government cyber tools.
- Iran’s internet faced near-total blackouts amid U.S. and Israeli strikes.
- Ukraine reported cyberattacks on its energy grid being used to guide missile strikes.
Malware & Campaigns
- UAT-10027, a stealthy campaign, targeted U.S. education and healthcare with the Dohdoor backdoor.
- Starkiller, a phishing service, proxies real login pages, including MFA.
- North Korean actors deployed Medusa ransomware in a Middle East attack.
- A wormable XMRig campaign used BYOVD (Bring Your Own Vulnerable Driver) and a timed kill switch for stealth.
The past week underscored the growing sophistication of cyber threats, from state-sponsored espionage to AI-driven attacks and large-scale data breaches.
```json
{
  "id": "CISVMWJUNCAN1772332146",
  "linkid": "cisco, vmware, juniper-networks, canadian_institute_cybersecurity",
  "type": "Breach",
  "date": "1/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
```
```python
{
    'affected_entities': [
        {'customers_affected': '140,000 patients',
         'industry': 'Healthcare',
         'name': 'Vikor Scientific’s supplier',
         'type': 'Healthcare Supplier'},
        {'customers_affected': '12.4 million users',
         'industry': 'Automotive',
         'name': 'CarGurus',
         'type': 'E-commerce'},
        {'customers_affected': '38 million customers',
         'industry': 'Retail (DIY)',
         'location': 'Europe',
         'name': 'ManoMano',
         'type': 'E-commerce'},
        {'customers_affected': '38 million users',
         'industry': 'Retail',
         'location': 'Canada',
         'name': 'Canadian Tire',
         'type': 'Retail'},
        {'industry': 'Sports',
         'location': 'France',
         'name': 'Olympique Marseille',
         'type': 'Sports Organization'},
        {'industry': 'Defense',
         'location': 'U.S.',
         'name': 'U.S. Defense Contractor',
         'type': 'Government Contractor'},
        {'industry': 'Public Sector',
         'location': 'U.S.',
         'name': 'Oregon State Government',
         'type': 'Government'},
        {'industry': 'Multiple',
         'location': '42 countries',
         'name': '53 Organizations (UNC2814 Targets)',
         'type': 'Various'},
    ],
    'attack_vector': [
        'Exploited Vulnerabilities',
        'Phishing',
        'Zero-Day Exploits',
        'Webhooks Exploitation',
        'AI-Powered Attacks',
        'Supply Chain Attack',
    ],
    'data_breach': {
        'data_encryption': ['Yes (Ransomware)'],
        'data_exfiltration': ['Yes'],
        'file_types_exposed': ['.env files'],
        'number_of_records_exposed': ['140,000', '12.4 million', '38 million', '38 million'],
        'personally_identifiable_information': ['Yes'],
        'sensitivity_of_data': ['High', 'Medium'],
        'type_of_data_compromised': [
            'Patient data',
            'User data',
            'Customer data',
            'Trade secrets',
            'Government network access',
        ],
    },
    'description': 'A wave of high-profile cyber incidents, state-sponsored attacks, and critical '
                   'vulnerabilities has dominated recent cybersecurity news, including law '
                   'enforcement actions, state-backed threats, ransomware attacks, data breaches, '
                   'and emerging AI-driven threats.',
    'impact': {
        'brand_reputation_impact': ['Olympique Marseille', 'Canadian Tire', 'ManoMano'],
        'data_compromised': [
            '140,000 patients (Vikor Scientific supplier)',
            '12.4 million users (CarGurus)',
            '38 million customers (ManoMano)',
            '38 million users (Canadian Tire)',
        ],
        'identity_theft_risk': ['140,000 patients', '12.4 million users', '38 million customers'],
        'operational_impact': ['Disrupted services', 'Data exfiltration', 'Network compromise'],
        'systems_affected': [
            'Payment gateways',
            'Government networks',
            'Healthcare systems',
            'E-commerce platforms',
            'Energy grids',
            'NATO-classified devices',
        ],
    },
    'initial_access_broker': {'data_sold_on_dark_web': ['Yes (Romanian national)']},
    'motivation': ['Financial Gain', 'Espionage', 'Data Theft', 'Sabotage', 'Geopolitical'],
    'ransomware': {
        'data_encryption': ['Yes'],
        'data_exfiltration': ['Yes'],
        'ransomware_strain': ['Medusa', 'Everest'],
    },
    'references': [
        {'source': 'Google’s Threat Intelligence Group (GTIG)'},
        {'source': 'CISA Known Exploited Vulnerabilities (KEV) Catalog'},
        {'source': 'Check Point Research'},
        {'source': 'CrowdStrike'},
    ],
    'regulatory_compliance': {
        'legal_actions': [
            '87-month prison sentence (U.S. defense contractor executive)',
            'Guilty plea (Romanian national)',
        ],
    },
    'response': {
        'law_enforcement_notified': ['Spanish Police', 'U.S. Law Enforcement'],
        'remediation_measures': ['Emergency patch for Juniper PTX router', 'Disruption of UNC2814 attacks'],
        'third_party_assistance': ['Google’s Threat Intelligence Group (GTIG)'],
    },
    'threat_actor': [
        'UNC2814 (China)',
        'Lazarus Group (North Korea)',
        'APT28 (Russia)',
        'ShinyHunters',
        'Everest Ransomware',
        'Aeternum Botnet',
        'Arkanix Stealer',
    ],
    'title': 'Cybersecurity Roundup: Major Breaches, State-Backed Threats, and Critical Vulnerabilities',
    'type': [
        'APT Activity',
        'Ransomware',
        'Data Breach',
        'Vulnerability Exploitation',
        'Espionage',
        'Malware Campaign',
    ],
    'vulnerability_exploited': [
        'Soliton Systems K.K FileZen',
        'Cisco SD-WAN flaws',
        'BeyondTrust (CVE-2026-1731)',
        'VMware Aria Operations',
        'Juniper PTX router RCE flaw',
        'Claude Code flaws',
    ],
}
```