Edward Kiledjian's Threat Intel
  • UK eyes new laws as cable sabotage blurs line between war and peace www.theregister.com/2025/07/0…

    Speaking to the National Security Strategy (Joint Committee) yesterday, Ministry of Defence parliamentary under-secretary Luke Pollard admitted that the Submarine Telegraph Act 1885 – which can impose £1,000 fines – “does seem somewhat out of step with the modern-day risk.”

    However, he pointed out that forming legislation to mitigate the risk to undersea infrastructure is a balance between a civil and military approach, but this raises the question of how the government might prosecute a perpetrator of undersea cable sabotage.

    2 July 2025
  • Cl0p cybercrime gang’s data exfiltration tool found vulnerable to RCE attacks www.theregister.com/2025/07/0…

    According to CIRCL’s summary: “An authenticated endpoint on the Cl0p operators' staging/collection host passes file- or directory-names received from compromised machines straight into a shell-escape sequence.”

    Alexandre Dulaunoy, head of CIRCL, said he doesn’t expect the team that developed the data exfiltration tool to take any corrective action to fix the vulnerability.

    Cl0p’s rivals, or other attackers, could feasibly exploit this vulnerability to disrupt the cybercrime group’s operations or even steal its data, all while using its own bespoke tool for stealing files from its targets.

    2 July 2025
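The bug class CIRCL describes (a name received from a remote machine spliced into a string that a shell then parses) is an ordinary command injection, and the fix is the same in any program that shells out on untrusted input. The following Go program is an added illustration, not code from CIRCL, The Register, or the tool they analysed: `runViaShell`, `runAsArgv`, `validateName` and the sample name are constructed here, and `echo` stands in for whatever command the real program would run.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
)

// runViaShell reproduces the bug class: the caller-supplied name is spliced
// into a command string that a shell then parses, so ';', '|', '$(...)' and
// similar metacharacters inside the name become extra commands.
// (echo stands in for whatever the real program would run.)
func runViaShell(name string) (string, error) {
	out, err := exec.Command("sh", "-c", "echo "+name).CombinedOutput()
	return string(out), err
}

// runAsArgv passes the name as a single argv element directly to the
// program; no shell ever sees it, so metacharacters are just bytes in an
// argument and cannot start a second command.
func runAsArgv(name string) (string, error) {
	out, err := exec.Command("echo", name).CombinedOutput()
	return string(out), err
}

// safeName is an allow-list for values that will be used as file names:
// ASCII letters, digits, dot, underscore and dash, no leading dot and no
// path separators. Applying it at the trust boundary means the defence does
// not depend on every caller remembering to use runAsArgv.
var safeName = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9._-]{0,254}$`)

// validateName reports whether a received name passes the allow-list.
func validateName(name string) bool {
	return safeName.MatchString(name)
}

func main() {
	// Constructed sample: a name a remote peer could send.
	untrusted := "report.txt; echo INJECTED"

	if out, err := runViaShell(untrusted); err == nil {
		// The second output line shows that the injected command ran.
		fmt.Printf("shell string:\n%s", out)
	}
	if out, err := runAsArgv(untrusted); err == nil {
		// The whole name is printed as one argument; nothing executed.
		fmt.Printf("argv:\n%s", out)
	}
	fmt.Println("allowed:", validateName("report.txt"), validateName(untrusted))
}
```

Both layers matter: building argv directly removes the shell from the path, and the allow-list rejects anything that is not a plausible file name before it reaches any command, path join, or log line.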
  • Silent Push Uncovers Chinese Fake Marketplace e-Commerce Phishing Campaign Using Thousands of Websites to Spoof Popular Retail Brands www.silentpush.com/blog/fake…

    Our team has uncovered thousands of domains spoofing various payment and retail brands in connection to this campaign including (but not limited to): PayPal, Apple, Wayfair, Lane Bryant, Brooks Brothers, Taylor Made, Hermes, REI, Duluth Trading, Omaha Steaks, Michael Kors, and many, many more peddling everything from luxury watches to garage doors. […] After we found a private technical fingerprint associated with the threat actor’s infrastructure, which contained Chinese words and characters, we have high confidence that the developers of this network are from China.

    2 July 2025
  • Can You Trust that Verified Symbol? Exploiting IDE Extensions is Easier Than it Should Be www.ox.security/can-you-t…

    Integrated Development Environments (IDEs) play a major role in today’s programming landscape. They provide comprehensive environments in which programmers can write, test, and debug code efficiently. However, OX’s research, conducted in May and June 2025, reveals critical security vulnerabilities in how popular IDEs handle extension verification.

    To test our theory, the OX research team created malicious extensions on three of the most popular IDEs: Visual Studio Code, Visual Studio, and IntelliJ IDEA. At the start of our test, all three extensions appeared to be verified and trustworthy, presented with the original packaging, including the number of downloads, user ratings, and the blue “verified” symbol.

    2 July 2025
  • Houken: Seeking a Path by Living on the Edge With Zero-Days www.cert.ssi.gouv.fr/uploads/C…

    In September 2024, ANSSI observed an attack campaign seeking initial access to French entities’ networks through the exploitation of several zero-day vulnerabilities on Ivanti Cloud Service Appliance (CSA) devices. French organizations from governmental, telecommunications, media, finance, and transport sectors were impacted.

    ANSSI’s investigations led to the conclusion that a unique intrusion set was leveraged to conduct this attack campaign. The Agency named this intrusion set “Houken”.

    ANSSI suspects that the Houken intrusion set is operated by the same threat actor as the intrusion set previously described by MANDIANT as UNC5174. Since 2023, Houken has likely been used by an access broker to gain a foothold on targeted systems, which could eventually be sold to entities interested in carrying out deeper post-exploitation activities. Though already documented for its opportunistic exploitation of vulnerabilities on edge devices, the use of zero-days by a threat actor linked to UNC5174 is new to ANSSI’s knowledge.

    2 July 2025
  • Like SEO, LLMs May Soon Fall Prey to Phishing Scams www.darkreading.com/cyber-ris…

    Just as attackers have exploited search engine optimization (SEO) techniques to push phishing content in search engine results, expect to soon see them leverage AI-optimized content to influence the outputs of large language models (LLMs) for the same purpose.

    Making the task possible for them is the tendency by LLMs to often return incorrect domain information in response to simple natural language queries, according to a recent experiment by Netcraft.

    2 July 2025
  • We’ve All Been Wrong: Phishing Training Doesn’t Work www.darkreading.com/endpoint-…

    A recent study suggests, contrary to popular belief, that most phishing awareness initiatives aren’t having a material impact on employee cybersecurity.

    The group of participants with the best outcomes were those who completed interactive training — they were measured to be 19% less likely to click on phishing links thereafter. In other words, companies that deploy the most effective training courses available can expect a quarter of their employees to improve around 20%.

    [A study to be introduced at Black Hat USA] leaves open the possibility that certain, unexplored kinds of training could work, like more expensive, one-on-one in-person coaching. Companies might also consider how to incentivize employees to make cybersecurity a part of their jobs — for example, by giving them some financial stake in the company’s future.

    2 July 2025
  • DEVMAN Ransomware: Analysis of New DragonForce Variant - ANY.RUN’s Cybersecurity Blog

    A new ransomware variant, DEVMAN, appears to be a modified version of DragonForce, utilizing its codebase but with unique traits and identifiers. The DEVMAN sample exhibits unusual behaviors, such as encrypting its own ransom notes and displaying a lack of external C2 communication. Despite its experimental nature and flaws, the DEVMAN variant highlights the evolving landscape of ransomware-as-a-service and the emergence of new threat actors.

    2 July 2025
  • Paywalls are common in online news, but few US adults pay for news | Pew Research Center

    2 July 2025
  • Qantas discloses cyberattack amid Scattered Spider aviation breaches

    Qantas, Australia’s largest airline, disclosed a cyberattack that compromised a third-party customer servicing platform, potentially exposing data of 6 million customers. The attack, possibly linked to the “Scattered Spider” threat group, involved a call center breach and is part of a larger trend of attacks on the aviation industry. Qantas stated that no financial information was exposed and notified relevant authorities.

    2 July 2025
  • Australia’s Qantas says 6 million customer accounts accessed in cyber hack | Reuters

    Qantas reported a cyber breach affecting six million customer accounts, including names, email addresses, phone numbers, birth dates, and frequent flyer numbers. The breach, which targeted a third-party customer service platform, is Australia’s largest in years and comes as a setback for Qantas, which is rebuilding trust after a reputational crisis. Qantas stated that the breach did not impact operations or safety and that they are investigating the extent of the stolen data.

    2 July 2025
  • Hackers Make Hay? Smart Tractors Vulnerable to Full Takeover www.darkreading.com/cloud-sec…

    At this year’s Black Hat USA event in Las Vegas, Felix Eberstaller and Bernhard Rader of Limes Security GmbH will reveal the unprecedented access they obtained to connected tractors across the world, particularly in Asia and Europe. They did so through the FJD AT2, a particularly vulnerable aftermarket steering system developed by Chinese manufacturer FJDynamics.

    “Once you gain control over the network traffic of the tractor — for example, you’re on the same network — or you have advanced manual capabilities like a nation-state actor, you can just exchange the updates that are being pulled from the cloud,” Eberstaller explains. “The update mechanism is really badly designed. It has no TLS encryption, it has no signatures, so you just can say: ‘Hey tractor, this is your new firmware, just download it.’”

    2 July 2025
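The flaw Eberstaller describes is that the device accepts whatever image the download returns. Transport encryption alone does not fix that (a compromised mirror or CDN still serves whatever it likes); the device must verify a signature from a key it already trusts before flashing. The Go program below is an added example of that device-side check, not code from Limes Security or FJDynamics: the names `signFirmware` and `verifyAndApply`, the Ed25519 choice, and the sample image bytes are constructed here, and the vendor public key is assumed to be baked into the device at manufacture.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"log"
)

// ErrBadSignature means the image must not be written to flash.
var ErrBadSignature = errors.New("firmware signature did not verify; update rejected")

// signFirmware stands in for the vendor's release step (hypothetical name):
// the private key lives offline at the vendor and never on the device or the
// update server. The signature is distributed alongside the image.
func signFirmware(vendorPriv ed25519.PrivateKey, image []byte) []byte {
	return ed25519.Sign(vendorPriv, image)
}

// verifyAndApply is the check the device-side update client runs on every
// downloaded image before flashing it. vendorPub is the key baked into the
// device at manufacture (constructed in main for this example).
func verifyAndApply(vendorPub ed25519.PublicKey, image, sig []byte) ([]byte, error) {
	// ed25519.Verify panics on a malformed public key and returns false on a
	// wrong-length signature; reject both explicitly so the failure is uniform.
	if len(vendorPub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return nil, ErrBadSignature
	}
	if !ed25519.Verify(vendorPub, image, sig) {
		return nil, ErrBadSignature
	}
	// Only a verified image reaches this point; a real client would flash it here.
	return image, nil
}

func main() {
	// Constructed vendor key pair; in production only the public half ships.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	image := []byte("constructed firmware image v2.0")
	sig := signFirmware(vendorPriv, image)

	if _, err := verifyAndApply(vendorPub, image, sig); err != nil {
		fmt.Println("genuine image:", err)
	} else {
		fmt.Println("genuine image: accepted")
	}

	// Anyone who can swap the download cannot produce a valid signature
	// without the vendor key, so the swapped image is refused.
	swapped := []byte("constructed replacement image")
	if _, err := verifyAndApply(vendorPub, swapped, sig); err != nil {
		fmt.Println("swapped image:", err)
	}
}
```

The check is independent of how the image arrived: keep it even once TLS is in place, since TLS authenticates the server, not the firmware.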
  • AT&T now lets you lock down your account to prevent SIM swapping attacks www.theverge.com/news/6959…

    AT&T is launching a new Account Lock feature that’s designed to protect wireless users against SIM swapping attacks. The feature, which you can enable from the myAT&T app, prevents unauthorized changes to your account, like phone number transfers, SIM card changes, and updates to billing information.

    2 July 2025
  • GIFTEDCROOK’s Strategic Pivot: From Browser Stealer to Data Exfiltration Platform During Critical Ukraine Negotiations arcticwolf.com/resources…

    Recent campaigns in June 2025 demonstrate GIFTEDCROOK’s enhanced ability to exfiltrate a broad range of sensitive documents from the devices of targeted individuals, including potentially proprietary files and browser secrets. This shift in functionality, combined with the content of its phishing lures, coupled with observed attack timings coinciding with critical geopolitical events such as June’s Ukraine peace negotiations hosted in Istanbul, suggests a strategic focus on intelligence gathering from Ukrainian governmental and military entities.

    2 July 2025
  • Russian bulletproof hosting service Aeza Group sanctioned by US for ransomware work therecord.media/russia-bu…

    Aeza Group is a bulletproof hosting (BPH) services provider, the department said, that allows cybercriminals to avoid law enforcement while renting IP addresses, servers and domains used for disseminating malware, supporting darknet markets and carrying out other tasks related to fraud and cyberattacks.

    In addition to targeting Aeza Group, Treasury officials said they are sanctioning two affiliated companies and four individuals who are company leaders. CEO Arsenii Aleksandrovich Penzev was cited for his role in owning and running Aeza Group. Penzev has allegedly been involved in multiple bulletproof hosting and illicit drug marketplace businesses.

    2 July 2025
  • Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations www.microsoft.com/en-us/sec…

    This blog provides additional information on the North Korean remote IT worker operations we published previously, including Jasper Sleet’s usual TTPs to secure employment, such as using fraudulent identities and facilitators. We also provide recent observations regarding their use of AI tools. Finally, we share detailed guidance on how to investigate, monitor, and remediate possible North Korean remote IT worker activity, as well as detections and hunting capabilities to surface this threat.

    2 July 2025
  • Hundreds of laptops, bank accounts linked to North Korean fake IT workers scheme seized in major crackdown www.politico.com/news/2025…

    The major government crackdown follows recent findings by cybersecurity experts revealing that several Fortune 500 firms were impacted by the intricate plot, which involves North Korean operatives using stolen identities and sophisticated AI tools to sail through the interview and hiring process. The cyber operation has grown more prolific as remote work in the U.S. has exploded, particularly in response to the Covid-19 pandemic.

    2 July 2025
  • Incident: Qilin Ransomware Group Leads June Attacks Targeting Critical Sectors

    Date of Incident (ET): Not Specified in Reporting

    Date of Disclosure/Publication (ET): July 1, 2025

    Summary: The Qilin ransomware group emerged as the most active operator in June 2025, claiming 86 victims across high-value sectors including telecommunications, healthcare, and transportation, utilizing a sophisticated ransomware-as-a-service model.

    Source: cyble.com/blog/top-…

    Incident: Pro-Russian Hacktivist Group CyberVolk Deploys New Ransomware

    Date of Incident (ET): June 28, 2025

    Date of Disclosure/Publication (ET): July 1, 2025

    Summary: The hacktivist group CyberVolk released a new Go-based ransomware strain, with samples detected in the wild encrypting files with a “.CyberVolk” extension and leaving a text file ransom note.

    Source: cyble.com/blog/top-…

    Incident: Nucor Steel Halts Production Following Cyberattack and Data Theft

    Date of Incident (ET): Not Specified in Reporting

    Date of Disclosure/Publication (ET): June 30, 2025

    Summary: Steel manufacturer Nucor confirmed a cyberattack compromised its IT systems, resulting in data theft and a temporary halt to production operations at multiple critical infrastructure facilities.

    Source: research.checkpoint.com/2025/29th…

    Incident: Trezor Hardware Wallet Discloses Phishing Attack via Support Portal Breach

    Date of Incident (ET): Not Specified in Reporting

    Date of Disclosure/Publication (ET): June 30, 2025

    Summary: Cryptocurrency hardware wallet maker Trezor suffered a data breach of its third-party support system, enabling threat actors to send phishing emails from an official address to steal wallet seed phrases.

    Source: research.checkpoint.com/2025/29th…

    Incident: INC Ransom Group Claims Attack on Ahold Delhaize, Leaks Data

    Date of Incident (ET): Not Specified in Reporting

    Date of Disclosure/Publication (ET): June 30, 2025

    Summary: The INC Ransom group claimed responsibility for an attack against global food retailer Ahold Delhaize, publishing samples of allegedly stolen sensitive data including financial and medical information.

    Source: research.checkpoint.com/2025/29th…

    1 July 2025
  • Iran Threatens To Release 100GB of Trump Aides' Emails: What To Know - Newsweek

    An Iran-linked hacking group has threatened to release approximately 100 gigabytes of stolen emails from President Donald Trump’s longtime aides, including White House chief of staff Susie Wiles and adviser Roger Stone, according to Reuters. The hackers, operating under the pseudonym “Robert,” also claim to have emails from Trump attorney Lindsey Halligan and adult film actress Stormy Daniels, having previously released some material during the 2024 presidential campaign that included details about financial arrangements and settlement negotiations. The U.S. Cybersecurity and Infrastructure Security Agency called it a “calculated smear campaign” and “digital propaganda” by a hostile foreign adversary, with FBI Director Kash Patel warning of full prosecution for national security breaches. The threat comes amid heightened U.S.-Iran tensions following Trump’s June strikes on Iranian nuclear facilities, with the hackers stating they changed their post-election stance after Trump’s intervention in the Iran-Israel crisis.

    1 July 2025
  • Android threats rise sharply, with mobile malware jumping by 151% since start of year www.malwarebytes.com/blog/news…

    Recent Malwarebytes threat research data reveals a sharp rise in mobile threats across the board, with malware targeting Android devices up 151%.

    We’ve seen a 147% increase in spyware, a broad category of apps that collect user data without consent, with a notable spike in Feb and March. In fact, the February/March levels represent nearly a 4x multiplication of the baseline.

    Perhaps even more alarming is a 692% spike in SMS-based malware between April and May, a jump that we can’t just chalk up to coincidence. It could be due to seasonal scams like those we always see around tax season, which hit consumers hard this year, or widespread campaigns like toll fee scams, which also come in surges.

    30 June 2025
  • Sophos: The State of Ransomware 2025 assets.sophos.com/X24WTUEQ/…

    For the third year running, victims identified exploited vulnerabilities as the most common technical root cause of attack, used in 32% of incidents.

    Multiple operational factors contribute to organizations falling victim to ransomware, with the most common being a lack of expertise, named by 40.2% of victims. It is followed in very close succession by having security gaps that the organization was not aware of, which was a contributing factor in 40.1% of attacks. In third place was lack of people/capacity, which contributed to 39.4% of attacks.

    49% of victims paid the ransom to get their data back. While this represents a slight drop from last year’s 56%, it is the second highest ransom payment rate in six years.

    30 June 2025
  • EU reinforces its cybersecurity with post-quantum cryptography digital-strategy.ec.europa.eu/en/news/e…

    All Member States should start transitioning to post-quantum cryptography by the end of 2026. At the same time, the protection of critical infrastructures should be transitioned to PQC as soon as possible, no later than by the end of 2030.

    30 June 2025
  • Geopolitical Environment www.cisa.gov/news-even…

    Today, CISA, in collaboration with the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA), released a Fact Sheet urging organizations to remain vigilant against potential targeted cyber operations by Iranian state-sponsored or affiliated threat actors.

    Over the past several months, there has been increasing activity from hacktivists and Iranian government-affiliated actors, which is expected to escalate due to recent events. These cyber actors often exploit targets of opportunity based on the use of unpatched or outdated software with known Common Vulnerabilities and Exposures or the use of default or common passwords on internet-connected accounts and devices.

    30 June 2025
  • Facebook is starting to feed its AI with private, unpublished photos | The Verge

    Meta is testing a new “cloud processing” feature that asks Facebook users to allow the platform to regularly upload photos from their camera roll to generate AI-powered content suggestions like collages and themed recaps. While Meta states it’s not currently training AI models on these unpublished photos, the company declined to answer whether it might do so in the future or what rights it holds over camera roll images. The opt-in feature grants Meta permission to analyze “media and facial features” of unpublished photos and “retain and use” that personal information under Meta AI terms, despite the company’s vague privacy protections compared to competitors like Google Photos. Although Meta claims it only accesses 30 days of camera roll data, some themed suggestions may include older photos, and users have reported receiving AI restyling suggestions on previously uploaded photos without their knowledge, raising concerns about expanded access to previously private data.

    30 June 2025
  • Ottawa orders Chinese tech firm to close Canadian operations over national security - National | Globalnews.ca

    The Canadian government has ordered Chinese surveillance camera manufacturer Hikvision Canada Inc. to shut down and leave the country following a national security review under the Investment Canada Act. Industry Minister Mélanie Joly said the decision was based on intelligence community findings that the company’s continued operations would harm national security. Hikvision, the world’s largest surveillance equipment manufacturer operating in Canada since 2014, has faced similar sanctions in the U.S., Australia, and U.K. over allegations it supplied cameras used in China’s Xinjiang region where Uyghurs face human rights abuses. The company strongly disputed the decision, claiming it reflects geopolitical bias against Chinese companies, while the government is also banning federal departments from using Hikvision equipment.

    29 June 2025
