Cyber OSINT Overview, Aug 4 - Aug 10, 2025 #
This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.
Most Discussed Topics #
- Multiple sources report active exploitation of SonicWall Gen 7 firewalls with SSL VPN enabled, linked to the Akira ransomware group. The activity is tied to CVE-2024-40766, an improper access control flaw in SonicOS management access and SSL VPN; intrusions have succeeded even on accounts with MFA enabled, after which the attackers move to privileged access inside the network. Many incidents involve configurations migrated from older Gen 6 firewalls where local user passwords were carried over and never reset. Immediate mitigation is to update to SonicOS 7.3.0, reset the password of every local account that has SSL VPN access, remove unused accounts, enforce MFA, and enable security services such as Botnet and Geo-IP filtering.
- gov cyber.gc.ca: SSL VPN vulnerability impacting Gen 7 SonicWall Firewalls (CVE-2024-40766) – Update 1
- gov www.cert.at: Increased threat activity against SonicWall Gen 7 firewalls with SSLVPN - immediate measures recommended
- news www.cisecurity.org: A Vulnerability in SonicWall SonicOS management access and SSLVPN Could Allow for Unauthorized Access
- vendor arcticwolf.com: Arctic Wolf Observes July 2025 Uptick in Akira Ransomware Activity Targeting SonicWall SSL VPN
- vendor threats.wiz.io: Akira Ransomware Targeting Critical Vulnerability in SonicWall SSLVPN (Campaign)
- vendor www.huntress.com: Active Exploitation of SonicWall VPNs
- A high-severity elevation-of-privilege vulnerability in Microsoft Exchange hybrid deployments (CVE-2025-53786) has prompted a CISA Emergency Directive. An attacker who already holds administrative access to an on-premises Exchange server can escalate to the connected Microsoft 365 tenant, sidestepping Conditional Access policies and leaving few audit traces in the cloud. The root cause is that on-premises Exchange and Exchange Online share a single service principal, so tokens signed with the on-premises Exchange auth certificate are trusted by Exchange Online. Organizations are urged to install the April 2025 hotfix or a later cumulative update, deploy the dedicated hybrid app per Microsoft's guidance, and then reset the shared service principal's keyCredentials so the old trust no longer exists.
- gov cyber.gc.ca: Microsoft Exchange security advisory (AV25-490)
- gov wid.cert-bund.de: [NEW] [high] Microsoft Exchange Server: Vulnerability allows privilege escalation
- gov www.cisa.gov: CISA Issues ED 25-02: Mitigate Microsoft Exchange Vulnerability
- vendor arcticwolf.com: CVE-2025-53786: U.S. CISA Issues Emergency Directive for Post-Authentication Vulnerability in Microsoft Exchange Hybrid Configurations
- vendor www.tenable.com: CVE-2025-53786: Frequently Asked Questions About Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability
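The remediation above ends with resetting the shared service principal's keyCredentials. The following is an added example, not code from the page's sources or from Microsoft, that checks a Microsoft Graph servicePrincipal response for the condition: any keyCredential still valid on the Exchange Online service principal means the legacy hybrid trust is still in place. The appId constant is assumed to be the well-known first-party "Office 365 Exchange Online" application and the sample responses are constructed, not real tenant data.

```python
"""Check whether a tenant still carries the legacy Exchange hybrid trust that
CVE-2025-53786 abuses: keyCredentials on the shared Exchange Online service
principal. Microsoft's remediation is to move to a dedicated hybrid app and
then reset those keyCredentials, so a valid entry here means work remains."""
from datetime import datetime, timezone

# Well-known first-party appId of "Office 365 Exchange Online". Assumption:
# confirm the value against your own tenant before relying on it.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"


def _ts(s):
    """Parse the UTC timestamps Graph returns ('2024-03-01T00:00:00Z')."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_legacy_hybrid_keys(graph_response, now):
    """graph_response: dict shaped like Microsoft Graph's response to
    GET /servicePrincipals?$filter=appId eq '<id>'&$select=id,appId,keyCredentials
    now: UTC timestamp string. Returns the keyCredentials that are valid at
    `now` on the Exchange Online service principal; [] means clean."""
    now_dt = _ts(now)
    found = []
    for sp in graph_response.get("value", []):
        if sp.get("appId") != EXCHANGE_ONLINE_APP_ID:
            continue
        for kc in sp.get("keyCredentials") or []:
            # Expired certificates cannot sign a token Exchange Online accepts,
            # so only entries whose validity window covers `now` count.
            if _ts(kc["startDateTime"]) <= now_dt <= _ts(kc["endDateTime"]):
                found.append({"spObjectId": sp["id"], "keyId": kc["keyId"],
                              "displayName": kc.get("displayName"),
                              "expires": kc["endDateTime"]})
    return found


# Constructed responses (not real tenant data). BEFORE has one live and one
# expired certificate; AFTER is what a cleaned-up service principal looks like.
BEFORE = {"value": [{
    "id": "11111111-aaaa-bbbb-cccc-222222222222",
    "appId": EXCHANGE_ONLINE_APP_ID,
    "keyCredentials": [
        {"keyId": "33333333-dddd-eeee-ffff-444444444444", "type": "AsymmetricX509Cert",
         "usage": "Verify", "startDateTime": "2024-03-01T00:00:00Z",
         "endDateTime": "2029-03-01T00:00:00Z",
         "displayName": "CN=Microsoft Exchange Server Auth Certificate"},
        {"keyId": "55555555-dddd-eeee-ffff-666666666666", "type": "AsymmetricX509Cert",
         "usage": "Verify", "startDateTime": "2019-03-01T00:00:00Z",
         "endDateTime": "2024-03-01T00:00:00Z",
         "displayName": "CN=Microsoft Exchange Server Auth Certificate"},
    ]}]}
AFTER = {"value": [{"id": "11111111-aaaa-bbbb-cccc-222222222222",
                    "appId": EXCHANGE_ONLINE_APP_ID, "keyCredentials": []}]}

if __name__ == "__main__":
    for hit in find_legacy_hybrid_keys(BEFORE, "2025-08-10T00:00:00Z"):
        print(f"legacy hybrid key still trusted: {hit['keyId']} (expires {hit['expires']})")
```

On a live tenant, fetch the object with any Graph client that can read service principals and pass the JSON body to `find_legacy_hybrid_keys`; run it again after the cleanup step to confirm the list is empty.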
- Multiple vulnerabilities in on-premises Microsoft SharePoint servers are being actively exploited by threat actors, including suspected China-based groups. The exploit chain, known as "ToolShell," combines CVE-2025-49706 (authentication bypass) and CVE-2025-49704 (remote code execution). CISA released a Malware Analysis Report (MAR) detailing malware used in these attacks, including webshells and a cryptographic key stealer that harvests the server's ASP.NET MachineKey values. With those keys an attacker can keep forging valid requests to a server even after it is patched, so rotating the machine keys is part of remediation, not just installing the update.
- gov cert.europa.eu: Cyber Brief 25-08 - July 2025
- gov www.cisa.gov: CISA Releases Malware Analysis Report Associated with Microsoft SharePoint Vulnerabilities
- gov www.cisa.gov: MAR-251132.c1.v1 Exploitation of SharePoint Vulnerabilities
- vendor unit42.paloaltonetworks.com: Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks
- vendor www.tenable.com: Cybersecurity Snapshot: CISA Analyzes Malware Used in SharePoint Attacks, as U.K. Boosts Cyber Assessment Framework
- Numerous critical vulnerabilities have been disclosed across a wide range of Industrial Control Systems (ICS) products from major vendors. CISA issued advisories for flaws in devices from Delta Electronics, Johnson Controls, Rockwell Automation, Packet Power, and Tigo Energy, among others. These vulnerabilities could allow for remote code execution, unauthorized access, information disclosure, and system compromise. Affected sectors include energy, critical manufacturing, and transportation, highlighting the significant risk to critical infrastructure if these systems are not patched or properly isolated.
- gov cyber.gc.ca: [Control systems] CISA ICS security advisories (AV25-481)
- gov www.cisa.gov: CISA Releases Two Industrial Control Systems Advisories
- gov www.cisa.gov: CISA Releases Ten Industrial Control Systems Advisories
- gov www.cisa.gov: Delta Electronics DIAView
- gov www.cisa.gov: Johnson Controls FX80 and FX90
- gov www.cisa.gov: Rockwell Automation Arena
Critical Vulnerabilities #
- Trend Micro has confirmed active exploitation of two critical OS command injection vulnerabilities (CVE-2025-54948, CVE-2025-54987) in the Apex One on-premise Management Console. They allow an unauthenticated remote attacker to execute arbitrary code on the console host. Trend Micro has released a temporary mitigation tool that blocks known exploits at the cost of disabling the Remote Install Agent function. A permanent patch is expected in mid-August 2025; until then organizations should apply the mitigation tool and make sure the management console is not reachable from the public internet.
- gov cyber.gc.ca: Trend Micro security advisory (AV25-487)
- gov www.jpcert.or.jp: Alert: Multiple OS command injection vulnerabilities in Trend Micro enterprise endpoint security products (published)
- news advisories.ncsc.nl: NCSC-2025-0242 [1.00] [M/H] Vulnerabilities fixed in Trend Micro Apex One
- news www.darkreading.com: Attackers Exploit Critical Trend Micro Apex One Zero-Day Flaw
- vendor arcticwolf.com: CVE-2025-54948 & CVE-2025-54987: Trend Micro Releases Mitigation Tool for Actively Exploited Apex One Vulnerabilities
- Adobe has released security updates for Adobe Experience Manager (AEM) Forms on JEE, versions 6.5.23.0 and earlier, addressing CVE-2025-54253, a misconfiguration that allows arbitrary code execution, and CVE-2025-54254, an XML external entity (XXE) flaw that allows arbitrary file-system reads. Both are exploitable by an unauthenticated attacker without user interaction, and Adobe has confirmed that public proof-of-concept exploits exist. Administrators are urged to apply the updates immediately.
- gov cyber.gc.ca: Adobe security advisory (AV25-485)
- news advisories.ncsc.nl: NCSC-2025-0241 [1.00] [M/H] Vulnerabilities fixed in Adobe Experience Manager
- Multiple critical vulnerabilities have been discovered in ICS/OT equipment, potentially allowing remote attackers unauthorized access and control. In Packet Power EMX and EG devices, a missing authentication vulnerability (CVE-2025-8284) could grant full device access. Burk Technology ARC Solo devices have a similar flaw (CVE-2025-5095) in the password change mechanism. Additionally, Delta Electronics DIAView is vulnerable to path traversal (CVE-2025-53417), enabling remote file read/write access. Users are advised to update firmware immediately and isolate these devices from the internet.
- gov www.cisa.gov: Delta Electronics DIAView
- gov www.cisa.gov: Burk Technology ARC Solo
- gov www.cisa.gov: Packet Power EMX and EG
- CISA has added three D-Link vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, indicating active exploitation. These include an unspecified vulnerability (CVE-2020-25078) and a command injection flaw (CVE-2020-25079) in DCS-2530L and DCS-2670L devices. The third vulnerability (CVE-2022-40799) is a code download without integrity check flaw in the DNR-322L device. As these are frequent attack vectors, organizations using these devices are urged to prioritize remediation.
- gov www.cisa.gov: CISA Adds Three Known Exploited Vulnerabilities to Catalog
- Critical vulnerabilities in Rockwell Automation Arena simulation software could allow for remote code execution and information disclosure. The flaws (CVE-2025-7025, CVE-2025-7032, CVE-2025-7033) include out-of-bounds read, stack-based buffer overflow, and heap-based buffer overflow, all resulting from improper validation of user-supplied data. An attacker could exploit these by convincing a legitimate user to open a malicious DOE file. Users of Arena versions 16.20.09 and prior should apply updates immediately.
- gov www.cisa.gov: Rockwell Automation Arena
- news advisories.ncsc.nl: NCSC-2025-0240 [1.00] [M/H] Vulnerabilities fixed in Rockwell Automation Arena
- Android's August 2025 security bulletin addresses six vulnerabilities, two of them critical. CVE-2025-48530 affects Android 16 and could lead to remote code execution without user interaction. CVE-2025-21479 is an incorrect-authorization flaw in the Qualcomm GPU micronode: unauthorized command execution leads to memory corruption. Users should install the August 2025 security patch level as soon as their device maker ships it.
- gov cyber.gc.ca: Android security advisory – August 2025 monthly rollup (AV25-482)
- vendor www.malwarebytes.com: Critical Android vulnerabilities patched—update as soon as you can
Major Incidents #
- The ShinyHunters extortion group, which Google tracks as UNC6040 and whose tradecraft overlaps with Scattered Spider (Muddled Libra), has breached multiple high-profile companies through their Salesforce instances. Victims include Google, Adidas, Louis Vuitton, Chanel, and Pandora. The attackers use voice phishing (vishing) to talk employees into handing over credentials or into authorizing a modified copy of Salesforce's Data Loader as a connected app in the victim's tenant. Once in, the actors bulk-export customer and business data and attempt to extort the victims.
- news www.darkreading.com: Chanel Alerts Clients of Third-Party Breach
- news www.darkreading.com: Pandora Confirms Third-Party Data Breach, Warns of Phishing Attempts
- news www.darkreading.com: Payback: 'ShinyHunters' Clocks Google via Salesforce
- vendor www.malwarebytes.com: How Google, Adidas, and more were breached in a Salesforce scam
- Pro-Ukrainian hacktivist groups have claimed responsibility for a major cyberattack against Russia’s largest airline, Aeroflot, causing severe flight delays and technical disruptions. The attackers allege they exfiltrated extensive databases and wiped over 22TB of data from 7,000 servers. This disruptive incident highlights the ongoing cyber warfare dimension of the Russia-Ukraine conflict, directly impacting critical national infrastructure.
- gov cert.europa.eu: Cyber Brief 25-08 - July 2025
- vendor research.checkpoint.com: 4th August – Threat Intelligence Report
- Recent research reveals that over 1.2 million internet-connected healthcare devices and systems are publicly accessible, leaking sensitive patient data. Misconfigured devices are exposing confidential medical images such as MRI scans and X-rays, along with protected health information (PHI) and personally identifiable information (PII). This widespread exposure creates significant risks of fraud, blackmail, and severe privacy violations for patients worldwide. The findings underscore the urgent need for healthcare organizations to implement robust asset visibility and vulnerability management programs.
- news health-isac.org: Exposed to the Bare Bone: When Private Medical Scans Surface on the Internet
- news health-isac.org: Over a Million Medical Devices Exposed Online, Revealing Private Patient Scans
- French telecommunications provider Orange experienced a cyberattack that caused operational disruptions for its French customers and some business services. While the company stated that no evidence of customer or company data exfiltration has been found, the incident caused service interruptions. This attack, along with multiple denial-of-service attacks against Estonian government and infrastructure websites, highlights ongoing disruptive cyber activities targeting European critical infrastructure.
- gov cert.europa.eu: Cyber Brief 25-08 - July 2025
- gov ria.ee: July in cyberspace: continuing denial-of-service attacks and scams
- vendor research.checkpoint.com: 4th August – Threat Intelligence Report
Emerging Threats #
- A new variant of the DarkCloud stealer is being distributed through a multi-stage infection chain that begins with phishing emails. The attack leverages obfuscated JavaScript or Windows Script Files, which download a PowerShell loader. This loader uses process hollowing to inject the final payload, a VB6-based stealer, into a legitimate process such as RegAsm.exe. The chain, including the use of ConfuserEx for obfuscation, is built for stealth: the final payload runs in memory rather than being written to disk, which limits what file-based scanning can catch.
- community www.reddit.com: New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer
- vendor feeds.fortinet.com: Unveiling a New Variant of the DarkCloud Campaign
- vendor unit42.paloaltonetworks.com: New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer
- Threat actors are increasingly abusing Linux Pluggable Authentication Modules (PAM) for stealthy credential theft and persistence. One method registers a malicious PAM module in the authentication stack of services such as SSH; because the module's pam_sm_authenticate() receives the cleartext password on every login, it can record or exfiltrate credentials, and the 'Plague' backdoor, which is such a module, additionally accepts a hardcoded password so the attacker can log in regardless of the real credentials. A related approach hooks pam_authenticate() via LD_PRELOAD instead of registering a module. Neither technique leaves an obviously malicious process behind, but EDR tools can flag unexpected PAM module registrations, libraries injected through LD_PRELOAD or /etc/ld.so.preload, and writes to /etc/pam.d outside package management.
- vendor asec.ahnlab.com: Detecting Malware Exploiting Linux PAM through AhnLab EDR
- vendor threats.wiz.io: Plague PAM-Based Backdoor for Linux (Campaign)
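The two techniques above leave configuration traces before they leave process traces. The following is an added example, not code from AhnLab, Wiz or the Plague analysis, that audits a host's PAM configuration for both: a module in /etc/pam.d that is not in a distro baseline or is loaded from an unexpected path, and a library forced into every process through /etc/ld.so.preload. The baseline module list, trusted directories and sample configs are assumptions constructed for the demo; extend the baseline to your own build before using it as a detection.

```python
"""Audit PAM configuration for a malicious module registration and for a
library preloaded into every process (the route an LD_PRELOAD hook on
pam_authenticate() takes). Findings are returned as dicts, not just printed."""
import os

PAM_TYPES = {"auth", "account", "password", "session",
             "-auth", "-account", "-password", "-session"}  # leading '-' = optional
# Assumed baseline of modules shipped by a typical distro; extend to your own build.
BASELINE_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_nologin.so",
    "pam_limits.so", "pam_systemd.so", "pam_faillock.so", "pam_motd.so",
    "pam_sss.so", "pam_selinux.so", "pam_loginuid.so", "pam_keyinit.so",
    "pam_succeed_if.so", "pam_pwquality.so", "pam_access.so", "pam_securetty.so",
}
# Directories where package-managed PAM modules normally live (assumed list).
TRUSTED_DIRS = ("/lib/security", "/lib64/security", "/usr/lib/security",
                "/usr/lib64/security", "/lib/x86_64-linux-gnu/security",
                "/usr/lib/x86_64-linux-gnu/security")


def parse_pam_entries(text):
    """Return (type, control, module, args) for each rule in one pam.d file.
    Handles bracketed controls such as [success=1 default=ignore]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("@include"):
            continue
        tok = line.split()
        if len(tok) < 3 or tok[0] not in PAM_TYPES:
            continue
        i = 1
        if tok[1].startswith("["):                   # control spans several tokens
            while i < len(tok) and not tok[i].endswith("]"):
                i += 1
        if i + 1 >= len(tok):
            continue                                 # no module token: malformed line
        entries.append((tok[0], " ".join(tok[1:i + 1]), tok[i + 1], tok[i + 2:]))
    return entries


def audit_pam(pam_d, ld_so_preload=""):
    """pam_d: {service name: file contents}; ld_so_preload: contents of
    /etc/ld.so.preload (normally absent or empty). Returns a list of findings."""
    findings = []
    for service in sorted(pam_d):
        for ptype, control, module, args in parse_pam_entries(pam_d[service]):
            reasons = []
            if "/" in module and os.path.dirname(module) not in TRUSTED_DIRS:
                reasons.append("loaded from untrusted path")
            if os.path.basename(module) not in BASELINE_MODULES:
                reasons.append("not in module baseline")
            if reasons:
                findings.append({"file": f"/etc/pam.d/{service}", "type": ptype,
                                 "control": control, "module": module,
                                 "reason": "; ".join(reasons)})
    for lib in ld_so_preload.split():
        findings.append({"file": "/etc/ld.so.preload", "type": "-", "control": "-",
                         "module": lib, "reason": "library preloaded into every process"})
    return findings


# Constructed sample configs (not taken from a real host). The sshd stack has an
# unknown 'sufficient' module ahead of pam_unix, the classic backdoor-password shape.
SAMPLE_PAM_D = {
    "login": "auth     required  pam_unix.so\naccount  required  pam_unix.so\n",
    "sshd": (
        "#%PAM-1.0\n"
        "auth     required   pam_env.so\n"
        "auth     sufficient /usr/local/lib/pam_sshhelper.so   # not from any package\n"
        "auth     [success=1 default=ignore] pam_unix.so nullok\n"
        "auth     requisite  pam_deny.so\n"
        "account  required   pam_unix.so\n"
        "session  optional   pam_systemd.so\n"
    ),
}
SAMPLE_LD_SO_PRELOAD = "/usr/lib/libaudit_hook.so\n"

if __name__ == "__main__":
    for f in audit_pam(SAMPLE_PAM_D, SAMPLE_LD_SO_PRELOAD):
        print(f"{f['file']}: {f['module']} ({f['reason']})")
```

On a real host, build `pam_d` from the files under /etc/pam.d and pass the contents of /etc/ld.so.preload if it exists; for per-process LD_PRELOAD injection also inspect the environment of long-running daemons under /proc/*/environ, which this static check does not cover.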
- The social engineering tactic dubbed "ClickFix" continues to spread and is now used by threat actors including the Lazarus group to deliver malware. Victims are tricked into pasting and running a script themselves under the guise of fixing a technical issue, such as a camera that will not start during a fake job interview or a broken CAPTCHA. The script then downloads and executes malware such as the PyLangGhost RAT. Because the user runs the command, the technique sidesteps download and attachment controls and gains initial access on the strength of apparent legitimacy alone.
- vendor blog.knowbe4.com: ClickFix Social Engineering is Becoming More Popular
- vendor levelblue.com: A SOC Toolbelt: Best Practices for Security Operations
- vendor medium.com: PyLangGhost RAT: Rising Data Stealer from Lazarus Group Targeting Finance and Technology
- vendor www.welivesecurity.com: ESET Threat Report H1 2025: ClickFix, infostealer disruptions, and ransomware deathmatch
- The FBI is warning of a new phishing trend where attackers send unsolicited physical packages containing malicious QR codes. With no sender information, recipients are prompted by curiosity to scan the code to identify the package’s origin. The QR code directs victims to a phishing site designed to steal personal information or download malware. This tactic blends physical delivery with digital attack vectors (quishing), exploiting the common use of QR codes and the relative lack of security on mobile devices.
- vendor blog.knowbe4.com: FBI Report: Attackers Are Sending Physical Packages with Malicious QR Codes
- vendor www.malwarebytes.com: Unexpected snail mail packages are being sent with scammy QR codes, warns FBI
- AI-powered answer engine Perplexity has been observed using undeclared, stealth crawlers to bypass website no-crawl directives. When its declared user agents (`PerplexityBot`, `Perplexity-User`) are blocked via `robots.txt` or WAF rules, Perplexity deploys crawlers with a generic browser user agent (e.g., Chrome on macOS) from different IP ranges to scrape content. This behavior violates established web crawling norms and allows the service to access and index content from sites that have explicitly opted out, raising ethical and privacy concerns.
- vendor blog.cloudflare.com: Perplexity is using stealth, undeclared crawlers to evade website no-crawl directives
- vendor www.malwarebytes.com: Perplexity AI ignores no-crawling rules on websites, crawls them anyway
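A site owner who blocks the declared agents has no signal from the user agent string once the crawler switches to a browser-like one. The following is an added example, not code from Cloudflare or Malwarebytes, that finds the behavior in an access log instead: it loads robots.txt with the standard library parser, then flags clients with a plain browser UA that fetch many distinct pages, hit paths disallowed for everyone, and never load a single asset, as well as declared bots that fetch paths their own robots.txt group forbids. The robots.txt, log lines, user agent strings and threshold are constructed for the demo; the Perplexity product tokens are the two named in the summary above.

```python
"""Spot undeclared crawlers in a web access log: clients with a generic
browser User-Agent that crawl robots.txt-disallowed paths at crawler-like
rates, plus declared bots that fetch paths their robots.txt group forbids."""
import re
from collections import defaultdict
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for the demo (not a real site's file).
ROBOTS_TXT = """\
User-agent: PerplexityBot
Disallow: /

User-agent: Perplexity-User
Disallow: /

User-agent: *
Disallow: /private/
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
KNOWN_CRAWLER_TOKENS = ("PerplexityBot", "Perplexity-User")   # declared agents
GENERIC_BOT_RE = re.compile(r'[\w.-]*(?:bot|crawler|spider)[\w.-]*', re.I)
ASSET_SUFFIXES = (".js", ".css", ".png", ".jpg", ".ico", ".woff2", ".svg")
MIN_DISTINCT_PATHS = 5   # assumed threshold; tune to your site's traffic


def crawler_token(ua):
    """Product token that robots.txt groups are keyed on, or '*' for a plain
    browser UA (robotparser only matches the first product token itself)."""
    for tok in KNOWN_CRAWLER_TOKENS:
        if tok.lower() in ua.lower():
            return tok
    m = GENERIC_BOT_RE.search(ua)
    return m.group(0) if m else "*"


def load_robots(text):
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def find_stealth_crawlers(log_text, robots_text=ROBOTS_TXT):
    """Return {client ip: reason} for clients whose behavior looks like a crawler
    ignoring robots.txt, whether or not they declare themselves."""
    rp = load_robots(robots_text)
    per_ip = defaultdict(lambda: {"token": "*", "paths": set(),
                                  "disallowed": 0, "assets": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip malformed lines rather than crash
        st = per_ip[m["ip"]]
        st["token"] = crawler_token(m["ua"])
        st["paths"].add(m["path"])
        if m["path"].endswith(ASSET_SUFFIXES):
            st["assets"] += 1
        if not rp.can_fetch(st["token"], m["path"]):
            st["disallowed"] += 1
    findings = {}
    for ip, st in sorted(per_ip.items()):
        if st["token"] != "*" and st["disallowed"]:
            findings[ip] = (f"declared {st['token']} fetched {st['disallowed']} "
                            f"path(s) its robots.txt group disallows")
        elif (st["token"] == "*" and st["disallowed"]
              and len(st["paths"]) >= MIN_DISTINCT_PATHS and st["assets"] == 0):
            findings[ip] = (f"browser UA, {len(st['paths'])} distinct pages, "
                            f"{st['disallowed']} disallowed, no assets: likely undeclared crawler")
    return findings


# Constructed sample traffic; IPs are RFC 5737 documentation ranges, UAs are made up.
CHROME_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36")
DECLARED_UA = "Mozilla/5.0 (compatible; PerplexityBot/1.0; +https://perplexity.ai/perplexitybot)"


def _logline(ip, path, ua, sec):
    return (f'{ip} - - [06/Aug/2025:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'200 4096 "-" "{ua}"')


SAMPLE_LOG = "\n".join(
    [_logline("198.51.100.7", p, CHROME_UA, i) for i, p in enumerate(
        ["/blog/1", "/blog/2", "/blog/3", "/private/q2-report", "/private/roadmap", "/about"])]
    + [_logline("203.0.113.5", p, CHROME_UA, 10 + i) for i, p in enumerate(
        ["/blog/1", "/static/app.js", "/static/site.css", "/blog/1"])]   # a real visitor
    + [_logline("192.0.2.9", "/blog/2", DECLARED_UA, 20)])

if __name__ == "__main__":
    for ip, why in find_stealth_crawlers(SAMPLE_LOG).items():
        print(f"{ip}: {why}")
```

The heuristic is deliberately behavioral: a stealth crawler can change its user agent and source range at will, but it still has to fetch the pages it wants and has no reason to fetch stylesheets, so the "many pages, disallowed paths, zero assets" signature survives the UA change. Flagged addresses are candidates for a WAF challenge, not proof of a specific operator.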
- The threat actor behind the SharePoint ToolShell exploit chain is using a custom toolset named Project AK47. This toolset, linked to the group Microsoft calls Storm-2603 and Unit 42 tracks as CL-CRI-1040, includes a backdoor (AK47C2), ransomware (AK47/X2ANYLOCK), and loaders that abuse DLL side-loading. This activity cluster has previously been associated with LockBit 3.0 affiliate operations and the Warlock Client double-extortion site, indicating a financially motivated actor with sophisticated custom malware.
- vendor unit42.paloaltonetworks.com: Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks
- SmartLoader malware is being distributed on a large scale via GitHub repositories disguised as legitimate projects like game cheats and software cracks. These repositories use well-crafted README files to deceive users into downloading a malicious ZIP file. The infection chain uses a legitimate Lua loader (luajit.exe) to execute an obfuscated Lua script, which ultimately installs SmartLoader. The malware establishes persistence via the Task Scheduler and exfiltrates system information and screenshots to a command-and-control server.
- vendor asec.ahnlab.com: Distribution of SmartLoader Malware via Github Repository Disguised as a Legitimate Project
Regulatory and Policy Updates #
- In response to the high-severity vulnerability in Microsoft Exchange hybrid deployments (CVE-2025-53786), CISA has issued Emergency Directive (ED) 25-02. The directive mandates that all Federal Civilian Executive Branch (FCEB) agencies implement required mitigations by 9:00 AM EDT on Monday, August 11, 2025. Although the directive applies only to FCEB agencies, CISA strongly urges all organizations with hybrid Exchange configurations to prioritize patching and apply Microsoft’s configuration guidance to prevent potential compromise.
- The UK’s National Cyber Security Centre (NCSC) has released version 4.0 of its Cyber Assessment Framework (CAF). The update is designed to help organizations managing critical infrastructure defend against growing threats. Key changes include new sections on understanding attacker motivations and ensuring software supply chain security. The framework also features updated guidance on security monitoring and threat hunting, and incorporates coverage of AI-related cyber risks.
- news ctoatncsc.substack.com: CTO at NCSC Summary: week ending August 10th
- vendor www.tenable.com: Cybersecurity Snapshot: CISA Analyzes Malware Used in SharePoint Attacks, as U.K. Boosts Cyber Assessment Framework
- Google’s Project Zero has updated its vulnerability disclosure policy to increase transparency. While maintaining its 90-day disclosure deadline (with a 30-day grace period for patch adoption), the team will now publicly release limited details of a new vulnerability within one week of reporting it to the vendor. This initial disclosure will include the vendor, the affected product, and the disclosure deadline. The change aims to give downstream maintainers and security teams earlier awareness to prepare for patches.
- news www.schneier.com: Google Project Zero Changes Its Disclosure Policy
- vendor blog.badsectorlabs.com: Last Week in Security (LWiS) - 2025-08-04
- The UK government is advancing its anti-ransomware legislative proposals following a public consultation period. The proposals include a targeted ban on ransom payments for public sector bodies and critical national infrastructure operators, a new payment prevention regime, and a mandatory incident reporting regime. While the government summarized public feedback as generally positive, responses indicated measured concern over the practical implications and potential negative consequences of a payment ban. The government will continue to develop these proposals before introducing legislation.
- news health-isac.org: Health-ISAC Hacking Healthcare 8-1-2025
Security Operations #
- CISA has released a detailed Malware Analysis Report (MAR-251132.c1.v1) on the malware used in recent SharePoint server exploits. The report analyzes the webshells and the key stealer the actors use to exfiltrate data and execute code; the stealer targets the server's ASP.NET MachineKey values, which is why CISA and Microsoft advise rotating those keys after patching, since an attacker holding them can keep forging valid requests to an updated server. The MAR includes Indicators of Compromise (IOCs) in STIX format and SIGMA rules so security teams can hunt for related intrusions in their own environments.
- Cisco’s Foundation AI team is partnering with Hugging Face to enhance AI supply chain security by scanning every public file uploaded to the platform for malware. The collaboration leverages an updated version of the open-source ClamAV engine, which now includes capabilities to detect malicious code and deserialization risks in common AI model file formats like .pt and .pkl. This initiative aims to provide more rigorous model vetting and democratize AI model antimalware capabilities, making them available to the entire community.
- vendor blogs.cisco.com: Cisco’s Foundation AI Advances AI Supply Chain Security With Hugging Face
- A new white paper series from a cross-industry collaboration including Health-ISAC offers actionable guidance on the role of the Business Information Security Officer (BISO). The series defines the BISO function as a critical liaison between business units and the central cybersecurity team, responsible for translating security risks into business context. The papers provide a framework for structuring a successful BISO program, defining responsibilities, and measuring performance, helping organizations to mature their security capabilities and better manage cyber risk.
- news health-isac.org: The Business Information Security Officer: White Paper Series
Wins #
- The founders of Samourai Wallet, a cryptocurrency mixing service, have pleaded guilty to conspiracy to commit money laundering. The service facilitated over $2 billion in illicit transactions and laundered more than $100 million in criminal proceeds from various cybercrime operations, including ransomware and dark web markets. As part of their plea deal, the founders will forfeit over $200 million, marking a significant victory for law enforcement in disrupting the financial infrastructure that supports cybercrime.
- news www.darkreading.com: 'Samourai' Cryptomixer Founders Plead Guilty to Money Laundering
- personal newsletter.blockthreat.io: BlockThreat - Week 31, 2025
Disclaimer #
The summaries in this brief are generated autonomously by an LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
The brief is created in collaboration with BlackStork and is based on a free template.
Reach out if you have questions or suggestions.