Threat Alerts

Researchers are tracking UNC6040, a financially motivated threat group using voice phishing to target Salesforce instances for data theft and extortion. By posing as IT support, attackers trick employees into authorizing a malicious Data Loader app, exfiltrating sensitive data via modified versions, sometimes named “My Ticket Portal,” and using VPN IPs and phishing panels for credential harvesting and lateral movement across platforms like Okta and Microsoft 365, with links to “The Com” collective.

Extortion may follow months after breaches, with attackers claiming ties to ShinyHunters. Recommendation includes enforcing least privilege, restricting app access, IP-based controls, enhanced monitoring, and universal MFA to counter these social engineering tactics.

A sharp rise in deepfake-driven fraud has been observed in early 2025, with documented financial losses exceeding $200 million across sectors. These incidents increasingly involve advanced real-time voice and video impersonation techniques during virtual meetings, authentication steps, and onboarding workflows. In nearly half of all known cases, attackers leveraged manipulated video—either pre-recorded or generated live—to deceive victims, often bypassing identity verification systems.

This escalation continues a broader trend identified over the past three years, with deepfake incidents growing by over 2100% since 2022. Threat actors are incorporating deepfake content into social engineering campaigns, business email compromise (BEC), and impersonation-based access attempts, reflecting the growing use of synthetic media in coordinated intrusion activity.

Cisco discovered a critical vulnerability in its Identity Services Engine (ISE) cloud deployments, tracked as CVE-2025-20286 (CVSS score 9.9). This severe security flaw exists because credentials are improperly generated when deploying ISE on major cloud platforms including Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI). The vulnerability creates a dangerous situation where the improperly generated credentials are shared across multiple ISE deployments running the same release, potentially allowing attackers to access ISE instances in different cloud environments.

The impact of this vulnerability is particularly concerning as it only affects ISE instances where the Primary Administration node is deployed in the cloud, and successful exploitation could enable attackers to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems. Cisco has emphasized the urgency of this issue by warning that there are no workarounds available and that proof-of-concept exploit code targeting this security defect already exists publicly.

The Play ransomware group, active since mid-2022, has remained one of the most aggressive and persistent ransomware threats targeting organizations across North and South America, Europe, and Australia. As of early 2025, nearly 900 entities have been affected, with Play continuing to rely on a double extortion model—exfiltrating data prior to encrypting systems and then threatening to publish the stolen material if ransom demands are not met. The recent advisory update emphasizes the evolving tactics of the group, including new access vectors, tooling, and deployment methods, indicating an ongoing effort to adapt and evade defensive measures.

The updated details reflect Play’s use of recently exploited vulnerabilities, including CVE-2024-57727 (CVSS Score 8.8) in remote monitoring software to achieve remote code execution. Infections begin through exposed services or compromised credentials, often purchased through dark web markets or supplied via initial access brokers. Once inside, Play operators utilize tools for discovery and lateral movement, leveraging command-line interpreters and penetration testing frameworks to escalate privileges and disable endpoint protections. Infections result in data exfiltration via file transfer utilities and subsequent file encryption using campaign-specific payloads. The binary used in each attack is uniquely compiled to evade detection and employs intermittent encryption techniques to reduce behavioral visibility.

Of particular note is the group’s expanded targeting of ESXi infrastructure. This variant uses tailored shell commands to shut down virtual machines and encrypt key VM-related files, with the ransom note embedded directly into the ESXi interface. Victims are contacted through personalized email addresses, and in many cases, by phone—wherein the attackers pressure organizations to comply. These operational updates and tooling enhancements signal that Play ransomware actors are maintaining an active development cycle and refining their methods to bypass conventional defenses and maximize extortion leverage.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued five urgent advisories addressing critical vulnerabilities across a range of industrial control systems. These flaws impact essential technologies such as electronic access control systems, fire safety panels, environmental monitoring devices, and medical imaging platforms. With CVSS scores between 8.2 and 9.3, the vulnerabilities pose serious risks to public safety, operational continuity, and national infrastructure. Affected products include Siemens SiPass, Consilium CS5000 fire panels, Instantel Micromate monitors, and unnamed medical imaging software.

The vulnerabilities involve a wide array of attack vectors, from improper cryptographic signature checks (CVE-2022-31807) and out-of-bounds reads (CVE-2022-31812) to insecure default settings (CVE-2025-41438), hardcoded credentials (CVE-2025-46352), and missing authentication mechanisms (CVE-2025-1907). In medical environments, memory corruption flaws (CVE-2025-5307) present risks of arbitrary code execution. These weaknesses can allow attackers to bypass authentication, escalate privileges, and seize full control of affected systems. In some cases, no patches are currently available, requiring hardware upgrades or network-level defenses to mitigate potential exploitation.

A coordinated global operation involving the FBI, Europol, and cybersecurity firms including ESET, Microsoft, and Cloudflare has significantly disrupted the operations of Lumma Stealer—one of the most active and widely used infostealer malware families. Lumma was responsible for over 1.7 million known attacks in the past year, operating as a professional cybercrime service with an affiliate model, Telegram-based marketplace, and a sprawling network of command-and-control (C2) infrastructure. Analysts observed hyperactive development cycles, with malware updates and new infrastructure—up to 74 new C2 domains each week—designed to support its exfiltration operations.

Beyond credential theft, Lumma Stealer was a key enabler in broader cybercrime, with stolen data often passed to ransomware operators or sold via dark web markets. While the takedown—featuring 3,353 unique domains sinkholed—will disrupt ongoing infections and curtail future spread, experts caution that the group may attempt a comeback. However, the operation has severely damaged its infrastructure and reputation, potentially undermining affiliate trust. Ongoing monitoring will be critical to prevent resurgence.