Major Data Breaches and Leaks
Qantas Airways (Australia): The airline disclosed a breach affecting about 6 million customers via a third-party call center platform. Exposed data included names, birth dates, emails, phone numbers, and frequent-flyer IDs (no passports or credit cards). Officials warned customers to beware of follow-on phishing scams posing as Qantas, as threat actors (possibly the Scattered Spider group) could exploit the leaked contact info.
Nova Scotia Power (Canada): The utility is notifying ~280,000 people of a data breach from a cyberattack earlier this year. Hackers had access from March 19 to April 25, stealing names, addresses, driver’s license and Social Insurance numbers, bank details, and extensive customer records (power usage, billing history, etc.). The attack forced weeks-long IT restoration; while critical grid operations were not disrupted, customer portals and phone lines were impacted.
Spanish Government Officials’ Data Leak: Spanish police arrested a 19-year-old hacker (and an accomplice) for stealing and leaking personal data of high-ranking officials, including the Prime Minister and regional leaders. The leaked info — phone numbers, addresses, national ID numbers, email accounts — was sold on far-right forums, and at least three major data leaks were shared in June. Authorities labeled the pair a serious national security threat and charged them under cyberterrorism laws.
Significant Cyberattacks and Incidents
Ingram Micro Ransomware Outage: Global IT distributor Ingram Micro suffered a ransomware attack that knocked its systems offline around the July 4th weekend. Customers were unable to place orders for days as websites and services went down, and the company confirmed ransomware was to blame. Ingram Micro filed regulatory notices and is working to restore systems; the SafePay gang is suspected (their ransom note was found), though not confirmed publicly. The incident raised concerns about downstream impact if attackers had tried to abuse Ingram’s privileged network connections with partners.
$100M Bank Theft via Insider (Brazil): Brazilian police arrested an IT employee at a software firm for aiding a massive digital bank heist exceeding $98 million. The insider admitted selling his login credentials (for only ~$2,700) to hackers, who then breached Brazil’s PIX instant payments system connecting banks to the central bank. At least six financial institutions were hit; authorities have frozen about $49 million and are searching for at least four other perpetrators.
“Bert” Ransomware Emergence: Security researchers flagged a new ransomware group calling itself “Bert”, active since April and targeting organizations across Asia, Europe, and the U.S. Bert’s malware can infect both Windows and Linux systems and was observed disabling security tools via PowerShell before encrypting files. The group’s tactics and code suggest a possible lineage to the defunct REvil gang (reusing parts of REvil’s Linux ransomware) and hints of Russian-affiliated infrastructure. Multiple variants are already in circulation, indicating rapid development of this threat.
St. Petersburg Internet Outage: Over the weekend, Russia’s second-largest city faced a widespread mobile internet blackout amid warnings of Ukrainian drone strikes. The outage, which disrupted digital payments, ticketing, and even stalled car-sharing vehicles, is believed to be a deliberate shutdown by authorities aiming to thwart drones (by cutting networks used for coordination). Telecom firms denied technical faults. Such shutdowns have spiked across Russia (655 mobile outages in June) as the war prompts aggressive cyber defense measures, though they come at the cost of significant civilian service disruptions.
Critical Vulnerabilities and Patches
MCP GitHub Repository Breach: A major security incident occurred when private repositories from the Model Control Platform (MCP) were accidentally exposed on GitHub. Sensitive internal tools and deployment scripts were included in the leak. The exposure happened due to a misconfigured GitHub Actions workflow, which mistakenly pushed internal assets to a public fork. Although the exposure was short-lived, threat actors cloned the repository before it was taken down. MCP has since rotated credentials, revoked exposed keys, and initiated a full security audit. Users and partners are urged to monitor for suspicious activity and update any integrations relying on MCP APIs.
Citrix NetScaler “Bleed 2” Flaw (CVE-2025-5777): A critical vulnerability in Citrix NetScaler ADC and Gateway devices allows attackers to steal sensitive data (like session tokens) by sending malformed login requests. Nicknamed “CitrixBleed2” (for its resemblance to the 2023 Citrix Bleed bug), the flaw leaks ~127 bytes of memory per request, which can be repeated to extract credentials and session information. Public exploit code was released and researchers report active exploitation since mid-June, despite Citrix stating no evidence of attacks. Admins should patch immediately to prevent breaches.
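Because the flaw yields only ~127 bytes per request, useful extraction requires an attacker to hit the login endpoint many times from one source in a short period. The following is an added detection example (not code from the original report or from Citrix): it applies a per-source sliding-window count of POSTs to an authentication endpoint over constructed, hypothetical log lines. The log format and the "/login" path are placeholders; substitute the appliance's actual access-log format and authentication path.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample entries in a placeholder format:
# "<ISO timestamp> <client_ip> <method> <path> <status>"
# This is NOT the real NetScaler log format; adapt parse_line() to yours.
_FLOOD_SRC = "203.0.113.10"   # constructed address hammering the endpoint
_USER_SRC = "198.51.100.7"    # constructed address of a normal user


def _build_sample_log():
    base = datetime(2025, 7, 1, 10, 0, 0)
    lines = []
    # A legitimate user: three login attempts spread over five minutes.
    for sec in (0, 90, 300):
        ts = (base + timedelta(seconds=sec)).isoformat()
        lines.append(f"{ts} {_USER_SRC} POST /login 200")
    # One source issuing 40 login requests in 20 seconds.
    for i in range(40):
        ts = (base + timedelta(milliseconds=500 * i)).isoformat()
        lines.append(f"{ts} {_FLOOD_SRC} POST /login 200")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one placeholder-format line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, status = m.groups()
    return datetime.fromisoformat(ts), ip, method, path, int(status)


def find_login_floods(log_text, login_path="/login",
                      window=timedelta(seconds=60), threshold=20):
    """Return {client_ip: peak_count} for every source that sent more than
    `threshold` POSTs to `login_path` within any sliding `window`.

    Timestamps are assumed to be in order per source; each source keeps its
    own deque so interleaved sources do not disturb each other's window.
    """
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peak = defaultdict(int)       # ip -> highest count seen in any window
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, ip, method, path, _status = rec
        if method != "POST" or path != login_path:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop entries older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


if __name__ == "__main__":
    for ip, n in find_login_floods(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} login POSTs within 60s")
```

The threshold and window are tuning knobs: a flood alert is a signal to review that source's sessions and, after patching, to invalidate active sessions rather than rely on the patch alone. The example runs on the embedded constructed log and reports only the flooding source.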
Cisco Unified Communications Manager Backdoor (CVE-2025-20309): Cisco revealed a maximum-severity vulnerability in its call management servers caused by a hardcoded root SSH account with static credentials. An unauthenticated attacker could remotely log in with this built-in credential and gain full control of the system. No workarounds exist – the only fix is to apply Cisco’s update (15SU3) or patch file released in July 2025, which removes the development/testing account. (Cisco noted several similar backdoor credential issues in recent years and urges prompt upgrading to mitigate this risk.)
Google Chrome Zero-Day (CVE-2025-6554): Google rushed out an emergency Chrome update after discovering the fourth actively exploited Chrome zero-day of the year. The flaw is a high-severity type confusion bug in Chrome’s V8 JavaScript engine that could enable arbitrary code execution. Google’s Threat Analysis Group found the issue in late June and pushed a server-side config mitigation on June 26, followed by patches for all platforms by July 1. Users are strongly advised to update Chrome to version 138.0.7204.x, as attackers were already exploiting this bug in targeted espionage campaigns.
Government and Industry Cyber Responses
Germany–Israel Cybersecurity Pact: In the wake of recent Israel-Iran conflicts, Germany announced a plan to deepen cyber defense cooperation with Israel. The initiative, dubbed “Cyber Dome,” will establish a joint German-Israeli cyber research center and increase collaboration between intelligence agencies (Germany’s BND and Israel’s Mossad). It also calls for strengthened cyber and anti-drone defenses and a nationwide emergency alert system in Germany modeled on Israel’s civil defense network. German officials noted that purely military security is insufficient without robust cyber capabilities, praising Israel’s success in foiling Iranian cyberattacks during their 12-day conflict.
Interpol on West African Scam Compounds: INTERPOL warned that West Africa may become a new hotspot for cybercrime “scam centers” – large compounds where human-trafficking victims are forced to run online fraud schemes. In a report this week, Interpol noted recent raids against such scam call centers in Nigeria and neighboring countries. This mirrors a trend seen in Southeast Asia, where criminal syndicates operate slave-like scam mills for investment fraud, romance scams, crypto swindles, etc. Thousands of victims from 66 countries have been trafficked into these operations. Law enforcement globally is on alert as these abusive scam operations spread beyond Asia to Africa, the Middle East, and Latin America.
Russian Crackdown on “Cyber Traitors”: A Russian court sentenced Andrei Smirnov to 16 years in a high-security prison for launching pro-Ukraine cyberattacks on Russian critical infrastructure. Smirnov was arrested in late 2023 and charged with treason for allegedly joining a hacker group at the behest of Ukrainian intelligence. Investigators say he deployed malware in 2022 to disrupt regional company websites and infrastructure (exact targets not disclosed). His harsh sentence is part of hundreds of treason or espionage cases Russia has opened since the Ukraine invasion, as authorities clamp down on anyone aiding Ukraine’s cyber efforts. (In a separate case in May, another Russian IT worker got 14 years for leaking military personnel data to Ukrainians.)
Miscellaneous
Scattered Spider’s Broader Targets: U.S. authorities and researchers are sounding alarms about the Scattered Spider threat actor expanding its scope. Throughout Q2 2025 the group (a sophisticated social-engineering gang) pivoted to attack aviation companies, after focusing on the telecom, insurance, and tech sectors. In late June, several U.S. airlines were targeted via help-desk vishing (voice phishing) to reset multifactor authentication, letting hackers hijack employee accounts. These tactics – impersonating staff to trick IT support – mirror Scattered Spider’s earlier breaches. The FBI issued an alert to the aviation industry, and experts urge organizations to harden identity verification processes to counter such social engineering.
“Hunters International” Ransomware Group Quits: The Hunters International ransomware/extortion gang announced it is shutting down operations and released free decryption keys for past victims. In a darknet post on July 3, the group claimed “recent developments” led to its closure and expressed a (perhaps ironic) desire to help victims recover data. However, industry analysts are skeptical: Hunters had falsely promised to close before, and evidence suggests it rebranded as an extortion outfit called “WorldLeaks”. Notably, Hunters International (suspected to be a rebirth of the notorious Hive gang) targeted hundreds of organizations over two years – including a major Seattle cancer center and even the U.S. Marshals Service. Its apparent “exit” may simply be a tactical regrouping rather than a true retirement from cybercrime.
Cybersecurity Workforce and Training Initiatives: (No major global conferences took place this week, but efforts to bolster cyber talent continued.) For example, industry and government leaders highlighted training at events like the NATO Locked Shields 2025 exercise, where multinational teams (a Germany–Singapore coalition, aided by platforms like CrowdStrike Falcon) tested their cyber-defense skills. Meanwhile, new reports (e.g., CrowdStrike’s mid-year threat updates) underscored the need for more skilled defenders in cloud security and identity protection as adversaries innovate. These developments show a growing recognition that human expertise and international collaboration are as crucial as technology in staying ahead of threats.
Conclusion
Defense in Depth: This week’s incidents reinforce the importance of layered defenses. Basic steps like prompt patching (e.g. for critical flaws in Citrix, Cisco, and Chrome) and rigorous access controls (to thwart social engineering and insider abuse) could have prevented many incidents. Organizations should ensure software is up to date and employ strong authentication/verification, especially for IT helpdesk processes, to blunt attacks.
Third-Party and Insider Risks: Major breaches (Qantas, Nova Scotia Power) highlight that an organization’s security is only as strong as its partners’ and employees’ vigilance. Breach responses included offering credit monitoring and engaging law enforcement, but the damage to customer trust and potential legal repercussions are significant. Companies must vet the security of vendors and provide regular training to staff to spot phishing and bribery attempts.
Threat Actors Evolving: From new ransomware like Bert adopting cross-platform tactics to state-aligned hackers targeting critical infrastructure, cyber adversaries are constantly adapting. The shutdown of one criminal group (Hunters Intl.) and emergence of others underscores a fluid threat landscape. Security teams should stay alert to threat intelligence updates – such as FBI/Interpol warnings and industry reports – to adjust defenses against the latest techniques (e.g. deepfake voice phishing, human-trafficking-fueled scam operations).
Collaboration is Key: On a positive note, this week showed increased global cooperation against cyber threats – whether through international partnerships (Germany-Israel cyber center), cross-border law enforcement actions (arrests in Spain, Brazil), or multi-nation training exercises. Sharing information and best practices across borders and sectors will be vital as threats know no boundaries. Organizations and nations alike are recognizing that cybersecurity is a team sport, requiring collective effort and transparency.
Sources
darkreading.com
therecord.media
- Nova Scotia Power breach
- Spain arrests over government official data leaks
- Brazil insider bank theft
- Bert ransomware identified
- Russia St. Petersburg internet outage
- Germany-Israel cyber pact
- Interpol on West Africa scam compounds
- Russia jails cyber traitor
- Hunters International shutdown