Threat Landscape Summary (March 31 – April 7, 2025)
The week of March 31 to April 7, 2025, was marked by a series of high-profile data breaches in the cloud, automotive, and retail sectors, signaling a strategic shift by threat actors toward "centralized identity" and "infrastructure-as-a-service" providers. An actively exploited zero-day in the Windows Common Log File System driver (CVE-2025-29824) was picked up by ransomware operators for privilege escalation, while a breach claim against Oracle Cloud involving approximately 6 million records underscored the exposure of Single Sign-On (SSO) and LDAP systems.
In the retail and logistics space, the NASCAR organization and the UK’s Co-operative Group both confirmed major disruptions due to ransomware, highlighting that the “Spring Surge” of 2025 is prioritizing organizations with complex, time-sensitive supply chains. Furthermore, the discovery of a massive 16-billion-credential aggregation leak has begun to fuel a new wave of automated account takeover (ATO) attacks across global SaaS platforms.
The global landscape is currently dominated by SaaS-to-SaaS supply chain attacks, where threat actors exploit OAuth tokens and API integrations rather than traditional network perimeters. This week saw the fallout from the “Salesloft-Drift” compromise reach its peak, affecting over 700 organizations worldwide.
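The defensive response to SaaS-to-SaaS attacks is an inventory of the OAuth grants and integration tokens a tenant has handed to third parties, ranked so that the most dangerous ones are revoked or rotated first. The script below is an added example, not code from the original summary or from any vendor named in it: the grant records are constructed, and the field names (app, scopes, granted_by, last_used, ip_restricted) are an assumed normalised form of what a SaaS admin API or identity provider exports. The scoring weights are illustrative, but the signals are the ones that matter in practice: bulk-data scopes, refresh tokens that outlive password resets, grants nobody has used in months, tokens with no IP restriction, and grants made by shared service identities.

```python
"""Rank third-party OAuth grants by supply-chain risk.

Added example, not code from the original summary or from any vendor
named in it.  The grant records are constructed, and the field names
(app, scopes, granted_by, last_used, ip_restricted) are an assumed
normalised form of what a SaaS admin API or IdP exports.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 4, 7, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)

# Scopes that give an integration bulk read/write over business data.
# Names mix common vendor conventions and are illustrative only.
HIGH_IMPACT_SCOPES = {"full", "api", "repo", "admin:org",
                      "crm.objects.contacts.write"}
LONG_LIVED_SCOPES = {"refresh_token", "offline_access"}

# Constructed sample tenant with four connected apps.
GRANTS = [
    {"app": "chat-widget", "scopes": ["api", "crm.objects.contacts.write", "refresh_token"],
     "granted_by": "integration-svc",
     "last_used": NOW - timedelta(days=2), "ip_restricted": True},
    {"app": "slack-notify", "scopes": ["chat:write"],
     "granted_by": "alice",
     "last_used": NOW - timedelta(days=1), "ip_restricted": True},
    {"app": "legacy-etl", "scopes": ["full", "refresh_token"],
     "granted_by": "bob",
     "last_used": NOW - timedelta(days=120), "ip_restricted": False},
    {"app": "github-ci", "scopes": ["repo", "admin:org"],
     "granted_by": "ci-bot",
     "last_used": NOW - timedelta(hours=3), "ip_restricted": False},
]


def score_grant(grant, now=NOW):
    """Return (score, reasons); higher means revoke or rotate first."""
    score, reasons = 0, []
    scopes = set(grant["scopes"])
    risky = scopes & HIGH_IMPACT_SCOPES
    if risky:
        score += 2 * len(risky)
        reasons.append(f"high-impact scopes {sorted(risky)}")
    if scopes & LONG_LIVED_SCOPES:
        # A refresh token outlives the user's password and session revocation.
        score += 2
        reasons.append("long-lived refresh token")
    if now - grant["last_used"] > STALE_AFTER:
        score += 3
        reasons.append("unused for more than 90 days")
    if not grant["ip_restricted"]:
        score += 1
        reasons.append("no IP allow-list on the token")
    if grant["granted_by"].endswith(("-svc", "-bot")):
        # No human owner to re-consent or notice when the grant is abused.
        score += 1
        reasons.append("granted by a shared service identity")
    return score, reasons


def prioritize(grants, now=NOW):
    """Return [(app, score, reasons)] with the riskiest grant first."""
    rows = []
    for g in grants:
        score, reasons = score_grant(g, now)
        rows.append((g["app"], score, reasons))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


if __name__ == "__main__":
    for app, score, reasons in prioritize(GRANTS):
        print(f"{score:2d}  {app:<13} {'; '.join(reasons) or 'ok'}")
```

On the sample tenant the stale `legacy-etl` grant with a `full` scope and a refresh token comes out on top, ahead of the actively used integrations; that ordering is the point, because a forgotten token with broad scope is exactly what a SaaS-to-SaaS attacker reuses after compromising the integration vendor.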
Additionally, we are observing the maturation of "extortion-only" models. Groups such as HELLCAT and Medusa increasingly skip the operational overhead of file encryption, focusing instead on rapid data exfiltration and the threat of leaking proprietary source code or sensitive personal data to maximize pressure on high-profile targets such as Jaguar Land Rover and NYU.
Oracle Cloud (Tech/Cloud): On April 2, a threat actor using the handle "rose87168" claimed to have exfiltrated 6 million records from Oracle's SSO and LDAP systems. The actor said the data includes Java KeyStore (JKS) files and encrypted passwords. If genuine, this is a systemic risk to enterprise customers that use Oracle for identity management; those customers should treat SSO/LDAP credentials and any keys or certificates held in the affected keystores as potentially exposed and rotate them.
NASCAR (Sports/Entertainment): The Medusa ransomware group claimed responsibility for a breach at NASCAR, alleging the theft of over 1TB of data, including internal financial reports, vendor contact details, and sensitive business documents.
Jaguar Land Rover (Automotive): Following a breach in late March, the impact escalated this week as JLR was reportedly forced to pause operations at multiple factories due to the theft of critical development logs and engineering source code by the HELLCAT group.
New York University (Higher Education): NYU confirmed a breach affecting 3 million applicants. The attacker, “@bestn-gy,” defaced the university’s homepage and leaked sensitive demographic and financial aid data dating back to 1989.
Co-operative Group (Retail – UK): A ransomware attack disrupted operations for 6.5 million members, impacting both digital and in-store services. This incident is part of a broader trend of targeting major cooperative and loyalty-based retailers.
| Date | Affected Organization | Sector | Incident Type | Impact |
|---|---|---|---|---|
| Mar 31, 2025 | Oracle Cloud | Technology | Identity Breach | 6M SSO/LDAP records exposed |
| Apr 02, 2025 | NYU | Education | Data Theft | 3M applicant records & PII |
| Apr 04, 2025 | WK Kellogg Co | Food/Retail | Supply Chain | Employee/Vendor data (Cleo exploit) |
| Apr 05, 2025 | NASCAR | Sports | Ransomware | 1TB of internal documents stolen |
| Apr 06, 2025 | Co-operative Group | Retail | Ransomware | 6.5M members' data affected |
| Apr 07, 2025 | DaVita | Healthcare | Data Extortion | 2.6M medical/PII records leaked |
The “Credential Buffet” Aggregation:
The emergence of a 16-billion-record credential dump, compiled from years of infostealer logs, has changed the economics of account takeover. The dataset is being used against "non-federated" accounts, specifically local VPN and administrative logins that sit outside the corporate IdP and lack phishing-resistant hardware MFA. This week we tracked a 300% increase in login attempts against corporate Slack and GitHub environments using these leaked credentials.
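Credential stuffing against these local logins leaves a distinctive trace: a single source address cycling through many distinct usernames with a low success rate, and the occasional success without MFA is the account that has actually been taken over. The detector below is an added example, not part of the original summary; the log lines are constructed, and the line format (timestamp, source IP, user, result, MFA method) is an assumed normalisation of a VPN or admin-portal auth log rather than any product's real format.

```python
"""Detect credential stuffing against non-federated logins.

Added example, not part of the original summary.  The log lines are
constructed; the format (ts, src_ip, user, result, mfa=...) is an
assumption standing in for a VPN or admin-portal auth log.
"""
from collections import defaultdict

# Constructed sample log: one IP replaying leaked combos, one normal user.
SAMPLE_LOG = """\
2025-04-03T02:14:01Z 203.0.113.7 alice FAIL mfa=none
2025-04-03T02:14:02Z 203.0.113.7 bob FAIL mfa=none
2025-04-03T02:14:02Z 203.0.113.7 carol FAIL mfa=none
2025-04-03T02:14:03Z 203.0.113.7 dave FAIL mfa=none
2025-04-03T02:14:03Z 203.0.113.7 erin FAIL mfa=none
2025-04-03T02:14:04Z 203.0.113.7 frank OK mfa=none
2025-04-03T02:14:05Z 203.0.113.7 grace FAIL mfa=none
2025-04-03T02:14:06Z 203.0.113.7 heidi FAIL mfa=none
2025-04-03T02:14:07Z 203.0.113.7 ivan FAIL mfa=none
2025-04-03T02:14:08Z 203.0.113.7 judy FAIL mfa=none
2025-04-03T02:14:09Z 203.0.113.7 mallory OK mfa=none
2025-04-03T08:01:10Z 198.51.100.20 alice FAIL mfa=none
2025-04-03T08:01:20Z 198.51.100.20 alice OK mfa=totp
"""

MIN_DISTINCT_USERS = 5   # one IP trying many accounts is stuffing, not a typo
MAX_SUCCESS_RATE = 0.5   # real users succeed far more often than leaked combos


def parse(log_text):
    """Yield one dict per log line in the assumed format."""
    for line in log_text.splitlines():
        ts, ip, user, result, mfa = line.split()
        yield {"ts": ts, "ip": ip, "user": user,
               "ok": result == "OK", "mfa": mfa.split("=", 1)[1]}


def detect_stuffing(events):
    """Group by source IP; flag IPs hitting many distinct users with low success."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        successes = [e for e in evs if e["ok"]]
        rate = len(successes) / len(evs)
        if len(users) >= MIN_DISTINCT_USERS and rate <= MAX_SUCCESS_RATE:
            # Successful non-MFA logins from a spraying IP are the real loss:
            # treat those accounts as compromised rather than only blocking the IP.
            compromised = sorted(e["user"] for e in successes if e["mfa"] == "none")
            findings.append({"ip": ip, "attempts": len(evs),
                             "distinct_users": len(users),
                             "success_rate": round(rate, 2),
                             "compromised": compromised})
    return findings


if __name__ == "__main__":
    for f in detect_stuffing(parse(SAMPLE_LOG)):
        print(f)
```

The thresholds are deliberately simple; what makes the rule useful is that it keys on distinct usernames per source rather than on failures per username, which is what lockout policies watch and what a stuffing campaign with one attempt per account never triggers. The legitimate user at 198.51.100.20 who mistypes once and then succeeds with TOTP is not flagged.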
Automotive Supply Chain Fragility:
The JLR incident demonstrates that cyberattacks on the automotive sector are no longer just about PII; they are about intellectual property (IP). By targeting Jira credentials and source code repositories, attackers can cripple physical manufacturing capabilities, leading to multi-billion-dollar losses that far exceed the value of any ransom.
| CVE ID | Description | Severity (CVSS) | Mitigation Status |
|---|---|---|---|
| CVE-2025-29824 | Windows CLFS EoP: use-after-free in the Common Log File System driver. | 7.8 (High) | Actively exploited; ransomware groups using it to gain SYSTEM privileges. |
| CVE-2025-30406 | CentreStack/Triofox RCE: hardcoded cryptographic keys in a file-sharing application. | 9.8 (Critical) | CISA KEV listed; high risk for enterprise file storage. |
| CVE-2025-22457 | Ivanti Connect Secure overflow: stack-based buffer overflow in VPN gateways. | 9.8 (Critical) | Emergency patch available; unauthenticated RCE risk. |
| CVE-2025-27480 | Windows RDP RCE: use-after-free in Remote Desktop Services. | 8.1 (High; Microsoft rates it Critical) | Critical for organizations running Remote Desktop Gateway roles. |
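The CentreStack/Triofox entry is the one a defender can check for in their own estate without a patch: a key that a vendor hardcodes is, by definition, identical on every install, so the test is whether several of your deployments share the same key material. The script below is an added example, not code from the original summary or from the affected vendor. It assumes the application is an ASP.NET app whose keys live in the `<machineKey>` element of `web.config` (an assumption for this example); the three config fragments are constructed and the key values are placeholders, not any vendor's real key. It also shows how to mint a per-install replacement, which is the actual remediation for a shipped default.

```python
"""Spot shared ("hardcoded") machineKey values across deployments.

Added example, not from the original summary or from the affected vendor.
It assumes an ASP.NET application whose keys live in the <machineKey>
element of web.config; the config fragments below are constructed and
the key values are placeholders, not any vendor's real key.
"""
import hashlib
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

# Placeholder key material (hex).  Two hosts share one pair, one host is unique.
SHARED_V = "A1B2C3D4" * 16   # 128 hex chars = 64-byte HMAC-SHA256 validation key
SHARED_D = "E5F60718" * 8    # 64 hex chars  = 32-byte AES decryption key
UNIQUE_V = "9F8E7D6C" * 16
UNIQUE_D = "5B4A3928" * 8


def web_config(vkey, dkey):
    """Build a minimal constructed web.config fragment around a machineKey."""
    return (f'<configuration><system.web><machineKey validationKey="{vkey}" '
            f'decryptionKey="{dkey}" validation="HMACSHA256" decryption="AES"/>'
            f'</system.web></configuration>')


# Constructed: web.config "collected" from three file-sharing portal hosts.
CONFIGS = {
    "fs-portal-01": web_config(SHARED_V, SHARED_D),
    "fs-portal-02": web_config(SHARED_V, SHARED_D),
    "fs-portal-03": web_config(UNIQUE_V, UNIQUE_D),
}


def extract_machine_key(xml_text):
    """Return (validationKey, decryptionKey) or None if no explicit machineKey."""
    root = ET.fromstring(xml_text)
    for mk in root.iter("machineKey"):
        vkey, dkey = mk.get("validationKey"), mk.get("decryptionKey")
        if vkey and dkey:
            return vkey, dkey
    return None


def find_shared_keys(configs):
    """Map a short hash of each key pair to the hosts using it; keep shared ones.

    Hashing means the report can be circulated without copying key material.
    """
    hosts_by_key = defaultdict(list)
    for host, xml_text in configs.items():
        pair = extract_machine_key(xml_text)
        if pair is None:
            continue
        digest = hashlib.sha256("|".join(pair).encode()).hexdigest()[:16]
        hosts_by_key[digest].append(host)
    return {k: sorted(v) for k, v in hosts_by_key.items() if len(v) > 1}


def fresh_machine_key():
    """Per-install replacement: 64-byte HMAC-SHA256 validation key, 32-byte AES key."""
    return {"validationKey": secrets.token_hex(64).upper(),
            "decryptionKey": secrets.token_hex(32).upper()}


if __name__ == "__main__":
    for digest, hosts in find_shared_keys(CONFIGS).items():
        print(f"key {digest} shared by {', '.join(hosts)} -> rotate on each host")
    print("example replacement:", fresh_machine_key())
```

Run against real hosts, any key hash that appears on more than one installation (or on a fresh install straight from the vendor package) is the hardcoded default; patch, then replace it on every host with a key generated locally, since an attacker who has the vendor's value can forge whatever that key protects on every unrotated instance.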
For Technical Audiences:
The industrial impact seen at Jaguar Land Rover suggests that threat actors are moving toward "physical-financial disruption": by targeting the code and engineering systems behind the factory, they gain leverage that a PII leak never provides. We advise all manufacturing clients to segment their OT (Operational Technology) networks from IT development and engineering environments, so that a compromise of source control, ticketing, or developer workstations cannot propagate to the systems that keep assembly lines running.
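Segmentation advice is only as good as the evidence that traffic respects it. The script below is an added example, not code from the original summary: it checks observed flows against a zone policy in which engineering IT may reach a historian DMZ, the DMZ may push to the plant, and engineering never talks to OT directly. The subnets, zone names, and flow records are constructed; a real run would feed it NetFlow or firewall logs.

```python
"""Check observed flows against an IT/OT segmentation policy.

Added example, not from the original summary.  Zones, subnets and flow
records are constructed; a real check would read NetFlow or firewall logs.
"""
import ipaddress

# Constructed zones: engineering/dev IT, a historian DMZ, and plant OT.
ZONES = {
    "it-dev": [ipaddress.ip_network("10.10.0.0/16")],
    "dmz-historian": [ipaddress.ip_network("10.200.0.0/24")],
    "ot-plant": [ipaddress.ip_network("172.16.0.0/16")],
}

# Allowed directed zone edges; any other cross-zone flow is a violation.
ALLOWED = {("it-dev", "dmz-historian"), ("dmz-historian", "ot-plant")}

# Constructed flow records: (src, dst, dst_port).
FLOWS = [
    ("10.10.5.21", "10.200.0.8", 443),      # dev -> historian DMZ: allowed
    ("10.200.0.8", "172.16.3.40", 502),     # DMZ -> PLC (Modbus): allowed
    ("10.10.7.99", "172.16.3.40", 502),     # dev workstation -> PLC: violation
    ("10.10.7.99", "10.10.7.100", 22),      # intra-zone: not evaluated
    ("172.16.3.40", "10.10.5.21", 445),     # OT -> dev SMB: violation
    ("192.0.2.10", "172.16.3.40", 502),     # unknown source: reported separately
]


def zone_of(ip):
    """Return the zone name containing ip, or None if it is outside all zones."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return None


def evaluate(flows, allowed=ALLOWED):
    """Return (violations, unzoned): cross-zone flows not in the policy, and
    flows involving addresses no zone claims (a coverage gap, not a pass)."""
    violations, unzoned = [], []
    for src, dst, port in flows:
        zs, zd = zone_of(src), zone_of(dst)
        if zs is None or zd is None:
            unzoned.append((src, dst, port))
            continue
        if zs != zd and (zs, zd) not in allowed:
            violations.append((zs, zd, src, dst, port))
    return violations, unzoned


if __name__ == "__main__":
    bad, gaps = evaluate(FLOWS)
    for zs, zd, src, dst, port in bad:
        print(f"VIOLATION {zs} -> {zd}: {src} -> {dst}:{port}")
    for src, dst, port in gaps:
        print(f"UNZONED {src} -> {dst}:{port}")
```

Reporting unzoned addresses separately matters: a flow the policy cannot classify is the usual sign of an undocumented jump host or a forgotten subnet, which is how an IT compromise ends up with a path into OT in the first place.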
Meraal Cyber Security (MCS) Threat Intelligence Team