
Cybersecurity Week in Review: July 22 - 28, 2025

Cyberattacks, data breaches, zero-days, and global responses—discover the biggest cybersecurity headlines of this week.

Major Data Breaches and Leaks

  • Allianz Life Insurance (1.4M customers): The U.S. arm of Allianz disclosed that a third-party cloud CRM platform was breached via social engineering on July 16, exposing personally identifiable information of the majority of its 1.4 million customers, financial professionals, and some employees. The insurer contained the incident, notified the FBI, and suspects an extortion group (potentially “ShinyHunters”) was behind the attack. No internal systems were compromised, but breach notices are being sent and credit monitoring offered.

  • Tea App (women-only platform): A misconfigured cloud storage bucket led to the leak of 59 GB of user data from the Tea app, including ~72,000 images (13,000+ user selfies with photo IDs used for verification) and tens of thousands of photos from posts, comments, and DMs. Threat actors shared the stolen images (e.g. driver’s licenses, selfies) on forums, putting users at risk of harassment or fraud. To make matters worse, a second unsecured database containing 1.1 million private chat messages between users was also discovered. Affected users (those who joined before Feb 2024) have been warned to remain vigilant.

  • AMEOS Healthcare Group (Central Europe): AMEOS, a Zurich-based operator of 100+ hospitals and clinics across Switzerland, Germany, and Austria, revealed that external hackers breached its network, potentially accessing sensitive patient, employee, and partner data. The company shut down all IT systems and network connections as a precaution and filed a police complaint. While there’s no evidence yet of data being leaked or misused, AMEOS issued public breach notices (per GDPR) and advised past patients to watch out for phishing attempts.

  • Other Notable Leaks: Luxury retailer Dior began notifying U.S. customers of a breach from May (personal data compromised in a cyber incident). Meanwhile, UK retailer Co-op confirmed that data of 6.5 million loyalty members was stolen in an April cyberattack (disclosed in mid-July), highlighting the long tail of earlier breaches.
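The Tea leak above came from a storage bucket that anyone could read. The following is an added example, not code from the original post or from Tea, showing the kind of static check a cloud team can run over bucket policies before deployment: it flags any statement that lets an anonymous principal read objects or list the bucket. The report does not name Tea's cloud provider, so AWS S3 bucket-policy syntax is an assumption, and the sample policies (bucket names, account id, role name) are constructed for illustration.

```python
"""Flag storage bucket policies that grant anonymous read access.

Added example (not the original post's or Tea's code). Evaluates AWS S3-style
bucket policy JSON; provider and syntax are an assumption. Sample policies
below are constructed.
"""
import json

# Actions that, granted to everyone, expose bucket contents (lower-cased for comparison).
READ_ACTIONS = ("s3:getobject", "s3:listbucket", "s3:*", "s3:get*")

# Constructed policy: the first statement is the classic "public read" mistake.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-verification-photos/*"},
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-server"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-verification-photos",
                      "arn:aws:s3:::example-verification-photos/*"]},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-verification-photos/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Constructed policy with no anonymous grant at all.
SAFE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-server"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-verification-photos/*"},
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (everyone, including unauthenticated)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def _grants_read(actions):
    """True if any action lets the grantee read objects or list the bucket."""
    for action in _as_list(actions):
        action = action.lower()
        if action == "*" or action in READ_ACTIONS:
            return True
        # Wildcards such as "s3:Get*" cover s3:GetObject.
        if action.endswith("*") and any(r.startswith(action[:-1]) for r in READ_ACTIONS):
            return True
    return False


def public_read_statements(policy_json):
    """Return the statements that grant unconditional anonymous read access."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action", [])):
            continue
        if stmt.get("Condition"):
            # Conditional grants (VPC endpoint, source IP, ...) need manual review
            # rather than an automatic finding.
            continue
        findings.append({"sid": stmt.get("Sid", f"statement[{i}]"),
                         "resource": _as_list(stmt.get("Resource"))})
    return findings


if __name__ == "__main__":
    for finding in public_read_statements(OPEN_POLICY):
        print("PUBLIC READ:", finding["sid"], finding["resource"])
    print("safe policy findings:", public_read_statements(SAFE_POLICY))
```

The check deliberately ignores Deny statements and anything carrying a Condition, so it reports only the unambiguous case; a bucket-level public access block or its equivalent on other providers remains the stronger control, since it overrides a policy like `PublicRead` regardless of how it was written.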

Significant Cyberattacks and Incidents

  • Mass Exploitation of Microsoft SharePoint (ToolShell Campaign): Chinese state-backed hacking groups launched a widespread campaign exploiting newly disclosed SharePoint zero-day flaws (“ToolShell”) to infiltrate organizations globally. At least 400 government and business systems worldwide were breached. Notably, the U.S. Department of Energy’s National Nuclear Security Administration (NNSA) was compromised on July 18 via this SharePoint attack chain. While no classified data was taken and impacts were minimized, the incident prompted urgent incident response across U.S. federal agencies. Microsoft reported the China-based actor “Storm-2603” even began deploying Warlock ransomware on some compromised SharePoint servers. (Other Chinese APTs dubbed “Linen Typhoon” and “Violet Typhoon” were also exploiting these SharePoint bugs for espionage.) This mass web-server compromise underscores the danger of unpatched enterprise apps.

  • China’s APT41 Expands Espionage to Africa: Prolific Chinese cyber-espionage group APT41 (aka “Wicked Panda”) targeted a Southern African government IT services provider in a highly tailored attack. The hackers deployed info-stealers and credential harvesters that remarkably included hard-coded details of the victim’s internal network. They even co-opted one of the victim’s own SharePoint servers as a command-and-control server to blend in. This marks an unusual foray by APT41 into Africa (a region previously with little APT41 activity), signaling Beijing’s broadened cyber interest. The incident involved typical APT41 tactics, custom malware, embedded proxies, and stolen credentials, suggesting a long-term espionage mission rather than a smash-and-grab.

  • “Scattered Spider” Hijacks VMware Infrastructure (Ransomware): The Scattered Spider threat group (affiliated with UNC3944, aka 0ktapus/Octo Tempest) executed a string of fast-moving ransomware attacks against U.S. companies in retail, airlines, and transportation. Uniquely, the attackers used phone-based social engineering to trick IT help desks into resetting credentials, then leveraged privileged access to pivot from Active Directory into VMware vSphere environments. Once inside vCenter, they enabled backdoor access (via a tool called “Teleport”), turned on SSH on ESXi hypervisors, and performed a “disk swap”, detaching live domain controller virtual disks to copy the Active Directory database (NTDS.dit) for credential theft. After removing backups and snapshots, they pushed a custom ransomware binary to encrypt VMware ESXi servers and their VMs. This novel hypervisor-level attack bypassed many endpoint defenses and could go from initial breach to full encryption in mere hours. Security teams are urged to harden help-desk verification processes and lock down virtualization admin access as a result.

  • Ransomware Fallout, Company Closures: A devastating Akira ransomware attack earlier in the summer led to the collapse of KNP Logistics, a 158-year-old UK transport company, by July 2025. The breach, traced to a single weak password, wiped critical data and left the firm unable to operate, costing roughly 700 jobs. The incident, along with similar attacks on smaller municipalities and firms, underscores how ransomware can irreparably damage organizations that lack resilient backups or incident response plans.

  • Other Incidents: U.S. tech retailer Newegg suffered a targeted phishing attack on July 25 that briefly defaced its DNS records (users were redirected to a bogus site), though no customer data loss occurred (the company quickly regained control). Also, Europol coordinated an operation against a DDoS-for-hire service, resulting in arrests and disruptions of platforms enabling large-scale DDoS attacks, a reminder of the persistent threat of cybercriminal “as-a-service” offerings.
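The Scattered Spider write-up above names three hypervisor-level actions a defender can look for: SSH being enabled on ESXi hosts, a domain controller's virtual disk being detached and reattached to another VM (the “disk swap”), and snapshots being removed before encryption. The following is an added example, not code from the original post, from Google/Mandiant or from VMware, that runs that hunt over exported vCenter/ESXi events. The event type names `esx.audit.ssh.enabled`, `VmReconfiguredEvent` and `VmSnapshotRemovedEvent` are real vSphere identifiers, but the JSON-lines export format, the message wording and the sample events themselves are constructed assumptions; the inventory of domain controller VM names is also assumed.

```python
"""Hunt for the ESXi 'disk swap' pattern in exported vCenter/ESXi events.

Added example (not from the original post or any vendor). Assumes events were
exported as JSON lines with the fields below; the field layout, message text
and sample events are constructed for illustration.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = """\
{"ts":"2025-07-20T02:11:03Z","type":"esx.audit.ssh.enabled","host":"esx01","user":"admin@vsphere.local","vm":"","msg":"SSH access has been enabled."}
{"ts":"2025-07-20T02:14:40Z","type":"VmReconfiguredEvent","host":"esx01","user":"admin@vsphere.local","vm":"DC01","msg":"Removed disk [datastore1] DC01/DC01.vmdk"}
{"ts":"2025-07-20T02:15:12Z","type":"VmReconfiguredEvent","host":"esx01","user":"admin@vsphere.local","vm":"jumpbox","msg":"Added disk [datastore1] DC01/DC01.vmdk"}
{"ts":"2025-07-20T02:40:00Z","type":"VmSnapshotRemovedEvent","host":"esx01","user":"admin@vsphere.local","vm":"FS01","msg":"Removed snapshot pre-patch"}
{"ts":"2025-07-21T09:00:00Z","type":"VmReconfiguredEvent","host":"esx02","user":"ops@vsphere.local","vm":"web01","msg":"Added disk [datastore2] web01/web01_1.vmdk"}
"""

DOMAIN_CONTROLLERS = {"DC01", "DC02"}   # assumed inventory of DC VM names
SWAP_WINDOW = timedelta(hours=1)        # detach-to-reattach window worth alerting on

# Assumed message format for disk add/remove reconfigurations.
DISK_RE = re.compile(r"^(Removed|Added) disk (\[.+?\] .+\.vmdk)$")


def parse_events(text):
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_disk_swaps(events):
    """Return (removed_event, added_event) pairs where a DC's VMDK is detached
    and then attached to a different VM within SWAP_WINDOW."""
    removed = {}   # vmdk path -> the event that detached it from a DC
    swaps = []
    for event in events:
        if event.get("type") != "VmReconfiguredEvent":
            continue
        match = DISK_RE.match(event["msg"])
        if not match:
            continue
        action, vmdk = match.groups()
        if action == "Removed" and event["vm"] in DOMAIN_CONTROLLERS:
            removed[vmdk] = event
        elif action == "Added" and vmdk in removed:
            prior = removed[vmdk]
            if event["vm"] != prior["vm"] and event["ts"] - prior["ts"] <= SWAP_WINDOW:
                swaps.append((prior, event))
    return swaps


def hunt(text):
    """Return a list of (finding, subject, user, timestamp) tuples."""
    events = parse_events(text)
    findings = []
    for event in events:
        if event["type"] == "esx.audit.ssh.enabled":
            findings.append(("ssh_enabled", event["host"], event["user"], event["ts"]))
        elif event["type"] == "VmSnapshotRemovedEvent":
            findings.append(("snapshot_removed", event["vm"], event["user"], event["ts"]))
    for prior, current in find_disk_swaps(events):
        findings.append(("dc_disk_swap", f"{prior['vm']}->{current['vm']}",
                         current["user"], current["ts"]))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(*finding)
```

Each of the three findings is noisy on its own (admins do enable SSH and delete snapshots), which is why the disk-swap rule correlates a detach from a known DC with a reattach elsewhere inside a short window; the same three signals produced by one account within an hour, as in the constructed sample, is the pattern worth paging on.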

Critical Vulnerabilities and Patches

  • Microsoft SharePoint 0-Days (CVE-2025-49706 & CVE-2025-49704): Two critical SharePoint Server vulnerabilities, one authentication bypass/spoofing and one remote code execution, were actively exploited in the wild as part of the “ToolShell” attack chain. These flaws (present in on-prem SharePoint 2016, 2019, Subscription Ed.) allowed attackers to gain full access to SharePoint sites and deploy web shells. Microsoft rushed out patches and mitigations by late July, and on July 22 U.S. CISA added both CVE-2025-49704 and 49706 to its Known Exploited Vulnerabilities catalog. Federal agencies were ordered to patch within 24 hours. Administrators are urged to update SharePoint to the latest security update and ensure anti-malware is monitoring SharePoint servers, as these bugs have been used by multiple APT groups to steal data and even drop ransomware.

  • Cisco ISE Vulnerabilities (CVE-2025-20281/20282/20337): Cisco disclosed and fixed three CVSS 10.0 vulnerabilities in its Identity Services Engine (ISE) software, used for network access control, which allow unauthenticated remote code execution as root on the appliance. In late July, Cisco confirmed that attackers are actively attempting to exploit these flaws in the wild. The issues stem from insufficient input validation in APIs, letting attackers either send crafted API requests or upload malicious files to take over the system. On July 28, CISA added two of these (CVE-2025-20281 and 20337) to its exploited list, giving U.S. agencies until Aug 18 to patch. Urgent action: Organizations running Cisco ISE should immediately update to fixed versions, as these bugs effectively open a network’s front door to attackers if left unpatched.

  • Google Chrome Zero-Day (CVE-2025-6558): Google released an emergency Chrome browser update (v.138.0.7204.157) after discovering a high-severity sandbox escape vulnerability being exploited in the wild. The flaw, an incorrect input validation in Chrome’s GPU/ANGLE component, could allow a malicious website to break out of Chrome’s security sandbox and execute code on the host system. Google’s Threat Analysis Group, which found the bug, hinted it may have been used in targeted attacks (possibly by nation-states). Users are advised to update Chrome (and Edge/Brave/Opera browsers) to the latest version, as simply visiting a rigged webpage could silently compromise an unpatched browser.

  • Other Patches: Multiple vendors issued fixes this week. SAP patched high-risk flaws in its industrial software. VMware warned of a critical vulnerability in an end-of-life product, urging remaining users to upgrade. Meanwhile, Sophos and SonicWall both addressed critical firewall RCE bugs (one in Sophos Firewall, one in SonicWall GMS); admins should apply those patches quickly to prevent unauthorized network access.

Government and Industry Cyber Responses

  • UK Moves to Ban Ransom Payments: The UK government announced plans for a law prohibiting public sector and critical infrastructure entities from paying ransoms to cybercriminals. This ban would apply to local councils, schools, and the National Health Service, aiming to break the ransomware business model by removing criminals’ payday. Under the proposal, private-sector companies not covered by the ban must notify authorities before paying ransom, to ensure they’re not funding sanctioned groups. A mandatory reporting system for ransomware incidents is also in development. UK officials say ransomware is the country’s top cyber threat, and cite recent attacks on the NHS, British Library, and retail giant M&S as evidence of the risk. This policy shift signals a more aggressive government stance, though some experts debate whether it might push threat groups to exfiltrate and leak more data since payments could dry up.

  • Global Takedown of BlackSuit Ransomware: U.S. and European law enforcement carried out a coordinated action “Operation Checkmate,” seizing the dark web leak sites and payment portals of the BlackSuit (aka Royal) ransomware gang. On July 24, the FBI and Homeland Security Investigations, together with Europol, the UK’s National Crime Agency, German and Ukrainian police, and others, replaced BlackSuit’s Tor sites with seizure notices, effectively knocking the group’s extortion infrastructure offline. This gang had breached hundreds of organizations worldwide in recent years. Cybersecurity firm Bitdefender, which assisted in the investigation, lauded the public-private collaboration that led to this takedown. The action reflects growing international cooperation in combating ransomware operations. (Notably, Cisco Talos reported that remaining BlackSuit actors may simply rebrand as “Chaos” ransomware, so the threat persists in new form.)

  • Heightened Alerts and Advisories: Following the SharePoint hacks, CISA issued an emergency advisory with mitigation steps and is actively hunting for signs of intrusion in U.S. government networks. Industry groups like the Health ISAC also shared threat bulletins on the campaign. Separately, the FBI released public safety alerts about a loose cybercrime collective dubbed “The Com,” warning that some teen cybercriminal groups have escalated from swatting and data theft to real-world violence and extortion. And in Europe, regulators are in talks about stricter breach notification rules after a summer of significant data leaks.

  • Cyber Defense Initiatives: Governments and companies are launching new cyber defense efforts. The U.S. DOE is accelerating an initiative to improve cybersecurity at nuclear labs after the NNSA incident. NATO conducted a cybersecurity exercise in Estonia this week, involving 30 nations, to test joint responses to attacks on critical infrastructure. Industry players are forming alliances too: several tech firms announced an open AI-cyber defense consortium to share threat intel on how AI could both boost and threaten security.

Miscellaneous

  • AI Autonomy in Cyberattacks: Researchers at Carnegie Mellon University demonstrated that large language models (LLMs) can autonomously plan and execute sophisticated cyberattacks with minimal human guidance. In a controlled experiment (with support from AI firm Anthropic), an LLM-driven system called “Incalmo” successfully replicated major steps of the infamous 2017 Equifax breach, from finding a vulnerability to exploiting it, establishing persistence, and exfiltrating data. In tests across 10 simulated enterprise networks, the AI agent managed to partially or fully compromise 9 of them. This research highlights a potential future where threat actors could offload some attack tasks to AI, accelerating the speed and scale of attacks. It raises the urgency of “AI defense”: developing automated cyber defenses that can operate at machine speed to counter AI-driven threats.

  • Trojanized Software Download (Supply Chain Risk): Niche gaming hardware maker Endgame Gear revealed that hackers had compromised a configuration software update for one of its popular computer mice, inserting malware into the installer on the official website. Anyone who downloaded the OP1w mouse driver tool between June 26 and July 9 from Endgame’s site likely got infected. The company has since removed the malicious file and is investigating the breach. This incident is a reminder that even trusted vendor downloads can be tampered with; users should monitor vendor alerts and consider verifying software hashes. Similarly, in a separate case, a threat actor managed to sneak info-stealing malware into an indie game on the Steam platform (via the game’s update), illustrating how attackers continue to target software distribution channels to reach end users.

  • Cybersecurity Market and Events: The second quarter of 2025 saw a surge in cybersecurity venture funding (over $4.2B, +25% from Q1) as investors pour money into AI-driven security startups. Major industry conferences are in full swing: Black Hat USA 2025 kicks off next week in Las Vegas, where experts will present on AI in cyber defense, critical infrastructure threats, and the latest hacking techniques. And looking ahead, global cyber insurance rates are expected to rise after this year’s string of high-profile incidents, as underwriters reassess the risk of widespread exploits like the SharePoint 0-day and supply-chain attacks. Overall, the cybersecurity community is on high alert, using this week’s developments as lessons to drive improvements in defenses and policy.

Conclusion

  • Patch and Protect Critical Systems: This week’s events underscored the importance of prompt patching and rigorous maintenance of critical software. Unpatched enterprise apps (like SharePoint or Cisco ISE) were prime targets; organizations must keep systems updated and employ virtual patching or mitigation if immediate updates aren’t possible. Regular vulnerability assessments and network segmentation can limit the blast radius of such exploits.

  • Strengthen Identity and Access Management: Many incidents leveraged compromised credentials or abused legitimate access (weak passwords at KNP Logistics, help-desk social engineering at Scattered Spider victims, cloud vendor access at Allianz). Companies should enforce strong password policies and multi-factor authentication (MFA) everywhere, and train IT support staff to verify identities for any access requests. Privileged accounts (especially for domain admins or vSphere admins) should be tightly monitored and isolated to prevent lateral movement.

  • Assume Breach and Plan Resilience: The complete shutdown of a 158-year-old firm and emergency response at government agencies are stark reminders that any organization can fall victim. Incident response plans and data backups must be in place and tested. Segmented, offline backups could make the difference between a ransomware attack being a recoverable incident or a company-ending event. Drills (including ransomware tabletop exercises) should be conducted regularly, and business continuity plans updated for worst-case scenarios.

  • Collaborate and Share Intelligence: On a positive note, the takedown of BlackSuit’s infrastructure and CISA’s rapid advisories show that information sharing and public-private collaboration can yield results. Organizations should engage with industry ISACs/ISAOs and law enforcement so they’re aware of emerging threats (e.g. details of “The Com” group or new phishing tactics). Early warning from peers or government can help defenders move quickly to blunt an attack.

  • Stay Ahead of Emerging Threats: Finally, defenders must prepare for the next wave of threats, from AI-driven attacks to novel supply-chain compromises. Investing in advanced threat detection (behavioral EDR, anomaly detection in network and identity systems) is critical as attacks become faster and stealthier. Security leaders should also track legislative and policy changes (like the UK ransom ban) that may affect response options in a crisis. The key takeaway this week: a proactive, resilient and well-informed security posture is more crucial than ever for organizations and users alike.

Sources

  • BleepingComputer (cybersecurity news site), multiple articles by Lawrence Abrams, Sergiu Gatlan, Bill Toulas (July 2025)
  • The Record, Recorded Future News (reporting by Jonathan Greig, etc., on SharePoint attacks)
  • Dark Reading (InformationWeek cybersecurity media), news briefs and analysis (July 2025)
  • Cybersecurity Dive (Industry Dive), cybersecurity news and analysis (July 2025)
  • The Hacker News, security news platform (reports by Ravie Lakshmanan on July 22–28, 2025)
  • CyberScoop, cybersecurity news (coverage of FBI alerts and cyber policy)
  • SecurityWeek, cybersecurity news site (July 2025 articles on ransomware and vulnerabilities)
  • KrebsOnSecurity, security blog by Brian Krebs (analysis of July 2025 SharePoint 0-day and other issues)
  • Distributed Denial of Secrets (DDoSecrets), leak archive and reports (context on data leaks)
  • BankInfoSecurity, information security news (breach reports in financial sector, July 2025)
  • CrowdStrike, threat intelligence blog (insights on Scattered Spider and threat actor tactics)
  • Cybersecurity Ventures, cyber economics research (cybercrime cost projections for 2025)