CPS A.I CyberSecurity Scoring
Company Information
Website: http://www.checkpoint.com
Number of employees: 8,356
Number of followers: 420,046
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: checkpoint.com
CPS Risk Score (AI oriented)
Between 550 and 599
CPS: Computer and Network Security
Updated: 08/06/2026
597/1000
Very Poor
Ca
Current Score
597 Ca (VERY POOR), on a scale of 0 to 1000
7 incidents
-18.2 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
597
MAY 2026
612
Cyber Attack
21 May 2026 • CPS
Check Point: Revealed: Top five most vulnerable countries to an impending cyberattack
Global Cyberattack Vulnerability Report Highlights Indonesia as Top Target for AI-Powered Threats
595
LOW-17
CHE1779395576
A 2026 study by cybersecurity firm Check Point reveals Indonesia as the most vulnerable country to AI-driven cyberattacks, with nearly half of its internet-connected devices targeted by hackers. The research analyzed five major attack types (botnets, infostealers, banking trojans, ransomware, and mobile malware), ranking nations based on device exposure, economic impact, and cybersecurity defenses.
Key Findings:
- Indonesia leads the list, with 47% of devices under attack. Weak defenses (47.5/100) and high AI-driven automation in attacks contribute to its vulnerability. Infostealers compromise 16% of devices, while botnets affect 21%.
- Mongolia ranks second, with 30% of devices targeted. Low cybersecurity scores (50/100) and widespread internet use (85% penetration) make it a prime target, despite modest average incomes ($7K/year).
- Mexico follows in third, with 29% of devices at risk. Botnets (10.6%) and ransomware (8.4%) dominate attacks, fueled by high internet usage (81%) and weak defenses (38/100). Average incomes ($14K/year) make it a lucrative target.
- Saudi Arabia, despite stronger defenses (78.33/100), faces attacks on 28.5% of devices. High average incomes ($35K/year) and AI adoption (26%) create high-value targets, amplifying financial losses from breaches.
- Georgia rounds out the top five, with 28% of devices targeted. Banking trojans alone affect 8% of accounts, while rapid AI adoption (18%) outpaces security measures.
The study underscores how AI-powered attacks exploit weak defenses, high internet penetration, and economic disparities to maximize damage, with emerging economies bearing the brunt of automated threats.
MAY 2026
614
Vulnerability
07 May 2026 • CPS
Check Point, Nissan and Court Services Victoria: Check Point links VPN zero-day attacks to Qilin ransomware gang
Check Point Patches Critical Zero-Day Exploited in VPN Attacks Linked to Qilin Ransomware
611
CRITICAL-3
NISCHEHAR1780929039
Israeli cybersecurity firm Check Point has released urgent security updates to address a critical authentication bypass vulnerability (CVE-2026-50751) in its Remote Access VPN and Mobile Access deployments. The flaw, actively exploited in zero-day attacks since May 7, allows unauthenticated remote attackers to bypass authentication on vulnerable systems, including Mobile Access/SSL VPNs, Remote Access VPNs, and Spark firewalls.
The vulnerability affects only deployments using the deprecated IKEv1 key exchange protocol, specifically those configured to accept legacy Remote Access clients without requiring machine certificate authentication. Exploitation surged in early June, impacting a few dozen organizations globally, with at least one confirmed case tied to the Qilin ransomware operation.
Check Point’s investigation also uncovered a second flaw (CVE-2026-50752), which enables man-in-the-middle attacks on site-to-site VPN connections due to improper certificate validation in IKEv1. While no active exploitation of CVE-2026-50752 has been observed, the company urges immediate patching to prevent potential exposure.
For organizations unable to patch immediately, Check Point recommends disabling IKEv1 support, enforcing IKEv2-only authentication, mandating machine certificate authentication, and enabling IPS with updated signatures.
Qilin, a Ransomware-as-a-Service (RaaS) group active since August 2022, has claimed nearly 400 victims via its dark web leak site, targeting high-profile entities such as Nissan, Asahi, Lee Enterprises, Synnovis, and Australia’s Court Services Victoria. The group’s involvement in the Check Point VPN attacks underscores the growing threat of ransomware actors exploiting critical infrastructure vulnerabilities.
APRIL 2026
615
MARCH 2026
615
FEBRUARY 2026
614
JANUARY 2026
612
Vulnerability
14 Jan 2026 • CPS
Check Point: Critical Vulnerability In Check Point Harmony SASE Allows Local Privilege Escalation On Windows
Check Point Harmony SASE Windows Client Flaw Grants SYSTEM Privileges via JWT Manipulation
608
CRITICAL-4
CHE1769604337
A critical vulnerability in Check Point’s Harmony SASE Windows client (CVE-2025-9142) allows local attackers to escalate privileges to SYSTEM by exploiting poor validation in certificate processing. The flaw affects versions below 12.2, with the last update issued on January 14, 2026.
The issue stems from the Perimeter81 service component, which runs with elevated privileges. Attackers can manipulate the tenant name in a JWT token, passed via IPC or URI handlers, to trigger directory traversal. This enables the service to write or delete files outside its intended directory, for example by crafting paths like `../../../../../../../../../sleep` to target `C:\sleep`.
The vulnerability arises from inadequate JWT signature verification in the `SaferVPN.Core.Sdp.SdpCertificates` class, which uses a user-supplied `WorkingDirectory` from the JWT’s `tenantId` field without proper validation. Functions like `CleanCertFolder()` and `GenerateAndLoadCertificates()` executed as SYSTEM can then delete or write files in arbitrary locations.
