Summary of the Week
- Critical RCE vulnerabilities in widely used platforms (Veeam Backup & Replication, Langflow, Grafana) are being actively exploited, highlighting the urgent need for rapid patch management and segmentation of critical infrastructure.
- Sophisticated threat actors—including APTs and ransomware groups—are leveraging zero-day exploits (Windows WebDav), social engineering, and open-source tools to bypass traditional defenses and achieve initial access, persistence, and data exfiltration.
- The insurance sector is under targeted attack by groups like Scattered Spider, with successful breaches causing operational disruptions and extortion attempts, underscoring the importance of identity controls, employee awareness, and incident response readiness.
- High-profile organizations (Washington Post, Victoria’s Secret, Scania) continue to experience breaches involving credential theft, extortion, and business disruption, emphasizing the need for robust third-party risk management and rapid containment protocols.
- Large-scale password-spraying and account takeover campaigns (targeting Microsoft Entra ID and Grafana) demonstrate the necessity of enforcing MFA, monitoring for anomalous access, and hardening authentication processes across cloud and SaaS environments.
- Chinese state-sponsored threat actors (Salt Typhoon, Hive0154/Mustang Panda) are escalating targeted attacks on telecom, critical infrastructure, and minority communities, exploiting unpatched edge devices and leveraging advanced malware for persistent access and espionage.
- The Scattered Spider cybercrime group is executing coordinated, sector-focused attacks using sophisticated social engineering, causing major disruptions and data breaches in retail and insurance, with financial impacts reaching hundreds of millions of dollars.
- Healthcare remains a prime target, with large-scale breaches at both providers and SaaS vendors (Episource, McLaren Health Care) exposing millions of patient records, highlighting persistent weaknesses in third-party and internal security controls.
- Credential-based attacks are surging, with infostealer malware and social engineering (including creative phishing for application-specific passwords) enabling threat actors to bypass traditional defenses and gain persistent access to sensitive systems.
- Cloud and container security risks are underlined by new research showing how misconfigured or overprivileged Kubernetes containers can expose AWS credentials, emphasizing the need for strict privilege management and continuous monitoring in cloud-native environments.
Incident Analyses
China-linked Salt Typhoon Exploits Critical Cisco Vulnerability to Target Canadian Telecom
Impact: A major Canadian telecommunications provider suffered a breach after failing to patch a critical Cisco IOS XE vulnerability (CVE-2023-20198), allowing China-linked Salt Typhoon actors to access and modify network device configurations. The attackers established GRE tunnels for persistent access and potential data exfiltration, risking operational disruption, espionage, and further lateral movement. The incident highlights ongoing exposure of critical infrastructure to state-sponsored cyber threats, with potential for regulatory scrutiny and reputational harm.
Response: Canadian and U.S. authorities issued joint advisories, warning of ongoing exploitation and urging immediate patching and hardening of edge devices. The targeted company’s name was withheld, but the agencies provided technical guidance and indicators of compromise to help other organizations defend against similar attacks. The bulletin emphasized the need for urgent action across critical infrastructure sectors.
Team Nudges:
- How quickly can we identify and patch critical vulnerabilities on all edge devices?
- Are our network device configurations regularly audited for unauthorized changes or persistence mechanisms?
- Do we have a tested playbook for responding to state-sponsored attacks targeting our infrastructure?
- Are we leveraging threat intelligence to proactively defend against advanced persistent threats?
Readiness Actions:
- Prioritize and expedite patching of all critical vulnerabilities, especially on edge and network devices.
- Implement continuous vulnerability management and automated patch verification for perimeter systems.
- Conduct regular configuration audits and hardening of routers, firewalls, and VPN appliances.
- Establish robust monitoring and alerting for unauthorized configuration changes and unusual tunneling activity.
- Run tabletop exercises simulating state-sponsored attacks on network infrastructure.
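As an added illustration of the configuration-audit and tunnel-monitoring actions above (example code written for this bulletin, not from Cisco or any vendor), the Python below parses an IOS XE style running-config, lists every Tunnel interface with its mode, source and destination, and flags tunnels and global lines that are absent from an approved baseline. The device names and addresses are constructed samples; treating a tunnel with no explicit `tunnel mode` line as GRE over IP reflects the IOS default and is stated as an assumption in the code.

```python
"""Flag tunnel interfaces and global config lines that are not in an
approved baseline (constructed example for a config-drift check)."""

# Constructed baseline: the approved running-config snapshot for one edge router.
BASELINE_CONFIG = """\
!
hostname edge-rtr-01
!
interface Tunnel10
 description approved site-to-site to DC
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.0
!
"""

# Constructed "current" config: same device with an extra tunnel and a new
# privilege-15 local user, the kind of change a config audit should surface.
RUNNING_CONFIG = """\
!
hostname edge-rtr-01
!
username support privilege 15 secret PLACEHOLDER
!
interface Tunnel10
 description approved site-to-site to DC
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
!
interface Tunnel7
 ip address 192.0.2.1 255.255.255.0
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre ip
 tunnel destination 198.51.100.77
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.0
!
"""


def parse_interfaces(config):
    """Map each interface name to the list of its indented config lines."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any other top-level line closes the block
    return interfaces


def tunnel_interfaces(config):
    """Return {name: {"mode", "source", "destination"}} for every Tunnel interface."""
    result = {}
    for name, lines in parse_interfaces(config).items():
        if not name.lower().startswith("tunnel"):
            continue
        # Assumption: IOS uses GRE over IP when no "tunnel mode" line is present.
        info = {"mode": "gre ip", "source": None, "destination": None}
        for line in lines:
            for key, prefix in (("mode", "tunnel mode "),
                                ("source", "tunnel source "),
                                ("destination", "tunnel destination ")):
                if line.startswith(prefix):
                    info[key] = line[len(prefix):]
        result[name] = info
    return result


def unauthorized_tunnels(running, baseline):
    """Tunnels that are new in, or changed relative to, the approved baseline."""
    base, run = tunnel_interfaces(baseline), tunnel_interfaces(running)
    flagged = {}
    for name, info in run.items():
        if name not in base:
            flagged[name] = ("new", info)
        elif base[name] != info:
            flagged[name] = ("changed", info)
    return flagged


def added_global_lines(running, baseline):
    """Top-level lines (users, services, interface headers) added since the baseline."""
    def top_level(cfg):
        return {l.rstrip() for l in cfg.splitlines()
                if l.strip() and l.strip() != "!" and not l.startswith(" ")}
    return sorted(top_level(running) - top_level(baseline))


if __name__ == "__main__":
    for name, (status, info) in unauthorized_tunnels(RUNNING_CONFIG, BASELINE_CONFIG).items():
        print(f"{status} tunnel {name}: {info}")
    for line in added_global_lines(RUNNING_CONFIG, BASELINE_CONFIG):
        print(f"added global line: {line}")
```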
How CYGNVS Helps:
- Acts as a central, always-accessible repository for incident response plans and device hardening guides.
- Facilitates tabletop exercises to drill and document team responses to edge device compromise scenarios.
McLaren Health Care Says Data Breach Impacts 743,000 Patients
Impact: A ransomware attack by the INC group led to the exposure of sensitive patient data for 743,000 individuals, causing IT and phone outages across McLaren Health Care’s network. The breach disrupted hospital operations, required manual workarounds, and delayed patient care. The incident follows a previous breach, compounding reputational damage and increasing regulatory scrutiny under HIPAA and state laws.
Response: McLaren initiated forensic investigations, notified affected individuals, and began regulatory reporting. The organization restored operations but did not disclose ransom payment details. They advised patients to bring appointment and medication information manually during outages and are providing ongoing updates as required by law.
Team Nudges:
- How quickly can we restore critical systems from backups in the event of ransomware?
- Are our breach notification and regulatory reporting processes up to date and tested?
- Do we have clear communication protocols for staff and patients during IT outages?
- How are we tracking lessons learned from previous incidents to improve resilience?
Readiness Actions:
- Implement robust, tested backup and disaster recovery processes for critical healthcare systems.
- Enforce least privilege and network segmentation to limit ransomware spread.
- Regularly train staff on phishing and ransomware awareness.
- Maintain up-to-date incident response and breach notification plans, including regulatory requirements.
- Conduct periodic tabletop exercises simulating ransomware attacks.
How CYGNVS Helps:
- Provides a secure, out-of-band collaboration platform for crisis management during outages.
- Acts as a central, always-accessible repository for incident response and breach notification plans.
- Facilitates tabletop exercises to drill ransomware response and recovery procedures.
Steel Giant Nucor Confirms Hackers Stole Data in Recent Breach
Impact: Nucor, North America’s largest steel producer, experienced a cyberattack resulting in temporary production halts and the exfiltration of sensitive company data. The breach caused operational disruption at multiple facilities, potential exposure of proprietary or employee information, and triggered regulatory notification obligations. The incident may have financial and reputational consequences, especially if stolen data is leaked or used for extortion.
Response: Nucor proactively shut down affected systems, halted production at some sites, and engaged external cybersecurity experts and law enforcement. The company has restored operations and is assessing the scope of data theft, preparing notifications to impacted parties and regulators as required.
Team Nudges:
- How quickly can we detect and contain a breach before data exfiltration occurs?
- Are our production continuity and shutdown procedures integrated with our incident response plan?
- Do we have clear protocols for regulatory and stakeholder notification after a breach?
- How are we monitoring for signs of data misuse or extortion post-incident?
Readiness Actions:
- Implement network segmentation and access controls to limit lateral movement and data exfiltration.
- Regularly back up critical systems and test restoration procedures.
- Monitor for anomalous activity and unauthorized data transfers.
- Maintain and test incident response plans, including production shutdown scenarios.
- Engage in regular tabletop exercises simulating data breach and operational disruption.
How CYGNVS Helps:
- Acts as a central, always-accessible repository for incident response and production continuity plans.
- Digitizes static playbooks into interactive, guided workflows for consistent breach response.
- Facilitates tabletop exercises to drill and document team responses to operational cyber incidents.
Healthcare SaaS Firm Says Data Breach Impacts 5.4 Million Patients
Impact: Episource, a healthcare SaaS provider, suffered a data breach affecting over 5.4 million patients. Sensitive health, insurance, and personal data was exfiltrated, exposing clients and patients to identity theft and fraud risks. The breach impacts multiple healthcare providers, triggers regulatory reporting, and may result in reputational and financial damage for both Episource and its clients.
Response: Episource detected the breach, launched an investigation, and began notifying affected individuals and authorities. The company is providing guidance to impacted patients and working to secure its systems. Notifications are being sent on behalf of clients, centralizing communication and compliance efforts.
Team Nudges:
- How are we monitoring and managing third-party SaaS providers with access to sensitive data?
- Do we have clear escalation and communication protocols for vendor-driven breaches?
- Are our breach notification processes aligned with regulatory requirements for multi-client incidents?
- How do we ensure lessons learned from SaaS breaches are incorporated into our risk management strategy?
Readiness Actions:
- Enforce strong access controls and regular audits of third-party SaaS providers handling sensitive data.
- Implement continuous monitoring for unusual access and data exfiltration.
- Maintain up-to-date breach notification and regulatory compliance plans.
- Conduct regular tabletop exercises simulating third-party data breaches.
- Review and update contracts with vendors to ensure clear incident response obligations.
How CYGNVS Helps:
- Acts as a central, always-accessible repository for third-party risk management and breach notification plans.
- Facilitates tabletop exercises to drill coordinated response to SaaS provider breaches.
Scattered Spider Behind Cyberattacks on M&S and Co-op, Causing Up to $592M in Damages
Impact: Coordinated cyberattacks by Scattered Spider on U.K. retailers Marks & Spencer and Co-op resulted in operational disruption, significant financial losses (estimated up to $592 million), and reputational damage. The attacks leveraged advanced social engineering against IT help desks, leading to unauthorized access and downstream impacts on suppliers and partners. The event is classified as a systemic risk for the retail sector.
Response: The Cyber Monitoring Centre categorized the incidents as a single systemic event and issued sector-wide alerts. Impacted companies initiated incident response, engaged law enforcement, and began recovery and notification processes. Ongoing investigations are focused on attribution and supply chain impacts.
Team Nudges:
- How resilient are our help desk and privileged access processes against targeted social engineering?
- Are we prepared to coordinate incident response with partners and suppliers during systemic events?
- Do we have a tested playbook for large-scale, multi-company cyber incidents?
- How are we monitoring for emerging threats targeting our sector?
Readiness Actions:
- Strengthen help desk and call center authentication protocols to resist social engineering.
- Implement multi-factor authentication and strict access controls for privileged accounts.
- Conduct regular social engineering and phishing awareness training for all staff.
- Maintain and test incident response plans for large-scale, multi-company attacks.
- Engage in tabletop exercises simulating coordinated sector-wide incidents.
How CYGNVS Helps:
- Provides a secure, out-of-band collaboration platform for crisis management across distributed teams.
- Digitizes static playbooks into interactive, guided workflows for social engineering and supply chain attacks.
- Facilitates tabletop exercises to drill coordinated response to systemic sector incidents.
Aflac Discloses Breach Amidst Scattered Spider Insurance Attacks
Impact: Aflac, a major U.S. insurance provider, suffered a data breach as part of a broader campaign targeting the insurance sector. Sensitive customer, beneficiary, and employee data—including health and Social Security information—was potentially exposed. While business operations continued, the breach increases regulatory, legal, and reputational risks, and highlights sector-wide vulnerability to sophisticated social engineering and data theft attacks.
Response: Aflac activated its incident response protocols, contained the intrusion within hours, and engaged external cybersecurity experts. The company is investigating the scope of data exposure and notifying affected parties and regulators as required. Sector-wide alerts have been issued, urging heightened vigilance against social engineering.
Team Nudges:
- How quickly can we detect and contain unauthorized access to sensitive data?
- Are our help desk and privileged access processes resilient to sophisticated social engineering?
- Do we have a tested, sector-specific playbook for coordinated attacks?
- How are we sharing threat intelligence and lessons learned with industry peers?
Readiness Actions:
- Implement advanced monitoring for unauthorized access and data exfiltration, especially in high-value sectors.
- Strengthen authentication and verification processes for help desks and privileged users.
- Maintain and regularly test incident response and breach notification plans for data theft scenarios.
- Conduct sector-specific tabletop exercises simulating coordinated attacks on insurance firms.
- Review and update employee training on social engineering and credential compromise.
How CYGNVS Helps:
- Acts as a central, always-accessible repository for incident response and breach notification plans.
- Facilitates tabletop exercises to drill and document responses to sector-wide social engineering attacks.
- Integrates with threat intelligence sources to inform readiness and response activities.
Hive0154 aka Mustang Panda Shifts Focus on Tibetan Community to Deploy Pubload Backdoor
Impact: China-aligned threat actor Hive0154 (Mustang Panda) conducted targeted phishing campaigns against the Tibetan community and related organizations, deploying the Pubload backdoor for espionage. The campaigns used highly tailored lures, risking compromise of sensitive data, persistent access, and further targeting of government, policy, and advocacy groups. The incident underscores the risk of advanced, targeted phishing and malware delivery against high-profile or politically sensitive entities.
Response: IBM X-Force researchers identified and documented the campaigns, sharing indicators of compromise and technical details with the security community. Recommendations were issued for detection, user awareness, and monitoring for specific malware behaviors. Ongoing threat intelligence sharing aims to improve sector-wide defenses.
Team Nudges:
- How are we protecting high-risk users and executives from targeted phishing and malware?
- Do we have effective detection and response capabilities for advanced persistence techniques?
- Are our staff trained to recognize and report highly tailored phishing lures?
- How are we leveraging threat intelligence to stay ahead of evolving APT tactics?
Readiness Actions:
- Implement advanced email filtering and attachment scanning for spear phishing detection.
- Train staff and high-risk users to recognize targeted phishing and suspicious file extensions.
- Monitor for persistence techniques, DLL sideloading, and unusual process activity.
- Hunt for known indicators of compromise and anomalous network traffic.
- Conduct regular tabletop exercises simulating targeted phishing and malware deployment.
How CYGNVS Helps:
- Acts as a central, always-accessible repository for spear phishing and malware response playbooks.
- Facilitates tabletop exercises to drill response to advanced, targeted phishing campaigns.
What’s in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia
Impact: A Russia-linked threat actor (UNC6293, likely APT29) targeted prominent academics and critics of Russia with sophisticated phishing campaigns, impersonating the U.S. Department of State to trick victims into creating and sharing Google Application Specific Passwords (ASPs). This enabled persistent access to victims’ email accounts, risking exposure of sensitive communications, reputational harm, and further targeting of high-profile individuals and organizations.
Response: Google Threat Intelligence Group detected and disrupted the campaigns, re-securing compromised accounts and sharing indicators and mitigation guidance with the community. Enhanced security resources and user notifications were provided to affected individuals, and Google promoted its Advanced Protection Program for high-risk users.
Team Nudges:
- How are we protecting high-profile users from advanced phishing and social engineering?
- Do we have controls to detect and respond to unauthorized ASP or credential creation?
- Are our user awareness programs tailored to evolving phishing tactics?
- How quickly can we respond to and contain targeted account compromise incidents?
Readiness Actions:
- Educate high-risk users on the dangers of sharing authentication codes or ASPs.
- Implement advanced phishing detection and user awareness training.
- Encourage use of security programs (e.g., Advanced Protection) that block risky authentication methods.
- Monitor for suspicious account activity and unauthorized ASP creation.
- Maintain and test incident response plans for targeted account compromise.
How CYGNVS Helps:
- Acts as a central, always-accessible repository for targeted phishing and account compromise response plans.
- Digitizes static playbooks into interactive, guided workflows for credential phishing scenarios.
An Investigation of AWS Credential Exposure via Overprivileged Containers
Impact: Misconfigured or overprivileged containers in Kubernetes environments can expose AWS credentials, enabling privilege escalation and unauthorized access to cloud resources. Attackers can exploit packet sniffing or API spoofing to intercept credentials, risking data theft, service disruption, and regulatory non-compliance. The research highlights the shared responsibility model and the need for strict privilege management in cloud-native environments.
Response: Trend Research disclosed the risks and provided technical guidance for detecting and mitigating excessive container privileges. AWS clarified that the risk falls within the customer’s responsibility under the shared responsibility model. Security vendors offer tools to enforce least privilege and monitor for misconfigurations.
Team Nudges:
- How are we auditing and enforcing least privilege for containers and cloud workloads?
- Do we have automated detection for excessive privileges or misconfigurations in our Kubernetes environments?
- Are our incident response plans updated for cloud-native credential compromise scenarios?
- How are we monitoring for lateral movement and privilege escalation in the cloud?
Readiness Actions:
- Enforce the principle of least privilege for all containers and pods in Kubernetes environments.
- Regularly audit container configurations and permissions for excessive privileges.
- Monitor for unusual network activity and credential access within cloud environments.
- Implement automated policy enforcement for container security baselines.
- Conduct tabletop exercises simulating cloud credential compromise scenarios.
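As an added example of the container-privilege audit described above (written for this bulletin; not code from Trend Research, AWS or any vendor), the Python below reads a pod list in the shape `kubectl get pods -A -o json` produces and reports the settings that let a container sniff or spoof traffic on its node: host network or PID namespaces, privileged mode, NET_RAW/NET_ADMIN style capabilities, root execution and privilege escalation. The pod names and namespaces are constructed samples, and the rule that a container keeps NET_RAW unless it is explicitly dropped assumes a runtime whose default capability set includes it.

```python
"""Audit Kubernetes pod specs for the privileges that make credential
interception (sniffing or spoofing on the node) possible. Constructed example."""
import json

# Capabilities that grant raw sockets (sniffing) or interface control (spoofing).
SNIFF_SPOOF_CAPS = {"NET_RAW", "NET_ADMIN", "SYS_ADMIN", "ALL"}

# Constructed sample: one debugging pod with broad network privileges and one
# hardened application pod. Names and namespaces are invented.
SAMPLE_POD_LIST = json.dumps({
    "kind": "PodList",
    "items": [
        {"metadata": {"namespace": "default", "name": "netdebug"},
         "spec": {"hostNetwork": True,
                  "containers": [{"name": "tcpdump",
                                  "securityContext": {
                                      "capabilities": {"add": ["NET_RAW", "NET_ADMIN"]}}}]}},
        {"metadata": {"namespace": "payments", "name": "api"},
         "spec": {"containers": [{"name": "app",
                                  "securityContext": {
                                      "runAsNonRoot": True,
                                      "allowPrivilegeEscalation": False,
                                      "capabilities": {"drop": ["ALL"]}}}]}},
    ],
})


def _caps(sc, key):
    """Return the upper-cased capability set under securityContext.capabilities.<key>."""
    return {c.upper() for c in ((sc or {}).get("capabilities") or {}).get(key, [])}


def audit_pod(pod):
    """Return (namespace/pod, container, finding) tuples for one pod object."""
    meta, spec = pod.get("metadata", {}), pod.get("spec", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings = []
    # Pod-level: host namespaces expose the node's own traffic and processes.
    if spec.get("hostNetwork"):
        findings.append((name, "*", "hostNetwork: shares the node network namespace"))
    if spec.get("hostPID"):
        findings.append((name, "*", "hostPID: can inspect node processes"))
    pod_sc = spec.get("securityContext") or {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc, cname = c.get("securityContext") or {}, c.get("name", "?")
        if sc.get("privileged"):
            findings.append((name, cname, "privileged: full host access"))
        added = _caps(sc, "add") & SNIFF_SPOOF_CAPS
        if added:
            findings.append((name, cname, f"adds capabilities {sorted(added)}"))
        dropped = _caps(sc, "drop")
        # Assumption: the runtime's default capability set includes NET_RAW, so
        # raw sockets stay available unless NET_RAW or ALL is dropped.
        if (not ({"NET_RAW", "ALL"} & dropped) and "NET_RAW" not in added
                and not sc.get("privileged")):
            findings.append((name, cname, "NET_RAW not dropped: raw sockets available"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        run_as_nonroot = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_user == 0 or (run_as_user is None and not run_as_nonroot):
            findings.append((name, cname, "may run as root"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((name, cname, "allowPrivilegeEscalation not set to false"))
    return findings


def audit_pod_list(pod_list_json):
    """Audit a PodList (or single Pod) JSON document and return all findings."""
    doc = json.loads(pod_list_json)
    items = doc.get("items", []) if doc.get("kind") == "PodList" else [doc]
    findings = []
    for pod in items:
        findings.extend(audit_pod(pod))
    return findings


if __name__ == "__main__":
    for pod, container, finding in audit_pod_list(SAMPLE_POD_LIST):
        print(f"{pod} [{container}]: {finding}")
```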
How CYGNVS Helps:
- Acts as a central, always-accessible repository for cloud security and incident response policies.
- Helps document and manage policies for software and container privilege usage.
- Facilitates tabletop exercises to drill response to cloud credential exposure incidents.
Webinar: Stolen Credentials are the New Front Door to Your Network
Impact: Credential-based attacks have become a primary vector for network breaches, with attackers leveraging infostealer malware, password spraying, and phishing kits to obtain and abuse login credentials. This trend increases the risk of unauthorized access, data theft, and lateral movement, often bypassing traditional vulnerability-based defenses. Organizations face operational, financial, and reputational risks if credential abuse is not proactively addressed.
Response: Security experts are raising awareness through webinars and educational campaigns, sharing best practices for defending against credential-based attacks. Organizations are encouraged to strengthen authentication controls, monitor for compromised accounts, and implement robust detection and response strategies.
Team Nudges:
- How are we detecting and responding to credential-based attacks in real time?
- Are our password and MFA policies aligned with current threat trends?
- Do we have effective user education programs on credential theft and phishing?
- How quickly can we identify and contain lateral movement from compromised accounts?
Readiness Actions:
- Implement strong password policies and multi-factor authentication across all accounts.
- Monitor for signs of credential compromise and unauthorized logins.
- Educate users on phishing, infostealer malware, and credential theft tactics.
- Regularly review and update identity and access management policies.
- Conduct tabletop exercises simulating credential-based breaches.
How CYGNVS Helps:
- Acts as a central, always-accessible repository for identity security and credential compromise response plans.
- Digitizes static playbooks into interactive, guided workflows for credential abuse scenarios.
- Facilitates tabletop exercises to drill response to credential-based attacks.
Scania Confirms Insurance Claim Data Breach in Extortion Attempt
Impact: Sensitive insurance claim documents containing personal, financial, and potentially medical data were stolen from Scania's Financial Services systems. The breach, enabled by compromised credentials from an external IT partner, led to direct extortion attempts and public data leaks. While Scania claims limited operational impact, the incident poses significant reputational and regulatory risks, especially regarding privacy compliance and customer trust.
Response: Scania took the compromised application offline, launched an internal investigation, and notified privacy authorities. The company is assessing the breach's scope and working to contain further exposure. Employees were alerted to the extortion attempts, and external communications were managed to address the incident.
Team Nudges:
- How are we validating the security posture of our third-party partners and their access to sensitive systems?
- Do we have a clear, tested protocol for responding to extortion attempts and direct communications from threat actors?
- Are our incident response plans easily accessible and actionable for all relevant teams, including external partners?
- How do we ensure rapid notification and compliance with privacy authorities in the event of a data breach?
Readiness Actions:
- Enforce strong credential hygiene and regular password audits, especially for third-party partners.
- Implement multi-factor authentication (MFA) for all external and privileged access.
- Continuously monitor for infostealer malware and credential leaks across the supply chain.
- Establish clear incident response protocols for extortion and data breach scenarios.
- Regularly review and restrict third-party access to sensitive systems.
How CYGNVS Helps:
- Acts as a central, always-accessible repository for incident response plans, ensuring all stakeholders have up-to-date guidance during a breach.
- Provides a secure, out-of-band collaboration platform for crisis management, reducing risk of further compromise during extortion attempts.
- Digitizes static playbooks into interactive, guided workflows for consistent execution in high-pressure situations.
New Veeam RCE Flaw Lets Domain Users Hack Backup Servers
Impact: A critical RCE vulnerability (CVE-2025-23121) in Veeam Backup & Replication allows any authenticated domain user to remotely execute code on backup servers. This exposes organizations to ransomware, data theft, and destruction of backups, undermining business continuity and increasing the risk of extortion and regulatory penalties. The flaw is particularly dangerous due to widespread domain-joined deployments and the history of ransomware groups targeting Veeam servers.
Response: Veeam released a security update (version 12.3.2.3617) to patch the vulnerability and issued advisories urging immediate upgrades. The company reiterated best practices, including isolating backup servers from the main domain and enforcing strong authentication. Security researchers and vendors have highlighted the urgency of patching and hardening backup infrastructure.
Team Nudges:
- Are our backup servers isolated from the main domain, and do we follow vendor-recommended hardening practices?
- How quickly can we patch critical vulnerabilities in backup infrastructure across all environments?
- Do we regularly test our ability to restore from backups in a ransomware or destructive attack scenario?
- Are we monitoring for unusual access patterns or privilege escalations on backup systems?
Readiness Actions:
- Patch backup and replication software immediately upon release of security updates.
- Isolate backup servers from production domains and use dedicated authentication mechanisms.
- Enforce multi-factor authentication and least privilege for backup server access.
- Regularly test backup restoration processes and monitor for unauthorized access attempts.
- Review and follow vendor security best practices for backup infrastructure.
How CYGNVS Helps:
- Acts as a central, always-accessible repository for incident response and backup recovery plans, ensuring teams can execute under pressure.
- Facilitates tabletop exercises to drill and document team responses to backup compromise or ransomware scenarios.
Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited to Deliver Flodrix Botnet
Impact: A critical unauthenticated RCE vulnerability in Langflow (CVE-2025-3248) is being actively exploited to deploy the Flodrix botnet, enabling full system compromise, DDoS attacks, and potential data loss or exposure. Organizations using unpatched Langflow versions face operational disruption, reputational damage, and possible regulatory consequences due to botnet-driven attacks and data breaches.
Response: Langflow released version 1.3.0 to patch the vulnerability, adding authentication to the affected endpoint. Security vendors issued detection rules and threat intelligence updates. Organizations are urged to patch immediately, restrict public access, and monitor for indicators of compromise. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog, increasing urgency for remediation.
Team Nudges:
- Are all our Langflow and similar automation tools patched and protected from public exposure?
- How do we monitor for and respond to botnet infections or DDoS attacks originating from compromised internal systems?
- Do we have a tested playbook for rapid containment and recovery from mass exploitation events?
- Are we leveraging threat intelligence to proactively identify and mitigate emerging vulnerabilities in our tech stack?
Readiness Actions:
- Patch all Langflow instances to version 1.3.0 or later and verify removal of public exposure.
- Restrict access to development and automation tools to trusted networks and authenticated users only.
- Monitor for indicators of compromise and unusual outbound connections from automation servers.
- Conduct regular vulnerability assessments and threat hunting for exposed endpoints.
- Establish clear incident response playbooks for botnet and DDoS scenarios.
How CYGNVS Helps:
- Comes with pre-built, expert-vetted response plans for threats like botnet infections and DDoS attacks.
- Digitizes static playbooks into interactive, guided workflows for rapid, consistent response to emerging threats.
- Facilitates tabletop exercises to drill and document team responses to exploitation of critical vulnerabilities.
Hackers Switch to Targeting U.S. Insurance Companies
Impact: Multiple U.S. insurance companies have suffered breaches and business disruptions due to targeted attacks by the Scattered Spider group, known for sophisticated social engineering, credential compromise, and ransomware deployment. These incidents have resulted in prolonged outages, customer service interruptions, and potential data exposure, with significant reputational and regulatory implications for the affected firms.
Response: Impacted companies disconnected affected systems, activated incident response protocols, and notified customers and regulators. Industry and government advisories have been issued, urging heightened vigilance, employee education, and improved authentication controls. Security teams are reviewing helpdesk procedures and monitoring for unauthorized access.
Team Nudges:
- How robust are our helpdesk authentication and password reset procedures against sophisticated social engineering?
- Are all privileged accounts protected by strong MFA and monitored for unusual activity?
- Do we regularly train staff to recognize and report impersonation attempts across all communication channels?
- How quickly can we detect and contain a sector-wide attack targeting our industry peers?
Readiness Actions:
- Educate employees and helpdesk staff on advanced social engineering and impersonation tactics.
- Implement strong authentication and rigorous controls for password resets and MFA registration.
- Monitor for unauthorized logins and unusual access patterns, especially to privileged accounts.
- Review and harden helpdesk and identity management processes to prevent abuse.
- Conduct regular tabletop exercises simulating targeted social engineering attacks.
How CYGNVS Helps:
- Facilitates tabletop exercises to drill and document team responses to social engineering and ransomware scenarios.
- Acts as a central, always-accessible repository for incident response and identity management playbooks.
- Provides a secure, out-of-band collaboration platform for managing crises involving sensitive customer data.
Washington Post's Email System Hacked, Journalists' Accounts Compromised
Impact: Email accounts of journalists covering sensitive topics were compromised in a targeted attack, likely by a nation-state actor. The breach risks exposure of confidential sources, sensitive communications, and internal information, threatening operational integrity, journalistic independence, and the organization's reputation. Regulatory scrutiny and trust erosion are significant concerns.
Response: The Washington Post initiated an internal investigation, notified affected employees, and began forensic analysis. The organization is working to determine the scope and impact, while managing internal and external communications. No public technical details or remediation steps have been disclosed yet.
Team Nudges:
- Are our journalists and high-risk users protected by advanced email security and strong authentication?
- How do we detect and respond to targeted attacks on sensitive accounts or communications?
- Do we have a tested playbook for managing breaches involving confidential sources or sensitive data?
- How do we balance transparency and operational security during a high-profile incident?
Readiness Actions:
- Implement advanced email security controls and continuous monitoring for targeted attacks.
- Enforce strong authentication and regular credential reviews for high-risk user groups.
- Conduct regular security awareness training focused on phishing and APT tactics.
- Establish clear incident response protocols for targeted attacks on sensitive accounts.
- Review and harden access controls for email and collaboration platforms.
How CYGNVS Helps:
- Acts as a central, always-accessible repository for incident response plans tailored to targeted attacks.
- Provides a secure, out-of-band collaboration platform for managing sensitive investigations and communications.
- Facilitates tabletop exercises to drill responses to nation-state and APT scenarios.
Over 46,000 Grafana Instances Exposed to Account Takeover Bug
Impact: A critical client-side open redirect vulnerability (CVE-2025-4123) in Grafana exposes over 46,000 internet-facing instances to account takeover, session hijacking, and potential server-side request forgery (SSRF). Attackers can exploit the flaw to hijack user sessions, change credentials, and access internal resources, risking data breaches, operational disruption, and regulatory penalties for affected organizations.
Response: Grafana Labs released security updates addressing the vulnerability and urged immediate patching. Security researchers published technical details and exposure statistics to raise awareness. Organizations are advised to upgrade, restrict public access, and monitor for exploitation attempts.
Team Nudges:
- Are all our Grafana and similar monitoring tools patched and protected from public exposure?
- How do we monitor for and respond to account takeover or SSRF attempts on critical applications?
- Do we have a tested playbook for rapid containment and credential reset in the event of a compromise?
- Are we regularly assessing the security posture of our internet-facing applications?
Readiness Actions:
- Patch all Grafana instances to a fixed version and verify that none remain reachable from the public internet.
- Restrict access to monitoring and visualization tools to trusted networks and authenticated users.
- Monitor for suspicious session activity and unauthorized credential changes.
- Conduct regular vulnerability assessments of internet-facing applications.
- Establish incident response playbooks for account takeover and SSRF scenarios.
How CYGNVS Helps:
- Acts as a central, always-accessible repository for incident response and application security playbooks.
- Digitizes static playbooks into interactive, guided workflows for rapid response to account takeover incidents.
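The Grafana flaw above belongs to the open-redirect class: a redirect parameter is trusted as given, so a crafted link walks the victim's session off-site. The following is an added example, not Grafana's code and not the fix Grafana Labs shipped; it shows the vulnerable pattern beside a hardened validator. The parameter semantics, the `own_host` value and the test URLs are assumptions. The same checks belong in client-side code before anything is assigned to `window.location`.

```python
"""Added example (not Grafana's code): validating a user-supplied redirect target.

The parameter name, own_host value and URLs below are assumptions for illustration.
"""
from urllib.parse import urlsplit, urlunsplit


def unsafe_redirect_target(raw, default="/"):
    """The bug: whatever the parameter says is where the user goes.
    '//evil.example' (protocol-relative) or 'https://evil.example' leaves the
    site, which is the hook for session-hijack and credential-change lures."""
    return raw or default


def safe_redirect_target(raw, own_host, default="/"):
    """Return a same-origin path, or `default` if `raw` cannot be proven safe."""
    if not raw:
        return default
    raw = raw.strip()
    # Browsers treat '\' like '/' and silently drop embedded tab/newline
    # characters, so any of them in a redirect target is rejected outright.
    if "\\" in raw or any(ord(ch) < 0x20 for ch in raw):
        return default
    # '//host' and '///host' are protocol-relative in browsers, not paths.
    if raw.startswith("//"):
        return default
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc:
        # Absolute URL: accept only our own https origin and keep just the path,
        # so 'https://own@evil.example/' and 'javascript:' both fall through.
        if parts.scheme != "https" or parts.netloc.lower() != own_host.lower():
            return default
        path = parts.path or "/"
    else:
        path = parts.path
    if not path.startswith("/"):
        return default
    # Re-emit as a relative URL: path plus query only, never scheme or host.
    return urlunsplit(("", "", path, parts.query, ""))


if __name__ == "__main__":
    for candidate in ("/dashboards?orgId=1", "//evil.example/login",
                      "https://evil.example/", "/\\evil.example",
                      "javascript:alert(1)", "https://grafana.example/d/abc"):
        print(f"{candidate!r:40} -> {safe_redirect_target(candidate, 'grafana.example')!r}")
```

Rejecting rather than "fixing" a bad target is deliberate: a redirect parameter is the attacker's input, and the only safe outputs are a path on your own origin or the default landing page.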
Victoria’s Secret Restores Critical Systems After Cyberattack
Impact: A cyberattack forced Victoria’s Secret to shut down corporate systems, in-store services, and its e-commerce website, resulting in business disruptions and delayed financial reporting. While all critical systems have been restored and the company expects no material impact on annual results, the incident highlights operational risks, potential financial losses, and reputational damage, especially in the context of ongoing attacks on the retail sector.
Response: Victoria’s Secret enacted response protocols, took affected systems offline, and engaged third-party experts to investigate and restore operations. The company communicated with stakeholders, delayed earnings releases, and continues to assess the incident’s full impact. No ransomware group has claimed responsibility, and the company is working to strengthen defenses.
Team Nudges:
- How quickly can we restore critical systems and business operations after a major cyberattack?
- Are our business continuity and disaster recovery plans up-to-date and regularly tested?
- Do we have clear communication protocols for stakeholders during prolonged outages?
- How do we coordinate with third-party experts and internal teams during crisis recovery?
Readiness Actions:
- Develop and regularly test business continuity and disaster recovery plans for critical systems.
- Implement network segmentation and least privilege access to limit attack spread.
- Conduct regular tabletop exercises simulating large-scale outages and ransomware attacks.
- Engage third-party experts for incident response readiness assessments.
- Ensure transparent communication protocols for stakeholders during major incidents.
How CYGNVS Helps:
- Facilitates tabletop exercises to drill and document team responses to large-scale outages and ransomware scenarios.
- Acts as a central, always-accessible repository for business continuity and incident response plans.
- Provides a secure, out-of-band collaboration platform for managing crisis communications and recovery efforts.
Password-Spraying Attacks Target 80,000 Microsoft Entra ID Accounts
Impact: A large-scale password-spraying campaign targeted over 80,000 Microsoft Entra ID accounts across hundreds of organizations, resulting in multiple account takeovers. The attacks leveraged the TeamFiltration framework and exploited weak authentication, exposing organizations to data breaches, lateral movement, and potential regulatory consequences.
Response: Security researchers identified the campaign, attributed it to the UNK_SneakyStrike threat actor, and published indicators of compromise. Organizations are advised to block the malicious IPs, enforce MFA, require OAuth 2.0 (modern authentication) and block the legacy authentication protocols that bypass MFA, and implement conditional access policies. Detection rules for the attacker's user agent and behavior have been recommended.
Team Nudges:
- Are all user accounts, especially privileged ones, protected by strong MFA and conditional access policies?
- How do we detect and respond to password-spraying and large-scale brute-force attacks?
- Are our detection rules and threat intelligence feeds up-to-date for emerging attack tools?
- Do we regularly educate users on password hygiene and the risks of credential reuse?
Readiness Actions:
- Enforce multi-factor authentication for all users, especially those with privileged access.
- Monitor for unusual login attempts and password-spraying patterns.
- Implement conditional access policies and enforce OAuth 2.0 for cloud accounts.
- Regularly review and update detection rules for known attack frameworks and user agents.
- Educate users on the risks of weak passwords and credential reuse.
How CYGNVS Helps:
- Integrates with threat intelligence sources to inform readiness and update detection rules for emerging attack frameworks.
- Acts as a central, always-accessible repository for identity and access management playbooks.
- Digitizes static playbooks into interactive, guided workflows for rapid response to account takeover incidents.
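The readiness actions above call for monitoring password-spraying patterns and for detection rules keyed on the attacker's user agent. The following added example, which is not Proofpoint's or Microsoft's detection content, shows the shape of such a rule run over constructed Entra ID-style sign-in records: many distinct accounts failing from one source IP inside a short window, with few guesses per account, is a spray; a later success from that IP against one of the sprayed accounts is the takeover. Field names, thresholds and the "SprayTool" user-agent substring are placeholders, not a real TeamFiltration signature.

```python
"""Added example: flagging password-spray behaviour in Entra ID-style sign-in
records. Records, field names, thresholds and the 'SprayTool' user-agent
substring are constructed placeholders, not real indicators.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)     # assumption: tune to your tenant's baseline
MIN_USERS = 5                      # distinct accounts failing from one IP in WINDOW
MAX_PER_USER = 2                   # spray = few guesses per account, many accounts
SUSPICIOUS_UA = ("spraytool",)     # placeholder substrings, NOT a real indicator

SPRAY_IP, BRUTE_IP, HOME_IP = "203.0.113.10", "192.0.2.5", "198.51.100.7"   # RFC 5737 ranges
SPRAY_UA, BROWSER_UA = "SprayTool/1.0 (placeholder)", "Mozilla/5.0 (Windows NT 10.0)"
USERS = [f"user{i}@corp.example" for i in range(8)]
_BASE = datetime(2025, 6, 17, 9, 0, 0)


def _at(seconds):
    return (_BASE + timedelta(seconds=seconds)).isoformat()


def _rec(ts, user, ip, result, ua):
    return {"ts": ts, "user": user, "ip": ip, "result": result, "user_agent": ua}


# Constructed sign-in log (not real telemetry).
SIGNINS = (
    # spray: one guess per account, 30 s apart, then one guess succeeds
    [_rec(_at(30 * i), u, SPRAY_IP, "failure", SPRAY_UA) for i, u in enumerate(USERS)]
    + [_rec(_at(300), USERS[3], SPRAY_IP, "success", SPRAY_UA)]
    # single-account brute force: many guesses, one account (a different rule's job)
    + [_rec(_at(10 * i), USERS[0], BRUTE_IP, "failure", BROWSER_UA) for i in range(6)]
    # ordinary user: two typos, then success
    + [_rec(_at(5), USERS[1], HOME_IP, "failure", BROWSER_UA),
       _rec(_at(20), USERS[1], HOME_IP, "failure", BROWSER_UA),
       _rec(_at(40), USERS[1], HOME_IP, "success", BROWSER_UA)]
)


def _when(rec):
    return datetime.fromisoformat(rec["ts"])


def detect_password_spray(records, window=WINDOW, min_users=MIN_USERS, max_per_user=MAX_PER_USER):
    """Return {source_ip: finding} for IPs whose failures inside any `window`
    touch >= min_users distinct accounts with <= max_per_user failures each.
    A later success from that IP against a sprayed account is reported as a
    possible takeover."""
    by_ip = defaultdict(list)
    for rec in sorted(records, key=_when):
        by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        fails = [r for r in recs if r["result"] == "failure"]
        for i, first in enumerate(fails):
            start = _when(first)
            win = [r for r in fails[i:] if _when(r) - start <= window]
            per_user = defaultdict(int)
            for r in win:
                per_user[r["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[ip] = {
                    "window_start": first["ts"],
                    "distinct_users": len(per_user),
                    "suspicious_ua": any(s in r["user_agent"].lower()
                                         for r in win for s in SUSPICIOUS_UA),
                    "possible_takeover": sorted({r["user"] for r in recs
                                                 if r["result"] == "success" and r["user"] in per_user}),
                }
                break   # one finding per IP is enough to raise the alert
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(SIGNINS).items():
        print(ip, finding)
```

The per-user cap is what separates a spray from a single-account brute force: the brute-force IP in the sample data is not flagged by this rule even though it fails more often, because it hits one account. In production the same logic runs over the tenant's sign-in log export, and the "possible_takeover" list is the set of accounts whose sessions should be revoked first.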
Fog Ransomware Attack Uses Unusual Mix of Legitimate and Open-Source Tools
Impact: Fog ransomware operators used a blend of legitimate employee monitoring software and open-source pentesting tools to evade detection and facilitate lateral movement, credential theft, and data exfiltration. The attack resulted in system compromise, data encryption, and operational disruption, with increased risk of undetected persistence and regulatory exposure due to stealthy tool usage.
Response: Incident responders documented the novel toolset, published indicators of compromise, and advised organizations to update detection rules and monitor for unusual software installations. Security teams are urged to review endpoint monitoring and lateral movement controls, and to educate staff on the risks of legitimate tool abuse.
Team Nudges:
- How do we monitor for and control the use of legitimate admin and monitoring tools across our environment?
- Are our detection and response capabilities tuned to identify open-source and dual-use tool abuse?
- Do we regularly hunt for stealthy persistence mechanisms and unusual data exfiltration methods?
- How do we educate staff on the risks of legitimate tool misuse and insider threats?
Readiness Actions:
- Monitor for installation and execution of unusual or unauthorized software, including legitimate admin tools.
- Update detection rules to cover open-source and dual-use tools commonly abused by attackers.
- Implement strong endpoint protection and network segmentation to limit lateral movement.
- Conduct regular threat hunting for signs of stealthy persistence and data exfiltration.
- Educate staff on the risks of tool misuse and insider threats.
How CYGNVS Helps:
- Helps document and manage policies for software and browser extension usage, reducing risk from unauthorized tools.
- Acts as a central, always-accessible repository for incident response and threat hunting playbooks.
Erie Insurance Confirms Cyberattack Behind Business Disruptions
Impact: A cyberattack caused widespread outages and business disruptions at Erie Insurance, preventing customers from accessing the portal, making claims, or receiving paperwork. The incident has impacted customer service, delayed business processes, and may result in reputational and regulatory consequences, depending on the nature and scope of the breach.
Response: Erie Insurance activated its incident response protocol, took protective actions to safeguard systems, and engaged law enforcement and cybersecurity experts for forensic analysis. The company communicated with customers, provided alternative contact methods, and warned against phishing attempts during the outage. The full scope and impact are still under investigation.
Team Nudges:
- How quickly can we restore customer-facing services after a major cyberattack?
- Are our incident response and business continuity plans up-to-date and regularly tested?
- Do we have clear protocols for communicating with customers and partners during outages?
- How do we coordinate with law enforcement and external experts during crisis recovery?
Readiness Actions:
- Develop and regularly test incident response and business continuity plans for customer-facing systems.
- Implement robust monitoring and detection for unusual network activity and potential breaches.
- Ensure clear communication protocols for customers and partners during outages.
- Engage third-party experts for forensic analysis and recovery support.
- Educate customers on phishing risks during service disruptions.
How CYGNVS Helps:
- Acts as a central, always-accessible repository for incident response and business continuity plans.
- Provides a secure, out-of-band collaboration platform for managing crisis communications and recovery efforts.
- Facilitates tabletop exercises to drill and document team responses to large-scale outages and customer service disruptions.
Hackers Exploited Windows WebDav Zero-Day to Drop Malware
Impact: An APT group exploited a Windows WebDav RCE zero-day (CVE-2025-33053) to target defense and government organizations, enabling remote code execution without dropping files locally. The attack facilitated stealthy malware deployment, credential theft, and persistent access, posing severe operational, reputational, and national security risks for targeted entities.
Response: Microsoft released a patch for the vulnerability, and security researchers published technical details and detection guidance. Organizations are urged to apply updates immediately, monitor WebDav traffic, and review endpoint security controls. Incident response teams are analyzing potential exposure and strengthening defenses against similar stealthy attack vectors.
Team Nudges:
- How quickly can we identify and patch zero-day vulnerabilities across our environment?
- Are we monitoring for and restricting risky protocols like WebDav to prevent stealthy exploitation?
- Do we have advanced EDR capabilities to detect fileless malware and lateral movement?
- Are our users trained to recognize and report suspicious files or phishing attempts?
Readiness Actions:
- Apply security patches promptly, especially for zero-day vulnerabilities in core operating systems.
- Monitor and restrict WebDav and similar protocols for suspicious activity and outbound connections.
- Educate users on phishing risks and the dangers of opening suspicious files or links.
- Implement advanced endpoint detection and response (EDR) to identify stealthy malware and lateral movement.
- Establish incident response playbooks for zero-day exploitation scenarios.
How CYGNVS Helps:
- Acts as a central, always-accessible repository for incident response and patch management playbooks.
- Facilitates tabletop exercises to drill and document team responses to stealthy APT attacks and zero-day exploitation.
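The readiness action "monitor and restrict WebDav" is concrete enough to show. The following is an added example, not Microsoft's or any researcher's detection content: it scans a constructed web-proxy log for WebDAV traffic leaving the enterprise. The log layout and the internal address space and DNS suffix are assumptions; the WebDAV methods (PROPFIND and friends) and the Windows WebClient user agent prefix `Microsoft-WebDAV-MiniRedir` are standard protocol facts. Workstations have very little legitimate reason to speak WebDAV to internet hosts, so a hit here deserves a look regardless of which vulnerability is in play.

```python
"""Added example: spotting outbound WebDAV traffic to internet hosts in a web
proxy log. Log lines, field layout, internal ranges and the corp.example
suffix are constructed assumptions, not content from any report.
"""
import ipaddress
from urllib.parse import urlsplit

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
MINIREDIR_UA = "Microsoft-WebDAV-MiniRedir"          # the Windows WebClient service
INTERNAL_SUFFIXES = (".corp.example",)               # assumption: your DNS namespace
INTERNAL_NETS = [ipaddress.ip_network(n)             # assumption: your RFC 1918 space
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed proxy log: "<timestamp> <client_ip> <method> <url> <status> <user_agent>"
PROXY_LOG = """\
2025-06-17T10:01:02 10.0.0.15 GET https://intranet.corp.example/ 200 Mozilla/5.0 (Windows NT 10.0)
2025-06-17T10:01:05 10.0.0.15 PROPFIND https://files.corp.example/share/ 207 Microsoft-WebDAV-MiniRedir/10.0.19045
2025-06-17T10:02:10 10.0.0.22 OPTIONS http://203.0.113.44/ 200 Microsoft-WebDAV-MiniRedir/10.0.19045
2025-06-17T10:02:11 10.0.0.22 PROPFIND http://203.0.113.44/payload/ 207 Microsoft-WebDAV-MiniRedir/10.0.19045
2025-06-17T10:03:00 10.0.0.30 GET https://www.example.net/ 200 Mozilla/5.0 (Windows NT 10.0)
"""


def is_external(host):
    """True unless the host is in our RFC 1918 ranges or our DNS namespace."""
    try:
        return not any(ipaddress.ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:                       # not an IP literal: treat as a hostname
        return not host.lower().endswith(INTERNAL_SUFFIXES)


def parse_line(line):
    ts, client, method, url, status, ua = line.split(maxsplit=5)
    return {"ts": ts, "client": client, "method": method.upper(),
            "host": urlsplit(url).hostname or "", "status": status, "user_agent": ua}


def find_external_webdav(log_text):
    """Return (client, host, method) for WebDAV activity toward external hosts.
    An OPTIONS probe counts only when the Windows WebClient sent it, since that
    is how the redirector opens a session before its first PROPFIND."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        webdav = entry["method"] in WEBDAV_METHODS or (
            entry["method"] == "OPTIONS" and MINIREDIR_UA in entry["user_agent"])
        if webdav and is_external(entry["host"]):
            hits.append((entry["client"], entry["host"], entry["method"]))
    return hits


if __name__ == "__main__":
    for hit in find_external_webdav(PROXY_LOG):
        print("outbound WebDAV to internet host:", *hit)
```

The internal PROPFIND to `files.corp.example` is deliberately left alone: the goal is not to alert on WebDAV as such but on WebDAV crossing the perimeter. On endpoints that never need it, the WebClient service can simply be disabled, which removes the redirector rather than just watching it.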
Playbook Update Checklist
- Review and update credential management policies, especially for external IT partners and third-party vendors, ensuring strong authentication and regular credential rotation.
- Implement and enforce multi-factor authentication (MFA) for all privileged and sensitive accounts, including backup servers, cloud admin, and external partner access.
- Update incident response procedures to include rapid containment and communication protocols for extortion attempts and data leak threats, including direct employee contact by attackers.
- Harden backup infrastructure by following vendor best practices (e.g., Veeam: use separate AD forests, restrict domain joins, and enforce 2FA for admin accounts), and ensure timely patching of backup and replication software.
- Add detection and response steps for exploitation of critical vulnerabilities in widely used platforms (e.g., Langflow, Grafana, Microsoft Exchange, WebDAV), including immediate patching, access restriction, and monitoring for indicators of compromise.
- Enhance monitoring and alerting for unusual authentication attempts, password spraying, and account enumeration activities, especially targeting cloud identity providers (e.g., Microsoft Entra ID).
- Update playbooks to include procedures for identifying and mitigating social engineering attacks targeting help desks, call centers, and privileged account reset processes.
- Incorporate steps to validate and restrict public exposure of critical applications and dashboards (e.g., Langflow, Grafana), including regular internet-facing asset reviews and access control enforcement.
- Integrate threat intelligence feeds and IOCs from recent attacks (e.g., Flodrix botnet, TeamFiltration, Fog ransomware) into detection and hunting procedures.
- Expand forensic readiness to capture and analyze logs from cloud, email, and backup systems, and ensure rapid evidence preservation in the event of targeted attacks or APT activity.
- Review and test business continuity and disaster recovery plans to ensure resilience against ransomware, DDoS, and large-scale outages, including communication protocols for customers and regulators.
- Update user awareness training to address current attacker tactics, including phishing, MFA fatigue, and impersonation, with a focus on high-risk roles (e.g., journalists, finance, IT support).
- Immediately review and update patch management procedures to ensure critical vulnerabilities (e.g., Cisco IOS XE CVE-2023-20198) are identified and remediated on all edge and network devices within 24-48 hours of disclosure.
- Enhance incident response protocols for detecting and containing credential-based attacks, including monitoring for large-scale credential abuse, infostealer malware, and suspicious authentication attempts across all environments.
- Integrate advanced social engineering detection and response steps, with a focus on help desk and call center impersonation scenarios (e.g., Scattered Spider TTPs), including mandatory verification callbacks and escalation procedures.
- Update playbooks to include rapid containment and investigation steps for SaaS and third-party vendor breaches, especially those impacting sensitive healthcare or insurance data, with clear notification and regulatory compliance workflows.
- Expand threat hunting and monitoring for persistence mechanisms such as registry modifications, scheduled tasks, and DLL sideloading, particularly in directories like C:\ProgramData and for processes masquerading as legitimate software.
- Incorporate specific detection and response actions for cloud and container environments, including monitoring for overprivileged containers, hostNetwork usage, and excessive Linux capabilities (e.g., CAP_NET_RAW, CAP_NET_ADMIN), and enforcing least privilege policies.
- Add procedures for immediate revocation and investigation of compromised credentials, including application-specific passwords (ASPs), and ensure users are notified and educated on risks of sharing such credentials.
- Strengthen data exfiltration detection and response, including monitoring for GRE tunnels, unusual outbound traffic, and unauthorized access to configuration files on network devices.
- Update communication protocols to ensure timely, transparent, and regulatory-compliant notifications to affected parties and authorities following a breach, with templates for healthcare and critical infrastructure sectors.
- Integrate proactive threat intelligence ingestion and sharing into IR workflows, ensuring IOCs (e.g., hashes, IPs, C2 domains) from recent campaigns are rapidly disseminated to detection and prevention systems.
- Enhance phishing response playbooks to include steps for identifying and mitigating sophisticated rapport-building and multi-stage phishing campaigns, especially those targeting high-profile or high-risk users (e.g., academics, executives).
- Review and test business continuity and disaster recovery plans to ensure rapid restoration of critical operations following ransomware or destructive attacks, including scenarios involving production halts and large-scale outages.
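The container item in the checklist above (overprivileged containers, hostNetwork, excessive capabilities such as CAP_NET_RAW and CAP_NET_ADMIN) is one of the few that can be turned directly into a check. These settings matter because a container that shares the node's network namespace and holds raw-socket or network-admin rights can observe or manipulate the node's traffic, which is the route by which overprivileged containers end up exposing cloud credentials. The following added example, not taken from any policy engine or from the referenced investigation, audits a Pod manifest for those patterns and for a few closely related ones. The two manifests are constructed; the `RISKY_CAPS` list is an assumed policy, not an exhaustive one, and only the container-level securityContext is examined (a real check also merges the pod-level one).

```python
"""Added example: auditing a Kubernetes Pod manifest for the over-privilege
patterns named in the checklist. Manifests are constructed; RISKY_CAPS is an
assumed policy list. Container-level securityContext only (simplification).
"""
RISKY_CAPS = {"NET_RAW", "NET_ADMIN", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE"}


def _cap(name):
    """Kubernetes spells capabilities without the CAP_ prefix; accept both."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def audit_pod(manifest):
    """Return a list of {scope, rule, detail} findings for one Pod manifest."""
    spec = manifest.get("spec", {})
    pod = manifest.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns):
            findings.append({"scope": pod, "rule": ns, "detail": f"{ns}: true shares the node namespace"})
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append({"scope": pod, "rule": "hostPath", "detail": vol["hostPath"].get("path", "")})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, sc = c.get("name", "<unnamed>"), c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append({"scope": name, "rule": "privileged",
                             "detail": "all capabilities plus host devices"})
        caps = sc.get("capabilities", {})
        added = {_cap(x) for x in caps.get("add", [])}
        dropped = {_cap(x) for x in caps.get("drop", [])}
        # NET_RAW is in the container runtime's default capability set, so a
        # manifest that never drops it (or ALL) grants it implicitly.
        base = set() if "ALL" in dropped else {"NET_RAW"}
        for cap in sorted(((base | added) - dropped) & RISKY_CAPS):
            findings.append({"scope": name, "rule": "capability", "detail": cap})
        if not sc.get("runAsNonRoot") and not sc.get("runAsUser"):
            findings.append({"scope": name, "rule": "runs-as-root",
                             "detail": "no runAsNonRoot/runAsUser; image default (usually root) applies"})
        if sc.get("allowPrivilegeEscalation", True):
            findings.append({"scope": name, "rule": "allowPrivilegeEscalation",
                             "detail": "setuid binaries can gain privileges; set to false"})
    return findings


# Constructed manifests: the weak one and its hardened counterpart.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "metrics-agent"},
    "spec": {
        "hostNetwork": True, "hostPID": True,
        "containers": [{"name": "agent", "image": "example/agent:1.0",
                        "securityContext": {"capabilities": {"add": ["CAP_NET_ADMIN", "SYS_PTRACE"]}}}],
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    },
}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "metrics-agent"},
    "spec": {
        "containers": [{"name": "agent", "image": "example/agent:1.0",
                        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                                            "allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"]}}}],
        "volumes": [{"name": "scratch", "emptyDir": {}}],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or "no findings")
```

The implicit NET_RAW finding is the one teams most often miss: nothing in the weak manifest asks for it, yet the container has it, because only `drop: ["ALL"]` (or an explicit drop) removes the runtime default. The hardened manifest starts from nothing and adds back only what the workload proves it needs.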
Suggested Exercises
Extortion via Compromised Backup Partner
Scenario: A trusted Managed Service Provider's (MSP) compromised credentials are used to exploit a critical RCE flaw in your Veeam backup server. Simultaneously, your CISO receives a data extortion email with samples of stolen PII, threatening a public leak. The attacker claims to have exfiltrated terabytes of data and deleted all primary backups, crippling your recovery capabilities and initiating a time-sensitive crisis.
Learning objectives:
- Evaluate the effectiveness of the incident response plan when a critical third-party partner is the entry vector.
- Test the team's ability to detect lateral movement and data exfiltration originating from a trusted, but compromised, source.
- Assess the organization's business continuity and disaster recovery (BC/DR) strategy in a scenario where primary backups are unavailable.
- Practice crisis communication protocols for internal stakeholders (Legal, HR, Execs), the compromised MSP, and external regulatory bodies.
- Validate the process for ensuring compliance and timely patching of critical vulnerabilities within third-party managed infrastructure.
Privileged Account Takeover via Help Desk Social Engineering
Scenario: An attacker, aggressively impersonating a senior executive, pressures the IT help desk into an unauthorized MFA reset for a privileged account. Using the compromised credentials, they gain access to Microsoft Entra ID and begin enumerating users and exfiltrating sensitive data from SharePoint, mimicking the TTPs of the TeamFiltration tool. The SOC detects the anomalous login just as the real executive reports being locked out, indicating an active, high-level breach is in progress.
Learning objectives:
- Evaluate the robustness of Identity and Access Management (IAM) policies, specifically for privileged account password and MFA resets.
- Test the help desk's ability to identify and resist sophisticated social engineering tactics, especially those involving pressure and impersonation.
- Assess the Security Operations Center's (SOC) speed in detecting and responding to account takeover and anomalous cloud activity (e.g., in Entra ID/Office 365).
- Practice the containment and eradication strategy for a compromised privileged cloud account, including revoking sessions, analyzing access logs, and determining the blast radius.
- Validate the effectiveness of security awareness training for roles that are common targets for social engineering, such as IT help desk staff.
Multi-Stage Attack via Unsecured Dev Environments
Scenario: The SOC detects a C2 connection from a public-facing, experimental Langflow AI server, which is vulnerable to a known exploited RCE (CVE-2025-3248). The attacker uses fileless techniques for reconnaissance and pivots internally to an unpatched, internet-facing Grafana instance. They then launch a targeted phishing attack against a developer to exploit a client-side flaw (CVE-2025-4123), attempting to hijack their session and access sensitive infrastructure dashboards.
Learning objectives:
- Assess the organization's governance and security controls for the deployment of experimental and open-source software, particularly in emerging tech areas like AI/ML.
- Test the vulnerability management team's ability to identify and prioritize patching for publicly exposed services, especially those listed as actively exploited (KEVs).
- Evaluate the incident response team's capability to detect and trace a multi-stage attack that leverages multiple vulnerabilities across different systems.
- Practice forensic analysis of a stealthy attack that minimizes on-disk artifacts and leverages "living-off-the-land" or in-memory execution techniques.
- Validate the security team's visibility into developer and R&D environments and their ability to enforce secure configuration baselines for new applications.
About This Report
The Cyber Resilience Report is a bi-weekly newsletter providing a strategic snapshot designed to help security leaders protect business continuity and reduce financial risk in an era of relentless cyber threats. Each issue distills recent impactful incidents, vulnerabilities, and attacker trends into executive-level insights. You'll gain a clear understanding of where business risk is rising—from ransomware targeting critical infrastructure to insider threats and delayed vendor patches—and what actions to take now to strengthen resilience. With actionable response checklists, team nudges, and playbook updates, this report equips you to prioritize resources, align stakeholders, and proactively safeguard revenue, reputation, and recovery readiness.
About CYGNVS
Over 2,500 customer organizations rely on CYGNVS as their Out-of-Band AI Command Center for Cyber Readiness and Response, reducing the cost and impact of incidents and outages. Even when systems are unavailable or compromised, IT/Security, Business Teams, and External Providers collaborate inside CYGNVS to prepare and import response plans, practice playbooks in tabletop exercises, successfully execute the response, and report to regulators and customers. Learn more at CYGNVS.com.
References
- McLaren Health Care says data breach impacts 743,000 patients
- Steel giant Nucor confirms hackers stole data in recent breach
- Aflac discloses breach amidst Scattered Spider insurance attacks
- Webinar: Stolen credentials are the new front door to your network
- Healthcare SaaS firm says data breach impacts 5.4 million patients
- Scania confirms insurance claim data breach in extortion attempt
- New Veeam RCE flaw lets domain users hack backup servers
- Hackers switch to targeting U.S. insurance companies
- Washington Post's email system hacked, journalists' accounts compromised
- Over 46,000 Grafana instances exposed to account takeover bug
- Victoria’s Secret restores critical systems after cyberattack
- Password-spraying attacks target 80,000 Microsoft Entra ID accounts
- Fog ransomware attack uses unusual mix of legitimate and open-source tools
- Erie Insurance confirms cyberattack behind business disruptions
- Hackers exploited Windows WebDav zero-day to drop malware
- Canada says Salt Typhoon hacked telecom firm via Cisco flaw
- Hive0154 aka Mustang Panda shifts focus on Tibetan community to deploy Pubload backdoor
- An Investigation of AWS Credential Exposure via Overprivileged Containers
- Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited to Deliver Flodrix Botnet
- China-linked Salt Typhoon Exploits Critical Cisco Vulnerability to Target Canadian Telecom
- Scattered Spider Behind Cyberattacks on M&S and Co-op, Causing Up to $592M in Damages
- What’s in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia