Tags: AI Threats, Data Breach, Extortion, Ransomware, Supply Chain Attack, Vulnerability Exploitation

Mar 02, 2026 • lorenf

2nd March – Threat Intelligence Report


Source: Check Point Research
Category: vulnerability
Severity: high

Executive Summary

This week's threat intelligence report highlights multiple significant cyber incidents. Wynn Resorts suffered a data breach linked to ShinyHunters, exposing employee HR records, while Qilin ransomware targeted Transport Workers Union Local 100, compromising data of 67,000 members. Critical vulnerabilities were disclosed in Anthropic Claude Code (allowing RCE and API credential theft), Roundcube Webmail (CVE-2025-49113, exploited in the wild), SolarWinds Web Help Desk (a pre-auth RCE chain), and Cisco Catalyst SD-WAN (a CVSS 10 bypass reportedly exploited for three years). AI-related threats include coordinated 'distillation' activity by China-based firms including DeepSeek, MiniMax, and Moonshot, aimed at extracting the model's reasoning, coding, and agent behaviour in order to train competing models. State-linked operations by Camaro Dragon, COLDRIVER, and Lazarus Group remain active. Organizations should prioritize patching the critical vulnerabilities above, implement multi-layered endpoint protection, and monitor for the associated IOCs.


Published Analysis

Originally published by Check Point Research as "2nd March – Threat Intelligence Report". For the latest discoveries in cyber research for the week of 2nd March, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

Wynn Resorts, a United States-based casino and hotel operator, has confirmed that employee data was accessed following an extortion threat linked to ShinyHunters. The company said operations were not disrupted. Reports indicate the stolen dataset includes HR-related information, including contact details and employment records for current and former staff.

UFP Technologies, a United States-based medical device manufacturer, has disclosed a cyberattack that compromised parts of its IT environment and resulted in data exfiltration. The company reported disruptions to shipping and labeling workflows and said that some of its data was wiped in the attack.

Transport Workers Union of America Local 100, which represents New York City transit workers, was targeted by the Qilin ransomware group and listed on its leak site. According to reports, personal data of the union's 67,000 members is now at risk of fraud and identity misuse. Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Wins.Qilin.ta.*; Ransomware.Wins.Qilin.).

European home improvement marketplace ManoMano has reported a data breach tied to a third-party customer support portal. The exposed records include customer names, email addresses, phone numbers, and support ticket details. ManoMano said passwords and payment data were not affected, and notifications are being sent to impacted users.

AI THREATS

Check Point Research has discovered critical vulnerabilities in Anthropic's Claude Code that allow attackers to achieve remote code execution and steal API credentials through malicious project configurations. Stolen keys can provide access to shared Workspaces for file access and tampering. Anthropic patched the issues, including CVE-2025-59536.

Anthropic warns of coordinated "distillation" activity attributed to China-based AI firms, including DeepSeek, MiniMax, and Moonshot. Anthropic said fraudulent accounts generated millions of Claude exchanges aimed at extracting reasoning, coding, and agent workflows. The activity was described as an effort to train competing models.

OpenAI has released a report listing malicious attempts to misuse its models. Among the threats listed in the report is an influence operation attempt linked to Chinese law enforcement, which targeted Japan's prime minister.

VULNERABILITIES AND PATCHES

Two Roundcube Webmail flaws have been listed as exploited in the wild: CVE-2025-49113, a high-severity post-authentication remote code execution bug, and CVE-2025-68461, an unauthenticated cross-site scripting flaw. The bugs affect widely used Roundcube deployments, including cPanel environments globally. Check Point IPS provides protection against this threat (Roundcube Webmail Remote Code Execution (CVE-2025-49113)).

Researchers have unveiled a pre-authentication remote code execution chain in SolarWinds Web Help Desk. The chain combines the authentication bypass flaws CVE-2025-40552 and CVE-2025-40554 with the deserialization RCE CVE-2025-40553; a successful attack can allow takeover of exposed help desk servers without credentials. The flaws affect widely deployed on-premises instances. Check Point IPS provides protection against these threats (SolarWinds Web Help Desk Authentication Bypass (CVE-2025-40536, CVE-2025-40554, CVE-2025-40552), SolarWinds Web Help Desk Insecure Deserialization (CVE-2024-28986, CVE-2024-28988, CVE-2025-40553,...

Linked Entities

  • CVE-2024-28988
  • CVE-2025-40552
  • CVE-2025-40553
  • CVE-2025-40554
  • CVE-2025-59536
  • Medusa Ransomware
  • Qilin ransomware
  • ToolShell
  • Camaro Dragon
  • Chinese law enforcement
  • COLDRIVER
  • DeepSeek