Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

This week’s briefing covers: Proof of Concept Exploit Released for CVE-2025-32756 Further to Kroll reporting in May regarding a critical zero-day vulnerability, CVE-2025-32756 in Fortinet, is now being actively exploited in the wild, with attackers using a crafted AuthHash cookie to gain control of affected systems.

In this series, we chat with cybersecurity and data resilience leaders from Kroll and our partners. Our first guest is Katherine Keefe, Managing Director and Global Cyber Insurance Lead. Future episodes will cover topics such as the Cyber Threat Landscape, AI Risk Governance, and Breach Notification.

This week’s briefing covers: MATLAB dev confirms ransomware attack behind service outage MathWorks, the developer of the popular MATLAB numeric computing platform and the Simulink simulation, has disclosed it suffered a ransomware attack beginning on May 18, 2025. The attack impacted online applications used by customers as well as internal staff systems.

This week’s briefing covers: Joint Cybersecurity Advisory released on KTA007 (APT28) A joint advisory has been released warning of Russian-attributed threat actors targeting western logistics entities and technology companies since 2022. Microsoft leads global action to disrupt LUMMASTEALER Microsoft’s Digital Crimes Unit has recently seized and facilitated the takedown, suspension, and blocking of approximately 2,300 malicious domains that formed the backbone of LUMMASTEALER infrastructure.

This week’s briefing covers: Coinbase Insider Threat Leads to Theft of Customer Data Coinbase has released a blog post and filed an SEC Form 8-K reporting an incident whereby they received an email attempting to extort the company for $20m. According to the post, the threat actors approached customer support staff and “used cash offers to convince a small group of insiders to copy data in our customer support tools”. Stolen data includes personal details including identity documents and account data include balance and transaction history.

This week’s briefing covers: Software Supply Chain Attack on Golang Leads to Wiper Malware A supply-chain attack has been discovered that targeted Linux servers through malicious Golang modules, mimicking legitimate modules, that were posted on GitHub. Continued Exploitation of Critical SAP NetWeaver Critical Vulnerability Further to Kroll’s reporting in previous weeks regarding active exploitation of CVE-2025-31324, a critical vulnerability that allows a threat actor to execute code remotely.

The new Digital Operational Resilience Act (DORA) requires significant financial entities in the EU to carry out Threat-Led Penetration Testing (TLPTs) on a regular basis. However, the skills required along with the planning for these types of exercises can prove difficult and time consuming. During this session, Kroll brings together our red teaming, threat intelligence and DORA regulatory compliance experts to provide practical guidance on how security, risk and resiliency leaders can adopt a sustainable threat-led penetration testing (TLPT) program as required by DORA.

This week’s briefing covers: UK Defence Contractors Warn Staff Against Chinese EVs UK defence firms, including Lockheed Martin and Thales, have advised staff against connecting mobile phones to Chinese-made electric vehicles (EVs) due to concerns over potential espionage and data theft. These vehicles, equipped with cameras, microphones, and internet connectivity, could be exploited by hostile states to collect sensitive information.

This week’s briefing covers: POC Exploit Released for Erlang CVSS 10 Vulnerability The vulnerability allows an attacker with network access to an Erlang/OTP SSH server to execute arbitrary code without prior authentication. NTLM Hash Leaking Vulnerability Actively Exploited Checkpoint researchers report that they have detected active exploitation of CVE-2025-24054, a hash disclosure via spoofing vulnerability that was patched as part of Microsoft’s March patching cycle.

This week’s briefing covers: Palo Alto Confirms Brute Force Campaign Against PAN-OS Devices Worldwide Following Kroll's previous bulletin highlighting a report from GreyNoise indicating a large uptick in activity targeting Palo Alto devices, it has been confirmed that Palo Alto has detected an ongoing campaign to brute force login credentials to PAN-OS devices.