Content
01. News Bites
- New research shows increased ransomware threat to the Construction sector
- NCSC warns of Russian DNS hijacking campaign targeting routers
- Palo Alto Networks warns of active zero-day attacks targeting firewalls
- Vimeo breach exposes data of more than 119,000 users
- New Mirai-based botnet targets Android and IoT devices for DDoS attacks
- ShinyHunters claims theft of 240 million education records in Instructure breach
02. Conclusion
New research shows increased ransomware threat to the Construction sector
New research has highlighted growing cybersecurity concerns across the construction and property sector, with 32% of industry leaders now worried about cyber threats. A survey from Beazley found the sector has the lowest confidence level of any industry surveyed, with only 74% believing they are prepared to deal with modern cyber risks.
The findings reflect how cybercrime is increasingly becoming an operational and business risk rather than simply an IT issue. Researchers warned that AI-driven phishing campaigns and automated reconnaissance are allowing threat actors to launch attacks at greater speed and scale, making incidents harder to detect and contain.
Separate research from QBE identified ransomware as the most significant cyber threat facing construction firms, with incidents causing an average of 24 days of downtime. The report also highlighted a 410% rise in IoT malware activity targeting the sector during 2025.
Industry experts are now urging organisations to integrate cybersecurity into wider project risk planning, warning that attacks can disrupt supply chains, delay projects and significantly increase costs.
NCSC warns of Russian DNS hijacking campaign targeting routers
The National Cyber Security Centre (NCSC) has issued a new advisory warning that Russian state-backed cyber actors are compromising widely used internet routers to secretly redirect users’ traffic through malicious infrastructure.
According to the advisory, the group known as APT28 has been exploiting vulnerable routers to carry out Domain Name System (DNS) hijacking attacks. These attacks allow threat actors to intercept internet traffic and steal credentials, including passwords and authentication tokens, from web and email services.
The campaign is believed to be opportunistic, with attackers targeting large numbers of devices before narrowing their focus onto organisations or individuals of intelligence interest. APT28 has previously been linked to Russia’s GRU Unit 26165 and is also known by names including Fancy Bear and Sofacy.
The NCSC warned that compromised network devices can provide hostile actors with long-term access and visibility into sensitive communications. Organisations are being urged to strengthen router security, patch vulnerabilities quickly, secure management interfaces and enable multi-factor authentication to reduce the risk of compromise.
The advisory highlights the continued threat posed by state-backed cyber operations targeting critical internet infrastructure and everyday network devices.
Palo Alto Networks warns of active zero-day attacks targeting firewalls
Palo Alto Networks has warned customers that a critical unpatched vulnerability affecting the PAN-OS User-ID Authentication Portal is being actively exploited in the wild.
Tracked as CVE-2026-0300, the flaw is a buffer overflow vulnerability that could allow unauthenticated attackers to execute arbitrary code with root privileges on exposed PA-Series and VM-Series firewalls. The issue impacts the User-ID Authentication Portal, also known as the Captive Portal, which is used to authenticate users whose identities cannot be automatically mapped by the firewall.
Palo Alto Networks said exploitation has been limited so far and primarily affects organisations with the portal exposed to the public internet or untrusted IP addresses. Security researchers at Shadowserver are currently tracking more than 5,800 exposed PAN-OS VM-Series firewalls online.
The vendor has not yet released a patch but says software fixes are expected from 13 May 2026. In the meantime, organisations are being strongly urged to restrict portal access to trusted internal networks or disable the feature entirely where possible.
The warning continues a growing trend of threat actors aggressively targeting internet-facing firewall infrastructure and security appliances.
Vimeo breach exposes data of more than 119,000 users
The ShinyHunters extortion group has claimed responsibility for a cyber attack against video platform Vimeo that exposed the personal information of more than 119,000 users.
According to data breach notification service Have I Been Pwned, the stolen data includes email addresses and, in some cases, user names. Vimeo disclosed the breach in April, linking the incident to a compromise involving Anodot, a third-party data anomaly detection provider integrated into its systems.
Vimeo stated that the attackers primarily accessed technical data, video titles and metadata, and confirmed that login credentials, payment card information and video content were not compromised. Following the incident, the company disabled Anodot credentials, removed the integration and engaged external security specialists to investigate.
After failed extortion attempts, ShinyHunters reportedly leaked a 106GB archive of stolen data on its dark web site. The group has increasingly focused on targeting SaaS environments and corporate single sign-on systems, using compromised credentials to access connected cloud platforms and sensitive business data.
The breach highlights the growing risks associated with third-party integrations and supply chain compromise within modern cloud environments.
New Mirai-based botnet targets Android and IoT devices for DDoS attacks
Cybersecurity researchers have uncovered a new Mirai-derived botnet known as xlabs_v1 that is targeting internet-exposed Android and IoT devices to build a distributed denial-of-service (DDoS) network.
Researchers at Hunt.io said the malware specifically hunts for devices with Android Debug Bridge (ADB) exposed on TCP port 5555. This includes Android TV boxes, smart TVs, set-top boxes and other IoT hardware that ship with ADB enabled by default. The malware also supports multiple hardware architectures, suggesting it can target residential routers and other connected devices.
According to the researchers, the botnet is being operated as a DDoS-for-hire service focused on attacking game servers and Minecraft hosts. It supports more than 20 attack methods across TCP and UDP protocols and includes functionality designed to bypass consumer-grade DDoS protections.
The malware also contains features to measure the bandwidth of infected devices, allowing operators to classify compromised systems into pricing tiers for customers purchasing attacks. Researchers noted that the botnet’s design prioritises scale and attack variety over sophistication.
The discovery highlights the continued risks posed by poorly secured IoT and consumer devices exposed directly to the internet.
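As an added example (not code from the bulletin or from the Hunt.io research), the following Python script runs detection logic over a few constructed firewall log lines: it flags external sources that sweep internal hosts on TCP 5555, the ADB port the campaign above scans for, and any internal device that actually accepted such a connection. The log format, addresses and internal network ranges are hypothetical.

```python
import re
import ipaddress
from collections import defaultdict

ADB_PORT = 5555  # TCP port the xlabs_v1 campaign probes for exposed Android Debug Bridge

# Hypothetical internal ranges; adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample firewall log lines (not real telemetry); the format is hypothetical.
SAMPLE_LOG = """\
2026-05-01T10:00:01Z ALLOW TCP 203.0.113.7:41022 -> 10.1.2.10:5555
2026-05-01T10:00:02Z DENY TCP 203.0.113.7:41023 -> 10.1.2.11:5555
2026-05-01T10:00:02Z DENY TCP 203.0.113.7:41024 -> 10.1.2.12:5555
2026-05-01T10:00:03Z ALLOW TCP 198.51.100.9:50321 -> 10.1.2.10:443
2026-05-01T10:00:04Z ALLOW TCP 10.0.0.5:53012 -> 10.1.2.10:5555
2026-05-01T10:00:05Z DENY TCP 198.51.100.22:60000 -> 10.1.2.13:5555
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def analyse_adb_exposure(log_text, scan_threshold=2):
    """Return (exposed, scanners).
    exposed  - sorted internal hosts that ACCEPTED an ADB connection from an external source
    scanners - external sources that probed >= scan_threshold distinct internal hosts on 5555
    """
    targets_by_src = defaultdict(set)
    exposed = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["proto"] != "TCP" or ev["dport"] != ADB_PORT:
            continue
        if is_internal(ev["src"]):
            continue  # internal ADB use (e.g. a dev workstation) is out of scope here
        targets_by_src[ev["src"]].add(ev["dst"])
        if ev["action"] == "ALLOW":
            exposed.add(ev["dst"])  # a device reachable on ADB from the internet
    scanners = {s: sorted(t) for s, t in targets_by_src.items() if len(t) >= scan_threshold}
    return sorted(exposed), scanners
```

Any host listed in `exposed` is a candidate for immediate isolation and for disabling ADB over TCP, while `scanners` gives the sweep sources worth blocking or correlating with other telemetry.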
ShinyHunters claims theft of 240 million education records in Instructure breach
Educational technology company Instructure has confirmed it suffered a cyber attack, with the ShinyHunters extortion group claiming to have stolen more than 240 million records linked to students, teachers and staff worldwide.
The company, best known for its Canvas learning management system used by schools and universities globally, said it is working with third-party cybersecurity experts and law enforcement to investigate the incident. Customers have also been required to re-authorise API access as part of the response.
According to ShinyHunters, the stolen data spans nearly 15,000 educational institutions across North America, Europe and Asia-Pacific. The group claims the information includes names, email addresses, course enrolment details and billions of private messages exchanged between students and teachers.
The threat actors also allege they gained access to connected Salesforce environments during the attack. While the full scope of the breach has not yet been independently verified, the scale of the claimed data theft would make it one of the largest education-sector cyber incidents reported this year.
The incident highlights the growing targeting of education platforms by cybercriminals seeking large volumes of personal and sensitive data.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.
Disclaimer
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.