Cybersecurity Brief – 2025-09-03
Major Incidents or Breaches
- Salesloft Drift Supply Chain Attack: Multiple organizations, including Cloudflare, Palo Alto Networks, and Zscaler, were impacted by a supply chain attack stemming from the compromise of OAuth tokens via Salesloft Drift, a marketing SaaS application. Attackers leveraged the compromised tokens to access Salesforce instances, exposing customer data and support cases.
- Jaguar Land Rover Cyberattack: Jaguar Land Rover reported a cyberattack that severely disrupted production and required the shutdown of certain systems.
- Evertec/Sinqia Attempted Bank Heist: Hackers breached Sinqia S.A., the Brazilian subsidiary of fintech firm Evertec, and attempted to steal $130 million via unauthorized access to the central bank’s Pix real-time payment system.
- Pennsylvania Attorney General’s Office Ransomware Attack: The Pennsylvania AG’s office confirmed a ransomware attack responsible for a two-week service outage.
Newly Discovered Vulnerabilities
- WhatsApp Zero-Day (CVE-2025-55177): A zero-day vulnerability in WhatsApp was exploited in attacks targeting Apple users on iOS and macOS, reportedly as part of suspected spyware operations. CISA added this flaw to its Known Exploited Vulnerabilities catalog.
- TP-Link TL-WA855RE Flaw: CISA added a high-severity vulnerability affecting TP-Link TL-WA855RE Wi-Fi Range Extender devices to its KEV catalog amid reports of active exploitation.
- Sangoma FreePBX Zero-Day (CVE-2025-57819): Sangoma patched a critical zero-day vulnerability (CVSS 10.0) in FreePBX servers involving insufficient sanitization of user-supplied data, which had been exploited in the wild.
- WatchDog Anti-malware Driver Vulnerability: The Silver Fox threat actor exploited a previously unknown vulnerability in a Microsoft-signed WatchDog Anti-malware driver as part of a Bring Your Own Vulnerable Driver (BYOVD) attack to deploy ValleyRAT malware.
- Azure Active Directory Credential Exposure: Researchers highlighted risks from leaked JSON configuration files containing Azure Active Directory credentials, potentially allowing attackers to authenticate via Microsoft OAuth 2.0 endpoints and infiltrate Azure environments.
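The Azure Active Directory item above describes the material an attacker needs from a leaked JSON configuration file: an application (client) ID and a client secret, which together are enough to request a token from the Microsoft OAuth 2.0 client-credentials endpoint. The following is an added, defender-side example (not code from the brief or from the researchers it cites) that walks a JSON document and flags any object carrying that pair. The key names, the placeholder list and the sample configuration are constructed assumptions modelled on common appsettings.json layouts; real configurations vary.

```python
"""Flag Azure AD (Entra ID) client credentials in JSON configuration files.

Added example, not from the brief. Reports every JSON object that carries an
application (client) ID together with a non-placeholder client secret. Key
names are assumptions based on common appsettings.json layouts.
"""
import json
import re
from typing import Any, Iterator, Optional, Tuple

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")

# Assumed key names, matched case-insensitively.
CLIENT_ID_KEYS = {"clientid", "client_id", "appid", "applicationid"}
SECRET_KEYS = {"clientsecret", "client_secret", "secret", "appsecret"}
TENANT_KEYS = {"tenantid", "tenant_id", "tenant"}

# Values that are clearly not live credentials (constructed list).
PLACEHOLDERS = {"", "changeme", "<secret>", "your-client-secret", "xxx"}


def _walk(node: Any, path: str = "$") -> Iterator[Tuple[str, dict]]:
    """Yield (json_path, object) for every dict in the document, depth first."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")


def _lookup(obj: dict, names: set) -> Optional[str]:
    """Return the first string value whose key (lower-cased) is in `names`."""
    for key, value in obj.items():
        if key.lower() in names and isinstance(value, str):
            return value
    return None


def find_aad_credentials(doc: Any) -> list:
    """Return one finding per object holding a client ID plus a usable secret."""
    findings = []
    for path, obj in _walk(doc):
        client_id = _lookup(obj, CLIENT_ID_KEYS)
        secret = _lookup(obj, SECRET_KEYS)
        if client_id is None or secret is None:
            continue
        if secret.strip().lower() in PLACEHOLDERS:
            continue  # placeholder value, not a live credential
        tenant = _lookup(obj, TENANT_KEYS)
        findings.append({
            "path": path,
            "client_id_is_guid": bool(GUID_RE.match(client_id)),
            "tenant_id_is_guid": bool(tenant and GUID_RE.match(tenant)),
            "secret_len": len(secret),  # length only; never log the secret
        })
    return findings


def scan_text(text: str) -> list:
    """Parse a JSON document from text and scan it."""
    return find_aad_credentials(json.loads(text))


# Constructed sample: one live-looking credential block and one placeholder block.
SAMPLE_CONFIG = """
{
  "Logging": {"LogLevel": {"Default": "Information"}},
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "11111111-2222-3333-4444-555555555555",
    "ClientId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "ClientSecret": "CONSTRUCTED-SAMPLE-SECRET-VALUE"
  },
  "Dev": {"ClientId": "local", "ClientSecret": "changeme"}
}
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_CONFIG):
        print(finding)
```

Run it as a pre-commit or CI step over repository and artifact bundles; a hit at `$.AzureAd` is the signal to rotate that secret in the app registration and move the value out of the file (for example into a managed identity or a vault-backed setting), since the client ID alone is not sensitive but the pair is.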
Notable Threat Actor Activity
- Lazarus Group: North Korea-linked Lazarus Group expanded its malware arsenal, distributing cross-platform malware strains PondRAT, ThemeForestRAT, and RemotePE via social engineering campaigns.
- Silver Fox: This threat actor abused a vulnerable WatchDog driver to deploy ValleyRAT malware, leveraging BYOVD techniques.
- Midnight Blizzard/APT29: Russian state-linked group APT29 conducted a credential theft campaign by redirecting victims to fake Cloudflare verification pages and exploiting Microsoft’s device code authentication flow. Amazon disrupted this campaign.
- Ukrainian Network FDN3: Researchers observed FDN3 launching massive brute-force and password spraying attacks against SSL VPN and RDP devices between June and July 2025.
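The FDN3 item above pairs two authentication-abuse patterns that look different in logs: password spraying (one source, many usernames, few attempts each) and brute force (one source, one username, many attempts). The block below is an added example (not from the brief or the researchers it cites) of the sliding-window logic that separates the two over failed-login records from SSL VPN and RDP gateways. The log line format, the field names, the thresholds and the sample log are all constructed assumptions; adapt the regex to the gateway's real format.

```python
"""Separate password spraying from brute force in VPN/RDP auth-failure logs.

Added example, not from the brief. Log format, thresholds and sample data are
constructed assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Assumed log format: "<iso-ts> <vpn|rdp> auth-fail src=<ip> user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>vpn|rdp) auth-fail src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse(lines: Iterable[str]) -> List[dict]:
    """Keep only auth-fail records; successes and unrelated lines are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "svc": m["svc"],
            "src": m["src"],
            "user": m["user"],
        })
    return events


def detect(events: List[dict], window: timedelta = timedelta(minutes=10),
           spray_users: int = 5, brute_attempts: int = 8) -> Dict[str, dict]:
    """Per source IP, find the worst window by distinct users and by single-user hits."""
    per_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        per_src[ev["src"]].append(ev)

    verdicts = {}
    for src, evs in per_src.items():
        max_users = 0      # most distinct usernames seen within one window
        max_single = 0     # most failures against a single username within one window
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            counts = Counter(e["user"] for e in evs[start:end + 1])
            max_users = max(max_users, len(counts))
            max_single = max(max_single, max(counts.values()))
        verdicts[src] = {
            "password_spray": max_users >= spray_users,
            "brute_force": max_single >= brute_attempts,
            "distinct_users": max_users,
            "max_attempts_one_user": max_single,
        }
    return verdicts


def analyze(lines: Iterable[str]) -> Dict[str, dict]:
    return detect(parse(lines))


# Constructed sample log (RFC 5737 documentation addresses):
#   203.0.113.5  -> six different users, one attempt each, within six minutes (spray)
#   198.51.100.7 -> "admin" nine times within nine minutes (brute force)
#   192.0.2.9    -> one failure, then a success (benign)
SAMPLE_LOG = (
    [f"2025-07-01T10:0{i}:00Z vpn auth-fail src=203.0.113.5 user=user{i:02d}" for i in range(6)]
    + [f"2025-07-01T10:{i:02d}:30Z rdp auth-fail src=198.51.100.7 user=admin" for i in range(9)]
    + ["2025-07-01T10:02:15Z vpn auth-fail src=192.0.2.9 user=bob",
       "2025-07-01T10:02:16Z vpn auth-ok src=192.0.2.9 user=bob"]
)

if __name__ == "__main__":
    for src, verdict in analyze(SAMPLE_LOG).items():
        print(src, verdict)
```

The two thresholds are deliberately independent: a spraying source stays under any per-account lockout, so counting failures per account never catches it, while counting distinct accounts per source does. Tune `window`, `spray_users` and `brute_attempts` to the gateway's normal failure rate before alerting on the verdicts.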
- MystRodX Backdoor: Researchers disclosed a new backdoor, MystRodX, capable of using DNS and ICMP triggers for stealthy command and control, with features for capturing sensitive data.
Trends, Tools, or Tactics of Interest
- Large-Scale DDoS Attacks: Cloudflare mitigated the largest recorded volumetric DDoS attack, peaking at 11.5 Tbps, part of a broader wave of UDP flood attacks originating from IoT and cloud infrastructure.
- Supply Chain Risk: The Salesloft Drift incident demonstrates ongoing risks associated with SaaS supply chain dependencies and OAuth token abuse.
- WordPress Threat Landscape: Continued exploitation of vulnerable and malicious WordPress plugins enables attackers to compromise sites and use them as infrastructure for further attacks and scams.
- Shadow AI Usage: MIT’s State of AI in Business report revealed that while 40% of organizations have enterprise LLM subscriptions, over 90% of employees are using AI tools outside sanctioned platforms, increasing shadow AI risks.
- TagNabIt Tool: TagNabIt was released as an offensive security tool that enumerates AWS cloud resources via metadata tags, exposing potential attack surfaces.
- Cookie & Session Hijacking Risks: Kaspersky highlighted risks associated with improper cookie management and session hijacking, underscoring the need for secure configuration.
Regulatory or Policy Developments Affecting the Security Industry
- NIST Security Controls Update: NIST released Security and Privacy Controls version 5.2.0, introducing enhancements to help organizations improve patch management practices.
- CISA Leadership Change: CISA announced Nicholas Andersen as the new Executive Assistant Director for Cybersecurity.
- UAE Cyber Education Initiative: The United Arab Emirates launched a cyber education initiative aimed at improving cybersecurity preparedness among students.
- Varonis Acquisition: Varonis announced the acquisition of email security firm SlashNext for up to $150 million, expanding its security offerings.