A new ransomware exploits vulnerabilities to target ISPs
A new ransomware named Arkana is exploiting vulnerabilities in corporate environments for initial access. Its first victim is the telecom company WideOpenWest (WOW!), one of the largest cable and broadband service providers in the US. The group exfiltrated the information of over 400K customers and took full control of critical systems, including AppianCloud and Symphonica. Arkana claimed that through Symphonica, a cloud-native orchestration platform serving telecom companies, it would be able to distribute malware to customer devices.

An exploited flaw in Check Point antivirus
Threat actors are exploiting a vulnerability in the Check Point ZoneAlarm antivirus. The flaw lies in vsdatant.sys, a kernel-level driver released in 2016 and used by the software. It lets attackers bypass Windows memory integrity protections in BYOVD (bring your own vulnerable driver) attacks and extract sensitive data.
Oracle Cloud breached through a known vulnerability
A hacker using the alias rose87168 has put 6 million data records, allegedly taken from Oracle Cloud servers, up for sale. The threat actor claimed to have compromised Oracle Cloud servers 40 days earlier by exploiting a known vulnerability that had not previously been exploited and for which no PoC had been published. Although Oracle categorically denied the breach, analysis of a published sample appears to confirm that rose87168 did access sensitive information from an Oracle production environment.
Exploitation of flaws in Cisco Smart Licensing Utility begins
Exploitation attempts against two Cisco vulnerabilities (CVE-2024-20439 and CVE-2024-20440) have been observed. The flaws affect Cisco Smart Licensing Utility, a tool for managing software licenses within an organization. They allow remote, unauthenticated attackers to exfiltrate sensitive information and manage devices on a system in which the utility is running. The threat group targeting the flaws has also been spotted scanning for vulnerabilities in Internet-facing IoT devices.
Another backup system under exploitation
A flaw in the Nakivo backup and recovery solution (CVE-2024-48248) has been exploited in the wild. Exploitation allows attackers to read arbitrary files and steal sensitive information, such as configuration files, backups and various credentials. Nakivo is a popular backup tool with 29K customers across 183 countries.
A Google Chrome zero-day used against Russia
Google patched a zero-day in Chrome (CVE-2025-2783) reported by the Russian cybersecurity company Kaspersky. The flaw, a sandbox escape, is triggered when the victim opens a personalized malicious URL in Chrome. It has been chained with another RCE vulnerability and used in a cyberespionage campaign (“Operation ForumTroll”) targeting Russian media outlets, educational institutions and government agencies.

MSC EvilTwin exploited
A threat actor named EncryptHub has exploited the “MSC EvilTwin” vulnerability in Microsoft Management Console (CVE-2025-26633). The flaw enables bypassing Windows file reputation protections and executing code. It was leveraged to exfiltrate sensitive data from compromised systems. EncryptHub has run multi-stage malware campaigns against more than 600 organizations worldwide, but until now it was mostly known for its sophisticated social engineering methods.
Volt Typhoon has also been targeting Taiwan's critical infrastructure
Since 2023, the Chinese state actor Volt Typhoon has tried to compromise Taiwanese critical infrastructure and maintain long-term persistence for information theft and disruptive purposes. Sectors such as telecommunications, healthcare and IT were particularly affected. Volt Typhoon became widely known in 2023 due to a similar operation against US military and critical infrastructure. It usually gains initial access by exploiting vulnerabilities in unpatched Internet-facing web and application servers.
The PHP-CGI flaw is exploited again
A surge in the exploitation of the PHP-CGI vulnerability (CVE-2024-4577) has been observed since early 2025, with victims in Taiwan, Hong Kong and Brazil. Interestingly, some of the attackers subsequently modified firewall configurations to block access from other threat actors, raising speculation about competition between different cryptojacking groups. The flaw, which appears to be limited to Windows hosts with Chinese or Japanese locales installed, was exploited a few weeks ago in a large campaign targeting Japanese organizations.

Mitigate it
In Akamai Adaptive Security Engine, make sure the Command Injection Attack group (including rules 969151 v1, 959977 v1, 3000155 v1 and 3000171 v3) is in “deny” mode; monitor with the Wiz query “Critical RCE vulnerability in PHP CGI”.
Next.js authorization bypass under exploitation
First exploitation attempts against a critical flaw in Next.js (CVE-2025-29927) have been observed. Next.js is a well-known framework used to build web applications with good search engine optimization (SEO). The vulnerability allows unauthenticated attackers to craft HTTP requests that bypass the framework's middleware-based authorization checks, giving access to protected parts of the application.
Mitigate it
Set Akamai Adaptive Security Engine Rapid Rule 3000958 to Deny mode
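For teams that cannot patch immediately and do not sit behind Akamai, the equivalent of the rule above can be applied at any reverse proxy in front of the application. The following is an added example, not code from the newsletter, Akamai or the Next.js project: it assumes Node-style request objects and uses the header name that the Next.js project's own advisory told operators to block for external clients. External traffic has no legitimate reason to carry that header, since Next.js only sets it internally on middleware sub-requests, so any inbound request with it is rejected and logged. Upgrading to a patched Next.js release remains the actual fix.

```javascript
// Added example (not from the newsletter, Akamai or the Next.js project).
// Edge filter for a reverse proxy placed in front of an unpatched Next.js app.
// Assumption: requests are Node http-style objects with a `headers` map.

// Internal marker header named in the Next.js advisory for CVE-2025-29927.
const INTERNAL_HEADER = "x-middleware-subrequest";

// Inspect one inbound request and return an allow/deny decision plus a log line.
// Node lower-cases header names already, but we normalise anyway so a proxy
// that preserves case cannot be bypassed with a mixed-case variant.
function inspectRequest(req) {
  const names = Object.keys(req.headers).map((h) => h.toLowerCase());
  const hit = names.includes(INTERNAL_HEADER);
  return {
    allow: !hit,
    status: hit ? 403 : 200,
    reason: hit ? `external request carried internal header ${INTERNAL_HEADER}` : "ok",
    log: `${req.remoteAddress} ${req.method} ${req.url} -> ${hit ? "BLOCKED" : "forwarded"}`,
  };
}

// Alternative for deployments that prefer to strip rather than reject: return a
// copy of the headers without the internal marker, case-insensitively.
function stripInternalHeader(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== INTERNAL_HEADER) clean[name] = value;
  }
  return clean;
}

// Constructed sample traffic (not real captures): two benign requests and one
// external request carrying the internal header with a placeholder value.
const SAMPLE_REQUESTS = [
  { remoteAddress: "203.0.113.10", method: "GET", url: "/dashboard",
    headers: { host: "app.example", accept: "text/html" } },
  { remoteAddress: "203.0.113.22", method: "GET", url: "/admin",
    headers: { host: "app.example", "X-Middleware-Subrequest": "constructed-value" } },
  { remoteAddress: "198.51.100.5", method: "POST", url: "/api/login",
    headers: { host: "app.example", "content-type": "application/json" } },
];

// Run the filter over the sample traffic and return all decisions.
function runSamples() {
  return SAMPLE_REQUESTS.map(inspectRequest);
}

for (const d of runSamples()) {
  console.log(d.log, d.status, d.reason);
}
```

Wire `inspectRequest` into the proxy's request hook and return `status` when `allow` is false; the `log` field is meant to go to the same sink as the WAF deny events so that blocked attempts remain visible for detection, not just dropped.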
Ingress Nightmare
Concerns have been raised after the disclosure of IngressNightmare, a set of four critical RCE vulnerabilities (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974) in the Ingress NGINX Controller for Kubernetes. The flaws expose an estimated 43% of cloud environments to full cluster takeover. Ingress NGINX Controller, one of the most popular tools for exposing Kubernetes applications externally, acts as a load balancer and reverse proxy.

Mitigate it
Temporarily disable the admission controller component of Ingress-NGINX by reinstalling with controller.admissionWebhooks.enabled=false
Raspberry Robin evolves into an IAB
New research shows that Raspberry Robin (aka Storm-0856) has established a C2 network by exploiting vulnerabilities in QNAP boxes, routers and IoT devices. The exploits, for which no PoC had previously been made public, were possibly acquired from another threat group. Having emerged in 2019 as a USB drive worm targeting print shops, Raspberry Robin has evolved into an initial access broker (IAB) that compromises corporate environments and sells access to diverse Russian threat groups, including the GRU's Unit 29155. Among its recent victims are organizations from sectors such as oil and gas, transportation, retail and education.

Sources
- https://socradar.io/arkana-ransomware-attack-on-wideopenwest/
- https://venaksecurity.com/2025/03/20/cybercriminals-exploit-checkpoints-driver-in-a-byovd-attack/
- https://www.bleepingcomputer.com/news/security/oracle-denies-data-breach-after-hacker-claims-theft-of-6-million-data-records/
- https://www.securityweek.com/hackers-target-cisco-smart-licensing-utility-vulnerabilities/
- https://www.securityweek.com/cisa-warns-of-exploited-nakivo-vulnerability/
- https://www.securityweek.com/google-patches-chrome-sandbox-escape-zero-day-caught-by-kaspersky/
- https://www.bleepingcomputer.com/news/security/encrypthub-linked-to-zero-day-attacks-targeting-windows-systems/
- https://therecord.media/taiwan-critical-infrastructure-hacking-uat-5918
- https://www.bitdefender.com/en-us/blog/businessinsights/technical-advisory-update-mass-exploitation-cve-2024-4577
- https://www.akamai.com/blog/security-research/2025/mar/march-authorization-bypass-critical-nextjs-detections-mitigations
- https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
- https://www.silentpush.com/blog/raspberry-robin/#h-executive-summary