July 20, 2025

Cyber OSINT Overview, Jul 14 - Jul 20, 2025

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Most Discussed Topics

  • Vulnerabilities in the Linux kernel were a predominant topic, with numerous advisories detailing flaws that could lead to Denial of Service (DoS), privilege escalation, information disclosure, and other unspecified impacts. Security updates were released for multiple distributions, including Red Hat Enterprise Linux and various Ubuntu LTS versions. The sheer volume of alerts from different agencies highlights the continuous and broad attack surface presented by the kernel in both server and desktop environments. These flaws ranged from low to high severity, affecting a wide array of kernel components and requiring constant vigilance and patching from system administrators.
  • The security of enterprise network appliances and collaboration platforms was a major focus, with multiple critical, actively exploited vulnerabilities disclosed in widely used products. Flaws in Microsoft SharePoint, Citrix NetScaler, Fortinet FortiWeb, and Cisco Identity Services Engine (ISE) allowed for remote code execution, SQL injection, and information disclosure. Government agencies like CISA and CCCS issued urgent advisories, adding several of these vulnerabilities to their Known Exploited Vulnerabilities catalogs. This trend underscores the high value attackers place on these perimeter and identity management devices as initial access points into corporate networks.
  • The integration and security implications of Artificial Intelligence, particularly agentic AI, were heavily debated across various sources. Discussions ranged from the operational benefits, such as Accenture’s use of an AI agent platform to streamline IT operations, to the significant security risks they introduce. Gartner predicted that 25% of enterprise breaches will stem from AI agent abuse by 2028, highlighting concerns about prompt injection, data leakage, and the expanded attack surface. The conversation reflects a critical juncture for organizations, balancing the pressure to adopt AI for competitive advantage against the urgent need to develop robust security frameworks, governance, and training to mitigate these new, autonomous threats.
  • Evolving phishing and social engineering tactics remain a persistent and widely discussed threat. New campaigns demonstrate attackers’ ingenuity in bypassing both technical controls and user awareness. Notable techniques include the ‘Scanception’ campaign, which uses QR codes embedded deep within PDF documents to evade email scanners, and another campaign using weaponized WAV audio files in fake voicemail notifications to create urgency. Additionally, attackers were observed abusing Microsoft 365’s Direct Send feature to send internally spoofed emails that bypass standard security filters. These methods highlight a continuous trend of attackers shifting vectors to exploit user trust and gaps in security monitoring, particularly on mobile and unmanaged devices.

Critical Vulnerabilities

  • A critical, actively exploited zero-day remote code execution (RCE) vulnerability, CVE-2025-53770, affects on-premises Microsoft SharePoint Server. Dubbed ‘ToolShell’, the exploit allows unauthenticated attackers to gain complete server control. This flaw is a variant of previously patched vulnerabilities CVE-2025-49706 and CVE-2025-49704. While a patch is not yet available, Microsoft and CISA urgently recommend enabling Antimalware Scan Interface (AMSI) integration and deploying Microsoft Defender as immediate mitigation. Organizations are advised to hunt for indicators of compromise, as existing infections may persist even after related vulnerabilities are patched.
  • A critical unauthenticated SQL injection vulnerability, CVE-2025-25257 (CVSS 9.6), in Fortinet’s FortiWeb web application firewall is being actively exploited. The flaw allows a remote attacker to execute arbitrary SQL commands via crafted HTTP requests, potentially leading to remote code execution. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch. Fortinet has released security updates for multiple versions of FortiWeb and confirmed active exploitation. Organizations are strongly advised to apply the necessary updates immediately or disable the administrative interface as a temporary mitigation.
  • Multiple critical vulnerabilities in Citrix NetScaler ADC and Gateway (CVE-2025-5777, CVE-2025-6543) are under active exploitation. The most significant, CVE-2025-5777, dubbed ‘Citrix Bleed 2,’ is an out-of-bounds read vulnerability that can lead to information disclosure and session hijacking without authentication. CISA added this vulnerability to its KEV catalog on July 10, noting exploitation began even before a public proof-of-concept was available. Due to the risk of session token leakage, patching alone is insufficient. Administrators must terminate all active sessions after applying updates to ensure attackers who may have already compromised a device are evicted.
  • A zero-day vulnerability in CrushFTP, CVE-2025-54309, is being actively exploited, allowing remote unauthenticated attackers to gain administrative access. The vulnerability stems from improper validation of the AS2 protocol and affects CrushFTP versions 10 (before 10.8.5) and 11 (before 11.3.4_23). Attackers reportedly discovered the flaw by reverse-engineering a recent patch for an unrelated bug. Due to the high risk of complete system compromise, administrators are urged to update immediately and check for indicators of compromise, such as the creation of unexpected user accounts with high privileges. This marks the third major zero-day vulnerability in CrushFTP in just over a year.
  • Google has patched an actively exploited high-severity zero-day vulnerability, CVE-2025-6558, affecting its Chrome browser and subsequently Microsoft Edge. The flaw is due to insufficient input validation in the ANGLE and GPU components, which could allow a remote attacker to perform a sandbox escape via a crafted HTML page. This is a significant threat as it allows attackers to break out of the browser’s security confines and potentially compromise the underlying operating system. Google has released updated versions for Windows, Mac, and Linux, and users are strongly advised to update their browsers immediately to mitigate the threat.

Major Incidents

  • Food distributor United Natural Foods (UNFI) reported losing up to $400 million in sales due to a significant cyberattack in June 2025. The incident, linked to the Scattered Spider (Octo Tempest) cybercrime group, forced the company to completely shut down its systems to contain the threat. This disruption severely impacted its ability to fulfill orders for major clients like Whole Foods Market, leading to product shortages and spoilage. The company incurred direct costs of up to $25 million for manual workarounds and remediation, highlighting the severe financial and operational impact ransomware attacks can have on critical supply chain entities.
  • Thailand’s Ministry of Labour was hit by a severe cyberattack claimed by a threat actor known as ‘Devman’. The group asserted that it had maintained persistent access to the ministry’s network for over 43 days, compromising both Active Directory and Linux servers. The attackers defaced the ministry’s website, exfiltrated over 300GB of sensitive data, encrypted systems, and destroyed backups. A ransom of $15 million was demanded, showcasing a destructive attack that goes beyond simple data theft and significantly disrupts government operations.
  • A significant data breach at McDonald’s AI-powered hiring platform, McHire, exposed the personal information of over 64 million job applicants. The breach was caused by a weak, guessable password (‘123456’) on an account managed by the platform provider, Paradox.ai. Exposed data included names, contact information, chat transcripts, and personality test results. While Paradox.ai claimed the issue was isolated to a test account, further investigation revealed that one of its administrators had their credentials compromised by infostealer malware, revealing poor password hygiene across multiple client accounts and underscoring significant supply chain security risks.
  • An unsecured database belonging to the Gladney Center for Adoption in Texas exposed over 1.1 million sensitive records. The data, which included names of children, birth parents, and adoptive parents, along with case notes and internal communications, was publicly accessible without a password. This incident highlights the severe privacy risks associated with misconfigured cloud storage, especially when handling highly personal and sensitive information related to vulnerable individuals. The exposure could lead to identity theft, social engineering, or extortion targeting the affected families.

Emerging Threats

  • A suspected China-nexus threat actor, UNC3886, is reportedly conducting an ongoing, serious cyberattack campaign against Singapore’s critical infrastructure. A senior government official stated the group is actively targeting vital services including power, telecommunications, and transportation. This group is known for its sophistication, focusing on stealth, long-term persistence, and exploiting zero-day vulnerabilities in network devices like routers and firewalls from vendors such as Juniper, Fortinet, and VMware. The campaign highlights a strategic focus on espionage and intelligence gathering against high-value government and infrastructure targets in Southeast Asia.
  • A new malware backdoor named ‘GhostContainer’ is targeting Microsoft Exchange servers in high-value government and high-tech organizations in Asia. The malware, discovered during an incident response, is highly customized and leverages several open-source projects. Once deployed, likely via an N-day vulnerability, it gives attackers full control over the server, allowing for command execution, file downloads, and loading of additional malicious modules. GhostContainer employs various evasion techniques, disguises itself as a legitimate server component, and can function as a proxy to exfiltrate data from internal networks, indicating its use in sophisticated APT campaigns.
  • A financially motivated group, dubbed Greedy Sponge, is targeting Mexican organizations with a customized version of the AllaKore RAT. The campaign uses trojanized Microsoft software installers (MSI) to deliver the malware. Recent updates to their tactics include delivering SystemBC as a secondary payload and moving geofencing checks from the initial downloader to the server-side to better evade detection. The modified AllaKore RAT is designed to exfiltrate specific banking credentials and authentication data, indicating a clear focus on financial fraud against a wide range of sectors in Mexico.
  • The popular open-source remote access trojan, AsyncRAT, has spawned a complex ecosystem of over 30 variants and forks, significantly increasing the threat it poses. ESET researchers observed tens of thousands of infections over the past year involving AsyncRAT and its derivatives like DcRat and VenomRAT. These variants are commonly distributed via spam, phishing, and malvertising. The constant evolution, with each fork introducing new obfuscation layers or functionalities, makes consistent detection challenging for security teams. This highlights the growing problem of open-source malware being adopted and modified by a wide range of cybercriminals for diverse campaigns.
  • A new social engineering technique dubbed ‘FileFix’ is being used to deliver the Interlock RAT. Similar to the ‘ClickFix’ method, FileFix tricks users into executing malicious commands, but uses the Windows File Explorer’s ‘file open’ dialog instead of the ‘Run’ dialog. Victims are guided to a fake verification page, where a malicious command is copied to their clipboard. They are then instructed to open File Explorer, paste the command into the address bar, and execute it, leading to the download of malware. This evolving tactic is effective against unsuspecting users and demonstrates how threat actors adapt social engineering pretexts to bypass user awareness and security controls.

Regulatory and Policy Updates

  • The United Kingdom has imposed sanctions on 18 Russian military intelligence (GRU) officers and three GRU units (Unit 74455/Sandworm, Unit 26165/Fancy Bear, and Unit 29155) for conducting a sustained campaign of malicious cyber activities. These operations allegedly include cyber reconnaissance that facilitated missile strikes killing civilians in Ukraine, such as the attack on the Mariupol Theatre. The sanctions also target individuals involved in historical operations, including hacking the personal device of Yulia Skripal years before the Novichok assassination attempt. This action, supported by statements from the EU and NATO, signals a coordinated Western effort to hold Russian state-sponsored cyber actors accountable for actions with real-world kinetic consequences.
  • The Cybersecurity Information Sharing Act of 2015 (CISA 2015), a foundational U.S. law enabling threat intelligence sharing between the government and private sector, is set to expire on September 30, 2025. Industry groups like the Health-ISAC are advocating for its reauthorization, highlighting its critical role in fostering collaboration and enabling rapid response to large-scale cyberattacks, such as the 2017 NotPetya incident. The potential lapse of this legislation could create a significant gap in the national cybersecurity framework, hindering the flow of actionable threat data and weakening collective defense capabilities across critical infrastructure sectors.
  • US lawmakers are raising national security concerns over Spain’s use of Huawei technology for its judicial wiretap system. Chairs of the House and Senate Intelligence panels sent a letter to the Director of National Intelligence, urging a review of intelligence sharing with the NATO ally. The letter argues that China’s national security laws could compel Huawei to provide backdoor access to Spain’s lawful intercept system, potentially exposing sensitive investigations and intelligence activities to the Chinese government. This development could strain intelligence partnerships and force a re-evaluation of how allies handle technology from high-risk vendors.
  • The Russian government is moving to restrict foreign messaging applications following an order from President Putin. This policy shift aims to increase state control over digital communications within the country. Ukraine’s intelligence services have reported on this development, which could impact the privacy and security of Russian citizens and organizations that rely on popular international platforms for communication. The move is part of a broader trend of digital sovereignty efforts by Russia, which could further isolate its internet ecosystem and increase surveillance capabilities.

Security Operations

  • CISA has actively updated its Known Exploited Vulnerabilities (KEV) Catalog, adding several high-impact flaws based on evidence of in-the-wild exploitation. Recent additions include CVE-2025-53770 (‘ToolShell’ in Microsoft SharePoint), a critical RCE; CVE-2025-25257, a Fortinet FortiWeb SQL injection flaw; and CVE-2025-47812, an RCE in Wing FTP Server. These updates trigger Binding Operational Directive (BOD) 22-01, mandating federal agencies to remediate the vulnerabilities within a specified timeframe. CISA strongly urges all organizations to use the KEV catalog as a prioritization tool for their own vulnerability management programs to defend against active threats.
  • The release of NIST Cybersecurity Framework (CSF) 2.0 provides a more accessible and scalable approach for small and mid-sized businesses to build effective security programs. The updated framework introduces a new ‘Govern’ function, emphasizing the importance of cybersecurity risk management alignment with enterprise-level strategy. Its flexible, risk-based methodology helps organizations with limited resources to prioritize actions that deliver the greatest impact. Adopting NIST CSF 2.0 can help growing businesses meet client expectations, prepare for compliance audits, and establish a common language for discussing security posture with leadership and external partners.
  • AI-powered tools are rapidly transforming Security Operations Centers (SOCs), shifting the role of analysts from manual investigation to managing AI agents. Products like Microsoft Security Copilot, now generally available in Intune and Entra, automate tasks such as policy analysis and threat data correlation. This trend prompts discussions around the future of SOC roles and the need for new skills focused on AI governance and automation. While full AI-driven SOCs are not yet the norm, security teams are increasingly adopting AI to improve efficiency, reduce alert fatigue, and accelerate response times, making it a critical area for professional development.
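The KEV item above recommends using the catalog as a prioritization input rather than relying on severity scores alone. The following script is an added example written for this brief, not tooling from CISA or any vendor named here: it parses a catalog in the shape of CISA's public KEV JSON feed (the field names follow that feed, which is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), joins it against scanner findings, and orders remediation work by the catalog's due dates. The CVE identifiers are the three named in the KEV bullet; the dates, host names, severity labels, descriptions and the non-KEV placeholder CVE are constructed sample values, not values taken from the real catalog.

```python
import json
from datetime import date

# Report date used for the due-date arithmetic (the date of this brief).
REPORT_DATE = date(2025, 7, 20)

# Constructed sample shaped like CISA's KEV JSON feed. Field names follow the public
# feed; the entries use CVE identifiers from this brief, but the dates, vendor
# strings and descriptions are placeholders, not copied from the real catalog.
SAMPLE_KEV_JSON = """
{
  "title": "Constructed KEV sample for illustration",
  "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2025-53770", "vendorProject": "Microsoft", "product": "SharePoint",
     "vulnerabilityName": "placeholder - SharePoint RCE",
     "dateAdded": "2025-07-20", "dueDate": "2025-07-21",
     "requiredAction": "placeholder - apply vendor mitigations",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-25257", "vendorProject": "Fortinet", "product": "FortiWeb",
     "vulnerabilityName": "placeholder - FortiWeb SQL injection",
     "dateAdded": "2025-06-27", "dueDate": "2025-07-18",
     "requiredAction": "placeholder - apply vendor updates",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-47812", "vendorProject": "Wing FTP", "product": "Wing FTP Server",
     "vulnerabilityName": "placeholder - Wing FTP Server RCE",
     "dateAdded": "2025-07-14", "dueDate": "2025-08-04",
     "requiredAction": "placeholder - apply vendor updates",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed scanner findings: host, CVE, and the scanner's own severity label.
# "CVE-0000-00000" is an obvious placeholder for a finding that is not in the KEV catalog.
SAMPLE_FINDINGS = [
    {"host": "build-07.corp.example", "cve": "CVE-0000-00000", "severity": "critical"},
    {"host": "sp-01.corp.example", "cve": "CVE-2025-53770", "severity": "critical"},
    {"host": "ftp-01.corp.example", "cve": "CVE-2025-47812", "severity": "high"},
    {"host": "waf-edge-02.corp.example", "cve": "CVE-2025-25257", "severity": "high"},
]


def load_kev(raw_json: str) -> dict:
    """Index a KEV-shaped catalog by CVE identifier."""
    catalog = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def prioritize(findings: list, kev: dict, today: date) -> list:
    """Annotate findings with KEV status and order them by remediation urgency.

    KEV-listed findings come first, ordered by days until the catalog due date
    (negative values are already overdue); everything else follows by host name.
    """
    rows = []
    for finding in findings:
        entry = kev.get(finding["cve"])
        row = {**finding, "in_kev": entry is not None, "due": None,
               "days_left": None, "overdue": False, "ransomware_use": False}
        if entry is not None:
            due = date.fromisoformat(entry["dueDate"])
            row.update(due=due.isoformat(), days_left=(due - today).days,
                       overdue=due < today,
                       ransomware_use=entry.get("knownRansomwareCampaignUse") == "Known")
        rows.append(row)
    rows.sort(key=lambda r: (not r["in_kev"], r["days_left"] if r["in_kev"] else 0, r["host"]))
    return rows


def summarize(rows: list) -> dict:
    """Counts a team would put at the top of a weekly vulnerability report."""
    kev_rows = [r for r in rows if r["in_kev"]]
    return {
        "kev_findings": len(kev_rows),
        "overdue": sum(1 for r in kev_rows if r["overdue"]),
        "due_within_7_days": sum(1 for r in kev_rows if 0 <= r["days_left"] <= 7),
        "not_in_kev": len(rows) - len(kev_rows),
    }


if __name__ == "__main__":
    ordered = prioritize(SAMPLE_FINDINGS, load_kev(SAMPLE_KEV_JSON), REPORT_DATE)
    for r in ordered:
        flag = "OVERDUE" if r["overdue"] else ("KEV" if r["in_kev"] else "-")
        print(f"{flag:8} {r['cve']:16} due={r['due']} days_left={r['days_left']} {r['host']}")
    print(summarize(ordered))
```

The ordering deliberately puts a KEV-listed "high" finding ahead of a "critical" finding that is not in the catalog, which is the prioritization the bullet describes. In practice the catalog is downloaded fresh on each run and the findings come from the organization's scanner export; both inputs here are constructed so the script runs offline.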

Wins

  • An international law enforcement effort, ‘Operation Eastwood’, has successfully disrupted the pro-Russian hacktivist group NoName057(16). The operation, coordinated by Europol and Eurojust, involved agencies from 12 countries and resulted in the takedown of over 100 servers worldwide. Additionally, authorities made two arrests, issued seven international arrest warrants, and conducted 24 house searches. The group, known for its widespread DDoS attacks against entities in Ukraine and NATO countries, used a botnet and the ‘DDoSia’ platform to orchestrate its campaigns, often recruiting members through gamified tactics on Telegram.
  • A free decryption tool for victims of the Phobos and 8Base ransomware families has been released by Japan’s National Police Agency. Developed with support from the FBI and Europol, the tool aids organizations impacted by these groups, which have extorted over $16 million from approximately 1,000 victims since 2019. This release follows a series of international law enforcement actions against the ransomware-as-a-service operations, including arrests and indictments of key affiliates in early 2025. The decryptor provides a crucial recovery path for victims, undermining the ransomware groups’ business model.
  • Law enforcement has successfully extradited an Armenian national, Karen Serobovich Vardanyan, to the United States to face charges for his alleged role in the Ryuk ransomware gang. The group is accused of extorting over $15 million in Bitcoin from hundreds of victims, including critical infrastructure and healthcare organizations, between 2019 and 2020. Vardanyan faces charges of conspiracy, computer fraud, and extortion. This extradition marks a significant step in holding international cybercriminals accountable for their attacks on U.S. entities.
  • Authorities in the United Kingdom have arrested four individuals believed to be members of the ‘Scattered Spider’ cybercrime group. This group is known for its social engineering tactics, particularly calling IT helpdesks to reset employee passwords to gain initial access for ransomware deployment and data theft. These arrests represent a significant blow to the highly effective and notorious gang responsible for numerous high-profile corporate breaches. The successful operation highlights the ongoing efforts by international law enforcement to dismantle prolific cybercriminal networks.

Disclaimer

The summaries in this brief are generated autonomously by an LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

The brief is created in collaboration with BlackStork and is based on a free template.

Reach out if you have questions or suggestions.