Major Incidents or Breaches

  • AMEOS Group, a large Central European healthcare network, disclosed a security breach potentially exposing customer, employee, and partner information.
  • Dior confirmed a cyberattack from January 2025 that resulted in the theft of personal information. Payment information was not compromised.
  • Dell reported a breach of its Customer Solution Center demo environment by the World Leaks group. The company stated the leaked data was synthetic and not from real customers or partners.
  • A tech startup was found to be selling personal data stolen by infostealer malware and sourced from the dark web.

Newly Discovered Vulnerabilities

  • Microsoft SharePoint: Two critical vulnerabilities (CVE-2025-49704, CVE-2025-49706) are under active exploitation, with CISA adding them to its Known Exploited Vulnerabilities (KEV) catalog. The flaws have been exploited since at least July 7, 2025.
  • Cisco Identity Services Engine (ISE): Three recently patched critical remote code execution vulnerabilities are being actively exploited, allowing unauthenticated root access.
  • Helmholz REX 100 Industrial Routers: Eight vulnerabilities, including those enabling full device control, were discovered and patched.
  • Microsoft Windows Server: The KB5062557 update is causing cluster service and virtual machine restart issues.
  • Coyote Banking Trojan: A new variant is abusing Microsoft’s UI Automation framework to identify and target banking and cryptocurrency exchange sites.

Notable Threat Actor Activity

  • Chinese APTs (Linen Typhoon, Violet Typhoon, Storm-2603): Attributed to the exploitation of SharePoint zero-day vulnerabilities (ToolShell chain) targeting internet-facing SharePoint servers, with activity traced back to early July 2025.
  • China-backed APT41: Conducted a sophisticated cyber-espionage attack on an African IT company, marking the group’s expansion into new geographic regions.
  • Russian APTs: Three groups and 18 individuals were sanctioned by the UK government for involvement in cyber operations against Ukraine, NATO, and the EU.
  • Interlock Ransomware: CISA and the FBI reported escalating double extortion attacks targeting businesses and critical infrastructure.
  • AllaKore RAT, SystemBC, PureRAT, and Hijack Loader: Continued use in credential theft and remote access campaigns, particularly targeting Mexican organizations.
  • Lumma Infostealer: Resumed operations after law enforcement disruption in May 2025, with the infrastructure gradually coming back online.

Trends, Tools, or Tactics of Interest

  • Ransomware: Increased double extortion tactics and a notable rise in attacks on critical infrastructure and public sector organizations.
  • AI-Driven Threats: AI is being used to create convincing fake travel destinations and to clone voices for social engineering scams, as demonstrated in a recent AI voice scam extorting money from a victim.
  • Fake E-commerce Platforms: Surge in AI-powered scam sites used as attack vectors for data theft and fraud.
  • Infostealer Malware: The ecosystem for trading stolen personal data is expanding, with startups commercializing access to data harvested by malware.
  • Windows Accessibility Abuse: Malware such as Coyote is exploiting accessibility frameworks for more targeted credential theft.
  • Windows 11 Resilience: Microsoft introduced new recovery and resilience features, including a Black Screen of Death and automated recovery tools, in the KB5062660 update.

Regulatory or Policy Developments Affecting the Security Industry

  • UK Ransomware Payment Ban: The UK government is planning to prohibit public sector and critical infrastructure organizations from paying ransoms following ransomware attacks.
  • UK Sanctions: The UK imposed sanctions on Russian APT groups and individuals associated with high-profile cyber operations.
  • US Coast Guard Cybersecurity Rule: New cybersecurity requirements for maritime transport safety were issued, with phased implementation over two years to secure shipping ports.
  • China National Cyber ID: China launched a voluntary national Internet identity system aimed at protecting online identities, raising privacy and surveillance concerns.
  • Darktrace Acquisition: UK-based Darktrace acquired Mira Security to enhance network visibility and encrypted traffic decryption capabilities.