Cybersecurity Week in Review: August 12 – 18, 2025

Cyberattacks, data breaches, zero-days, and global responses—discover the biggest cybersecurity headlines of this week.

Major Data Breaches and Leaks

  • ManpowerGroup (global staffing firm) – Disclosed a breach affecting ~144,000 individuals, after attackers accessed its network in late Dec 2024. The RansomHub ransomware group claimed responsibility, stealing ~500GB of data including client personal identifiers (IDs, SSNs, addresses) and confidential corporate documents.
  • Allianz Life (insurance) – Hackers leaked 2.8 million records of Allianz Life’s customers and partners, stolen via a July 16 breach of the company’s Salesforce CRM system. The leaked data (dumped by the ShinyHunters extortion group) includes names, contact info, dates of birth, tax IDs and other sensitive personal details from the Salesforce “Accounts” and “Contacts” databases.
  • Workday (HR software) – Revealed a data breach (identified Aug 6) where attackers accessed a third-party CRM platform via social engineering. The incident, part of a wider Salesforce-targeted campaign by the ShinyHunters group, exposed business contact information (names, emails, phone numbers) of Workday customers. Workday emphasized no core customer databases were compromised, but the stolen contacts could be used for follow-on phishing attempts.
  • Canadian House of Commons – Suffered a cyberattack in which a threat actor exploited a recent Microsoft vulnerability to access an internal IT database. The breach, disclosed to Parliament staff on Aug 14, exposed non-public employee data (names, job titles, office locations, and email addresses), prompting warnings of potential impersonation scams targeting officials. The incident is under investigation by Canada’s Cyber Centre, with no attribution named yet.

Significant Cyberattacks and Incidents

  • Colt Telecom (UK) – Major telecom provider Colt Technology Services was hit by a ransomware attack starting August 12, causing multi-day outages of customer support systems (hosting, portals, voice platforms). A hacker claiming to be from the “WarLock” gang took credit, offering to sell ~1 million stolen internal documents for $200,000, including Colt’s financial records, customer data, employee info, emails, and software code. Investigators noted the attackers likely exploited a known SharePoint server RCE vulnerability to gain initial access.
  • Pennsylvania Attorney General’s Office – A cyberattack knocked the state AG’s office offline, disabling its website, email, and even phone lines. Staff announced on Aug 13 that IT teams and law enforcement were working to restore systems and determine the cause. Although no ransomware group has claimed responsibility, the widespread outage bears the hallmarks of a ransomware incident. Notably, security experts observed that the office had unpatched Citrix NetScaler servers vulnerable to a critical exploit, raising suspicion that a known flaw may have been leveraged in the attack.

Critical Vulnerabilities and Patches

  • Microsoft Patch Tuesday (August 2025) – Microsoft released fixes for 107 security vulnerabilities, with at least 13 rated “critical” (remote code execution risks) across Windows and Office products. These include CVE-2025-53786, an Exchange Server flaw allowing on-premises compromise to spread into cloud (Exchange Online) environments, and “BadSuccessor” Kerberos vulnerability CVE-2025-53779 that could let an unauthenticated attacker gain domain admin privileges. Users are urged to apply updates promptly given the severity of these bugs.
  • Cisco Firewall Manager (CVE-2025-20265) – Cisco warned of a CVSS 10.0 critical flaw in its Secure Firewall Management Center (FMC) software. The bug in the RADIUS authentication module could let an unauthenticated remote attacker inject system commands and take over the device. No workarounds exist; admins must update FMC to prevent possible firewall management takeover.
  • Fortinet FortiSIEM (CVE-2025-25256) – Fortinet alerted users to a critical pre-auth OS command injection vulnerability in FortiSIEM (security monitoring platform) being actively targeted. The flaw (CVSS 9.8) allows remote code execution on unpatched servers, and while Fortinet didn’t confirm if it was a zero-day, functional exploit code has been found in the wild. Admins should immediately apply the available patch, as attacks leave few traces for detection.
  • Citrix NetScaler ADC/Gateway (CVE-2025-5777) – New details emerged on a critical Citrix appliance vulnerability (nicknamed “Citrix Bleed 2”) that was exploited as a zero-day since May. The flaw, a code injection in NetScaler, was patched on July 21 after attackers had already used it to breach multiple organizations in the Netherlands and elsewhere. CISA added CVE-2025-5777 to its Known Exploited list and directed U.S. agencies to patch devices within 24 hours, given reports of mass scanning and exploitation.
  • WinRAR Zero-Day (CVE-2025-8088) – A path traversal bug in the popular WinRAR archive utility was confirmed to have been exploited in the wild by at least two threat actors. The Russian group “RomCom” (aka Tropical Scorpius) leveraged it in phishing attacks to drop malware from specially crafted archives, and another actor (“Paper Werewolf”) also abused it to target organizations. WinRAR issued a patch (v7.13 on July 30) for the flaw; users should update their WinRAR software, as opening a malicious archive could silently run hidden payloads on their system.
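The WinRAR item above concerns the archive path-traversal class: an entry name that resolves outside the chosen extraction folder. As an added illustration (not code from this roundup or from the WinRAR project), the Python below audits archive entry names before extraction and refuses any that would escape the destination. It uses the standard library's ZIP reader because Python has no built-in RAR parser; the name check itself is format-agnostic. The sample archive is constructed in memory with deliberately bad entry names (`../../outside.txt`, `C:/absolute/path.txt`) purely to exercise the check. Note that `ZipFile.extractall` already sanitises names; the explicit check is shown because many custom extraction routines and older tools do not.

```python
import io
import os
import tempfile
import zipfile


def is_unsafe_member(name: str, dest: str) -> bool:
    """Return True if an archive entry name would land outside dest.

    Rejects absolute paths, Windows drive letters, any '..' component, and,
    as a final defence, anything whose resolved path is not under dest.
    """
    # Windows archive tools treat both separators as path separators.
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True
    parts = [p for p in norm.split("/") if p not in ("", ".")]
    if ".." in parts:
        return True
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, *parts))
    return os.path.commonpath([dest_real, target]) != dest_real


def audit_archive(data: bytes, dest: str) -> list:
    """List (sorted) the entry names that would escape dest if extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted(n for n in zf.namelist() if is_unsafe_member(n, dest))


def safe_extract(data: bytes, dest: str) -> tuple:
    """Extract only entries that stay inside dest; return (extracted, skipped)."""
    extracted, skipped = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_unsafe_member(info.filename, dest):
                skipped.append(info.filename)
                continue
            parts = [p for p in info.filename.replace("\\", "/").split("/")
                     if p not in ("", ".")]
            target = os.path.join(dest, *parts)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return extracted, skipped


def build_sample_archive() -> bytes:
    """Constructed test archive: one benign entry and two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/report.pdf", b"benign content")          # constructed
        zf.writestr("../../outside.txt", b"would escape dest")      # constructed
        zf.writestr("C:/absolute/path.txt", b"absolute Windows path")  # constructed
    return buf.getvalue()


def demo() -> tuple:
    """Run safe_extract on the sample archive in a fresh temporary directory."""
    dest = tempfile.mkdtemp(prefix="archive-audit-")
    return safe_extract(build_sample_archive(), dest)


if __name__ == "__main__":
    extracted, skipped = demo()
    print("extracted:", extracted)
    print("skipped (traversal):", skipped)
```

The same pre-extraction audit can be applied to RAR or 7z listings obtained from a command-line lister, since it operates only on entry names, and it is a useful control on mail gateways or sandboxes that unpack attachments before scanning them.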

Government and Industry Cyber Responses

  • U.S. Sanctions Russian Hacktivists – The U.S. Treasury imposed sanctions on two individuals identified as leaders of the pro-Russia hacktivist group “Cyber Army of Russia Reborn (CARR)”. The sanctioned hackers allegedly coordinated disruptive cyber campaigns against Western critical infrastructure, including DDoS attacks on civilian services. The sanctions freeze any U.S.-linked assets of the actors and bar transactions with them, aiming to deter state-aligned hacktivism.
  • DOJ Takedown of Ransomware Infrastructure – The Justice Department announced a coordinated international operation against the BlackSuit (Royal) ransomware group. Law enforcement seized four servers and nine domains used by the gang to distribute malware and leak victim data, following an investigation into Royal’s attacks. The action (conducted in late July and revealed Aug 12) is part of a broader crackdown on ransomware-as-a-service operators and their infrastructure.
  • OT Security Guidance Collaboration – A coalition of government agencies from the U.S. and allies released new guidelines to bolster operational technology (OT) cybersecurity for critical infrastructure. On Aug 13, CISA, the NSA, the FBI and partners in the UK, Canada, Australia, and Germany published “Foundations for OT Cybersecurity: Asset Inventory Guidance,” which advises operators on identifying and protecting industrial control system assets. This joint guidance comes amid heightened concerns about cyber threats to utilities and manufacturing (underscored by incidents like the Norway dam hack), and it provides a blueprint for developing robust OT asset inventories and network segmentation to reduce risks.
  • Calls to Renew Cyber Info-Sharing Law – U.S. industry groups and officials are urging Congress to reauthorize the Cybersecurity Information Sharing Act (CISA) of 2015, set to expire at the end of September. The law established legal protections for companies to share threat intelligence with each other and the government. Experts warn that if it lapses, it could lead to an “80–90% reduction” in the exchange of cyber threat data due to liability fears. Bipartisan lawmakers have signaled support to extend the law (with potential tweaks), recognizing that its sunset could erode hard-won trust and hamper joint defenses against attacks.

Miscellaneous

  • Hackers Breach North Korean Spies – In an ironic twist, the North Korean APT group Kimsuky fell victim to a data breach by hacktivists. Two hackers calling themselves “Saber” and “cyb0rg” infiltrated Kimsuky’s systems for “ethical” reasons and leaked an 8.9 GB cache of the group’s internal files on the DDoSecrets platform. The dump includes Kimsuky’s phishing logs (targeting military and government emails), source code for a South Korean ministry’s email system, lists of targeted individuals, malware tools (Cobalt Strike beacons, custom backdoors), and even the Kimsuky operators’ own VPN and forum activity. This exposure of Kimsuky’s tactics and infrastructure (publicized during the DEF CON conference) could disrupt the group’s operations and give defenders new intelligence on North Korean cyber campaigns.
  • “Blue Report” – Data Theft on the Rise – New research from Picus Security (Blue Report 2025) highlights a shift in cybercriminal tactics from traditional file encryption to stealthy data exfiltration. In ransomware-related breaches studied, only a small fraction of incidents involved encrypting files; instead, attackers focus on stealing data and passwords. The report found that 46% of enterprise environments had at least one password compromised during simulations (nearly double the rate from the prior year). With infostealer malware and credential abuse proliferating, the findings underscore the need for organizations to detect data theft and credential attacks that might fly under the radar of legacy defenses.
  • Adversaries Weaponize AI and Cloud – CrowdStrike’s mid-year Threat Hunting Report painted an evolving threat landscape marked by the use of AI and “malware-free” techniques. State-sponsored and criminal groups are leveraging generative AI for automation and social engineering at scale – for example, a North Korean cluster (FAMOUS CHOLLIMA) used deepfake videos and AI-generated resumes to fraudulently get hired at companies and gain insider access. Meanwhile, 81% of the intrusions tracked by CrowdStrike’s team involved hands-on-keyboard activity with no malware, as attackers exploited valid credentials and built-in tools to avoid detection. The report also noted a 136% surge in cloud service intrusions year-over-year, and a doubling of voice-phishing (“vishing”) attacks, indicating that threat actors are broadening their targets to identity and cloud platforms and blending tactics across domains.

Conclusion

  • Data exposure is widespread – Large breaches (e.g. customer records at Allianz, personal data at Manpower) show that adversaries continue to access troves of sensitive information. Organizations must prioritize data governance, encryption of personal identifiers, and continuous monitoring for leaks on criminal forums.
  • Patch urgency and zero-day defense – This week’s events underscored the critical importance of timely patching. Threat actors rapidly exploit unpatched flaws – from WinRAR to Fortinet and Citrix appliances – often within days or weeks of disclosure. Maintaining an effective vulnerability management program (especially for internet-facing systems) and monitoring threat intelligence for exploited CVEs are essential measures to preempt attacks.
  • Evolving attack tactics – Incidents illustrate that many attackers are bypassing traditional perimeter defenses. Social engineering and credential abuse were common threads (as seen in the Workday breach and numerous “malware-free” intrusions). Multi-factor authentication, robust identity/access management, and user awareness training are key to thwarting phishing and impersonation attempts that technology alone may miss.
  • Operational resilience – High-impact disruptions (ransomware at Colt and government offices, critical infrastructure sabotage in Norway) highlight the need for robust incident response and continuity planning. Organizations should regularly test backups and restore procedures, segment networks to contain damage, and have coordinated response playbooks that involve cross-team and law enforcement communication. Speedy detection and isolation of attacks can significantly reduce downtime and losses.
  • Collective cybersecurity efforts – The news also brought positive examples of defense: governments and industry are increasingly acting in concert. Joint advisories (like the OT security guide), law enforcement crackdowns on threat groups, and public-private intel sharing initiatives all contribute to raising the cost for attackers. Enterprises should engage with information sharing programs and heed official cybersecurity advisories. A culture of transparency and collaboration – between companies and agencies and across international partners – has proven crucial in mitigating large-scale cyber threats.

Sources

  • BleepingComputer
  • KrebsOnSecurity
  • The Hacker News
  • CyberScoop
  • Reuters
  • CrowdStrike (reports and blog)
  • U.S. Department of Justice (press release)
  • Distributed Denial of Secrets (DDoSecrets)