Attacks targeting Italian entities, new data breaches disclosed, vulnerabilities exploited ITW

Italy: new offensives hit the country
In the past week, several malicious campaigns were tracked in Italy. Two phishing operations were observed: the first abused the logos of the Healthcare Card System (Sistema TS), the Ministry of the Interior and CieID to deceive users by simulating official communications; the second abused the Weebly website creation platform to target users and staff at some Italian universities, in particular the Polytechnic University of Bari and the University of Bari Aldo Moro. In addition, distribution campaigns were detected for the PureLogs infostealer, themed around purchase orders, and for the Rhadamanthys malware, themed around Booking[.]com invoices. Beyond this, a previously unknown Android RAT named Klopatra was discovered, employed in operations against financial institutions and their clients – mainly in Spain and Italy – by a Turkic-speaking group. The malware allows attackers to gain full control over infected devices, steal sensitive data, and perform fraudulent transactions. It combines extensive use of native libraries with the integration of Virbox, a commercial-grade code protection tool, making it difficult to detect and giving it stealth and resilience.
Data Breach: Miljödata, Harrods, WestJet, Allianz Life and Red Hat among the victims
The cybercrime group DATACARRY claimed responsibility for the attack against Miljödata that occurred on August 20, 2025, which impacted at least 25 companies and 200 administrative entities and regions in Sweden. Compromised data allegedly includes names, social security numbers, emails, physical addresses, phone numbers, dates of birth, and government-issued identification documents belonging to around 870,000 accounts. At the same time, UK luxury retailer Harrods disclosed a data breach linked to a third-party provider, exposing the personal information of 430,000 e-commerce customers. The company did not reveal the name of the affected provider; it stated that it was contacted directly by the adversary but refused to initiate any negotiation. In addition, Canadian airline WestJet is notifying customers that the attack disclosed in June 2025 compromised sensitive information, including passports and identity documents, though it reports still working to determine the full scope of the incident. Allianz Life, for its part, completed its investigation into the attack suffered in July 2025, establishing that almost 1.5 million individuals were affected. The incident dates back to July 16, 2025, when a malicious actor managed to access a cloud-based system used by Allianz Life, exfiltrating personal data related to customers, financial professionals, and some employees. According to reports, the attack is linked to the ShinyHunters campaign against the Salesforce platform. Finally, an extortion group calling itself Crimson Collective claims to have breached Red Hat’s private GitHub repositories, stealing nearly 570 GB of compressed data covering over 28,000 internal projects. The stolen information allegedly includes around 800 Customer Engagement Reports (CERs), consulting documents that may contain sensitive details about clients’ networks and platforms.
Red Hat confirmed that it suffered a security incident but did not comment on the group’s claims regarding the GitHub repositories and CERs. The same group also claimed responsibility for last week’s temporary defacement of a Nintendo-themed webpage, on which it inserted its contact details and links to its Telegram channel.
Vulnerabilities: multiple 0-days reported exploited ITW
Security researchers reported credible evidence of active exploitation of CVE-2025-10035, disclosed in Fortra GoAnywhere Managed File Transfer (MFT). This flaw, a Deserialization of Untrusted Data, allows an attacker with a forged yet valid license response signature to deserialize an arbitrary object under their control. CISA added it to its KEV catalog, together with CVE-2021-21311, a Server-Side Request Forgery affecting the open-source database management software Adminer, previously reported as exploited in 2022 during a campaign attributed to UNC2903. In addition, CISA added CVE-2025-20352, a Stack-based Buffer Overflow in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE software, potentially allowing Denial of Service or remote code execution; CVE-2025-59689, a Command Injection in Libraesva ESG triggered by a malicious email containing a specially crafted compressed attachment; and CVE-2025-32463, an Inclusion of Functionality from Untrusted Control Sphere vulnerability in the Unix-like OS utility Sudo, which could allow a local malicious user to abuse the -R (--chroot) option to execute arbitrary commands as root, even if not listed in the sudoers file. Moreover, ITW exploitation of CVE-2025-41244 was tracked in VMware Aria Operations and Tools products. Analysis revealed that the flaw was exploited by the China-linked cluster UNC5174, which leveraged it to achieve local privilege escalation. Finally, a months-long intrusion was identified in the network of the U.S. Federal Emergency Management Agency (FEMA), based on exploitation of Citrix CVE-2025-5777, which led to the theft of employee data from both FEMA and U.S. Customs and Border Protection (CBP). The flaw, an Out-of-bounds Read also known as CitrixBleed 2.0, enables bypassing multi-factor authentication and gradually harvesting login credentials through system memory disclosure.
In response, DHS announced the dismissal of around 24 FEMA technical staff members, including senior cybersecurity and IT officials, citing negligence such as failure to implement multi-factor authentication, reliance on obsolete/legacy protocols, lack of operational visibility, and failure to report critical vulnerabilities.
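Several of the CVEs above were added to CISA's KEV catalog, which carries a remediation due date per entry. The following is an added example (not the report's or CISA's code) of the check a patch-management team would run: cross-reference scanner findings against a KEV-format catalog and rank them by due date. The catalog entries and the inventory are constructed samples using the public catalog's field names; the due dates are placeholders, not the real catalog values.

```python
# Added example (not the report's or CISA's code): cross-reference scanner findings
# against a KEV-format catalog and rank them by remediation due date.
# Live feed: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
import json
from datetime import date

# Constructed sample using the catalog's field names. CVE IDs are those the report
# names; dateAdded/dueDate values are placeholders, not the catalog's real dates.
SAMPLE_KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2025-10035", "vendorProject": "Fortra", "product": "GoAnywhere MFT",
  "dateAdded": "2025-09-29", "dueDate": "2025-10-20", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2025-20352", "vendorProject": "Cisco", "product": "IOS and IOS XE",
  "dateAdded": "2025-09-29", "dueDate": "2025-10-02", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2025-32463", "vendorProject": "Sudo project", "product": "Sudo",
  "dateAdded": "2025-09-29", "dueDate": "2025-10-20", "knownRansomwareCampaignUse": "Known"}
]}"""

# Constructed inventory: CVE -> hosts where a scanner reported it. The last key is an
# obvious placeholder for a finding that is not in the catalog at all.
SAMPLE_INVENTORY = {
    "CVE-2025-32463": ["jump-01", "build-01"],
    "CVE-2025-20352": ["core-rtr-01"],
    "CVE-0000-00000": ["app-07"],
}


def load_kev(text):
    """Index a KEV-format JSON document by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def prioritize(inventory, kev, today_iso):
    """Return findings present in KEV: overdue first, then nearest due date,
    with known-ransomware use breaking ties. today_iso is a YYYY-MM-DD string."""
    today = date.fromisoformat(today_iso)
    rows = []
    for cve, hosts in inventory.items():
        entry = kev.get(cve)
        if entry is None:
            continue  # not known-exploited: leave to the normal patch cadence
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "cve": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "hosts": sorted(hosts),
            "due": entry["dueDate"],
            "days_left": (due - today).days,  # negative = past the KEV due date
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
        })
    rows.sort(key=lambda r: (r["days_left"] >= 0, r["days_left"], not r["ransomware"]))
    return rows
```

Calling `prioritize(SAMPLE_INVENTORY, load_kev(SAMPLE_KEV_JSON), "2025-10-06")` returns the Cisco finding first (already past its placeholder due date) and the Sudo finding second; the placeholder CVE is dropped.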
Weekly Threats Report is Telsy’s weekly update on the latest developments regarding cyberattacks and threat actors worldwide, produced by our Threat Intelligence & Response team.
The team is made up of security analysts and researchers with both technical and investigative expertise, as well as recognized international experience.
Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with valuable information to anticipate attacks and understand their impact, while ensuring a reliable partner in the event of a cyber incident.