For the latest discoveries in cyber research for the week of 3rd November, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

The Everest ransomware group has claimed responsibility for a series of attacks impacting AT&T, Dublin Airport, and Air Arabia. The gang claims to have exfiltrated sensitive data, including 576,000 AT&T applicant records, 1.5 million Dublin Airport passenger files, and 18,000 Air Arabia employee records. Sweden's power grid operator Svenska kraftnät has also disclosed a recent attack by Everest, which allegedly resulted in the theft of 280 GB of internal data.

The Cl0p ransomware group likely exploited an Oracle E-Business Suite zero-day (CVE-2025-61882) to breach Pan American Silver Corp, Schneider Electric, and Cox Enterprises. Data from Schneider and Cox has already been leaked on Cl0p's site, while the group is threatening to leak Pan American Silver's data if ransom demands are not met.

Check Point IPS provides protection against this threat (Oracle Concurrent Processing Remote Code Execution)

Apache OpenOffice systems have suffered a ransomware attack claimed by the Akira gang, resulting in the alleged exfiltration of 23 GB of data. According to the group, the data includes sensitive employee records, financial documents, and internal development reports from the Apache Software Foundation. Akira is threatening to leak the data unless a ransom is paid. End-user installations of OpenOffice are not affected, and official confirmation from the Apache Software Foundation is pending.

Ribbon Communications, an American telecommunications company, has experienced a cyber attack suspected to have been carried out by nation-state hackers. The attackers breached Ribbon's IT network and gained unauthorized access to files belonging to several high-profile clients, including government agencies and telecom providers.

Dentsu, a major Japanese advertising firm, has disclosed a data breach at its US-based subsidiary Merkle, which resulted in the exposure and theft of sensitive data. The incident has impacted current and former employees, as well as clients and suppliers, and affected parts of Merkle's network.

Students and alumni of the University of Pennsylvania have received a wave of offensive emails sent from compromised university email addresses, falsely claiming that sensitive student and alumni data was stolen. All emails were sent via "connect.upenn.edu," a Penn mailing list platform hosted on Salesforce Marketing Cloud.

A data breach of DomeWatch, the resume bank for applicants to jobs in the offices of Democratic members of the US House of Representatives, exposed over 7,000 records containing personally identifiable information of the applicants. The leaked data includes sensitive information such as security clearance status, military service, political affiliation, and more.

VULNERABILITIES AND PATCHES

CVE-2025-59287, a critical unauthenticated remote code execution vulnerability (CVSS 9.8) in Microsoft Windows Server Update Services (WSUS), is being exploited in the wild. Threat actors leverage public proof-of-concept code to harvest Active Directory data and network configurations from US organizations across sectors.

Check Point IPS provides protection against this threat (Microsoft Windows Server Update Service Remote Code Execution (CVE-2025-59287))

CVE-2025-12036 and CVE-2025-12428 are a critical remote code execution vulnerability and a high-severity type confusion vulnerability in Google Chrome's V8 JavaScript engine. Both were reported and patched in Chrome version 142.0.7444.59/.60; prior to the update, Chrome's user base of over three billion was exposed to possible compromise via malicious web content.

Researchers have identified critical vulnerabilities in OpenAI's Atlas browser. These include a CSRF flaw that allows attackers to inject malicious instructions into ChatGPT's memory, leading to remote code execution and persistent compromise. Testing showed Atlas blocked only six percent of phishing attacks, making ChatGPT users 90% more vulnerable than those using traditional browsers.

Researchers discovered Shadow Escape, a zero-click exploit affecting popular AI assistants. The exploit leverages Model Context Protocol (MCP) connections in assistants such as ChatGPT, Claude, and Gemini to exfiltrate sensitive data, including financial, medical, and personal identifiers. It bypasses traditional security controls by embedding malicious instructions in uploaded documents.

THREAT INTELLIGENCE REPORTS

Check Point Research deep-dives into three Windows Graphics Device Interface (GDI) vulnerabilities (CVE-2025-30388, CVE-2025-53766, CVE-2025-47984) that lead to remote code execution and memory exposure. These vulnerabilities were reported by Check Point Research to Microsoft and were addressed in the Patch Tuesday updates of May, July, and August 2025.

Check Point researchers have identified Hezi Rash, a Kurdish hacktivist group founded in 2023, as responsible for approximately 350 ideologically driven DDoS attacks worldwide, including against targets in Japan, Turkey, Israel, Iran, Iraq, and Germany. The group attacks organizations in response to perceived offenses against Kurdish identity or Muslim dignity, leveraging alliances with pro-Russian and other hacktivist collectives to use DDoS-as-a-service platforms and specialized attack toolkits. Hezi Rash coordinates its efforts and disseminates propaganda through visible social media channels.

Researchers identified a China-affiliated campaign by UNC6384 targeting European diplomatic and government entities in Hungary, Belgium, Italy, the Netherlands, and Serbia since September. The campaign leveraged spear-phishing with EU/NATO-themed LNK files exploiting CVE-2025-9491 to deliver PlugX malware, enabling credential theft, surveillance, and exfiltration of sensitive documents through advanced evasion and persistence tactics.

The post 3rd November – Threat Intelligence Report appeared first on Check Point Research.