Zero-Day Exploitation Surges, With Microsoft and Google Products the Most Targeted
The cybersecurity threat landscape in 2025 has intensified, marked by a steep rise in zero-day exploit activity and shifting ransomware tactics. New research reveals significant increases in both the frequency and complexity of attacks, with major software ecosystems under strain as criminal groups adopt new techniques to bypass traditional defenses.
Record Increase in Zero-Day Exploits
Black Hat USA 2025 saw the release of Forescout's latest threat review, which reported a 46% surge in zero-day exploitation in the first half of the year. Microsoft and Google products topped the list of most exploited platforms, with attackers capitalizing on vulnerabilities for which no patch was yet available to gain footholds in enterprise environments. The upswing is attributed to faster vulnerability discovery, bug hunting at scale (including bounty-driven research), and black-market exploit trading, trends accelerated by automation and AI-assisted reconnaissance.
Targeted Devices Expand Beyond PCs
Ransomware operators are increasingly targeting unconventional hardware such as IP cameras and BSD-based servers. These devices are often less protected than core infrastructure and serve as entry points for lateral movement within networks. Once inside, adversaries escalate privileges and deploy ransomware payloads, frequently evading monitoring that is tuned to traditional endpoints. The report stresses securing non-traditional assets and addressing supply-chain exposures linked to connected devices.
Geopolitical Backing Drives Attack Sophistication
Of 137 tracked threat actors, approximately 40% were linked to state sponsors. Iranian-aligned groups have demonstrated a marked emphasis on operational technology (OT) infrastructure within critical sectors, including energy, transportation, and public administration. These campaigns exhibit advanced persistent threat (APT) characteristics, blending spear-phishing, zero-day exploits, and custom malware with strategic intent. Other nation-state actors, such as Vietnamese-linked groups, are similarly escalating campaigns against specialized targets.
Strategic Implications for Defenders
The compounding rise in zero-day weaponization calls for real-time threat intelligence, rapid patching of exposed products, and multidisciplinary incident response. Perimeter defenses alone are insufficient against attackers using unknown vulnerabilities, especially across a diverse device landscape. Greater investment in vulnerability research and closer collaboration with vendors and the security community are recommended to reduce exposure.
ShinyHunters Orchestrate Major Salesforce Data Theft
A significant breach attributed to the ShinyHunters group has resulted in large-scale theft of data held in Salesforce environments. The incident stands out for its methodical abuse of both technical weaknesses and third-party integrations, signaling escalating risk to SaaS platforms and the customer data they hold.
Attack Methodology and Chain
The operation reportedly began with the identification of misconfigured Salesforce integrations used by enterprise customers. By abusing OAuth tokens and the API permissions granted to connected applications, the attackers reached privileged datasets without compromising user credentials directly. Lateral movement was achieved with secondary application tokens issued by connected SaaS partners, extending the reach of the initial breach.
Data Exfiltration and Impact
The stolen data includes sensitive customer information such as contact lists, email correspondence, and proprietary business records. Forensics revealed exfiltration continuing over several days, masked by request patterns that resembled legitimate API traffic. Salesforce customers are being urged to re-examine app integrations, enforce least-privilege policies, and deploy anomaly detection tailored to SaaS activity.
Industry-Wide Implications
Security analysts warn that similar attacks could proliferate, as threat actors target SaaS ecosystems where third-party code and integration complexity exceed that of on-premises applications. Enhanced audit logging, regular security reviews of connected SaaS partners, and Cloud Access Security Broker (CASB) deployment are suggested as best practices to mitigate similar breaches in the future.
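The two controls the preceding sections recommend, least-privilege review of connected apps and anomaly detection on SaaS API activity, as an added example that is not code from the article, from ShinyHunters' tooling, or from Salesforce. The connected-app inventory and API event records are constructed, and their field names are assumptions; real Salesforce Event Monitoring events (for example ApiEvent or BulkApiResultEvent) carry different field names and would need to be mapped onto this shape first.

```python
"""Least-privilege audit and bulk-export detection for SaaS integrations.

Added example, not code from the original article, from ShinyHunters' tooling
or from Salesforce. The connected-app inventory and the API event records are
constructed; their field names are assumptions, so map real Event Monitoring
fields (for example from ApiEvent or BulkApiResultEvent) onto them first.
"""
from collections import defaultdict
from statistics import median

# Constructed inventory of connected apps and the OAuth scopes granted to them.
# In Salesforce the 'full' scope grants everything the authorizing user can do,
# and 'web' is nearly as broad, so neither belongs on an integration token.
CONNECTED_APPS = [
    {"app": "Finance Sync", "scopes": {"api", "refresh_token"}, "ip_relaxed": False},
    {"app": "Marketing Loader", "scopes": {"full", "refresh_token"}, "ip_relaxed": True},
    {"app": "Ticketing Bridge", "scopes": {"api", "chatter_api", "refresh_token"}, "ip_relaxed": False},
]
OVERBROAD_SCOPES = {"full", "web"}


def audit_scopes(apps):
    """Return (app, reason) findings for apps that violate least privilege."""
    findings = []
    for app in apps:
        broad = sorted(app["scopes"] & OVERBROAD_SCOPES)
        if broad:
            findings.append((app["app"], "over-broad scope(s): " + ", ".join(broad)))
        if app["ip_relaxed"]:
            findings.append((app["app"], "IP restrictions relaxed for this app"))
    return findings


# Constructed API records: (day, connected app, user, rows returned by the call).
API_EVENTS = [
    ("2025-07-01", "Finance Sync", "svc-finance", 1200),
    ("2025-07-02", "Finance Sync", "svc-finance", 1150),
    ("2025-07-03", "Finance Sync", "svc-finance", 1300),
    ("2025-07-01", "Marketing Loader", "svc-mkt", 900),
    ("2025-07-02", "Marketing Loader", "svc-mkt", 950),
    ("2025-07-03", "Marketing Loader", "svc-mkt", 400000),  # two bulk pulls in one day
    ("2025-07-03", "Marketing Loader", "svc-mkt", 380000),
    ("2025-07-03", "Ticketing Bridge", "svc-tickets", 2000),  # new app, small volume
]


def daily_rows(events):
    """Aggregate rows returned per connected app per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, app, _user, rows in events:
        totals[app][day] += rows
    return totals


def detect_bulk_export(events, day, factor=10, min_rows=50000):
    """Flag apps whose volume on `day` dwarfs their own history.

    An app is flagged when it returned at least `min_rows` rows on `day` and
    either has no earlier days to compare against or exceeded `factor` times
    its median daily volume. Returns {app: {"rows": today, "baseline": median}}.
    The thresholds are tuning assumptions, not Salesforce defaults.
    """
    alerts = {}
    for app, per_day in daily_rows(events).items():
        today = per_day.get(day, 0)
        history = [rows for d, rows in per_day.items() if d < day]
        baseline = median(history) if history else None
        if today < min_rows:
            continue
        if baseline is None or today > factor * baseline:
            alerts[app] = {"rows": today, "baseline": baseline}
    return alerts


if __name__ == "__main__":
    for app, reason in audit_scopes(CONNECTED_APPS):
        print(f"[scope] {app}: {reason}")
    for app, info in detect_bulk_export(API_EVENTS, "2025-07-03").items():
        print(f"[volume] {app}: {info['rows']} rows today, baseline {info['baseline']}")
```

The scope audit catches the same app that the volume check flags, which is the point: an integration holding the `full` scope with relaxed IP restrictions is exactly the token an attacker would prefer to reuse, and its first bulk pull is far larger than anything in its own history. Comparing each app against its own baseline rather than a global threshold keeps a legitimately heavy integration from drowning the alert.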
SafePay Ransomware Threatens to Leak 35TB from Ingram Micro
The SafePay ransomware group has carried out a high-profile attack on Ingram Micro, one of the world's largest technology distributors. The attackers claim to have exfiltrated 35 terabytes of sensitive data and are using that claim as leverage in extortion negotiations.
Intrusion Details and Attack Flow
According to incident forensics, SafePay gained access through compromised third-party contractor credentials that carried elevated cloud privileges. The intrusion proceeded from data discovery to staged exfiltration, reportedly to decentralized cloud storage nodes, before file encryption was triggered on critical enterprise storage systems.
Threat of Data Release and Corporate Response
The attackers have issued an ultimatum: pay an undisclosed ransom, or face the public release of confidential files encompassing customer records, partner contracts, financial data, and internal communications. Ingram Micro has enacted incident response procedures, isolated affected systems, and engaged law enforcement. At present, there is no indication that company operations outside targeted segments are disrupted.
Technical and Industry Lessons
The sheer scale of the exfiltrated data and SafePay's methodical approach signal a new level of risk for organizations with global digital supply chains. Staging data in decentralized storage complicates both incident response and forensic attribution, while the threat to leak data is a compelling pressure tactic even when operations are not disrupted. Strategic recommendations include hardening vendor access paths and tightening egress controls on all sensitive datasets.
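What "tightening egress controls" looks like in practice, as an added example that is not code from the article or from Ingram Micro's incident material: every external flow from a sensitive host must match an explicit (host, destination, port) allowance, and anything else is reported with the volume it moved. The flow tuples and the allow-list are constructed; TEST-NET addresses stand in for external hosts.

```python
"""Default-deny egress policy check over constructed flow records.

Added example, not code from the original article or from Ingram Micro's
incident material. The flow tuples (day, source, destination, destination
port, bytes) and the allow-list are constructed; TEST-NET addresses stand in
for external hosts.
"""
import ipaddress
from collections import defaultdict

# Explicit RFC 1918 list rather than ipaddress.is_private, because is_private
# also returns True for the TEST-NET documentation blocks used below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed allow-list: source host -> permitted (destination, port) pairs.
# Hosts absent from the map are allowed no external egress at all.
EGRESS_POLICY = {
    "10.20.5.17": {("203.0.113.10", 443)},   # file server -> sanctioned backup endpoint
    "10.20.5.30": {("203.0.113.10", 443)},
}

FLOWS = [
    # (day, src_ip, dst_ip, dst_port, bytes) -- constructed
    ("2025-07-01", "10.20.5.17", "10.20.9.4", 445, 80_000_000),          # internal SMB, out of scope
    ("2025-07-01", "10.20.5.17", "203.0.113.10", 443, 120_000_000),
    ("2025-07-02", "10.20.5.17", "203.0.113.10", 443, 95_000_000),
    ("2025-07-03", "10.20.5.17", "203.0.113.10", 443, 110_000_000),
    ("2025-07-04", "10.20.5.17", "198.51.100.77", 443, 9_000_000_000),   # unsanctioned staging host
    ("2025-07-04", "10.20.5.17", "198.51.100.78", 443, 7_500_000_000),
    ("2025-07-01", "10.20.5.30", "203.0.113.10", 443, 50_000_000),
    ("2025-07-04", "10.20.5.30", "203.0.113.10", 443, 60_000_000),
    ("2025-07-04", "10.20.5.99", "203.0.113.50", 22, 2_000_000_000),    # host with no allowance
]


def is_external(ip):
    """True when `ip` lies outside the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def egress_violations(flows, policy):
    """Every external flow not covered by `policy`, largest transfer first.

    Each violation records the flow and why it failed: either the host has no
    egress allowance at all, or the destination/port is not on its list.
    """
    violations = []
    for day, src, dst, port, nbytes in flows:
        if not is_external(dst):
            continue
        allowed = policy.get(src)
        if allowed is None:
            reason = "host has no egress allowance"
        elif (dst, port) not in allowed:
            reason = "destination not allowed for host"
        else:
            continue
        violations.append({"day": day, "src": src, "dst": dst, "port": port,
                           "bytes": nbytes, "reason": reason})
    return sorted(violations, key=lambda v: v["bytes"], reverse=True)


def bytes_by_host(violations):
    """Total bytes moved outside policy, per source host, for triage ordering."""
    totals = defaultdict(int)
    for v in violations:
        totals[v["src"]] += v["bytes"]
    return dict(totals)


if __name__ == "__main__":
    found = egress_violations(FLOWS, EGRESS_POLICY)
    for v in found:
        print(f"{v['day']} {v['src']} -> {v['dst']}:{v['port']} {v['bytes']:,} bytes ({v['reason']})")
    print(bytes_by_host(found))
```

Run against the constructed flows, the sanctioned backup traffic from both hosts passes silently, while the two staging transfers from the file server and the SSH session from the host with no allowance surface with their byte counts. Enforcing the same allow-list at the network edge, rather than only auditing against it, is what turns this from detection into the egress control the recommendation calls for.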
Shade BIOS Attack Defeats Endpoint Security Measures
Researchers have uncovered a malware campaign named "Shade" that targets BIOS-level components to subvert endpoint security. It represents an escalation in attacker sophistication, as conventional security tools struggle to counter firmware-based threats.
Technical Mechanism of BIOS Exploitation
The Shade malware achieves persistence by planting malicious payloads in the UEFI/BIOS firmware of compromised systems. By modifying core firmware routines, the implant executes on every boot while remaining invisible to antivirus and EDR products that run inside the operating system. From that position, attackers can override OS-level security mechanisms, reinstall malware modules that defenders have removed, and maintain access across device resets.
Detection and Mitigation Challenges
Identifying and eradicating firmware-based threats like Shade is particularly challenging. Few organizations regularly scan for firmware integrity, and incident response often requires firmware reflashing or replacing affected hardware. Security vendors are now racing to develop BIOS and UEFI anomaly detection modules that operate below the OS layer.
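The firmware integrity scan that the paragraph above says few organizations perform, as an added example that is not code from the article or from any vendor tool. It walks a SPI flash dump using the real EFI_FIRMWARE_VOLUME_HEADER layout (the "_FVH" signature at offset 40, FvLength at offset 32, HeaderLength at 48 and a 16-bit header checksum at 50 that must sum to zero), hashes each firmware volume, and diffs the result against a baseline taken from a known-good dump. The two-volume image is constructed so the block runs offline; a real dump would come from a flash programmer or a tool such as chipsec or flashrom.

```python
"""Baseline and re-verify UEFI firmware volumes in a SPI flash dump.

Added example, not code from the article or from any vendor tool. The header
layout is the real EFI_FIRMWARE_VOLUME_HEADER; the two-volume image built by
demo_image() is constructed for illustration.
"""
import hashlib
import struct

FV_SIGNATURE = b"_FVH"   # u32 signature at header offset 40
SIG_OFFSET = 40
# EFI_FIRMWARE_FILE_SYSTEM2_GUID, 8C8CE578-8A3D-4F1C-9935-896185C32DD3, little-endian
FFS2_GUID = bytes.fromhex("78E58C8C3D8A1C4F9935896185C32DD3")


def _checksum16(data):
    """Sum of little-endian uint16 words mod 2**16; a valid header sums to 0."""
    return sum(struct.unpack_from("<%dH" % (len(data) // 2), data)) & 0xFFFF


def build_fv(payload, block_size=0x1000):
    """Construct a minimal, checksum-correct firmware volume (demo use only)."""
    header_len = 56 + 8 * 2                       # one block-map entry + terminator
    num_blocks = -(-(header_len + len(payload)) // block_size)
    fv_len = num_blocks * block_size
    header = bytearray(header_len)                # ZeroVector[16] stays zero
    header[16:32] = FFS2_GUID
    struct.pack_into("<Q", header, 32, fv_len)    # FvLength
    header[40:44] = FV_SIGNATURE
    struct.pack_into("<I", header, 44, 0x0004FEFF)  # Attributes (typical value)
    struct.pack_into("<H", header, 48, header_len)
    struct.pack_into("<H", header, 50, 0)         # Checksum, filled below
    struct.pack_into("<H", header, 52, 0)         # no extended header
    header[55] = 2                                # Revision
    struct.pack_into("<II", header, 56, num_blocks, block_size)
    struct.pack_into("<II", header, 64, 0, 0)     # block-map terminator
    struct.pack_into("<H", header, 50, (-_checksum16(bytes(header))) & 0xFFFF)
    return bytes(header) + payload + b"\xff" * (fv_len - header_len - len(payload))


def find_volumes(image):
    """Return (offset, length) for each header whose length and checksum are valid."""
    volumes = []
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - SIG_OFFSET
        if start >= 0 and start + 56 <= len(image):
            fv_len = struct.unpack_from("<Q", image, start + 32)[0]
            hdr_len = struct.unpack_from("<H", image, start + 48)[0]
            if (56 <= hdr_len <= fv_len and start + fv_len <= len(image)
                    and _checksum16(image[start:start + hdr_len]) == 0):
                volumes.append((start, fv_len))
                pos = image.find(FV_SIGNATURE, start + fv_len)
                continue
        pos = image.find(FV_SIGNATURE, pos + 1)   # false hit or corrupt header: keep scanning
    return volumes


def fv_hashes(image):
    """Map volume offset -> SHA-256 of the whole volume (header and body)."""
    return {off: hashlib.sha256(image[off:off + ln]).hexdigest() for off, ln in find_volumes(image)}


def compare_to_baseline(baseline, current):
    """Offsets whose hash changed, plus volumes that vanished or newly appeared."""
    return {
        "changed": sorted(o for o in baseline if o in current and baseline[o] != current[o]),
        "removed": sorted(o for o in baseline if o not in current),
        "added": sorted(o for o in current if o not in baseline),
    }


def demo_image():
    """Constructed dump: 4 KiB of unparsed padding, then a PEI-like and a DXE-like volume."""
    return (b"\xff" * 0x1000
            + build_fv(b"PEI drivers..." * 40)
            + build_fv(b"DXE drivers..." * 200, block_size=0x2000))


if __name__ == "__main__":
    good = demo_image()
    baseline = fv_hashes(good)
    tampered = bytearray(good)
    tampered[0x2000 + 72 + 10] ^= 0xFF            # flip one byte inside the DXE volume body
    print(compare_to_baseline(baseline, fv_hashes(bytes(tampered))))
```

Two details matter for incident response. A body modification shows up as a changed hash for that volume, which narrows the follow-up to one region of the dump. A header modification that leaves the checksum wrong makes the volume disappear from the parse instead, so a volume reported as removed is an alarm, not a clean result; a baseline with the expected number of volumes is what makes that visible.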
Potential Impact and Recommendations
The Shade campaign is mainly targeting government and high-value enterprise assets, likely for espionage purposes. Hardware manufacturers and endpoint security providers are being urged to collaborate on standardizing firmware update protocols and integrity verification tools to counter this new class of persistent threat.