Cybersecurity
Cyberattack news — last week
Brief summary
A busy week for cybersecurity: nation-state and criminal actors continued to exploit remote-access and VPN products (Ivanti, Cisco-related issues), multiple large consumer data breaches expanded, a browser-extension supply‑chain compromise was weaponized, and enforcement actions and criminal sentences highlighted an active market for stolen exploits. Several network outages and alleged DDoS incidents added operational disruptions.
Major developments (one paragraph each)
- CISA published an updated Malware Analysis Report on the RESURGE malware targeting Ivanti Connect Secure appliances, providing deeper technical details to help defenders identify, mitigate, and respond to advanced TTPs. This follows reporting that VPN flaws have been used by Chinese actors to compromise dozens of Ivanti customers; defenders should treat Ivanti remote‑access deployments as high-risk and apply mitigations promptly (CISA report, reporting on exploitation: https://x.com/TechCrunch/status/2025966220319891494).
- Cisco disclosed that threat actors have been exploiting a critical bug to break into large customer networks since 2023, indicating long-running intrusions tied to a severe vendor-side vulnerability and underscoring risks posed by unpatched infrastructure (TechCrunch).
- Two major consumer data incidents expanded or remained significant: Conduent’s breach grew to affect at least ~25 million people, and CarGurus disclosed a breach impacting ~12.5 million accounts — both events reinforce persistent exposure of personal data at scale and the need for breach response and monitoring for affected users (Conduent, CarGurus).
- A Chrome extension (reported as having ~7,000 users and a Google “Featured” badge) was sold, weaponized, and pushed a malicious update — a classic browser‑extension supply‑chain compromise that highlights how small-scale tooling can be repurposed to deliver malware to legitimate users via trusted distribution channels (SwiftOnSecurity retweet).
- U.S. sanctions and criminal sentences signaled intensified pressure on the exploit market and those who traffic in offensive tooling. The U.S. Treasury sanctioned a Russian zero‑day broker accused of buying exploits stolen from a U.S. defense contractor, while separate prosecutions resulted in jailing individuals tied to selling hacking tools (including a former L3Harris Trenchant boss) and a spyware maker was sentenced in Greece for wiretapping politicians and journalists — reflecting coordinated legal and diplomatic action against exploit trade and mercenary surveillance tools (Treasury/zero‑day broker, L3Harris Trenchant boss jailed, spyware sentence in Greece).
- Network/availability incidents: Cloudflare observed a near‑100x surge in BGP routing announcements from Hetzner at 21:00 UTC coinciding with an observed ~50% traffic drop and DNS complaints from customers, suggesting routing/DNS issues or a large-scale configuration/incident at a major hosting provider. Separately, Wikipedia reportedly blacklisted content after an alleged DDoS attack — continuing visibility of availability attacks affecting high‑profile internet services (CloudflareRadar, Wikipedia/DDoS).
- Legal/contractual fallout over security failures: Marquis filed suit against SonicWall, alleging that a failing firewall backup contributed to a ransomware incident — an example of customers seeking remediation and accountability via litigation when security product failures lead to breaches (TechCrunch).
Key themes and topics
- Remote‑access and VPN vulnerabilities remain a primary vector: Ivanti and other VPN/remote access products continue to be targeted and exploited.
- Supply‑chain weaponization at small scale: browser extensions and legitimate app marketplaces are ongoing abuse vectors for distributing malicious updates.
- Exploit brokering and trafficking is a live, cross‑border problem: enforcement and sanctions are rising, but the market still fuels capability transfer to malicious actors.
- Large consumer data breaches persist, with tens of millions of records exposed in separate incidents.
- Availability incidents (BGP/DNS anomalies, DDoS) continue to cause operational disruption at major providers and public platforms.
- Litigation and regulatory action are an increasing part of the response landscape after breaches.
Notable patterns and trends
- Convergence of nation‑state and criminal techniques: state‑linked actors continue to exploit VPNs and unpatched infrastructure while criminal groups monetize access via ransomware or data theft.
- Long‑running, undetected intrusions tied to vendor bugs: evidence of exploitation dating back to 2023 (Cisco) shows difficulties in detecting and remediating supply‑side vulnerabilities quickly.
- Defensive emphasis on detailed technical reporting: agencies (e.g., CISA) are publishing deeper TTP-level analysis to accelerate detection and response across the community.
- Increased legal/regulatory pressure on exploit sellers and vendors linked to operational failures.
Important mentions, interactions, and data points
- Chrome extension: ~7,000 users, Google Featured badge; malicious update after sale (SwiftOnSecurity retweet).
- CISA RESURGE Malware Analysis Report for Ivanti Connect Secure: updated technical guidance and detection/mitigation details (CISA).
- Cisco critical bug exploited since 2023: ongoing compromises of large customer networks (TechCrunch).
- Data breach scale: Conduent (~25M) and CarGurus (~12.5M) affected (Conduent, CarGurus).
- Treasury sanctions: Russian zero‑day broker accused of buying stolen U.S. defense exploits (TechCrunch).
- Legal outcomes: former L3Harris Trenchant boss jailed; spyware maker sentenced in Greece; Marquis sues SonicWall over alleged backup-related ransomware (L3Harris, spyware Greece, Marquis v. SonicWall).
- Network outage indicators: Hetzner BGP/DNS-related surge and traffic drop; Wikipedia blacklisting after alleged DDoS (CloudflareRadar, Wikipedia/DDoS).
Takeaway / What to watch next
- Patch and inventory remote‑access/VPN products immediately (Ivanti, SonicWall, Cisco-related advisories).
- Monitor for malicious or unexpected updates in browser extensions and tighten extension policy for managed environments.
- Watch for further enforcement/sanctions actions targeting exploit brokers and for litigation outcomes that may set precedents for vendor liability.
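As an added example for the browser-extension takeaway above (this is not code from the digest or from any vendor), the script below shows the two controls a defender would actually put in place: it generates a Chrome enterprise `ExtensionSettings` policy that blocks every extension except an explicit allowlist with pinned update URLs and minimum versions, and it diffs two extension-inventory snapshots so that an extension appearing outside the allowlist or silently changing version on a workstation is surfaced for review. The policy keys (`installation_mode`, `update_url`, `minimum_version_required`, and the `*` default) are real Chrome policy fields; every extension ID, hostname, URL and version number is constructed sample data, and the tab-separated inventory format is an assumption of this example.

```python
"""
Added example (not from the digest above): managed browser-extension controls.

1. build_extension_settings(): Chrome 'ExtensionSettings' policy, default
   blocked, allowlisted extensions pinned to an update URL and minimum version.
2. find_anomalies(): compare two inventory snapshots and flag extensions that
   are not allowlisted, changed version since the last snapshot, or sit below
   the required minimum. A version change is a review trigger, not proof of
   compromise; a sold-and-weaponized extension shows up exactly this way.

All IDs, hosts, URLs and versions are constructed sample values.
"""
import json
from typing import Dict, List, Tuple

# Constructed allowlist: extension id -> (name, update_url, minimum version)
ALLOWLIST: Dict[str, Tuple[str, str, str]] = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": (
        "Password Manager (sample)",
        "https://clients2.google.com/service/update2/crx",
        "4.2.0",
    ),
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": (
        "Internal Tool (sample)",
        "https://intranet.example/updates.xml",
        "1.0.0",
    ),
}

# Constructed inventory snapshots: "host<TAB>extension_id<TAB>version"
BEFORE = [
    "ws01\taaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\t4.2.0",
    "ws01\tbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\t1.0.0",
    "ws02\taaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\t4.2.0",
]
AFTER = [
    "# snapshot taken one day later (constructed)",
    "ws01\taaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\t4.2.0",
    "ws01\tbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\t1.0.0",
    "ws02\taaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\t4.3.7",  # unexpected version jump
    "ws02\tcccccccccccccccccccccccccccccccc\t0.9.1",  # not on the allowlist
]


def build_extension_settings(allowlist: Dict[str, Tuple[str, str, str]]) -> dict:
    """Return the ExtensionSettings policy: everything blocked by default,
    allowlisted extensions permitted only from their pinned update URL."""
    settings = {"*": {"installation_mode": "blocked"}}
    for ext_id, (_name, update_url, min_version) in allowlist.items():
        settings[ext_id] = {
            "installation_mode": "allowed",
            "update_url": update_url,
            "minimum_version_required": min_version,
        }
    return settings


def parse_inventory(lines: List[str]) -> Dict[Tuple[str, str], str]:
    """Parse 'host<TAB>id<TAB>version' lines into {(host, id): version}."""
    inventory = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, ext_id, version = line.split("\t")
        inventory[(host, ext_id)] = version
    return inventory


def version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric comparison key so that 4.10.0 > 4.9.0."""
    return tuple(int(part) for part in version.split("."))


def find_anomalies(before, after, allowlist) -> List[Tuple[str, str, str, str]]:
    """Flag (host, id, reason, detail) for each extension needing review."""
    findings = []
    for (host, ext_id), version in after.items():
        if ext_id not in allowlist:
            findings.append((host, ext_id, "not-allowlisted", version))
            continue
        previous = before.get((host, ext_id))
        if previous is not None and previous != version:
            findings.append((host, ext_id, "version-changed", f"{previous}->{version}"))
        if version_tuple(version) < version_tuple(allowlist[ext_id][2]):
            findings.append((host, ext_id, "below-minimum", version))
    return sorted(findings)


if __name__ == "__main__":
    print(json.dumps({"ExtensionSettings": build_extension_settings(ALLOWLIST)}, indent=2))
    for host, ext_id, reason, detail in find_anomalies(
        parse_inventory(BEFORE), parse_inventory(AFTER), ALLOWLIST
    ):
        print(f"{host}\t{ext_id}\t{reason}\t{detail}")
```

The policy output is the JSON value of the `ExtensionSettings` policy and would be delivered through whatever management channel the fleet uses (GPO, MDM, or a managed-policies file); the inventory diff is meant to run against whatever extension inventory your endpoint tooling already exports, with the tab-separated format adjusted to match.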
Sources (selected tweets inline above):
- https://x.com/SwiftOnSecurity/status/2027161709102719377
- https://x.com/CISAgov/status/2027119031778467883
- https://x.com/TechCrunch/status/2027052878763069800
- https://x.com/TechCrunch/status/2027048327020417522
- https://x.com/TechCrunch/status/2026778524418269653
- https://x.com/CloudflareRadar/status/2026792486350344472
- https://x.com/TechCrunch/status/2026408864883847185
- https://x.com/TechCrunch/status/2026415661103329511
- https://x.com/TechCrunch/status/2026373209952760144
- https://x.com/TechCrunch/status/2026336372823556351
- https://x.com/TechCrunch/status/2026298970759397563
- https://x.com/TechCrunch/status/2025966220319891494
- https://x.com/TechCrunch/status/2025305427190358415