
15th September – Threat Intelligence Report

Medium
Vulnerability
Published: Mon Sep 15 2025 (09/15/2025, 12:43:38 UTC)
Source: Check Point Research

Description

The 15th September 2025 Threat Intelligence Report by Check Point Research highlights multiple significant cyber threats, including ransomware attacks, data breaches, and critical vulnerabilities. Notably, Panama’s Ministry of Economy and Finance suffered a ransomware attack in which over 1.5TB of sensitive data was stolen by the INC Ransom group. Other incidents include breaches affecting Vietnam’s National Credit Information Center, American company Lovesac, New York Blood Center, and British train operator LNER. Critical vulnerabilities such as CVE-2024-40766 in SonicWall SSL VPN appliances are actively exploited by Akira ransomware operators. Emerging threats include the Yurei ransomware group and malicious VS Code extensions by WhiteCobra targeting cryptocurrency theft. The report underscores a global surge in ransomware and cyber attacks, with increased targeting of the government, finance, manufacturing, and education sectors. European organizations face risks from supply chain attacks, VPN vulnerabilities, and ransomware groups leveraging stolen data for extortion. Mitigations require patching critical flaws, securing VPN configurations, monitoring for ransomware indicators, and vetting third-party suppliers. Countries with high SonicWall appliance usage, critical infrastructure, and large financial sectors are most at risk.

AI-Powered Analysis

Last updated: 10/07/2025, 01:32:40 UTC

Technical Analysis

The 15th September 2025 Threat Intelligence Report from Check Point Research details a range of active cyber threats and vulnerabilities impacting diverse sectors worldwide. The report opens with a ransomware attack on Panama’s Ministry of Economy and Finance by the INC Ransom group, resulting in the theft of over 1.5TB of sensitive fiscal data, including emails and financial documents. Similar ransomware and data breach incidents affected Vietnam’s National Credit Information Center (CIC), American furniture company Lovesac, New York Blood Center, and British train operator LNER, exposing personally identifiable information (PII), health data, and customer travel records. The report highlights critical vulnerabilities such as CVE-2024-40766, an improper access control flaw in SonicWall SSL VPN appliances (Gen 5–7, SonicOS 7.0.1-5035 and earlier) with a CVSS score of 9.3, actively exploited by Akira ransomware operators. This vulnerability allows attackers to bypass access controls and crash firewalls, often because configurations were migrated to new appliances without resetting credentials. Additional vulnerabilities include a Windows SMB elevation of privilege flaw and a denial of service in Newtonsoft.Json affecting SQL Server. Emerging threats include the Yurei ransomware group, which employs double extortion via encryption and data theft, and WhiteCobra’s campaign distributing malicious VS Code extensions to steal cryptocurrency wallets. The report also notes a 101% year-over-year increase in cyber attacks targeting the agriculture, education, telecom, and government sectors, with ransomware rising 14% globally. Check Point’s Threat Emulation and Harmony Endpoint products provide detection and protection against many of these threats. The report underscores the growing complexity and scale of ransomware and data theft campaigns, emphasizing the need for proactive patching, threat detection, and supply chain security.

Potential Impact

European organizations face substantial risks from these threats due to several factors. The SonicWall SSL VPN vulnerability is particularly concerning as many European enterprises and government agencies rely on these appliances for secure remote access; exploitation can lead to unauthorized access, data breaches, and network disruption. Ransomware groups like Akira and INC Ransom pose direct threats to critical infrastructure and public sector entities, potentially disrupting essential services and exposing sensitive data. Data breaches involving personal and financial information can lead to regulatory penalties under GDPR, reputational damage, and financial losses. The supply chain risk demonstrated by LNER’s breach via a third-party supplier highlights vulnerabilities in interconnected ecosystems common in Europe. The surge in attacks on agriculture, education, telecom, and government sectors aligns with key European economic and strategic sectors, increasing the likelihood of targeted campaigns. Additionally, the use of malicious development tools and extensions threatens European software supply chains and developer environments, risking widespread compromise. Overall, these threats could degrade trust in digital services, impact national security, and impose significant remediation costs.

Mitigation Recommendations

European organizations should prioritize immediate patching of the SonicWall SSL VPN vulnerability (CVE-2024-40766) and ensure all VPN appliances are updated to the latest firmware with credential resets post-migration. Implement strict network segmentation and zero-trust access models to limit lateral movement if VPNs are compromised. Deploy advanced endpoint detection and response (EDR) solutions with threat emulation capabilities, such as Check Point’s Threat Emulation and Harmony Endpoint, to detect ransomware and malware variants like Akira, INC Ransom, and Yurei. Conduct thorough security assessments of third-party suppliers and enforce stringent access controls and monitoring to mitigate supply chain risks. Educate developers and IT teams to avoid installing unverified VS Code extensions and implement application whitelisting and code signing policies. Enhance monitoring of Docker APIs and cloud environments to detect and block unauthorized access and malware deployment. Regularly back up critical data with offline copies and test recovery procedures to reduce ransomware impact. Finally, engage in threat intelligence sharing with European cybersecurity agencies to stay informed about emerging threats and coordinated defense strategies.


Technical Details

Article Source: https://research.checkpoint.com/2025/15th-september-threat-intelligence-report/ (fetched 2025-10-07T01:30:34 UTC, 1001 words)

Threat ID: 68e46d3b6a45552f36e94e4c

Added to database: 10/7/2025, 1:30:35 AM

Last enriched: 10/7/2025, 1:32:40 AM

Last updated: 10/7/2025, 9:33:02 AM

