Cybersecurity Roundup: Critical Incidents and Trends in April 2025

As cyber threats continue to evolve, April 2025 has seen a series of high-profile incidents that underscore the importance of robust cybersecurity practices. From ransomware disrupting retail to zero-day exploits targeting enterprise systems, IT professionals must stay vigilant. This post recaps the most significant cybersecurity events of the month, detailing attack types, techniques, impacts, and key takeaways to help you strengthen your defenses.

1. Marks & Spencer (M&S) Cyberattack Disrupts Retail Operations

• Date: Ongoing, reported by April 25, 2025; impacts persisted through April 29.
• Attack Type: Cyberattack, likely ransomware or data breach.
• Technique: The attack crippled M&S’s online infrastructure, halting website sales and order processing. While specifics remain undisclosed, it likely exploited vulnerabilities in M&S’s network or third-party systems. The attack affected gift card systems and canceled orders placed on or after April 23.
• Impact:
  • Financial: Over £500 million wiped from M&S’s stock value.
  • Operational: Suspended UK and Ireland online orders, paused Ocado food deliveries, and idled warehouse staff.
  • Customer: Canceled orders and gift card issues risk long-term reputational damage.
• Takeaway: Retail IT teams must prioritize network segmentation, endpoint monitoring, and rapid incident response to mitigate ransomware. Regular audits of third-party integrations are critical to prevent supply chain attacks.

2. SK Telecom Data Breach Exposes Vulnerabilities

• Date: Detected April 19, 2025, ~11 p.m. local time; reported in April.
• Attack Type: Data breach.
• Technique: An unspecified cyberattack enabled unauthorized access to customer or corporate data. No evidence of data misuse was reported, and the attack wasn’t claimed by any group. Likely vectors include phishing, credential stuffing, or unpatched vulnerabilities.
• Impact:
  • Financial: SK Telecom’s shares plummeted post-announcement.
  • Reputational: Public disclosure eroded trust, highlighting the stakes of transparency.
• Takeaway: Implement zero-trust architectures and continuous monitoring to detect intrusions early. Ensure timely patching and conduct regular penetration testing to identify weak points.

3. Iran Repels Large-Scale Infrastructure Attack

• Date: April 27, 2025.
• Attack Type: State-sponsored cyberattack on critical infrastructure.
• Technique: Targeted Iran’s Bandar Abbas port and other infrastructure, likely using advanced persistent threats (APTs) or DDoS techniques. Coincided with a physical explosion, suggesting a hybrid cyber-physical attack. Iran has previously attributed similar incidents to Israel.
• Impact:
  • Infrastructure: Attack was repelled, but the port explosion caused 18 deaths and hundreds of injuries.
  • Geopolitical: Escalated tensions with adversaries, reinforcing cybersecurity’s role in national security.
• Takeaway: Critical infrastructure operators must harden OT systems, deploy intrusion detection, and prepare for hybrid threats. Geopolitical risk assessments should inform cybersecurity strategies.

4. SAP NetWeaver Zero-Day Exploitation

• Date: Exploited in April 2025; reported April 28.
• Attack Type: Zero-day vulnerability exploitation (CVE-2025-31324, CVSS 10.0).
• Technique: Attackers uploaded JSP web shells to SAP NetWeaver systems, enabling remote code execution. They leveraged the Brute Ratel C4 framework and Heaven’s Gate technique to evade endpoint detection.
• Impact:
  • System Compromise: Full control over affected systems, risking sensitive business data.
  • Enterprise Risk: SAP’s widespread use amplifies the threat across industries.
• Takeaway: Apply SAP patches immediately and monitor for anomalous file uploads. Deploy behavior-based detection to catch post-exploitation activity, especially for zero-day threats.

5. DslogdRAT Malware Targets Ivanti ICS

• Date: Ongoing since December 2024; reported April 25, 2025.
• Attack Type: Malware via zero-day (CVE-2025-0282, patched January 2025).
• Technique: Chinese threat actors (UNC5337) exploited Ivanti Connect Secure vulnerabilities to deploy DslogdRAT, SPAWNCHIMERA, and RESURGE malware. Focused on espionage, primarily in Japan.
• Impact:
  • Espionage: Persistent access to sensitive data in targeted organizations.
  • Infrastructure: Compromised secure remote access systems, critical for enterprise operations.
• Takeaway: Patch Ivanti systems promptly and monitor for web shell activity. Use threat intelligence to track nation-state actors and prioritize defenses against espionage campaigns.

Broader Trends in April 2025

• Identity-Based Attacks: Phishing and stolen credentials outpaced exploits, often bypassing MFA. Deploy real-time browser defenses to counter these threats.
• Third-Party Risks: Supply chain attacks doubled, exploiting trusted partners. Vet third-party vendors and enforce strict access controls.
• Ransomware Surge: A 9% rise in U.S. critical infrastructure attacks from 2023 to 2024 continued into 2025, using encryption (MITRE T1486) and command execution (T1059).
• Zero-Day Exploits: 159 CVEs were exploited in Q1 2025, with 28.3% within 24 hours of disclosure, targeting CMS and edge devices.

Actionable Recommendations for IT Professionals

1. Patch Management: Prioritize patching for critical vulnerabilities like CVE-2025-31324 and CVE-2025-0282. Automate patch deployment where possible.
2. Zero-Trust Architecture: Enforce least privilege, MFA, and continuous authentication to mitigate identity-based attacks.
3. Threat Intelligence: Subscribe to feeds tracking APTs and zero-day exploits. Monitor for indicators of compromise (IoCs) from groups like UNC5337.
4. Incident Response: Develop and test playbooks for ransomware and data breaches. Ensure backups are offline and immutable.
5. Supply Chain Security: Audit third-party vendors and implement network segmentation to limit lateral movement.

Final Thoughts

April 2025 highlights the relentless pace of cyber threats, from retail disruptions to nation-state espionage. As attackers exploit zero-days and trusted relationships, IT professionals must adopt proactive, layered defenses. Stay informed, patch diligently, and leverage threat intelligence to protect your organization.