1. Palo Alto Networks to Acquire CyberArk for $25 Billion, Targeting Identity Security

Palo Alto Networks announced plans to buy identity security specialist CyberArk for about $25 billion, marking its biggest acquisition to date and a strategic push into complex identity management.

Key Details

  • The $25 billion all-cash deal is roughly 25× larger than Palo Alto’s typical acquisitions.
  • CyberArk generated over $1 billion in revenue in 2024, up 33% year-over-year.
  • Machine identities now outnumber human identities 45:1, with 79% of orgs expecting a 150% spike.
  • This is the second-largest cybersecurity transaction of 2025, following Google’s $32 billion Wiz buy.

Read more at


2. New “Plague” PAM Backdoor Enables Silent SSH Credential Theft on Linux

Security researchers have identified a new Linux backdoor named “Plague” that embeds into Pluggable Authentication Modules (PAM) to bypass authentication and harvest SSH credentials undetected. Deployed since at least July 2024 and invisible to antivirus engines, Plague persists through updates, erases session traces, and uses built-in credentials and anti-debugging techniques to maintain covert access.

Key Details

  • Samples first appeared on VirusTotal in July 2024; none of them trigger AV detections.
  • Four core features: static backdoor credentials, anti-debugging, string obfuscation, SSH session erasure.
  • Erases SSH_CONNECTION/SSH_CLIENT vars and redirects HISTFILE to /dev/null to remove audit logs.
  • Deeply integrates into the PAM stack, survives system updates, and leaves minimal forensic footprints.

Next Steps

  • Audit /etc/pam.d and /lib/security for unauthorized modules
  • Enable file integrity monitoring on PAM libraries
  • Restrict write permissions on authentication modules
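One way to carry out the first audit step, as an added example (not code from the article or from the researchers who analysed Plague): a small Python parser for pam.d rules that flags modules outside an allowlist or loaded by absolute path from a non-standard directory. The allowlist, the sample sshd stack and the module names in it are constructed for the demo.

```python
import re
from pathlib import Path

# Illustrative allowlist (assumption): derive the real one from the distro's
# PAM packages (dpkg -L / rpm -ql), not from what currently sits on disk.
EXPECTED_MODULES = {"pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so",
                    "pam_systemd.so", "pam_limits.so", "pam_faillock.so", "pam_sss.so"}

# Rule syntax: type control module-path [args]; control is one word or a
# bracketed list such as [success=1 default=ignore]; a leading '-' marks the
# module as optional-if-missing.
PAM_RULE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)"
)

def parse_pam_rules(text):
    """Yield (type, control, module) per rule; comments and @include are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = PAM_RULE.match(line)
        if m:
            yield m.group("type"), m.group("control"), m.group("module")

def unexpected_modules(text, expected=EXPECTED_MODULES):
    """Rules whose module is not allowlisted or is loaded by absolute path from
    outside a .../security directory; a dropped-in backdoor usually does both."""
    findings = []
    for rule_type, control, module in parse_pam_rules(text):
        path = Path(module)
        off_path = path.is_absolute() and path.parent.name != "security"
        if path.name not in expected or off_path:
            findings.append((rule_type, control, module))
    return findings

def audit_pam_dir(pam_d="/etc/pam.d"):
    """Scan a live pam.d directory; returns {filename: findings} for files with hits."""
    report = {}
    for f in sorted(Path(pam_d).iterdir()):
        if f.is_file():
            hits = unexpected_modules(f.read_text(errors="replace"))
            if hits:
                report[f.name] = hits
    return report

# Constructed sshd stack with two hand-placed modules for the demo.
SAMPLE_SSHD = """\
@include common-auth
auth     [success=1 default=ignore]  pam_sss.so use_first_pass
auth     required                    pam_unix.so nullok
-session optional                    pam_systemd.so
account  sufficient                  pam_cache.so
auth     optional                    /usr/local/lib/pam_helper.so
"""
```

Run `audit_pam_dir()` on a host to get the same findings per file; pair it with a package-manager ownership check (dpkg -S / rpm -qf) on any module it reports.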

Read more at


3. Akira Ransomware Hits Fully-Patched SonicWall SSL VPNs via Likely Zero-Day

Researchers report a surge in Akira ransomware intrusions leveraging SonicWall SSL VPN appliances, including fully-patched devices, since mid-July 2025—indicating a probable zero-day vulnerability. Compromised VPN sessions rapidly escalate to ransomware encryption, putting business continuity at risk. Security teams should treat all SonicWall SSL VPN endpoints as high-risk until a vendor patch is available.

Key Details

  • Multiple intrusions showed VPN access to SonicWall SSL VPNs followed by ransomware within hours.
  • Some attacks targeted fully-patched devices, suggesting exploitation of an unknown zero-day flaw.
  • Akira group has extorted an estimated $42 million from 250+ victims since 2023 and was Q2 2025’s second-most active ransomware actor.

Next Steps

  • Disable SonicWall SSL VPN services until a security update is released.
  • Enforce multi-factor authentication for all remote access accounts.
  • Audit VPN logs for connections from non-ISP IP ranges (e.g., VPS hosts).
  • Remove or disable inactive local firewall user accounts.

Read more at


4. Threat Actors Impersonate 50+ Microsoft OAuth Apps with Tycoon Kit to Phish MFA

Researchers at Proofpoint have uncovered an ongoing campaign where attackers register fake Microsoft OAuth applications—masquerading as vendors like RingCentral, Adobe, SharePoint and ILSMart—and use Tycoon and ODx phishing kits to harvest credentials and MFA codes from targeted Microsoft 365 users. 

More than 3,000 account compromise attempts across 900+ Microsoft 365 tenants have been observed in 2025 alone, driven by phishing emails from compromised senders that lure victims into granting OAuth permissions or completing a CAPTCHA before landing on an adversary-in-the-middle login page. Microsoft’s planned August 2025 update to block legacy authentication and enforce admin consent on third-party apps is expected to curtail this technique.

Key Details

  • The campaign began in early 2025 and leverages over 50 distinct fake OAuth apps.
  • Even if users deny permission, they’re redirected through a CAPTCHA to a phishing page.
  • Proofpoint observed a recent Adobe-impersonation variant sent via Twilio SendGrid.
  • Microsoft’s August 2025 changes will block legacy auth protocols and require admin-level consent for new apps.

Next Steps

  • Audit existing OAuth app consents in Azure AD.
  • Enforce admin consent for all third-party application permissions.
  • Block legacy authentication protocols via Conditional Access.

Read more at


5. Storm-2603 Deploys DNS-Based AK47 C2 Backdoor to Deliver Warlock and LockBit Ransomware

A China-linked actor exploited two SharePoint Server flaws (CVE-2025-49704, CVE-2025-49706) to install a custom DNS-controlled AK47 C2 backdoor, enabling deployment of Warlock and LockBit Black ransomware. The operation combines open-source tools and a BYOVD anti-defense driver to disable security software, illustrating a hybrid APT-style methodology with likely financial motives.

Key Details

  • AK47 C2 framework includes HTTP (AK47HTTP) and DNS (AK47DNS) clients using update.updatemicfosoft[.]com.
  • Ransomware delivered via DLL sideloading: 7z.exe/7z.dll for Warlock, MSI installer for LockBit Black.
  • Custom “VMToolsEng.exe” kills endpoint defenses using a BYOVD driver (ServiceMouse.sys).
  • Activity dates back to March 2025, targeting Latin America and APAC concurrently.

Next Steps

  • Monitor DNS queries for update.updatemicfosoft[.]com.
  • Audit use of 7z.exe, MSI installers and their DLL load paths.
  • Block ServiceMouse.sys driver loads.

Read more at


6. Secret Blizzard Conducts ISP-Level AitM Attacks on Moscow Embassies with ApolloShadow Malware

Secret Blizzard has been intercepting ISP traffic for foreign embassies in Moscow since 2024, redirecting devices to captive portals to install ApolloShadow malware. ApolloShadow implants trusted root certificates, creates backdoor accounts, and relaxes firewall rules to maintain persistent espionage access.

Key Details

  • Malware delivered via ISP-level adversary-in-the-middle using lawful intercept.
  • ApolloShadow installs two root certificates via certutil and a Firefox-compatible wincert.js.
  • Creates “UpdatusUser” admin account and switches network profiles to Private.
  • Campaign active since at least 2024 against diplomatic devices in Moscow.

Next Steps

  • Audit and revoke any untrusted root certificates immediately.
  • Enforce least-privilege access and routinely review admin group memberships.
  • Route traffic through trusted VPNs or encrypted tunnels.

Read more at


7. Silk Typhoon Hackers File Over Ten Patents for Intrusive Forensics and Data Collection Tools

SentinelLabs analysis revealed that two companies tied to China’s Ministry of State Security have lodged over ten patent applications for advanced forensics and data collection tools. The filings cover automated evidence collection across Windows, macOS, mobile, routers, and IoT, indicating a systematic build-out of Silk Typhoon’s offensive arsenal and increasing risk to enterprise networks.

Key Details

  • Patents filed by Shanghai Powerock Network Co. and Shanghai Firetech Info Science & Tech Co.
  • Tools include “remote automated evidence collection,” Apple forensics, router traffic capture, and IoT analysis
  • Applications cover FileVault bypass, hard-drive decryption, and remote mobile device evidence extraction
  • Investigation follows DOJ indictment of two MSS-affiliated hackers linked to Hafnium/Silk Typhoon

Read more at


8. Attackers Weaponize Free EDR Trials to Disable Existing Security Tools

Researchers have discovered “EDR-on-EDR violence,” where attackers enroll in free trials of endpoint detection and response software, install it on compromised hosts, and use it to silently disable existing security agents—even those protected by tamper safeguards.

Key Details

  • Security researchers Ezra Woods and Mike Manrod documented how trial EDR installs can remove exclusions and block hashes of incumbent agents without alerts.
  • Cisco Secure Endpoint trials disabled CrowdStrike Falcon and Elastic Defend cleanly, causing targets to “go offline” from the console.
  • Some products (e.g., ESET) allow full takeover of remote-management and disk-encryption controls when abused.
  • CrowdStrike’s 2024 Threat Hunting Report shows a 70% YoY increase in RMM tool abuse, accounting for 27% of hands-on-keyboard intrusions.

Next Steps

  • Enforce application control to block unauthorized EDR installations.
  • Create custom Indicators of Attack for unsolicited EDR-trial deployments.

Read more at


9. H1 2025 Sees 800% Credential Theft Spike, 179% Ransomware Surge: Flashpoint Report

Flashpoint’s midyear threat intelligence finds credential theft up 800%, ransomware incidents up 179%, and vulnerability disclosures rising 246%, exposing billions of records and straining security teams.

Key Details

  • 1.8 billion credentials stolen via info-stealers like Lumma, Redline, StealC and Acreed.
  • 9.45 billion records exposed in breaches, 78% due to unauthorized access.
  • 20,000+ vulnerabilities disclosed H1 2025; 2,447 remotely exploitable with public exploits.
  • 2,160 ransomware attacks in the US; manufacturing, technology and legal hardest hit.

Next Steps

  • Enforce multifactor and adaptive authentication to curb credential misuse

Read more at


10. 17,000 SharePoint Servers Exposed Online; 840 Vulnerable to Critical Zero-Day

Shadowserver Foundation has found over 17,000 on-premises SharePoint servers exposed to the internet, including 840 vulnerable to the critical CVE-2025-53770 zero-day that enables unauthenticated remote code execution. 

Chinese threat actors have exploited this flaw since July 7—deploying webshells, stealing machine keys and delivering Warlock ransomware—posing immediate risk to government, healthcare, finance and education organizations.

Key Details

  • The “ToolShell” exploit chain carries a CVSS score of 9.8 and bypasses authentication.
  • At least 20 compromised servers host webshells (e.g., “spinstall0.aspx”), indicating active intrusion.
  • Victims include U.S. federal agencies (DOE’s NNSA, DHS, HHS, Education) and multiple sectors.
  • CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog with an emergency deadline.

Next Steps

  • Apply Microsoft’s emergency SharePoint patches immediately
  • Rotate ASP.NET machine keys after patching
  • Enable AMSI and scan servers for webshell artifacts

Read more at


11. Scattered Spider Exploits Help Desk to Hijack VMware vSphere and Deploy Ransomware

Google’s Threat Intelligence Group warns that UNC3944 (Scattered Spider) is using phone-based social engineering to reset Active Directory passwords and gain hypervisor access on VMware vSphere, enabling undetectable data theft and direct ransomware deployment. Their five-step method bypasses traditional EDR by operating at the ESXi hypervisor layer, manipulating VCSA bootloaders, and using Teleport for persistent SSH channels.

Key Details

  • Attack chain moves from low-privilege AD foothold to root ESXi control in five phases.
  • Two-step phone fraud tricks help desk into resetting standard then admin AD credentials.
  • Teleport open-source tool establishes encrypted SSH channels, bypassing firewalls.
  • Offline disk detachment of VMs steals Active Directory database and disrupts backups.

Next Steps

  • Enforce multi-factor verification for all help desk password resets.
  • Restrict and audit Teleport or similar SSH tooling on vSphere hosts.
  • Regularly test immutable backup restores from isolated snapshots.

Read more at


12. Critical “Man-in-the-Prompt” Vulnerability Lets Malicious Extensions Hijack AI Prompts

Researchers have uncovered a flaw in how AI assistants like ChatGPT, Google Gemini, Copilot and others integrate with browsers, allowing any basic browser extension to inject or alter prompts via the DOM and exfiltrate sensitive data—all without special permissions. This “Man-in-the-Prompt” attack affects billions of users and evades traditional security tools, exposing enterprises to IP theft, regulatory compliance failures, and undetected data leakage.

Key Details

  • Attack works through DOM manipulation in prompt input fields by malicious extensions.
  • Impacts 5 billion monthly ChatGPT visits, 400 million Gemini users; 99% of enterprises vulnerable.
  • Proof-of-concepts opened background tabs, injected prompts, exfiltrated responses, and erased histories.
  • Existing CASBs, SWGs and DLP tools lack visibility into real-time DOM-level interactions.

Next Steps

  • Disable installation of unauthorized browser extensions

Read more at


13. Critical RCE in Alone Charity WordPress Theme Actively Exploited

A critical remote code execution flaw (CVE-2025-5394, CVSS 9.8) in the Alone charity-focused WordPress theme (≤7.8.3) is being actively exploited to deploy webshells and gain full site control. Over 120,900 attack attempts have been blocked since July 12, underscoring the need for immediate updates and forensic review.

Key Details

  • Vulnerability in alone_import_pack_install_plugin AJAX action allows unauthenticated plugin installs.
  • Attackers deliver obfuscated backdoors via malicious ZIPs (e.g., wp-classic-editor.zip).
  • Top offending IPs: 193.84.71.244 (39,900+ requests), 87.120.92.24 (37,100+ requests).
  • Alone theme v7.8.5 (released July 14) patches the flaw; Wordfence firewall rules available since May 30.

Next Steps

  • Upgrade the Alone theme to version 7.8.5 or later immediately.
  • Scan /wp-content/plugins and /wp-content/upgrade for unfamiliar installs.
  • Review access logs for admin-ajax?action=alone_import_pack_install_plugin requests.
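The log review in the last step, as an added Python example not taken from the Wordfence report: it parses combined-format access logs for requests to the vulnerable AJAX action and counts them per source IP. The log lines are constructed; the two offending source addresses are the ones named above.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined log format as written by Apache/nginx; only the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
VULN_ACTION = "alone_import_pack_install_plugin"

def hits_vulnerable_action(request_path):
    """True when the request goes to admin-ajax(.php) with the vulnerable action
    in the query string. Caveat: POST bodies are not logged, so an action sent
    only in the body will not show up here; pair this with WAF or plugin logs."""
    parts = urlsplit(request_path)
    if "admin-ajax" not in parts.path:
        return False
    return VULN_ACTION in parse_qs(parts.query).get("action", [])

def hunt(lines):
    """Return (hits, per_ip): matching requests and a request count per source IP.
    A 200 on an unpatched site means the install may have succeeded; a 403 is
    usually the firewall rule blocking it."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and hits_vulnerable_action(m.group("path")):
            hits.append((m.group("ip"), m.group("method"), m.group("status"), m.group("ts")))
            per_ip[m.group("ip")] += 1
    return hits, per_ip

# Constructed access-log lines; the two offending IPs are those named in the report.
SAMPLE_LOG = [
    '193.84.71.244 - - [15/Jul/2025:03:12:44 +0000] "POST /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [15/Jul/2025:03:13:01 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '87.120.92.24 - - [15/Jul/2025:03:15:09 +0000] "GET /wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin HTTP/1.1" 403 199 "-" "curl/8.0"',
    '203.0.113.9 - - [15/Jul/2025:03:16:30 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found, counts = hunt(SAMPLE_LOG)
    for ip, method, status, ts in found:
        print(f"{ts} {ip} {method} -> {status}")
    print("per source IP:", dict(counts))
```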

Read more at


14. Lazarus Group Plants 234 Malicious Packages in npm and PyPI to Spy on Developers

Between January and July 2025, North Korea’s Lazarus Group deployed 234 weaponized packages across npm and PyPI, exposing over 36,000 developers to malware that steals credentials, profiles hosts, and establishes persistent backdoors. By hiding espionage implants in everyday dependencies and leveraging CI/CD workflows, the campaign turns trusted open source components into long-term attack vectors against critical infrastructure.

Key Details

  • Packages masqueraded as legitimate developer tools on npm and PyPI.
  • Campaign duration: January–July 2025, identified by Sonatype analysts.
  • Multi-stage payloads used dormant code, activating during development tasks.
  • Stealthy backdoors exfiltrated API tokens, credentials, and proprietary code.

Next Steps

  • Audit and block unverified or suspicious npm/PyPI packages.
  • Enforce cryptographic signature checks and maintain an SBOM for all dependencies.
  • Isolate CI/CD agents in ephemeral, sandboxed environments to contain threats.

Read more at


15. Attackers Leverage Proofpoint and Intermedia Link Wrappers to Evade Phishing Detection

Cybercriminals have begun embedding malicious URLs inside Proofpoint Protect and Intermedia LinkSafe wrappers to bypass email gateways and deliver credential-harvesting pages. By exploiting how these services validate or ignore signature mismatches, attackers slip phishing links past sandbox and URL-reputation checks, targeting finance, legal, and higher-ed sectors.

Key Details

  • Since August 1, over 180,000 wrapped-link phishing emails hit financial services, law firms, and universities.
  • Proofpoint uses a base64 “u=” parameter plus an HMAC “k=” token but still forwards on signature mismatch.
  • Intermedia’s LinkSafe lacks any integrity token, allowing unvalidated redirects to attacker sites.
  • Standard sandbox detonations and static URL-reputation checks are bypassed until the user’s session resolves the link.

Next Steps

  • Configure gateways to strip or rewrap Proofpoint/LinkSafe URLs before user delivery.
  • Hunt for base64 “u=” parameters that decode to external domains in email logs.
  • Enforce on-endpoint URL detonations and block suspicious redirects at browser level.
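An added Python illustration of the two points above (not Proofpoint's or Intermedia's code, and a toy link format rather than their real encoding): a wrapper with a base64 u= and an HMAC k= that shows why forwarding on signature mismatch is the weakness, plus a hunting helper that decodes u= from logged URLs and reports destinations outside the organisation's own domains. The wrapper base URL, the key and the domain list are assumptions.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Toy wrapper format assumed for illustration, not Proofpoint's or Intermedia's
# real encoding: https://wrap.example/v1?u=<urlsafe-b64 target>&k=<hex HMAC-SHA256>
WRAP_BASE = "https://wrap.example/v1"
OWN_DOMAINS = {"example.com", "mail.example.com"}  # assumption: the org's own hosts

def _b64decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)).decode()

def wrap(target, key):
    """Delivery time: the gateway encodes the destination and signs it."""
    u = base64.urlsafe_b64encode(target.encode()).rstrip(b"=").decode()
    k = hmac.new(key, u.encode(), hashlib.sha256).hexdigest()
    return f"{WRAP_BASE}?{urlencode({'u': u, 'k': k})}"

def resolve(wrapped, key, strict=True):
    """Click time. strict=False reproduces the weakness described above:
    the service forwards even when k= does not match u=."""
    q = parse_qs(urlsplit(wrapped).query)
    u, k = q.get("u", [""])[0], q.get("k", [""])[0]
    expected = hmac.new(key, u.encode(), hashlib.sha256).hexdigest()
    if strict and not hmac.compare_digest(expected, k):
        raise ValueError("signature mismatch: refusing to redirect")
    return _b64decode(u)

def external_targets(wrapped_urls):
    """Log hunt: decode u= of each wrapped URL and return (wrapped, target)
    pairs whose destination host is not one of our own domains."""
    out = []
    for w in wrapped_urls:
        q = parse_qs(urlsplit(w).query)
        if "u" not in q:
            continue
        try:
            target = _b64decode(q["u"][0])
        except (ValueError, UnicodeDecodeError):
            continue
        if (urlsplit(target).hostname or "") not in OWN_DOMAINS:
            out.append((w, target))
    return out

def lenient_vs_strict(key):
    """Constructed case: a wrapped link whose u= was swapped for an external target
    while the original k= stayed. Returns (lenient forward target, strict rejected?)."""
    good = wrap("https://mail.example.com/inbox", key)
    swapped = base64.urlsafe_b64encode(b"https://login.example.net/").rstrip(b"=").decode()
    tampered = good.replace(parse_qs(urlsplit(good).query)["u"][0], swapped)
    forwarded_to = resolve(tampered, key, strict=False)
    try:
        resolve(tampered, key, strict=True)
        rejected = False
    except ValueError:
        rejected = True
    return forwarded_to, rejected
```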

Read more at


16. Luxembourg Probes Cyberattack on Huawei-Based Routers That Caused Nationwide Telecom Outage

Luxembourg’s government is investigating a deliberate cyberattack on POST Luxembourg’s Huawei-supplied routers that knocked out 4G/5G networks for over three hours, overloading fallback systems and preventing many emergency calls. Officials say the incident exploited a vulnerability in a standardised software component and is now accelerating a national resilience review and exploring multi-operator failover regulations.

Key Details

  • Outage on July 23 lasted 3+ hours; 2G fallback overloaded, blocking emergency services calls.
  • Attackers targeted a “standardised software component” in Huawei VRP OS–based routers.
  • National alert system also failed, as it relies on the same mobile infrastructure.
  • CSIRT and public prosecutor conducting forensic and legal investigations.
  • Authorities accelerating critical-infrastructure resilience review and fallback procedures.

Read more at


17. Minnesota Activates National Guard to Assist St. Paul’s Cyberattack Response

Governor Tim Walz has deployed National Guard cyber units to support the City of St. Paul after a persistent attack disabled online payments and disrupted library and recreation services. The incident, which began on Friday and surpassed both internal and vendor response capacities, has left critical systems offline while emergency services remain unaffected.

Key Details

  • Attack onset Friday persists through weekend, impacting digital services and critical systems.
  • Online payments and some library/recreation services are down; emergency response remains operational.
  • City teams are coordinating with Minnesota IT Services and an external cybersecurity vendor.
  • An executive order notes the incident exceeded the city’s internal and commercial response capabilities.

Read more at

