⏱️ Read Time: 7 minutes
The word “firewall” was first borrowed from architecture — literally meaning “a wall built to stop fire from spreading.” Seems about right for what most CISOs do on Mondays.
📜 Table of Contents
🧨 Major Breaches & Incidents – Qantas cloud leak, SimonMed healthcare hit, Vietnam Airlines breach, Red Hat ripple
🕵️♂️ APTs & State-Sponsored – Crimson Collective goes cloud credential hunting
⚠️ Emerging Threats & Vulnerabilities – CL0P’s Oracle zero-day, SonicWall’s login storm, Discord vendor breach
🏛️ Policy & Strategy – CISA cuts staff, UK counts 50% more big incidents
🔒 Privacy Watch – Invoicely leaves the vault wide open
🧨 Major Breaches & Incidents
Qantas–Salesforce breach leaks 150 GB of data
The group “Scattered Lapsus$ Hunters” claims to have leaked 150 GB of data stolen from Salesforce environments tied to Qantas, Gap, and Fujifilm. Analysts say the dump includes internal documents and customer data from multiple organizations using shared cloud resources.
👉️ Cloud multi-tenancy: great for collaboration, equally great for criminals who prefer a “buy one, breach many” model.
Vietnam Airlines confirms breach linked to global campaign
Vietnam Airlines confirmed it was hit as part of a large-scale, multi-company cyberattack affecting major travel and logistics networks. While the airline has restored operations, investigators believe a coordinated criminal group used a shared supplier to access multiple targets.
👉️ Aviation’s connective tissue makes it a hacker’s dream — one open gate and your frequent flyer data takes off too.
Red Hat GitLab breach affects 800+ companies
A breach targeting Red Hat’s GitLab consulting environment has reportedly impacted more than 800 downstream clients. Some stolen source code and access tokens have already appeared on dark web forums.
👉️ The software supply chain: still everyone’s weakest link — and nobody’s responsibility until it explodes.
🕵️♂️ APTs & State-Sponsored
Crimson Collective pivots to AWS credential hunting
Following their breach of Red Hat, the APT group known as Crimson Collective is scanning public code repositories with tools like TruffleHog to harvest AWS credentials. Once inside, they reportedly escalate privileges and deploy stealthy exfiltration scripts.
👉️ In the cloud, leaked credentials are the new zero-days — faster, cheaper, and nearly impossible to patch.
⚠️ Emerging Threats & Vulnerabilities
CL0P hackers exploit Oracle E-Business Suite zero-day
CL0P-linked actors are actively exploiting a newly discovered zero-day (CVE-2025-61882) in Oracle’s E-Business Suite, compromising dozens of enterprises globally. The attack chain targets unpatched, legacy instances where critical financial and HR data resides.
👉️ Old enterprise software is like fine wine — it gets more valuable to attackers the longer it sits around unpatched.
SonicWall SSLVPNs targeted in credential attacks
After last month’s backup breach, SonicWall is again under fire as attackers pivot from exploiting flaws to using valid credentials for access. Reports suggest stolen or reused passwords are fueling the wave, bypassing patch-based defenses entirely.
👉️ It’s 2025 and attackers have discovered the easiest exploit of all — logging in like everyone else.
Hack of Discord’s ID-verification vendor exposes 70K users
A third-party age-verification service used by Discord was breached, leaking government IDs, emails, and selfies for about 70,000 users. Discord said its own systems weren’t compromised but confirmed the vendor handled verification for underage safety checks.
👉️ “We didn’t get hacked, our vendor did” is fast becoming 2025’s least comforting press statement.
🏛️ Policy & Strategy
CISA hit with RIF notices amid U.S. government shutdown
ClearanceJobs reports that the Cybersecurity and Infrastructure Security Agency (CISA) has begun receiving reduction-in-force notices as part of the ongoing U.S. government shutdown. Large portions of the agency’s staff are already furloughed, with critical operations delayed or paused.
👉️ America’s cyber shield is down to part-time coverage — the timing couldn’t be worse.
UK reports 50% jump in “highly significant” cyber incidents
The UK’s National Cyber Security Centre logged 429 major cyber incidents in the past year, a 50% increase over 2024. Officials warned business leaders that many of these attacks originated from state-linked groups and targeted critical infrastructure.
👉️ The global threat volume isn’t just rising — it’s compounding, like interest on technical debt.
🔒 Privacy Watch
Invoicely platform leaves 178K invoices exposed
Researchers found nearly 180,000 invoices sitting unprotected on an Invoicely database, exposing customer billing details, addresses, and transaction data. The records were accessible without authentication for an unknown period.
👉️ The cloud doesn’t need to be hacked if you just forget the lock — or the door.
🧭 Mitigation & Best Practices
Audit cloud vendor access – The Qantas–Salesforce and Red Hat incidents show how SaaS and supply-chain trust can evaporate fast. Review who holds admin tokens, and rotate API keys that haven’t been touched since the pandemic.
Patch ≠ protection – CL0P’s Oracle zero-day and SonicWall’s credential spree prove attackers don’t wait for Tuesday. Shrink patch windows where possible and pair patching with behavioral monitoring.
Kill password reuse – Credential stuffing has gone corporate. Mandate unique logins across VPN, SSO, and cloud admin panels; if you can’t, MFA isn’t optional anymore.
Vendor due diligence, really this time – Discord’s verification partner and Invoicely’s open DB remind us that third-party “compliance badges” are not security. Run annual audits or continuous monitoring of critical vendors.
Review incident-response coverage during government or staffing disruptions – With CISA operating on fumes, private-sector intelligence sharing matters more. Join ISACs or sector groups and ensure escalation paths aren’t reliant on a single federal feed.
👉️ Bottom line: the threat tempo is up, the defenders are down, and “someone else’s problem” is increasingly everyone’s problem.
Thanks for reading this week’s edition. Like what you see? Forward it!
Hate everything you see or have other feedback? Reply back to this email!

