For the latest discoveries in cyber research for the week of 27th October, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
- Toys “R” Us Canada has suffered a data breach that resulted in stolen customer records being leaked on the dark web. The compromised data affects an undisclosed number of individuals and includes names, physical addresses, email addresses, and phone numbers, while account passwords and financial details were not exposed. No threat actor has claimed responsibility yet.
- Japanese retailer Askul has been a victim of a ransomware attack that resulted in system failures and the suspension of all online orders, user registrations, and product shipments across its three e-commerce sites. The incident disrupted logistics operations for major retailers including Muji, Loft, and Sogo & Seibu, and may have led to a possible leak of personal and customer data.
- Swedish security company Verisure has confirmed a data breach that resulted in unauthorized access to customer data held by its subsidiary, Alert Alarm. The attack affected systems managed by an external billing partner and led to the compromise of names, addresses, email addresses, and social security numbers of around 35,000 current and former Alert Alarm customers in Sweden.
- Oregon-based Jewett-Cameron Trading Company has experienced a cyber-attack that resulted in the theft of video meeting images, non-public financial documents, and IT information after hackers breached and encrypted parts of its internal corporate systems. The incident materially impacted the company’s operations and may affect its financial results.
- Kaufman County, near Dallas, disclosed a cyberattack that shut down multiple county systems, especially courthouse computers. The disruption affected services for nearly 200,000 residents and coincided with similar incidents hitting public payment systems and municipal operations in La Vergne, Tennessee; DeKalb County, Indiana; and the Chester County Library System in Pennsylvania.
- Password manager LastPass was hit by a phishing campaign impersonating an inheritance request, luring users to enter master passwords and passkeys on fake sites. The attack exposed credentials, endangered vaults and synced authentication methods, and led to about $4.4M in crypto thefts. The financially motivated threat actor CryptoChameleon (UNC5356) was responsible for the attack.
- Several European defense manufacturers, including UAV/drone firms, have experienced a cyber-attack that resulted in ScoringMathTea RAT infections via trojanized GitHub projects and fake job-offer lures, enabling remote control and theft of proprietary UAV designs and manufacturing know-how. Corporate systems were compromised, and sensitive weapons-system data was likely exposed. The attack is attributed to North Korea–linked Lazarus group.
Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (APT.Win.Lazarus; Gen.Win.Crypter.Lazarus; APT.Wins.Lazarus.ta.*; Trojan.Wins.DreamJob.ta.*)
VULNERABILITIES AND PATCHES
- CVE-2025-33073, a Windows SMB Client elevation-of-privilege flaw, is being exploited to gain SYSTEM privileges on Windows and Windows Server. Exploitation coerces SMB authentication via a crafted script, bypasses NTLM reflection mitigations, and can enable authenticated RCE when SMB signing isn’t enforced. The flaw was patched in June 2025, and PoC exploits are publicly available.
Check Point IPS provides protection against this threat (Microsoft Windows Privilege Escalation (CVE-2025-33073))
- Microsoft released an out-of-band security update to mitigate a critical Windows Server Update Service vulnerability, CVE-2025-59287. The vulnerability was first patched as part of the October Patch Tuesday release, and an out-of-band emergency update was released on October 23 to better address this critical flaw.
Check Point IPS provides protection against this threat (Microsoft Windows Server Update Service Remote Code Execution (CVE-2025-59287))
- Active exploitation of the critical SessionReaper vulnerability (CVE-2025-54236) has been observed targeting Adobe Commerce (Magento), affecting versions 2.4.9-alpha2 through 2.4.4-p15 and earlier. The flaw lets attackers hijack sessions via the REST API without user interaction, often dropping PHP webshells on default session storage. Over 60% of Magento stores remain unpatched.
Check Point IPS provides protection against this threat (Adobe Multiple Products Remote Code Execution (CVE-2025-54236))
- A logic flaw, CVE-2025-62518, was identified in the abandoned Rust async-tar and forks like tokio-tar, enabling RCE via TAR desynchronization during extraction and allowing file injection/overwrite. Impacted projects include testcontainers, uv, wasmCloud, liboxen, and Binstalk; forks are patched, but millions remain exposed through abandoned dependencies.
THREAT INTELLIGENCE REPORTS
- Check Point Research uncovered and analyzed the YouTube Ghost Network, a sophisticated and coordinated collection of malicious accounts operating on YouTube. These accounts systematically take advantage of YouTube’s features to promote malicious content, ultimately distributing malware while creating a false sense of trust among viewers. Notable malware families involved included Lumma Infostealer, Rhadamanthys, HijackLoader, and RedLine.
Check Point Threat Emulation and Harmony Endpoint provide protection against this threat.
- Check Point Research identified LockBit’s rapid resurgence after its disruption in 2024, with a dozen organizations hit in September 2025, half of them by the new LockBit 5.0 (“ChuongDong”) variant. The group is deploying attacks across Windows, Linux, and ESXi environments in Europe, the Americas, and Asia. LockBit 5.0 adds multi-platform builds, stronger anti-analysis, faster encryption, and more.
Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Ransomware.Wins.Lockbit.tajai.*; Ransomware.Win.LockBit; Ransomware.Wins.LockBit)