Cloud Hijacking, Squidbleed, and Parallel Intrusions Shape Today's Threat Landscape

Events tracked: 170
Critical exposure: 58

Summary

Today's intelligence reveals a threat landscape defined by the convergence of old and new attack vectors. While a 29-year-old vulnerability in the Squid proxy (Squidbleed) resurfaces to threaten cleartext HTTP traffic, sophisticated research from Unit 42 highlights how attackers can exploit cloud namespace uniqueness for large-scale data exfiltration. Compounding this, Microsoft's analysis of a single intrusion reveals two distinct threat actors operating in parallel, underscoring the complexity of modern incident response. Defenders must prioritize patching legacy infrastructure while hardening cloud configurations and preparing for multi-actor compromise scenarios.

Today's developments

A significant volume of alleged data breaches and leaks today targets government and healthcare entities across multiple continents. In Asia, multiple Indonesian government bodies are implicated, including the Badan Nasional Penanggulangan Bencana (disaster management agency) and regional administrations in Kalimantan Utara and Kabupaten Bantul, all allegedly breached by actor B4d0kAhay. Separately, actor Mosad Leaks claims to have breached the Bangladesh Military, with actor mossad also allegedly leaking related internal documents. In the Americas, the Centro Nacional de Trasplantes in Mexico is allegedly breached by two separate actors (cenfecracked and MVP), while a U.S. healthcare practice associated with Dr. Jeffrey D. Reuben and former Mayo Clinic patients are also named in alleged incidents. European targets include France's Mairie de Paris and the Fédération Sportive de la Police Nationale, as well as the Netherlands' food delivery platform Thuisbezorgd.nl.

Industry research published today provides critical context for these events. Unit 42 detailed a universal bucket hijacking technique that exploits the global uniqueness of cloud storage bucket names, potentially allowing attackers to redirect data streams across major cloud service providers. This is a high-priority signal for any organization using cloud storage. Separately, the disclosure of Squidbleed, a heap over-read vulnerability in the Squid web proxy dating back to a 1997 code change, can leak cleartext HTTP requests -- including credentials and session tokens -- from users sharing the same proxy. This flaw is present in Squid's default configuration and requires immediate patching.
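The bucket hijacking technique described above works because storage names are globally unique per provider: a configuration that still points at a bucket the organization no longer owns (or never owned) is a reference an outside party can claim. The defensive counterpart is an inventory check. The following is an added example, not Unit 42's tooling or any vendor's code: it extracts bucket references from configuration text for the three major providers' URL forms and flags any reference outside an owned inventory. The sample configuration and the ownership inventory are constructed, and the URL patterns are assumed to cover the formats in use.

```python
"""Flag cloud storage bucket references that fall outside an owned inventory.

Constructed example: the config text, the inventory, and the URL patterns
below are assumptions for illustration, not real infrastructure.
"""
import re

# Each entry maps a provider to a regex whose group(1) is the globally unique
# name: the bucket for AWS/GCP, the storage account for Azure (where account
# names, not container names, are the globally unique part).
BUCKET_PATTERNS = [
    ("aws", re.compile(r"s3://([a-z0-9.-]{3,63})", re.IGNORECASE)),
    ("aws", re.compile(
        r"https?://([a-z0-9.-]{3,63})\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com",
        re.IGNORECASE)),
    ("aws", re.compile(
        r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/([a-z0-9.-]{3,63})",
        re.IGNORECASE)),
    ("gcp", re.compile(r"gs://([a-z0-9._-]{3,222})", re.IGNORECASE)),
    ("gcp", re.compile(r"https?://storage\.googleapis\.com/([a-z0-9._-]{3,222})",
                       re.IGNORECASE)),
    ("azure", re.compile(r"https?://([a-z0-9]{3,24})\.blob\.core\.windows\.net",
                         re.IGNORECASE)),
]

# Constructed configuration fragment standing in for app settings, CI files,
# or infrastructure code pulled from a repository.
SAMPLE_CONFIG = """
backup_target = s3://acme-prod-backups/nightly/
log_sink = gs://acme-logs-archive
legacy_export = https://old-vendor-exports.s3.amazonaws.com/reports/
avatars = https://acmestaticassets.blob.core.windows.net/avatars
"""

# Constructed inventory of names the organization actually controls, as an
# asset-management system would export it.
OWNED = {
    "aws": {"acme-prod-backups"},
    "gcp": {"acme-logs-archive"},
    "azure": {"acmestaticassets"},
}


def extract_bucket_refs(config_text):
    """Return (provider, name) pairs referenced in config_text, deduplicated,
    in the order the patterns above discover them."""
    refs = []
    seen = set()
    for provider, pattern in BUCKET_PATTERNS:
        for match in pattern.finditer(config_text):
            key = (provider, match.group(1).lower())
            if key not in seen:
                seen.add(key)
                refs.append(key)
    return refs


def find_unowned_refs(config_text, owned):
    """Return references whose name is not in the owned inventory for that
    provider. Each hit is a dangling reference that a third party could
    register under the same globally unique name."""
    return [
        (provider, name)
        for provider, name in extract_bucket_refs(config_text)
        if name not in owned.get(provider, set())
    ]


if __name__ == "__main__":
    for provider, name in find_unowned_refs(SAMPLE_CONFIG, OWNED):
        print(f"UNOWNED REFERENCE: {provider} {name}")
```

Run against real configuration, the check is only as good as the inventory it compares against, so the owned set should come from the providers' own account listings rather than from documentation, and every hit should be resolved by either deleting the reference or re-establishing ownership of the name.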

The supply chain and AI attack surfaces also saw notable developments. A supply chain attack on ShapedPlugin WordPress plugins saw backdoor code injected into official Pro plugin releases, affecting multiple sites. Researchers also disclosed DifyTap, a set of four vulnerabilities in the open-source Dify AI platform that could allow attackers to read AI conversations across different tenants without authentication. Additionally, a new malware loader, OXLOADER, is being distributed via malicious Google Ads to deliver CastleStealer, with researchers attributing the campaign to a likely Russian-speaking, financially motivated actor.

Threat landscape signals

Today's event data shows a pronounced concentration of activity against government and public sector targets, particularly in Indonesia and Bangladesh. The healthcare sector remains a persistent target, with multiple incidents in Mexico and the United States. Actor OriginalCrazyOldFart is responsible for a high volume of alleged data leaks today, targeting multiple organizations and individuals across unspecified sectors, suggesting a broad, opportunistic data collection effort. The appearance of actor mossad targeting Bangladesh military documents in both a breach and a leak category indicates a focused, potentially politically motivated campaign.

The broader pattern from external analysis reinforces a shift toward multi-vector and multi-actor intrusions. Microsoft's report on parallel threat activity within a single ransomware case highlights that defenders can no longer assume a single attacker is responsible for all observed indicators. Combined with the cloud hijacking research and the resurgence of legacy vulnerabilities like Squidbleed, the message is clear: attack surfaces are expanding laterally across cloud, AI, and legacy infrastructure, demanding a unified and proactive defense posture.

All incidents are reported as alleged claims by threat actors and have not been independently verified by GrayscaleInsight.

Threat intelligence is reported for security awareness purposes only and does not constitute endorsement of any actor, group, or activity.