Exploitation requires local access and follows a precise sequence:
1. Pre-create a target directory (e.g., `C:\sleep`).
2. Invoke the URI handler (`perimeter81://`) with a tampered JWT, delaying a rogue server’s CSR response.
3. Swap the directory with a symlink (via RPC Control) to redirect writes, e.g., replacing `client.crt` with a path like `C:\Windows\System32\newfile.dll`.
4. Serve malicious certificate content, which the SYSTEM service writes, potentially enabling DLL hijacking on restart.
A proof-of-concept (PoC) demonstrates achieving a SYSTEM shell via automated named pipes, local web servers, and symlink timing. While Microsoft patches (e.g., CVE-2024-38014) mitigate older OpLock tricks, symlink-based attacks remain viable.
Impacted versions include Harmony SASE 11.5.0.2501 and all releases below 12.2. The client supports 40+ allowed domains (e.g., `perimeter81.com`, `sase.checkpoint.com`), but attackers bypass these controls by forging unverified JWTs. Notably, QA environments (e.g., `splinter.saseqa.checkpoint.com`) are also vulnerable.
Check Point has released version 12.2 to address the flaw, urging users to upgrade via sk182466. The accompanying SK article (sk184557) details symptoms, root causes, and remediation steps. The researcher behind the discovery returned the domain `p81-falcon.com` to aid patching, and updated TLS certificates now block rogue server setups.
The flaw underscores risks in SASE clients processing web-derived inputs without strict validation, highlighting the need for privileged service hardening even in local attack scenarios.
DECEMBER 2025
611
NOVEMBER 2025
618
OCTOBER 2025
663
Breach
16 Oct 2025 • CPS
Check Point (as referenced in the article, representing a generalized case of affected organizations)
Undetected Cloud Security Breaches and Delayed Response Trends (2025)
612
CRITICAL-51
CHE2532625101625
The article highlights a systemic issue across 66% of organizations that experienced cloud security breaches in the past year, with 91% of incidents remaining undetected for over an hour and 62% taking more than 24 hours to remediate. Prolonged exposure allowed attackers to escalate privileges, exfiltrate data, or deploy ransomware, leading to reputational damage, regulatory fines (e.g., GDPR penalties), and operational disruptions. Causes included misconfigured cloud storage, overly permissive access controls, disabled logging (e.g., AWS CloudTrail), and alert fatigue—exacerbated by fragmented hybrid environments. The delayed response enabled adversaries to maintain persistence, perform account takeovers, and exploit cloud resources for malicious purposes, compounding financial and legal risks. While no single company is named, the pattern reflects widespread vulnerabilities in cloud security postures, with breaches often escalating from initial access to data theft or system compromise before mitigation.
SEPTEMBER 2025
662
AUGUST 2025
672
Cyber Attack
01 Aug 2025 • CPS
Check Point Research (Education Sector - India)
Surge in Cyberattacks Targeting Indian Organizations in August 2025
656
CRITICAL-16
CHE0532105091725
In August 2025, the education sector in India—highlighted by Check Point Research—faced an average of 4,178 cyberattacks per organization weekly, marking a 13% year-on-year increase. The sector’s rapid digitization, coupled with chronic underfunding in cybersecurity, expanded its attack surface, making it a prime target for threat actors. While the report did not specify the exact nature of each attack, the scale and frequency suggest data breaches, ransomware, or disruptive cyberattacks aimed at exploiting vulnerable systems. Given the sector’s role in handling student records, financial aid data, and research intellectual property, compromises could lead to financial fraud, reputational damage, or operational disruptions (e.g., halting online classes or exam systems).
The attacks align with broader trends where education globally remains the most targeted sector, with India’s volume surpassing the worldwide average (1,994 attacks/week). Though no specific incident was detailed, the pattern implies high-severity threats, potentially involving phishing, malware, or ransomware campaigns designed to extract sensitive data or cripple institutional infrastructure. The lack of robust defenses exacerbates risks, increasing the likelihood of prolonged outages, data leaks, or financial losses—directly impacting students, faculty, and administrative operations.
JULY 2025
672
APRIL 2025
713
Breach
01 Apr 2025 • CPS
Check Point
Check Point Data Breach
662
CRITICAL-51
CHE417040125
A hacker using the alias CoreInjection claims to have obtained sensitive data from Check Point, including user credentials, employee contract details, and internal network maps. Check Point downplays the incident, asserting it relates to a limited and previously addressed breach. The breach supposedly involved just one account with restricted portal access and did not extend to customers' systems, production, or security architecture. Despite the company's stance, security experts like Hudson Rock CTO Alon Gal suggest Check Point may have had an administrator account compromised, indicating a serious breach with potential internal company data leaks.
JANUARY 2025
794
Ransomware
01 Jan 2025 • CPS
Check Point Research (hypothetical victim: an unnamed US educational institution)
Global Surge in Cyberattacks on Educational Institutions (2025)
708
CRITICAL-86
CHE0802408090925
An unnamed educational institution in the US fell victim to a ransomware attack amid a 41% global surge in cyberactivity targeting schools (Jan–Jul 2025). The attack, part of a broader trend where US institutions saw a 67% year-on-year increase, encrypted critical systems including student records, financial aid databases, and research data. The breach disrupted operations for weeks, forcing cancellations of online classes and delaying admissions processing. While no direct evidence of data exfiltration was confirmed, the attackers demanded a multi-million-dollar ransom, threatening to leak sensitive student and faculty information if unpaid. The institution faced reputational damage as local media covered the incident, and parents raised concerns over data privacy. Recovery costs—including system restoration, legal fees, and cybersecurity upgrades—exceeded $5 million, straining the institution’s budget. The attack underscored the education sector’s vulnerability, now the most targeted globally, with ransomware groups exploiting underfunded IT defenses.