August 3, 2025

Cyber OSINT Overview, Jul 28 - Aug 3, 2025

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Most Discussed Topics

  • Multiple government agencies and security vendors issued a high volume of advisories for vulnerabilities in various Linux distributions and the Linux Kernel itself. These flaws ranged in severity from denial-of-service to privilege escalation and remote code execution. Products from Red Hat, SUSE, and Ubuntu were frequently mentioned, indicating widespread patching efforts across the ecosystem to address ongoing security risks in core operating system components.
  • Social engineering was identified as the primary initial access vector in a significant portion of security incidents over the past year. Threat actors like Scattered Spider are successfully using techniques such as phishing, vishing, and MFA bombing to target privileged accounts and IT help desks. This trend highlights a strategic shift by adversaries to exploit human behavior and organizational process gaps rather than solely relying on technical vulnerabilities, leading to major data breaches and ransomware events.
  • A significant focus has been placed on securing industrial control systems (ICS) and operational technology (OT) environments. CISA released numerous advisories detailing vulnerabilities in products from major vendors like Schneider Electric, Honeywell, Rockwell Automation, and Delta Electronics. These advisories, along with a joint CISA/USCG report on cyber hygiene, underscore the growing need for enhanced security measures, such as network segmentation and secure credential management, to protect critical infrastructure from potential disruption.
  • The security of AI systems and the use of AI in cyberattacks are rapidly growing concerns. Discussions revolved around vulnerabilities in AI-generated code, the risk of prompt injection attacks against LLMs, and the necessity of strong AI governance policies to prevent data breaches. IBM’s latest report highlighted that a majority of organizations lack AI governance, leading to costly breaches. Simultaneously, new AI security features and tools are being developed to counter these threats, indicating a burgeoning arms race in the AI security domain.

Critical Vulnerabilities

  • A critical zero-day vulnerability (CVE-2025-53770) in on-premises Microsoft SharePoint Server is being actively exploited, allowing unauthenticated remote code execution. With a CVSS score of 9.8, this flaw enables attackers to achieve full system compromise. Microsoft and CISA have issued emergency guidance and patches, urging organizations to update immediately and check for signs of compromise, as threat actors, including Chinese state-sponsored groups, are leveraging it for widespread data theft.
  • A suspected zero-day vulnerability in SonicWall firewall devices is being actively exploited by the Akira ransomware group for initial network access. The attacks leverage the SonicWall SSL VPN feature, and in some cases have successfully bypassed multi-factor authentication on fully patched devices. Due to the high risk of compromise, security researchers recommend disabling the SSL VPN service until a patch is released by the vendor.
  • A new, sophisticated Linux backdoor named ‘Plague’ has been discovered targeting Pluggable Authentication Modules (PAM) to establish persistent SSH access. The malware is notable for its complete evasion of all major antivirus engines on VirusTotal, achieving a zero-detection rate. It operates by manipulating core authentication mechanisms, allowing it to remain stealthy while subverting system security controls.
  • Multiple critical vulnerabilities have been disclosed in Apple’s ecosystem, affecting iOS, iPadOS, macOS, watchOS, and other products. The most severe of these flaws could allow for arbitrary code execution. The patches address numerous issues, many within the WebKit engine, which could lead to memory corruption or unexpected application termination when processing malicious web content. Users are strongly advised to apply the latest security updates immediately.
  • VMware has addressed multiple critical vulnerabilities in its ESXi, Workstation, and Fusion products that could lead to arbitrary code execution on the host machine from a guest virtual machine. The flaws include out-of-bounds write and integer overflow/underflow issues in components like the VMXNET3 virtual network adapter and the Virtual Machine Communication Interface (VMCI). These vulnerabilities carry high CVSS scores, and successful exploitation could allow an attacker to escape the virtual machine environment and compromise the underlying host system.
  • Multiple vulnerabilities have been reported in various Industrial Control Systems (ICS) products, posing significant risks to critical manufacturing and other sectors. A critical flaw (CVSS 9.3) in Güralp Systems’ seismic monitoring devices exposes an unauthenticated Telnet interface, allowing remote attackers to modify configurations or reset the device. Other advisories from CISA cover products from Delta Electronics, Samsung HVAC, and National Instruments, with vulnerabilities ranging from deserialization of untrusted data to memory buffer errors that could lead to remote code execution.
  • Cisco has added two injection vulnerabilities in its Identity Services Engine (CVE-2025-20281, CVE-2025-20337) to the Known Exploited Vulnerabilities (KEV) catalog. These flaws are actively being exploited in the wild. Additionally, a Cross-Site Request Forgery (CSRF) vulnerability in PaperCut NG/MF (CVE-2023-2533) has also been added to the KEV catalog. Federal agencies are required to patch these vulnerabilities by the specified due dates to mitigate significant risks posed by these frequent attack vectors.
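The ‘Plague’ backdoor described above persists by tampering with PAM, so a defender's first question is whether any PAM shared object on a host differs from a known-good state. The following script is an added example written for this brief; it is not part of the brief, the malware analysis it summarizes, or any vendor tool. It records SHA-256 hashes of every module under the usual Linux PAM directories (the directory list is an assumption to adjust per distribution), then reports modules that were added, removed, or modified relative to a saved baseline. The demo scenario builds a temporary directory with constructed files so the logic runs offline.

```python
"""Baseline-and-diff integrity check for PAM module directories (added example)."""
import hashlib
import json
import sys
import tempfile
from pathlib import Path

# Common PAM module locations on Linux. These paths are an assumption;
# confirm them for your distribution before relying on the baseline.
PAM_MODULE_DIRS = [
    "/lib/security",
    "/lib64/security",
    "/lib/x86_64-linux-gnu/security",
    "/usr/lib/security",
    "/usr/lib64/security",
    "/usr/lib/x86_64-linux-gnu/security",
]


def sha256_file(path):
    """Stream a file through SHA-256 so large objects do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(dirs):
    """Return {absolute_path: sha256} for every shared object found in dirs."""
    result = {}
    for d in dirs:
        p = Path(d)
        if not p.is_dir():
            continue  # not every distro uses every directory
        for f in sorted(p.rglob("*.so*")):
            if f.is_file():
                result[str(f)] = sha256_file(f)
    return result


def diff_snapshots(baseline, current):
    """Classify every difference between the trusted baseline and the live state."""
    added = sorted(set(current) - set(baseline))          # dropped-in modules
    missing = sorted(set(baseline) - set(current))        # removed modules
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "missing": missing, "modified": modified}


def demo_scenario():
    """Constructed scenario: take a baseline, then simulate tampering.

    Returns the diff with basenames only so the result is path-independent.
    """
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / "security"
        d.mkdir()
        (d / "pam_unix.so").write_bytes(b"constructed stand-in for pam_unix")
        (d / "pam_sss.so").write_bytes(b"constructed stand-in for pam_sss")
        baseline = snapshot([str(d)])

        # Simulated tampering: one module rewritten, one unknown module added,
        # one legitimate module removed.
        (d / "pam_unix.so").write_bytes(b"constructed trojanized pam_unix")
        (d / "pam_helper.so").write_bytes(b"constructed unknown module")
        (d / "pam_sss.so").unlink()

        diff = diff_snapshots(baseline, snapshot([str(d)]))
        return {k: [Path(p).name for p in v] for k, v in diff.items()}


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "baseline":
        Path(sys.argv[2]).write_text(json.dumps(snapshot(PAM_MODULE_DIRS), indent=2))
    elif len(sys.argv) == 3 and sys.argv[1] == "check":
        saved = json.loads(Path(sys.argv[2]).read_text())
        print(json.dumps(diff_snapshots(saved, snapshot(PAM_MODULE_DIRS)), indent=2))
    else:
        print(json.dumps(demo_scenario(), indent=2))
```

Run `python3 pam_check.py baseline /secure/pam.json` on a freshly built host and `python3 pam_check.py check /secure/pam.json` on a schedule; keep the baseline off the host or on read-only media, since an attacker with root can rewrite a local baseline as easily as the module. Pair the file check with the package manager's own verification (`rpm -V` or `dpkg --verify`) and with a review of the `/etc/pam.d` configuration files, because a rogue module only takes effect once a config line references it.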

Major Incidents

  • Russian airline Aeroflot suffered a major cyberattack claimed by the Belarusian pro-Ukrainian hacktivist group Cyber Partisans. The attack caused mass flight disruptions, with over 100 flights canceled or delayed, affecting approximately 20,000 passengers. The hackers claim to have exfiltrated the airline’s entire flight history, internal call recordings, and employee monitoring data, leaking some purported data of the CEO to substantiate their claims while Russian authorities denied a data breach had occurred.
  • The city of St. Paul, Minnesota, declared a state of emergency following a “deliberate, coordinated” cyberattack that disrupted internal systems and city services. The incident was severe enough to warrant the deployment of the Minnesota National Guard’s cyber protection teams to assist with response and recovery efforts. To contain the threat, the city proactively shut down affected networks, leading to widespread service outages including Wi-Fi in government buildings and library systems.
  • Insurance giant Allianz Life disclosed a data breach that exposed the personal information of the majority of its 1.4 million U.S. customers, as well as financial professionals and some employees. The company stated the breach occurred after an attacker used social engineering to gain access to a third-party, cloud-based Customer Relationship Management (CRM) system. The incident is suspected to be linked to threat groups like Scattered Spider, which specialize in vishing campaigns targeting corporate help desks to compromise CRM platforms.
  • A cyberattack on the UK’s Legal Aid Agency in May has caused prolonged disruption, pushing the sector into chaos. Three months later, systems remain offline, preventing lawyers from accessing records and billing for services, with many barristers going unpaid. The attack, which compromised the personal data of hundreds of thousands of applicants, has forced a reliance on a contingency payment system that practitioners report is inadequate, fueling fears that legal aid firms may abandon this line of work entirely.
  • The women-only dating safety app ‘Tea’ suffered multiple data breaches, exposing highly sensitive user information. Initially, over 72,000 private images, including selfies and photo IDs used for verification, were leaked. A second breach, discovered shortly after, exposed more than a million private user messages containing discussions about abortions, cheating partners, and other personal matters. The incidents highlight severe security and privacy failures at the company.

Emerging Threats

  • The Russian state-sponsored actor Secret Blizzard (also known as Turla or VENOMOUS BEAR) is conducting an ongoing espionage campaign against foreign embassies in Moscow. The group has established an adversary-in-the-middle (AiTM) position within local Internet Service Providers, likely facilitated by lawful intercept systems. This allows them to intercept and manipulate traffic, tricking diplomatic staff into installing a custom malware called ApolloShadow by masquerading it as a trusted security certificate, enabling deep and persistent access for intelligence collection.
  • CISA and international partners have released an updated advisory on the cybercriminal group Scattered Spider, detailing their evolving tactics. The group continues to rely heavily on social engineering, targeting IT help desks and privileged accounts to gain initial access. They have been observed using various ransomware strains, most recently DragonForce, and are known for their speed and adaptability, often listening in on incident response calls to evade detection and develop new intrusion methods.
  • A newly identified threat actor, Storm-2603, has been linked to the recent ‘ToolShell’ SharePoint exploitation campaign. This group utilizes a custom Command and Control (C2) framework named ‘ak47c2’, which supports both HTTP and DNS-based communication for resilience. A notable tool in their arsenal is a custom ‘Antivirus Terminator’ that uses the Bring Your Own Vulnerable Driver (BYOVD) technique to disable endpoint security products at the kernel level before deploying ransomware like LockBit and Warlock.
  • Attackers are exploiting Microsoft 365’s ‘Direct Send’ feature to launch internal phishing campaigns that bypass conventional security filters. This technique allows malicious emails to appear as if they originate from within the organization without requiring compromised credentials. The emails are relayed through unsecured third-party appliances to Microsoft 365 tenants, leveraging the implicit trust of an internal sender to increase the likelihood of success.
  • A new attack vector dubbed ‘Man in the Prompt’ demonstrates how malicious browser extensions can hijack interactions with generative AI tools like ChatGPT and Google Gemini. These extensions can read or alter user prompts, inject hidden instructions, and exfiltrate sensitive data from AI responses without requiring special permissions. This threat is significant as organizations increasingly integrate these AI tools into workflows involving confidential corporate data, potentially turning them into ‘hacking copilots’ for attackers.
  • The Lazarus Group, a North Korean state-sponsored actor, has been conducting a widespread supply chain attack by publishing 234 malicious packages on the npm and PyPI open-source repositories. These packages impersonate legitimate developer tools to infect software developers with espionage malware. The campaign, active since January 2025, aims to steal sensitive credentials, profile systems, and establish persistent backdoors in developer environments, affecting over 36,000 potential victims.
  • Chinese-speaking actors are scaling a Malware-as-a-Service operation using the PlayPraetor Android Remote Access Trojan (RAT). This campaign has compromised over 11,000 devices globally by distributing malicious apps that impersonate the Google Play Store. The malware uses Android’s Accessibility Services to gain full device control, enabling on-device fraud targeting nearly 200 banking and cryptocurrency applications.
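The Microsoft 365 ‘Direct Send’ abuse summarized above works because a message can carry an internal From: address without ever authenticating as that sender. The detection logic below is an added example for this brief, not code from the brief or from Microsoft: it treats a message as suspicious when its From: domain is the organization's own domain but the inbound gateway's Authentication-Results header (RFC 8601 syntax) shows no SPF, DKIM or DMARC pass aligned with that domain. The organization domain and the four sample messages are constructed.

```python
"""Flag mail that claims an internal sender without authenticating as one (added example)."""
import email
import re
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumed organization domain; replace with your own

# Constructed sample messages. Only the headers matter for this check.
SAMPLE_MESSAGES = {
    "legit-internal": (
        "From: Alice <alice@example.com>\n"
        "Subject: Q3 budget\n"
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; "
        "dkim=pass header.d=example.com; dmarc=pass header.from=example.com\n"
        "\nSee attached.\n"
    ),
    "spoofed-helpdesk": (
        "From: IT Helpdesk <it-helpdesk@example.com>\n"
        "Subject: Action required: re-enrol your MFA device\n"
        "Authentication-Results: mx.example.com; spf=fail (sender IP is 203.0.113.7) "
        "smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com\n"
        "\nClick the link below.\n"
    ),
    "external-vendor": (
        "From: Newsletter <news@vendor.example.net>\n"
        "Subject: July release notes\n"
        "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=vendor.example.net; "
        "dmarc=pass header.from=vendor.example.net\n"
        "\nHighlights this month.\n"
    ),
    "misaligned-dkim": (
        "From: Payroll <payroll@example.com>\n"
        "Subject: Updated direct deposit form\n"
        "Authentication-Results: mx.example.com; spf=none; "
        "dkim=pass header.d=bulk-relay.example.net; dmarc=fail header.from=example.com\n"
        "\nPlease review.\n"
    ),
}


def authenticated_for(auth_results, our_domain):
    """True if an Authentication-Results value proves the message came from our_domain.

    Accepts a DMARC pass, an SPF pass whose envelope sender is our domain, or a
    DKIM pass whose signing domain (header.d) is our domain. A DKIM pass for
    some other domain does not count, which is what DMARC alignment enforces.
    """
    text = auth_results.lower()
    our = our_domain.lower()
    if re.search(r"\bdmarc=pass\b", text):
        return True
    m = re.search(r"\bspf=pass\b[^;]*smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", text)
    if m and m.group(1) == our:
        return True
    m = re.search(r"\bdkim=pass\b[^;]*header\.d=([\w.-]+)", text)
    if m and m.group(1) == our:
        return True
    return False


def is_suspicious_internal_sender(raw_message, our_domain=OUR_DOMAIN):
    """True when From: is our domain but no authentication result vouches for it."""
    msg = email.message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain != our_domain.lower():
        return False  # external senders are outside this check's scope
    combined = " ; ".join(msg.get_all("Authentication-Results", []))
    return not authenticated_for(combined, our_domain)


def flagged_samples():
    """Names of the constructed samples this check would send to review."""
    return [name for name, raw in SAMPLE_MESSAGES.items()
            if is_suspicious_internal_sender(raw)]


if __name__ == "__main__":
    for name in SAMPLE_MESSAGES:
        print(f"{name}: {'FLAG' if name in flagged_samples() else 'ok'}")
```

The check assumes the organization's own gateway writes the Authentication-Results header and strips any copy a sender supplied, otherwise an attacker can forge a passing result. It is a triage filter rather than a verdict: legitimate on-premises devices that relay through the tenant unauthenticated will trip it too, which is useful, because each such device is exactly the kind of unsecured relay the campaign depends on and should be moved to an authenticated connector.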

Regulatory and Policy Updates

  • A bipartisan bill, the ‘National Quantum Cybersecurity Migration Strategy Act,’ has been introduced in the U.S. Senate. The legislation aims to prepare the federal government for threats posed by quantum computing by mandating the development of a national strategy for migrating to post-quantum cryptography. It directs federal agencies to define what constitutes a cryptographically relevant quantum computer and establish pilot programs to upgrade high-impact systems to quantum-safe encryption standards by 2027.
  • New provisions of the EU AI Act are set to take effect, continuing the phased rollout of the comprehensive regulation. These new rules will cover governance standards for AI systems, impose requirements on general-purpose AI (GPAI) models, and activate the sanctions regime for non-compliance. The Act’s risk-based approach, with stricter rules for high-risk applications, continues to be a global benchmark, though its implementation faces challenges from the rapid pace of AI evolution.
  • The enforcement of the UK’s Online Safety Act has led to a massive surge in VPN usage, with traffic increasing by up to 2,000%. The act mandates stringent age verification controls for websites offering adult content, including social media and search engines, to protect children. In response, many UK users are turning to VPNs to bypass these new restrictions, highlighting the tension between online safety legislation and user privacy concerns.
  • Sean Cairncross has been confirmed by the U.S. Senate as the new National Cyber Director. This appointment fills a key leadership role in the Trump administration’s cybersecurity apparatus. As director, Cairncross will be responsible for coordinating federal cybersecurity policy and strategy across various government agencies.

Security Operations

  • CISA has released two new free tools to aid cyber defenders in incident response and malware analysis. The ‘Eviction Strategies Tool’ includes a playbook (Playbook-NG) and a countermeasures database (COUN7ER) to help organizations contain and evict adversaries from their networks. The second tool, ‘Thorium’, is a scalable and distributed platform developed with Sandia National Laboratories for automated file analysis, supporting functions like digital forensics and incident response.
  • CISA and the U.S. Coast Guard issued a joint advisory detailing common cyber hygiene risks identified during a proactive threat hunt at a U.S. critical infrastructure organization. Key findings included insufficient logging, insecure storage of plaintext credentials, shared local administrator accounts, and inadequate network segmentation between IT and OT environments. The advisory provides specific mitigations to help other critical infrastructure organizations strengthen their defensive posture against these prevalent weaknesses.
  • Google’s Project Zero has updated its vulnerability disclosure policy in an effort to accelerate patching timelines. The team will now publicly share limited details about a new vulnerability within one week of privately reporting it to the affected vendor. This initial disclosure will include the product and vendor but will omit technical details to prevent exploitation, aiming to increase transparency and encourage faster integration of fixes by downstream dependents.
  • NIST has released Revision 4 of its Digital Identity Guidelines (Special Publication 800-63), updating the federal standards for identity proofing, authentication, and federation. This revision is the result of a multi-year collaborative process and aims to address the evolving digital landscape since the last major update in 2017. The guidelines provide a framework for organizations to manage digital identities securely and effectively.
  • CISA has published the first part of its guidance on implementing microsegmentation as a core component of a zero trust architecture. Titled ‘Microsegmentation in Zero Trust, Part One: Introduction and Planning,’ the document is aimed at Federal Civilian Executive Branch agencies but is applicable to any organization. It provides an overview of microsegmentation concepts, benefits, and challenges, helping security teams to reduce their attack surface and limit lateral movement.

Disclaimer

The summaries in this brief are generated autonomously by an LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

The brief is created in collaboration with BlackStork and is based on a free template.

Reach out if you have questions or suggestions.