Cybersecurity Brief – 2025-10-12
Major Incidents or Breaches
- SonicWall SSL VPN devices: Huntress reported a widespread compromise of SonicWall SSL VPN devices, with threat actors authenticating into over 100 customer environments to access internal systems.
- Gladinet CentreStack and TrioFox: Active exploitation of a zero-day vulnerability (CVE-2025-11371) in Gladinet CentreStack and TrioFox products has been observed, allowing unauthenticated local file access and potential escalation to remote code execution. The flaw remains unpatched.
- BreachForums Takedown: The FBI seized all domains of the BreachForums hacking forum operated by the ShinyHunters group; the forum was used for leaking data from ransomware and extortion attacks, including recent Salesforce-related incidents.
- AI Companion Apps Data Leak: Two AI “girlfriend” apps exposed millions of private chat logs belonging to over 400,000 users.
- Oracle EBS Zero-Day Attacks: Sophisticated malware was deployed in attacks exploiting a zero-day in Oracle E-Business Suite (EBS), affecting dozens of organizations since at least 10 July.
- Discord Age-Verification Data Exposure: A hack exposed sensitive age-verification data of Discord users.
- Manufacturing Sector Ransomware: Reports highlight continued ransomware attacks targeting the manufacturing industry, with attackers exploiting unpatched vulnerabilities.
- US Universities Payroll Attacks: US universities were targeted by attackers hijacking HR SaaS accounts to divert payroll payments, attributed to the Storm-2657 threat actor.
Newly Discovered Vulnerabilities
- Juniper Networks Junos Space: More than 200 vulnerabilities, including nine critical-severity flaws, were patched in Junos Space and Junos Space Security Director.
- Ivanti Endpoint Manager: The Zero Day Initiative (ZDI) disclosed 13 unpatched vulnerabilities in Ivanti Endpoint Manager, enabling remote code execution and privilege escalation.
- GoAnywhere MFT (CVE-2025-10035): Fortra detailed active exploitation of this critical flaw in GoAnywhere Managed File Transfer, which has since been patched.
- Node.js SEA Feature Abuse: The Stealit malware campaign uses Node.js’ Single Executable Application feature to distribute payloads via trojanized game and VPN installers.
- Malicious npm Packages: 175 malicious npm packages with over 26,000 downloads were found harvesting credentials as part of a phishing campaign.
Notable Threat Actor Activity
- North Korean IT Worker Schemes: North Korean threat actors have expanded fraudulent remote employment operations to target a broad range of industries, including architectural design, using fake identities and documentation.
- LockBit/Storm-2603: The LockBit ransomware group (Storm-2603) has been observed abusing the Velociraptor DFIR tool to maintain persistence and facilitate attacks.
- Storm-2657: This actor is actively hijacking HR SaaS accounts to redirect payroll payments, targeting a variety of organizations, including universities.
- Coordinated Attacks on Network Devices: Infrastructure linked to coordinated attacks is being used to exploit vulnerabilities in Cisco, Fortinet, and Palo Alto Networks devices.
- RondoDox Botnet: The RondoDox botnet employs over 50 exploits in a “shotgun” approach to compromise routers, DVRs, NVRs, CCTV systems, and other edge devices globally.
- Aisuru DDoS Botnet: The Aisuru botnet is responsible for record-setting DDoS attacks against US ISPs, leveraging large numbers of compromised IoT devices.
Trends, Tools, or Tactics of Interest
- Abuse of Legitimate Tools: Increased weaponization of legitimate digital forensics and incident response tools (e.g., Velociraptor) by ransomware groups for persistence and post-exploitation.
- AI and Deepfake Threats: OpenAI’s new video and audio generation system raises concerns about the proliferation of deepfakes. Organizations report high awareness but insufficient investment in deepfake detection capabilities.
- AI in Security Operations: Advancements in AI-powered Security Operations Center (SOC) platforms, with Microsoft introducing agentic AI capabilities in Sentinel, and the emergence of AI browser agents presenting new authentication challenges.
- Supply Chain Risks: Discovery of malicious packages in npm and abuse of Node.js SEA highlight ongoing supply chain threats to software development environments.
- Password Guidance: NIST updates suggest a shift away from overly complex password requirements, balancing usability against security.
Regulatory or Policy Developments Affecting the Security Industry
- Apple Bug Bounty Expansion: Apple has doubled its maximum bug bounty payout to $2 million for zero-click RCE vulnerabilities, introduced new research categories, and increased transparency in its rewards structure. Total payouts have reached $35 million, with bonuses for iPhone exploits potentially raising rewards to $5 million.
- Windows 11 23H2 End of Support: Microsoft reminded users that Home and Pro editions of Windows 11 23H2 will stop receiving security updates next month.
- Chrome Notification Permissions: Google Chrome will automatically revoke notification permissions for inactive websites to reduce notification spam.
- Age-Verification Law Privacy Concerns: Apple raised privacy concerns regarding proposed age-verification laws, citing risks associated with increased sensitive data collection.