29th June – Threat Intelligence Report

June 30, 2025

For the latest discoveries in cyber research for the week of 29th June, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • Grocery giant Ahold Delhaize has disclosed a data breach that resulted in the theft of personal, financial, employment, and health information belonging to over 2.2 million individuals from its American business systems. The leaked data includes names, contact details, IDs, bank account numbers, and medical information. While the INC Ransom ransomware group has published samples of alleged stolen data, Ahold Delhaize has not officially confirmed the attackers’ identity. 

Check Point Threat Emulation provides protection against this threat (Ransomware.Wins.INC) 

  • Iranian hacktivist group Cyber Fattah carried out an attack targeting the Saudi Games, resulting in the exposure of thousands of records containing sensitive personal information of visitors, athletes, officials, and IT staff on Telegram and dark web forums. Leaked data included personally identifiable information, passport and ID scans, bank statements, IBANs, and medical forms, extracted in the form of SQL dumps from the event’s official registration database.  
  • Michigan healthcare provider McLaren Health Care has disclosed a ransomware attack that resulted in unauthorized access to patient databases between July 17 and August 3, 2024, impacting 743,000 individuals. The breach exposed patient names and possibly other data from McLaren Health Care and Karmanos Cancer Institute.
  • Steel giant Nucor has confirmed a cyber-attack that resulted in attackers stealing data from its information technology systems and temporarily limiting system access, which led to halted production operations at various facilities. The breach impacted systems supporting aspects of company operations, though the exact amount and type of data leaked have not been disclosed. 
  • Trezor, manufacturer of hardware wallets for cryptocurrency, has suffered a data breach that resulted in its support system being abused to send phishing emails from its official email address, tricking users into visiting malicious sites that captured their cryptocurrency wallet seed phrases. Roughly 66,000 users who interacted with the support platform since late 2021 had their sensitive information exposed through unauthorized access to the third-party support ticketing portal.  
  • Hawaiian Airlines has been a victim of a cyberattack that disrupted access to some of its IT systems. The incident has not resulted in any reported data leakage or compromised customer information, and flights, operations, and travel schedules remain unaffected.  
  • Glasgow City Council was hit by a cyber-attack that resulted in the disruption of numerous online services and the potential exfiltration of customer data from servers managed by a third-party supplier. The attack may have exposed data submitted through unavailable web forms, impacting the council’s digital operations and posing risks to residents’ personal information.

VULNERABILITIES AND PATCHES

  • Two critical unauthenticated remote code execution vulnerabilities (CVE-2025-20281 and CVE-2025-20282) in Cisco Identity Services Engine (ISE) allow remote attackers to gain root access by exploiting insufficient input validation in exposed and internal APIs, impacting ISE and ISE-PIC versions 3.3 and 3.4. Successful exploitation enables attackers to execute arbitrary OS commands or upload and execute files as root without authentication, resulting in full compromise of targeted systems.  

Check Point IPS provides protection against this threat (Cisco Multiple Products Remote Code Execution (CVE-2025-20281))

  • RARLAB fixed a high-severity directory traversal vulnerability (CVE-2025-6218) in WinRAR for Windows up to version 7.11, which allowed malicious archive files to extract payloads into sensitive locations such as auto-run or startup folders, potentially resulting in code execution on user logon.
  • IBM has published an advisory addressing a critical vulnerability (CVE-2025-36038) affecting IBM WebSphere Application Server. The vulnerability allows remote attackers to gain arbitrary code execution by using a crafted sequence of serialized objects. 
  • Mozilla has published version 140 of Firefox, which addresses 13 vulnerabilities. Two of the vulnerabilities (CVE-2025-6424 and CVE-2025-6436) are considered critical and allow exploitable crashes and arbitrary code execution. 
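The WinRAR item above describes the archive path-traversal class of bug: a member name that walks out of the chosen extraction directory and lands in a startup folder. The following is an added example, not code from the bulletin or from RARLAB, showing the validation an extractor should apply to every member name before writing anything; the member names are constructed, and only the check is demonstrated (no archive is read).

```python
import posixpath
from typing import Dict, Iterable, List, Optional

# Constructed member names for illustration; the traversal ones mimic the
# pattern in the advisory (escape the destination, land in Startup).
SAMPLE_MEMBERS = [
    "report/summary.txt",
    "report/./images/chart.png",
    "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.exe",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "C:\\Users\\Public\\evil.exe",
    "/etc/cron.d/job",
    "docs/..",
]


def member_rejection_reason(member: str) -> Optional[str]:
    """Return None if the member name may be extracted, else why it is unsafe.
    Backslashes are treated as separators too, as a Windows extractor would."""
    unified = member.replace("\\", "/")
    if not unified or unified.startswith("/"):
        return "empty or absolute path"
    if len(unified) >= 2 and unified[1] == ":" and unified[0].isalpha():
        return "drive letter"
    parts = [p for p in unified.split("/") if p not in ("", ".")]
    if ".." in parts:
        return "parent directory traversal"
    return None


def safe_target_path(dest: str, member: str) -> Optional[str]:
    """Join the member under dest and confirm the result stays inside dest.
    The containment check is a second line of defence behind the name check."""
    if member_rejection_reason(member) is not None:
        return None
    root = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(root, member.replace("\\", "/")))
    if posixpath.commonpath([root, target]) != root:
        return None
    return target


def plan_extraction(dest: str, members: Iterable[str]) -> Dict[str, List[str]]:
    """Split members into those that extract cleanly and those to refuse."""
    plan: Dict[str, List[str]] = {"extract": [], "reject": []}
    for member in members:
        target = safe_target_path(dest, member)
        if target is None:
            reason = member_rejection_reason(member) or "escapes destination"
            plan["reject"].append(f"{member} ({reason})")
        else:
            plan["extract"].append(target)
    return plan
```

Run against `SAMPLE_MEMBERS`, the two benign names resolve under the destination and the five others are refused with a reason; a real extractor would also log each refusal, since a traversal attempt in an archive is itself a detection signal.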

THREAT INTELLIGENCE REPORTS

  • Check Point Research identified a malware campaign featuring a unique evasion technique that attempts prompt injection to manipulate AI models during malware analysis. The malware includes code that instructs AI models to ignore previous instructions and not analyze it. Technical analysis reveals the prompt injection attempt is currently ineffective against large language models such as OpenAI’s o3 and gpt-4.1, highlighting evolving tactics at the intersection of malware and AI.  
  • Check Point Research uncovered a new spear-phishing campaign by the Iranian APT group Educated Manticore, associated with the Islamic Revolutionary Guard Corps. The campaign targets Israeli journalists and cyber-related academics via email and WhatsApp. The attackers lured victims to fake login pages, stealing credentials and 2FA codes for Google, Yahoo and Outlook accounts. They use a multistage React-based kit and over 130 domains and subdomains supporting vast espionage activity.
  • Check Point researchers reported that cyber criminals are rapidly adopting advanced AI, such as WormGPT and Xanthorox AI, to automate phishing and malware attacks. Modular, autonomous AI systems now coordinate highly personalized attacks using deepfakes and sophisticated data analysis, leading to significant financial losses. AI-driven techniques contributed to 67.4% of phishing incidents in 2024, accelerating attack speed and enabling high-profile breaches.
