🚨Week 30: Qantas Breach, Air Serbia Cyberattack, SharePoint Breach, Cloudflare Blocks Pirate Sites, Congress Revisits Stuxnet...

Insights into Cyber Risks, Threat Intel, Government and Regulations, Startup and VC updates

Join an exclusive group of senior cybersecurity leaders for a full-day experience during the Abu Dhabi Grand Prix - featuring curated conversations, peer networking, and premium hospitality alongside one of the world’s most prestigious sporting events.

Who Should Attend

This invitation-only event is designed for:

  • CISOs & Heads of Information Security

  • CIOs, CTOs, and Technology Strategy Leaders

  • Board-level Executives & Risk Leaders

  • Senior Management from Critical Infrastructure, Finance, Energy, Government & Enterprise

Register your interest here

Executive Summary

Microsoft has confirmed that a China-based actor it tracks as Storm-2603, along with the nation-state groups Linen Typhoon and Violet Typhoon, is exploiting a chain of vulnerabilities in on-premises SharePoint Server collectively dubbed ToolShell: CVE-2025-49704 (deserialization leading to remote code execution) and CVE-2025-49706 (authentication spoofing), plus CVE-2025-53770 and CVE-2025-53771, variants that bypass the original July fixes for those two bugs. SharePoint Online in Microsoft 365 is not affected. Since July 18, 2025, Storm-2603 has deployed Warlock ransomware on compromised servers, shifting the campaign from espionage to financially motivated extortion.

At least 400 organizations have been impacted across government, defense, education, and critical infrastructure sectors, including the U.S. National Nuclear Security Administration, the Education Department, the Rhode Island General Assembly, and agencies in Europe and the Middle East. Attackers have planted a web shell (spinstall0.aspx) that reads the server's ASP.NET MachineKey (ValidationKey and DecryptionKey), harvested credentials from LSASS with Mimikatz, and then spread ransomware via PsExec and Group Policy modifications. A stolen MachineKey lets an attacker forge signed __VIEWSTATE payloads and regain code execution on a server that has since been patched, so patching alone does not close the door.

Microsoft urges immediate action: install the July 2025 security updates on all supported on-premises SharePoint versions (Subscription Edition, 2019 and 2016); configure AMSI integration in Full Mode with Defender Antivirus or an equivalent on every SharePoint server; rotate the ASP.NET machine keys after patching; restart IIS on every server in the farm; and deploy Defender for Endpoint or an equivalent EDR to hunt for the web shell and post-exploitation activity.

Key Facts & Impact

  • Affected vulnerabilities: CVE-2025-49704 and CVE-2025-49706, plus the patch-bypass variants CVE-2025-53770 and CVE-2025-53771, all exploited in the wild.

  • Actors involved: Storm-2603 (Warlock and, previously, LockBit deployment), plus the state-linked groups Linen Typhoon and Violet Typhoon.

  • Scope: ~400 organizations reportedly compromised globally.

  • High-value targets: national-level agencies, including U.S. nuclear and education bodies.

  • Impact: MachineKey theft enables re-entry after patching; ransomware encrypts critical systems and funds the extortion operation.

  • Attack chain: unauthenticated POST to ToolPane.aspx (initial RCE) → web shell (spinstall0.aspx) exfiltrating the MachineKey → credential harvesting via LSASS/Mimikatz → lateral movement (PsExec, WMI) → ransomware pushed via GPO modifications.

  • Mitigation steps: patch immediately, enable AMSI and Defender, rotate machine keys after patching, restart IIS, deploy EDR.

This incident underscores a dangerous shift from espionage to ransomware targeting strategic infrastructure, with long‑lasting consequences if not urgently addressed.
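As an added example, not code from the newsletter or from Microsoft, the script below ties the attack chain and the mitigation steps together for a SharePoint administrator: it hunts IIS logs for the public ToolShell indicators (a POST to ToolPane.aspx?DisplayMode=Edit with a SignOut.aspx Referer, and any request to a spinstall*.aspx file), checks the LAYOUTS folders for the web shell on disk, and rotates the ASP.NET machine keys with the SharePoint cmdlet Microsoft's guidance names. Assumptions: the sample IIS log lines are constructed, the farm URL and client IPs are made up, the LAYOUTS paths are the default install locations, and the cmdlet and parameter names (Update-SPMachineKey -WebApplication, Get-SPWebApplication -IncludeCentralAdministration) are as documented for supported SharePoint versions after the July 2025 updates.

```powershell
# Added example: ToolShell triage helpers. Run in an elevated SharePoint Management Shell.
# Key rotation must run AFTER the July 2025 updates are installed, otherwise the attacker
# simply re-exploits the server and reads the new keys.

# --- 1. Hunt IIS W3C logs for the exploit request and web-shell hits -----------------
# Parses the "#Fields:" header so the column order of the log file does not matter.
function Find-ToolShellRequests {
    param([Parameter(Mandatory)][string[]]$LogLines)
    $fields = $null
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if (-not $fields -or [string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $cols = $line -split '\s+'
        $row  = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $cols.Count); $i++) { $row[$fields[$i]] = $cols[$i] }

        $reason = $null
        if ($row['cs-method'] -eq 'POST' -and
            $row['cs-uri-stem']  -match '(?i)/_layouts/(15/)?ToolPane\.aspx$' -and
            $row['cs-uri-query'] -match '(?i)DisplayMode=Edit' -and
            $row['cs(Referer)']  -match '(?i)/_layouts/(15/)?SignOut\.aspx') {
            $reason = 'ToolPane.aspx POST with SignOut.aspx Referer (exploit request)'
        }
        elseif ($row['cs-uri-stem'] -match '(?i)/_layouts/(15/)?spinstall\d*\.aspx$') {
            $reason = 'request to spinstall*.aspx web shell (MachineKey exfiltration)'
        }
        if ($reason) {
            [pscustomobject]@{
                Time     = "$($row['date']) $($row['time'])"
                ClientIP = $row['c-ip']
                Status   = $row['sc-status']
                Reason   = $reason
            }
        }
    }
}

# --- 2. Look for the web shell on disk ----------------------------------------------
# Published IoC is spinstall0.aspx in the LAYOUTS folder; numbered variants were also
# reported, hence the wildcard. Paths assume a default install (16 = 2016/2019/SE hive).
function Find-ToolShellWebShells {
    $roots = @(
        "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
        "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS"
    )
    foreach ($root in $roots) {
        if (Test-Path $root) {
            Get-ChildItem -Path $root -Filter 'spinstall*.aspx' -File -ErrorAction SilentlyContinue |
                Select-Object FullName, LastWriteTimeUtc, Length
        }
    }
}

# --- 3. Rotate ASP.NET machine keys and restart IIS ---------------------------------
# Invalidates any ValidationKey/DecryptionKey already stolen; without this a patched
# server still accepts forged __VIEWSTATE payloads signed with the old key.
# Run once from any farm server, then iisreset on EVERY server in the farm.
function Invoke-SPMachineKeyRotation {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    foreach ($webApp in (Get-SPWebApplication -IncludeCentralAdministration)) {
        Write-Host "Rotating machine key for $($webApp.Url)"
        Update-SPMachineKey -WebApplication $webApp
    }
    iisreset.exe
}

# Constructed sample log (not real traffic) so the hunt can be exercised offline.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 03:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\alice 10.0.0.21 Mozilla/5.0 - 200 0 0 45
2025-07-19 03:15:22 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.77 Mozilla/5.0 https://sp.corp.example/_layouts/SignOut.aspx 200 0 0 812
2025-07-19 03:15:23 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.77 Mozilla/5.0 - 200 0 0 31
'@ -split "`r?`n"

Find-ToolShellRequests -LogLines $sampleLog | Format-Table -AutoSize   # flags the two 203.0.113.77 lines
# Live server: Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC*\*.log' | ForEach-Object { Find-ToolShellRequests -LogLines (Get-Content $_) }
Find-ToolShellWebShells
# Invoke-SPMachineKeyRotation   # run deliberately, after patching, then iisreset on every farm server
```

A hit from the hunt function, or a spinstall file on disk, means the MachineKey should be treated as compromised regardless of what else is found; rotate it, then look for the follow-on activity the newsletter describes (Mimikatz against LSASS, PsExec and WMI lateral movement, and GPO changes), since a successful 200 on ToolPane.aspx was the first step, not the last.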

💻 Malware and Vulnerabilities

Patchwork Targets Turkish Defence Firms via Spear‑Phishing: The state‑linked Patchwork APT (aka APT-C‑09/Quilted Tiger) is spear‑phishing Turkish defence contractors using malicious LNK files disguised as unmanned systems conference invites. The five‑stage chain delivers payloads enabling espionage, with targets including missile‑system manufacturers amid rising India‑Pakistan regional tensions. Link

Critical Null-Pointer Bugs in Bloomberg Comdb2 Allow DoS: Cisco Talos disclosed five vulnerabilities in Bloomberg's Comdb2 database, three null-pointer dereferences and two assertion flaws (CVE-2025-36520, 35966, 48498, 46354, 36512), that allow remote denial-of-service via crafted TCP or protocol-buffer messages. The medium-severity flaws impact Comdb2 8.1 instances worldwide and were patched promptly. Link

New VoIP Botnet Recruits Routers via Default Credentials: Researchers uncovered a Mirai‑style botnet targeting VoIP‑enabled routers using default Telnet passwords. Initial detection in New Mexico exposed ~90 compromised devices, with evidence of 500+ routers infected globally—including industrial utility networks. The campaign highlights risks from unmanaged edge devices in botnet provisioning. Link

CISA Adds CrushFTP, Chrome & SysAid Flaws to Exploited Catalog: CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) list: a critical zero-day in CrushFTP (CVE-2025-54309) enabling admin takeover; a Chrome ANGLE/GPU sandbox escape (CVE-2025-6558); and two XML external entity flaws in SysAid On-Prem (CVE-2025-2775/2776). These actively exploited bugs expose organizations to remote code execution and privilege escalation. Link

Mozilla Fixes Critical Firefox Vulnerabilities: Mozilla issued patches for Firefox to address critical flaws, including remote code execution and sandbox escapes. Unpatched systems may be exploited by malicious websites to compromise users. Link

📈 Breaches and Incidents

Ameos Data Breach Triggers GDPR Disclosure: Healthcare provider Ameos confirmed unauthorized access to sensitive patient data. As mandated under GDPR Article 34, the company issued a disclosure notice. Medical identity theft and privacy risks for affected individuals are a concern. Link

Fitify Leak Exposes User Photos and Personal Data: Fitify fitness app exposed over 600,000 personal files, including user-submitted photos, due to unsecured cloud storage. The breach could lead to reputational harm, identity theft, and targeted scams for users. Link

Qantas Wins Legal Block on Hackers’ Data Leak: Qantas obtained a court injunction to stop cybercriminals from leaking stolen employee data. The breach reportedly included payroll and HR information, which could lead to identity fraud if released. Link

BBC Covers Live Cyberattack Across UK: A large-scale ransomware campaign impacted UK public and private sectors. BBC covered the unfolding crisis live, highlighting disruptions to services and emergency responses. Link

Seychelles Bank Confirms Client Data Breach: Seychelles Commercial Bank disclosed a breach that exposed client records. Financial fraud and identity theft are likely risks, especially for international account holders. Link

Air Serbia Confirms Coordinated Cyberattacks: Air Serbia reported ongoing cyberattacks affecting operational systems. While flight operations remain intact, customer data and backend infrastructure may be compromised. Link

BigONE Exchange Hit by Security Breach: Crypto exchange BigONE revealed a breach impacting platform integrity. Trading was paused temporarily; while no major financial loss was reported, user confidence has been shaken. Link

U.S. Nuclear Agency Breached via Microsoft SharePoint: Hackers exploited a SharePoint flaw to breach the Department of Energy’s nuclear division. This exposure of a critical system poses serious national security and infrastructure threats. Link

BBC Subdomain Used for Crypto Scams: A BBC subdomain was hijacked to promote crypto investment scams. The phishing campaign misused brand trust to steal funds and personal information from victims. Link

🚨 Threat Intel & Info Sharing

Spyware Campaign Targets Iranians Ahead of Potential War: Iranians were targeted with spyware disguised as fake messaging apps in an advanced campaign likely tied to rising tensions with Israel. Security researchers say this surveillance could enable preemptive strikes, dissident tracking, or disinformation efforts. The spyware had full access to device data and communications. Link

Dark Web Travel Agencies Help Criminals Evade Capture: Trustwave exposed underground services offering forged passports, fake IDs, and custom travel plans to cybercriminals seeking to evade law enforcement. These services facilitate global movement post-breach or post-ransom, compounding the difficulty of tracking fugitives. Link

CISA Flags Exploited Flaws in Ivanti and ConnectWise: CISA’s advisory warns of active exploitation of Ivanti EPM and ConnectWise vulnerabilities. Attackers can bypass authentication, take over systems, and deploy malware. Public and private sector IT systems are at elevated risk without urgent patching. Link

Global Ransomware Evolution Traced from Mamona: Picus Security’s report follows a ransomware group from its low-level beginnings to becoming a sophisticated operation. The evolution includes enhanced automation, use of RaaS (ransomware-as-a-service), and more aggressive extortion tactics, posing greater risk to enterprises worldwide. Link

⚖️ Laws, Policies and Regulations

UK to Lead Crackdown on Cyber Criminals with Ransomware Measures: The UK has announced plans to ban public sector bodies and critical infrastructure operators from paying ransomware demands; private firms would have to notify authorities before paying, enabling support and sanctions-compliance checks.

House Committee Holds ‘Stuxnet 15 Years Later’ Hearing on Infrastructure Threats: On July 22, 2025, the U.S. House Homeland Security Subcommittee convened a hearing titled “Fully Operational: Stuxnet 15 Years Later and the Evolution of Cyber Threats to Critical Infrastructure,” examining industrial‑control vulnerabilities and threat evolution.

⚖️ Cybersecurity Start Ups and VCs

Darktrace Buys Mira to Improve Network Visibility: Cybersecurity firm Darktrace acquired Mira Security to bolster its deep packet inspection capabilities. This move strengthens its threat detection across encrypted traffic. Link

Crypto Crime Down in 2025, Chainalysis Finds: Chainalysis reports a mid-year decline in crypto crime due to better tracing tools and enforcement. Ransomware still accounts for a large share of illicit crypto flows. Link

Android Malware Surge Detailed in Irish Cyber Report: The Irish NCSC’s report outlines BadBox 2.0’s tactics, which include device hijacking, ad fraud, and persistent surveillance. The malware is often pre-installed on off-brand Android devices. Link

📅 Upcoming Events

If you would like to sponsor any of our future in person or virtual events then please email us on [email protected] 

Virtual Event: Generative AI & Cybersecurity: Risks and Opportunities

Generative AI is reshaping the cybersecurity landscape, empowering Security Operations Centers (SOCs) with intelligent automation, predictive analytics, and faster incident response. However, with this innovation comes a new class of threats: AI-generated phishing campaigns, polymorphic malware, and code exploits crafted by LLMs.

Register your interest to join here.

We hope you enjoyed our email briefing! ☕🥮If you want to sponsor our next edition or advertise on our site, drop us an email [email protected].

Thank you for being a part of our newsletter community and you can be part of the community by joining our LinkedIn Group.