Originally reported by Security Affairs, The Record
TL;DR
Nation-state actors continue sophisticated campaigns with Russian APT exploiting Zimbra zero-day against Ukrainian targets and Iranian threat actors compromising Stryker through Microsoft Intune. Meanwhile, ransomware groups exploit Cisco firewall zero-days and law enforcement disrupts major IoT botnets.
Multiple nation-state campaigns are active, including a Russian APT exploiting a Zimbra zero-day against Ukraine and an Iranian group compromising a major medical device manufacturer through legitimate Microsoft cloud management infrastructure.
A Russia-linked threat actor has been exploiting a high-severity cross-site scripting vulnerability in Zimbra Collaboration to target users in Ukraine. The flaw, tracked as CVE-2025-66376 with a CVSS score of 7.2, stems from insufficient sanitization of HTML email content: when a victim opens a crafted message, attacker-supplied script executes in the victim's webmail session.
The campaign demonstrates continued nation-state targeting of Ukrainian infrastructure through email-based attack vectors, leveraging zero-day vulnerabilities in widely deployed collaboration platforms.
The FBI and CISA issued warnings about Microsoft Intune security risks following an Iran-linked cyberattack against medical device manufacturer Stryker. The attackers gained access to the company's Intune environment, Microsoft's legitimate device management service, and used its built-in remote-wipe capability to wipe company data without deploying traditional malware.
This living-off-the-land technique highlights a growing trend of nation-state actors abusing legitimate cloud management platforms: there is no malware to detect, and the destructive action is indistinguishable from an administrator's routine command unless the tenant's audit logs are monitored for anomalous volume or timing.
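One check a defender can run against this technique is to look for bursts of wipe or retire actions from a single identity in the tenant's Intune audit log. The script below is an added example, not code from the original article or from Microsoft; it assumes events exported from the Microsoft Graph `deviceManagement/auditEvents` endpoint as a list of dicts with `activityDateTime`, `activity` and `actor` fields, and the sample records embedded in it are constructed for illustration, not real telemetry.

```python
"""Flag actors who issue many destructive Intune actions inside a short window.

Added example (not the article's or Microsoft's code). It assumes audit events
shaped like Graph 'auditEvent' objects: 'activityDateTime' (ISO 8601), 'activity'
(display string such as 'wipe ManagedDevice') and 'actor' (dict with
'userPrincipalName' or, for service principals, 'applicationDisplayName').
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Activity substrings treated as destructive. "wipe" covers full remote wipes,
# "retire" the selective wipe; both are assumptions about the display strings.
DESTRUCTIVE_ACTIVITIES = ("wipe", "retire")


def parse_ts(ts: str) -> datetime:
    # Graph emits a trailing 'Z'; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_destructive(event: dict) -> bool:
    activity = (event.get("activity") or "").lower()
    return any(word in activity for word in DESTRUCTIVE_ACTIVITIES)


def actor_id(event: dict) -> str:
    actor = event.get("actor") or {}
    # Service principals and Graph apps carry no UPN, so fall back to the app name.
    return actor.get("userPrincipalName") or actor.get("applicationDisplayName") or "unknown"


def find_wipe_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Return {actor: {"count": n, "window_start": dt}} for every actor whose
    destructive actions reach `threshold` inside some sliding `window`."""
    per_actor = defaultdict(list)
    for ev in events:
        if is_destructive(ev):
            per_actor[actor_id(ev)].append(parse_ts(ev["activityDateTime"]))

    bursts = {}
    for actor, stamps in per_actor.items():
        stamps.sort()
        best_count, best_start, left = 0, None, 0
        for right, t in enumerate(stamps):
            # Slide the left edge forward until the window fits.
            while t - stamps[left] > window:
                left += 1
            if right - left + 1 > best_count:
                best_count, best_start = right - left + 1, stamps[left]
        if best_count >= threshold:
            bursts[actor] = {"count": best_count, "window_start": best_start}
    return bursts


def _ev(ts, upn, activity, device):
    # Helper to build a constructed audit event in the assumed shape.
    return {"activityDateTime": ts, "activity": activity,
            "actor": {"userPrincipalName": upn},
            "resources": [{"displayName": device}]}


# Constructed sample: six wipes in under three minutes from one account,
# plus a help-desk user doing normal work and two wipes hours apart.
SAMPLE_EVENTS = [
    _ev("2026-02-10T02:01:00Z", "svc-intune-admin@contoso.example", "wipe ManagedDevice", "LAPTOP-0001"),
    _ev("2026-02-10T02:01:30Z", "svc-intune-admin@contoso.example", "wipe ManagedDevice", "LAPTOP-0002"),
    _ev("2026-02-10T02:02:00Z", "svc-intune-admin@contoso.example", "wipe ManagedDevice", "LAPTOP-0003"),
    _ev("2026-02-10T02:02:30Z", "svc-intune-admin@contoso.example", "wipe ManagedDevice", "LAPTOP-0004"),
    _ev("2026-02-10T02:03:00Z", "svc-intune-admin@contoso.example", "wipe ManagedDevice", "LAPTOP-0005"),
    _ev("2026-02-10T02:03:30Z", "svc-intune-admin@contoso.example", "wipe ManagedDevice", "LAPTOP-0006"),
    _ev("2026-02-10T09:15:00Z", "helpdesk@contoso.example", "wipe ManagedDevice", "PHONE-0042"),
    _ev("2026-02-10T10:00:00Z", "helpdesk@contoso.example", "patch ManagedDevice", "LAPTOP-0100"),
    _ev("2026-02-10T14:40:00Z", "helpdesk@contoso.example", "wipe ManagedDevice", "PHONE-0043"),
]

if __name__ == "__main__":
    for actor, hit in find_wipe_bursts(SAMPLE_EVENTS).items():
        print(f"{actor}: {hit['count']} destructive actions from {hit['window_start']:%Y-%m-%d %H:%M}")
```

The sliding window keeps the check O(n log n) per actor and avoids alerting on a help-desk user who wipes a couple of lost phones across a working day; tune `window` and `threshold` to the tenant's normal wipe rate, and treat a burst from a service principal or a newly privileged account as a higher-priority signal than one from a known administrator.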
Amazon researchers revealed that the Interlock ransomware gang exploited a zero-day vulnerability in Cisco firewalls weeks before public disclosure. Exploitation that predates disclosure implies either independent discovery by the group or access to vulnerability information through supply chain or intelligence channels; either way, patch timing alone would not have protected affected devices.
CISA has since added a related Cisco vulnerability (CVE-2026-20131) affecting Secure Firewall Management Center (FMC) Software and Security Cloud Control (SCC) Firewall Management to its Known Exploited Vulnerabilities catalog, indicating confirmed active exploitation.
The U.S. Department of Justice, working with Canadian and German authorities alongside major technology companies, disrupted command-and-control infrastructure used by several IoT botnets including AISURU, Kimwolf, JackSkid, and Mossad. The coordinated operation targeted botnet operators and their global infrastructure.
While not directly nation-state activity, these botnets often serve as infrastructure for subsequent APT campaigns or are leveraged by state-sponsored actors for initial access operations.
The French aircraft carrier Charles de Gaulle was tracked in real time through a sailor's Strava fitness app activity, according to Le Monde reporting. Publicly shared running data revealed the strategic naval asset's location as it moved, an operational security failure caused not by a compromise but by default sharing settings on a personal device.
This incident mirrors previous OPSEC failures involving military personnel and fitness tracking applications, highlighting persistent challenges in managing personal device security within military environments.
U.S. intelligence chiefs urged lawmakers to extend Section 702 surveillance powers without modifications during the House Intelligence Committee's annual worldwide threats hearing. The remarks represented the most vocal support for President Trump's surveillance strategy to date.
Separately, the White House definitively rejected speculation about cyber "letters of marque" that would allow private companies to conduct cyberattacks on behalf of the U.S. government, clarifying the administration's position on private sector involvement in offensive cyber operations.