Content
01. News Bites
- Italy blocks suspected Russian cyberattacks ahead of Winter Olympics
- Ransomware groups exploit critical VMware ESXi flaw
- Incognito dark web narcotics market operator jailed for 30 years
- AI-driven phishing surges at unprecedented scale
- SQL injection flaw impacts thousands of WordPress sites
02. Conclusion
Italy blocks suspected Russian cyberattacks ahead of Winter Olympics
Italian authorities have confirmed they foiled a series of cyberattacks targeting government infrastructure and Olympic-linked websites in the days leading up to the Winter Olympics. Foreign Minister Antonio Tajani stated the attacks were of Russian origin and included attempts to disrupt Italian foreign ministry systems, an embassy site in Washington, D.C., and online platforms connected to the Games and hotels in Cortina d’Ampezzo.
The timing has raised concerns, with the Winter Olympics set to begin later this week and Russia barred from competing as a nation due to the ongoing war in Ukraine. Only a limited number of Russian athletes are permitted to take part under a neutral banner.
The incident also highlights growing geopolitical tension around cybersecurity. In the United States, recent comments from President Donald Trump suggesting Russia is not viewed as a major cyber threat have drawn criticism from experts. Meanwhile, US officials have continued to publicly warn of cyber risks from China and Iran, underscoring differing threat perceptions at a sensitive moment for global events.
Ransomware groups exploit critical VMware ESXi flaw
CISA has confirmed that ransomware groups are actively exploiting CVE-2025-22225, a high-severity VMware ESXi vulnerability that allows attackers to escape virtual machine isolation and gain control of the underlying hypervisor. The flaw, patched by Broadcom in March 2025, is rated Important with a CVSS score of 8.2 and enables arbitrary kernel writes from the VMX process.
The vulnerability was disclosed alongside two other zero-days, CVE-2025-22224 and CVE-2025-22226, which attackers are chaining together to achieve full VM escape. CISA added CVE-2025-22225 to its Known Exploited Vulnerabilities catalogue, requiring US federal agencies to patch under BOD 22-01.
Recent intelligence links the flaw to active ransomware campaigns targeting enterprise hypervisors, often following initial admin-level access. With tens of thousands of exposed ESXi instances still unpatched, organisations are being urged to apply updates immediately, restrict administrative privileges, and monitor for indicators of compromise to reduce the risk of widespread encryption and data theft.
Incognito dark web narcotics market operator jailed for 30 years
A Taiwanese man has been sentenced to 30 years in prison for running Incognito Market, one of the world’s largest online narcotics marketplaces, which facilitated more than $105 million in illegal drug sales worldwide. Rui-Siang Lin, 24, also known as Pharoah, pleaded guilty to money laundering and multiple drug trafficking conspiracy charges following his arrest in May 2024.
US prosecutors described Incognito Market as a vast criminal enterprise, hosting more than 1,800 vendors, over 400,000 customer accounts and hundreds of thousands of transactions. The platform enabled the sale of more than a tonne of narcotics, including methamphetamine, cocaine, amphetamines and MDMA, with some substances laced with fentanyl.
Judge Colleen McMahon called it the most serious drug case she had encountered in nearly three decades, describing the operation as a business that turned Lin into a global drug kingpin. Law enforcement ultimately dismantled the marketplace by seizing key servers used for transactions, DDoS protection and cryptocurrency payments, bringing an end to the operation in March 2024.
AI-driven phishing surges at unprecedented scale
Phishing activity accelerated sharply in 2025, with security filters blocking one malicious email every 19 seconds, more than double the rate seen the previous year, according to researchers. The increase is being driven by threat actors embedding artificial intelligence directly into their phishing operations, allowing campaigns to be generated, adapted and deployed at scale.
The latest research shows attackers are using AI to produce near-flawless emails in local languages and to run highly personalised, polymorphic campaigns that constantly change their appearance. Three-quarters of phishing URLs were unique, helping attacks evade detection that relies on previously seen indicators. Notably, 18 percent of phishing emails contained no links or attachments, highlighting the continued growth of business email compromise.
The report also recorded a 105 percent rise in the use of remote access tools and a 204 percent increase in malware-delivering phishing emails. With attackers abusing legitimate software and rapidly shifting infrastructure, researchers warn that post-delivery analysis and human validation are now critical to identifying threats that bypass perimeter-based defences.
SQL injection flaw impacts thousands of WordPress sites
More than 40,000 WordPress websites have been exposed to risk following the discovery of a SQL injection vulnerability in the popular Quiz and Survey Master plugin. The flaw affected versions 10.3.1 and earlier and could be exploited by any authenticated user with Subscriber-level access or above, significantly widening the potential attack surface.
The issue stemmed from a REST API function used to retrieve quiz question data. A request parameter, is_linking, was incorrectly assumed to be numeric and inserted directly into a database query without validation or sanitisation. This allowed a malicious user to inject additional SQL commands, potentially enabling unauthorised access to site databases.
The vulnerability, tracked as CVE-2025-67987, was responsibly disclosed and has now been fixed in version 10.3.2 of the plugin. The patch enforces strict integer handling of the affected parameter, preventing malicious input. While there is no evidence of active exploitation, the incident highlights ongoing risks within widely deployed plugins and the importance of timely patching and secure coding practices.
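The pattern described above, a request value assumed to be numeric and concatenated into SQL, is shown below beside the strict integer handling that the fix enforces. This is an added illustration written in Python against an in-memory SQLite table; it is not the plugin's code, the table name, column names and sample rows are constructed for the example, and the WordPress functions named in the comments (absint(), $wpdb->prepare()) are only mentioned as the PHP equivalents of what the hardened version does.

```python
import re
import sqlite3


def make_sample_db():
    """Constructed in-memory table standing in for a quiz plugin's question
    store. The schema and rows are assumptions for this illustration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE quiz_questions ("
        "question_id INTEGER, quiz_id INTEGER, is_linking INTEGER, question_text TEXT)"
    )
    conn.executemany(
        "INSERT INTO quiz_questions VALUES (?, ?, ?, ?)",
        [
            (1, 10, 1, "Linked question in quiz 10"),
            (2, 10, 0, "Unlinked question in quiz 10"),
            (3, 99, 1, "Linked question in a different quiz"),
        ],
    )
    return conn


def get_questions_vulnerable(conn, is_linking):
    """Before the fix: the request value is assumed to be a number and is
    concatenated straight into the SQL text, so whatever the caller sends
    becomes part of the statement."""
    sql = (
        "SELECT question_id, question_text FROM quiz_questions "
        "WHERE is_linking = " + str(is_linking)
    )
    return conn.execute(sql).fetchall()


def strict_int(value):
    """Strict integer handling for a request parameter: accept only a string
    of ASCII digits (optionally with a leading minus sign) and return an int;
    reject anything else rather than coercing it. In a WordPress plugin this
    is the role of absint() or a %d placeholder in $wpdb->prepare()."""
    text = str(value)
    if not re.fullmatch(r"-?[0-9]+", text):
        raise ValueError("is_linking must be an integer")
    return int(text)


def get_questions_fixed(conn, is_linking):
    """After the fix: validate the type first, then bind the value as a query
    parameter so the database never interprets it as SQL."""
    flag = strict_int(is_linking)
    return conn.execute(
        "SELECT question_id, question_text FROM quiz_questions WHERE is_linking = ?",
        (flag,),
    ).fetchall()


def compare(request_value):
    """Run one request value through both handlers and report the question
    IDs each returns (None, plus the error text, when the fixed handler
    refuses the input)."""
    conn = make_sample_db()
    result = {"input": request_value}
    result["vulnerable_rows"] = sorted(
        row[0] for row in get_questions_vulnerable(conn, request_value)
    )
    try:
        result["fixed_rows"] = sorted(
            row[0] for row in get_questions_fixed(conn, request_value)
        )
    except ValueError as exc:
        result["fixed_rows"] = None
        result["fixed_error"] = str(exc)
    return result


if __name__ == "__main__":
    # A well-formed request: both versions return the same rows.
    print(compare("1"))
    # A constructed malicious value: the old code widens the WHERE clause and
    # returns every row; the fixed code rejects the value before any query runs.
    print(compare("1 OR 1=1"))
```

The point of the comparison is that the fix is two things together: a type check that refuses non-integer input outright, and a parameterised query so that even a value that passes the check is bound as data rather than spliced into the statement. Either alone leaves less margin than both.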
Conclusion
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.
Disclaimer
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.