Edward Kiledjian's Threat Intel
  • 48-hour Cyber Incident Summary

    Incident: Fortinet FortiWeb Critical SQL Injection Vulnerability
    Date of Disclosure/Publication (ET): July 11, 2025
    Summary: Critical SQL injection flaw in FortiWeb (CVE-2025-25257, CVSS 9.6) allows unauthenticated attackers to execute database commands and affects multiple versions.
    Source: thehackernews.com/2025/07/f…

    Incident: PerfektBlue Bluetooth Vulnerabilities in Vehicles
    Date of Disclosure/Publication (ET): July 11, 2025
    Summary: Four Bluetooth flaws in BlueSDK affect millions of vehicles and enable remote code execution on models from Mercedes-Benz, Volkswagen, and Skoda.
    Source: thehackernews.com/2025/07/p…

    Incident: Wing FTP Server Critical Vulnerability Exploited
    Date of Disclosure/Publication (ET): July 11, 2025
    Summary: Attackers exploit CVE-2025-47812 (CVSS 10.0) in Wing FTP Server for remote code execution via anonymous FTP; patched in version 7.4.4.
    Source: thehackernews.com/2025/07/c…

    Incident: Iranian-Backed Pay2Key Ransomware Resurfaces
    Date of Disclosure/Publication (ET): July 11, 2025
    Summary: Pay2Key.I2P ransomware, linked to Fox Kitten, resurfaces offering an 80 percent profit share and targets Israeli and United States entities.
    Source: thehackernews.com/2025/07/i…

    Incident: Citrix NetScaler Vulnerability Added to CISA KEV
    Date of Disclosure/Publication (ET): July 10, 2025
    Summary: CVE-2025-5777 (CVSS 9.3) in Citrix NetScaler enables authentication bypass; active exploitation targets enterprises, and the flaw was added to CISA's Known Exploited Vulnerabilities catalog.
    Source: thehackernews.com/2025/07/c…

    Incident: mcp-remote Critical Vulnerability
    Date of Disclosure/Publication (ET): July 10, 2025
    Summary: CVE-2025-6514 (CVSS 9.6) in mcp-remote allows OS command execution; the package has over 437,000 downloads, so exposure risks full system compromise.
    Source: thehackernews.com/2025/07/c…

    Incident: UK Arrests in Scattered Spider Ransomware Group
    Date of Disclosure/Publication (ET): July 10, 2025
    Summary: UK police arrested four individuals aged 17 to 20 linked to Scattered Spider for data theft and extortion against multiple retailers.
    Source: krebsonsecurity.com/2025/07/u…

    11 July 2025
  • Turkey bans 8 global eSIM providers, curbing access for travelers - Turkish Minute

    Article claims: Turkey’s Information and Communication Technologies Authority (BTK) blocked access to eight international eSIM providers, forcing travelers to rely on domestic carriers with government ties. Critics argue this move benefits pro-government telecom operators and limits access to cheaper alternatives.

    11 July 2025
  • Black Yak faces 1.391 billion won penalty after massive data breach - CHOSUNBIZ

    Black Yak, a mountaineering equipment company, was fined 1.391 billion won for a data breach involving 340,000 customer records. The breach occurred due to a SQL injection attack on their website, highlighting the importance of robust security measures, especially for remote work environments.

    11 July 2025
  • Paddy Power data breach: Everything you need to know | The Standard

    A data breach at Paddy Power and Betfair, owned by Flutter Entertainment, affected up to 800,000 customers in Britain and Ireland. The breach involved usernames, email addresses, and IP addresses, but no banking details were accessed. Customers were notified by email and are advised to contact customer service with any questions.

    11 July 2025
  • Canadian media giant Rogers named as victim of Chinese telecom hackers - Nextgov/FCW

    Salt Typhoon, a Chinese threat group, has reportedly targeted Rogers Communications, Canada’s largest wireless provider, as part of a global cyber-espionage campaign. Rogers denies the breach and states the claim was disproven by two independent cybersecurity firms. Canada’s Cyber Centre confirmed three network devices belonging to a Canadian telecom provider were compromised in February 2025 using a known 2023 Cisco router vulnerability but did not name Rogers. In 2023, Rogers provided data on 162,000 customers under lawful access requests. Salt Typhoon has previously targeted telecom firms in the U.S., U.K., South Africa, and Myanmar.

    9 July 2025
  • AiLock ransomware: What you need to know | Fortra

    AiLock is a ransomware-as-a-service operation that threatens to expose data breaches to regulators and competitors if victims do not pay the ransom within 72 hours. The ransom note, “ReadMe.txt,” warns of data publication and destruction of the recovery tool if the ransom is not paid within five days. While paying the ransom may result in data recovery and confidentiality assurances, there is no guarantee of trustworthiness from these cybercriminals.

    9 July 2025
  • Threat Actor Targeting Indian Defense Sector | Security Magazine

    APT36, a Pakistan-based threat actor, has launched a sophisticated cyber-espionage campaign targeting India’s defence sector, with a notable shift toward Linux-based environments, particularly BOSS Linux—a system widely used by Indian government agencies. According to CYFIRMA, the group uses phishing emails containing malicious .desktop files within ZIP attachments to deploy ELF binaries for unauthorized access, masked by legitimate PowerPoint files. Experts like Shane Barney (Keeper Security) and Jason Soroko (Sectigo) emphasize the evolving threat landscape and call for layered security strategies, including behavioural detection, email security, endpoint visibility, and user awareness. The campaign underscores the need for modern, automated defences capable of identifying multi-stage, deceptive attack vectors.

    9 July 2025
  • ServiceNow security advisory (AV25-410) - Canadian Centre for Cyber Security

    ServiceNow published a Security Advisory on July 8, 2025, addressing a vulnerability in the Now Platform. The Cyber Centre recommends reviewing the advisory and applying necessary updates.

    9 July 2025
  • Citrix security advisory (AV25-411) - Canadian Centre for Cyber Security

    Citrix published a security advisory on July 8, 2025, addressing a vulnerability in Citrix Virtual Apps and Desktops versions prior to 2503 and 2402 LTSR CU2. Users and administrators are advised to review the advisory and perform the suggested mitigations.

    9 July 2025
  • GitLab security advisory (AV25-412) - Canadian Centre for Cyber Security

    GitLab published a security advisory on July 9, 2025, addressing vulnerabilities in GitLab Community Edition and Enterprise Edition versions prior to 18.1.2, 18.0.4, and 17.11.6. Users and administrators are advised to review the provided links and apply the necessary updates.

    9 July 2025
  • Jenkins security advisory (AV25-413) - Canadian Centre for Cyber Security

    Jenkins published a security advisory on July 9, 2025, addressing vulnerabilities in multiple plugins. The Cyber Centre recommends reviewing the advisory and applying necessary updates.

    9 July 2025
  • New AI Malware PoC Reliably Evades Microsoft Defender

    A new AI malware PoC, trained using reinforcement learning, can reliably evade Microsoft Defender for Endpoint. The model, built on a general-purpose open-source model, was trained to generate malware that triggers alerts of lesser severity, bypassing Microsoft Defender about 8% of the time. The program, small enough to run on a consumer graphics card, demonstrates the potential for criminals to develop evasive malware using AI.

    9 July 2025
  • Palo Alto Networks security advisory (AV25-414) - Canadian Centre for Cyber Security

    Palo Alto Networks published security advisories on July 9, 2025, addressing vulnerabilities in multiple products. Updates are available for various versions of Autonomous Digital Experience Manager, GlobalProtect App, and Prisma Access Browser.

    9 July 2025
  • Serious Flaws Patched in Model Context Protocol Tools

    Two critical vulnerabilities were discovered in tools related to the Model Context Protocol (MCP), a standard for connecting AI tools to external systems. The flaws, CVE-2025-6514 and CVE-2025-49596, existed in mcp-remote and MCP Inspector, respectively, and could be exploited for remote code execution. Both vulnerabilities have been patched in recent releases of those two tools, but researchers warn that connecting to untrusted MCP servers, and running MCP tooling without authentication, remains risky.

    9 July 2025
  • Customer Names, Addresses & Device IDs Leaked in Paddy Power, Betfair Data Breach - CasinoBeats

    Flutter Entertainment, the parent company of Paddy Power and Betfair, suffered a cyberattack compromising customer data. The breach involved usernames, email addresses, contact information, and recent account activity, but no passwords or payment details were affected. Flutter is investigating the incident and has informed regulators.

    9 July 2025
  • Avantic Medical Lab hacked; patient data leaked by Everest Group – DataBreaches.Net

    Avantic Medical Lab in Edison, NJ was hacked by Everest Group, who leaked 31GB of patient data on July 3rd. The leaked data included sensitive patient information such as names, addresses, social security numbers, medical records, and test results.

    9 July 2025
  • Nearly 250,000 records leaked in major tax consultancy breach - here’s what we know | TechRadar

    A Texas-based tax credit consulting agency, Rockerbox, inadvertently exposed sensitive data on thousands of customers through an open database. The database, containing personally identifiable information, was discovered by a cybersecurity researcher and has since been locked down.

    9 July 2025
  • ‘This Is Scary’: Iranian Hack Leaks Data on Thousands of Israelis With Military Ties - National Security & Cyber - Haaretz.com

    A database leak exposed CVs of Israelis with military ties, including classified roles, potentially endangering them as targets. The leak highlights the risks of disclosing sensitive information in resumes.

    9 July 2025
  • Nearly 300,000 people were impacted by cyberattack on Nova Scotia Power therecord.media/thousands…

    Canadian utility Nova Scotia Power is notifying about 280,000 people of a data breach that occurred following a cyberattack earlier this year.

    In letters to victims, the company said an investigation revealed that hackers had access to critical systems from March 19 to April 25, allowing them to steal names, addresses, driver’s license numbers, Canadian Social Insurance numbers, bank account details and troves of information from the Nova Scotia Power program including power consumption, service requests, customer payment, billing and credit history, and customer correspondence.

    The investigation is ongoing and the information stolen varied from customer to customer. Victims are being given two years of credit monitoring services.

    Law enforcement and regulatory agencies have been notified of the cyberattack and breach, according to the company.

    Nova Scotia Power says it manages $5 billion worth of power generation, transmission and distribution. Its parent company, Halifax-based Emera, serves more than 2.5 million utility customers across Canada, the U.S. and the Caribbean. It reported about $849 million in net income for 2024.

    9 July 2025
  • Beware of Bert: New ransomware group targets healthcare, tech firms therecord.media/bert-rans…

    A new ransomware group has been breaching organizations across Asia, Europe, and the U.S., with victims reported in the healthcare, technology and event services sectors, researchers have found.

    The group, calling itself Bert, was first identified in April by researchers at cybersecurity firm Trend Micro, who detailed their findings in a report published Monday.

    The ransomware has infected both Windows and Linux systems, the researchers said. Although the initial access method remains unknown, analysts discovered a PowerShell script that disables security tools on victims' systems before downloading and executing the ransomware.

    Once inside a system, the malware drops a ransom note that reads: “Hello from Bert! Your network is hacked and files are encrypted,” followed by instructions for contacting the attackers to negotiate payment.

    Researchers said the ransomware is actively being developed, with multiple variants already observed. While no specific threat actor has been formally linked to the attacks, the use of Russian infrastructure may suggest ties to groups operating in or affiliated with the region, Trend Micro said.

    9 July 2025
  • Android malware Anatsa infiltrates Google Play to target US banks www.bleepingcomputer.com/news/secu…

    The Anatsa banking trojan has sneaked into Google Play once more via an app posing as a PDF viewer that counted more than 50,000 downloads.

    The malware becomes active on the device immediately after installing the app, tracking users launching North American banking apps and serving them an overlay that allows accessing the account, keylogging, or automating transactions.

    According to Threat Fabric researchers who spotted the latest campaign and reported it to Google, Anatsa shows users a fake message when they open the targeted apps, informing of a scheduled banking system maintenance.

    The notification is displayed on top of the banking app’s UI, obscuring the malware’s activity in the background and preventing victims from contacting their bank or checking their accounts for unauthorized transactions.

    9 July 2025
  • Malicious Chrome extensions with 1.7M installs found on Web Store www.bleepingcomputer.com/news/secu…

    Almost a dozen malicious extensions with 1.7 million downloads in Google’s Chrome Web Store could track users, steal browser activity, and redirect to potentially unsafe web addresses.

    Most of the add-ons provide the advertised functionality and pose as legitimate tools like color pickers, VPNs, volume boosters, and emoji keyboards.

    Users should check for the following add-ons in Chrome browser and remove them as soon as possible:

    • Color Picker, Eyedropper — Geco colorpick
    • Emoji keyboard online — copy&paste your emoji
    • Free Weather Forecast
    • Video Speed Controller — Video manager
    • Unlock Discord — VPN Proxy to Unblock Discord Anywhere
    • Dark Theme — Dark Reader for Chrome
    • Volume Max — Ultimate Sound Booster
    • Unblock TikTok — Seamless Access with One-Click Proxy
    • Unlock YouTube VPN
    • Unlock TikTok
    • Weather
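    Checking a fleet of machines for these add-ons by clicking through chrome://extensions does not scale, so here is an added example script (mine, not code from the BleepingComputer article or from Google) that sweeps local Chrome profiles for installed extensions whose display name matches the list above. It assumes the standard on-disk layout, profile/Extensions/extension-id/version/manifest.json, and resolves Chrome's __MSG_key__ localized names through _locales/default_locale/messages.json, since many store extensions declare their name that way. The article gives names only, not extension IDs, so a hit is a lead to verify against the Web Store listing rather than proof; the fixture profile, extension IDs and names in build_fixture are constructed sample data.

```python
"""Sweep Chrome profiles for extensions named in the BleepingComputer report.

Added example, not the article's or Google's code. Assumes the standard
layout <profile>/Extensions/<extension id>/<version>/manifest.json.
"""
import json
import os
import re
import sys
import tempfile
from pathlib import Path

# Display names as listed in the article. No IDs were published, so the
# match is by name only: treat a hit as something to verify, not proof.
FLAGGED_NAMES = [
    "Color Picker, Eyedropper — Geco colorpick",
    "Emoji keyboard online — copy&paste your emoji",
    "Free Weather Forecast",
    "Video Speed Controller — Video manager",
    "Unlock Discord — VPN Proxy to Unblock Discord Anywhere",
    "Dark Theme — Dark Reader for Chrome",
    "Volume Max — Ultimate Sound Booster",
    "Unblock TikTok — Seamless Access with One-Click Proxy",
    "Unlock YouTube VPN",
    "Unlock TikTok",
    "Weather",
]


def normalize(name: str) -> str:
    """Lower-case, unify dash variants and collapse whitespace so small
    punctuation differences between listing and manifest still match."""
    name = re.sub(r"[\u2010-\u2015\u2212-]+", "-", name)
    return re.sub(r"\s+", " ", name).strip().lower()


FLAGGED = {normalize(n) for n in FLAGGED_NAMES}


def resolve_name(version_dir: Path, manifest: dict) -> str:
    """Display name, resolving __MSG_key__ via _locales/<default_locale>."""
    name = manifest.get("name", "")
    m = re.fullmatch(r"__MSG_(.+)__", name)
    if not m:
        return name
    key = m.group(1)
    locale = manifest.get("default_locale", "en")
    msgs_path = version_dir / "_locales" / locale / "messages.json"
    try:
        msgs = json.loads(msgs_path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return name
    for k, v in msgs.items():  # Chrome i18n keys are case-insensitive
        if k.lower() == key.lower() and isinstance(v, dict):
            return v.get("message", name)
    return name


def scan_extensions_dir(extensions_dir: Path) -> list[dict]:
    """One record per installed extension version whose name is flagged."""
    hits = []
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        version_dir = manifest_path.parent
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip, do not abort the sweep
        name = resolve_name(version_dir, manifest)
        if normalize(name) in FLAGGED:
            hits.append({"id": version_dir.parent.name, "name": name,
                         "version": manifest.get("version", "?"),
                         "path": str(version_dir)})
    return hits


def default_profile_roots() -> list[Path]:
    """Chrome user-data directories per platform; profiles live inside."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", home / "AppData/Local"))
        return [base / "Google/Chrome/User Data"]
    if sys.platform == "darwin":
        return [home / "Library/Application Support/Google/Chrome"]
    return [home / ".config/google-chrome", home / ".config/chromium"]


def scan_all_profiles(roots=None) -> list[dict]:
    hits = []
    for root in roots or default_profile_roots():
        for ext_dir in root.glob("*/Extensions"):  # Default, Profile 1, ...
            hits.extend(scan_extensions_dir(ext_dir))
    return hits


def build_fixture() -> Path:
    """Constructed sample profile (not real data): one flagged extension with
    a localized name and a hyphen instead of the dash, plus one benign one."""
    root = Path(tempfile.mkdtemp()) / "User Data"
    bad = root / "Default/Extensions/abcdefghijklmnopabcdefghijklmnop/3.1.0_0"
    (bad / "_locales/en").mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps(
        {"name": "__MSG_appName__", "default_locale": "en", "version": "3.1.0"}))
    (bad / "_locales/en/messages.json").write_text(json.dumps(
        {"appname": {"message": "Volume Max - Ultimate Sound Booster"}}))
    ok = root / "Default/Extensions/ponmlkjihgfedcbaponmlkjihgfedcba/1.0_0"
    ok.mkdir(parents=True)
    (ok / "manifest.json").write_text(json.dumps({"name": "Note Taker", "version": "1.0"}))
    return root


if __name__ == "__main__":
    roots = [build_fixture()] if "--demo" in sys.argv else None
    for h in scan_all_profiles(roots):
        print(f"FLAGGED {h['id']} v{h['version']} {h['name']!r} at {h['path']}")
```

    Run it with --demo to see it hit the constructed fixture, or without arguments to sweep the real profiles of the current user. Removal is still a per-user action in chrome://extensions; in a managed fleet the durable fix is to pin the offending IDs, once confirmed from the Web Store page, in the ExtensionInstallBlocklist policy rather than relying on name matching.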

    9 July 2025
  • NERC CIP-015-1 Is Approved—Here’s What Asset Owners Need to Do www.dragos.com/blog/nerc…

    On June 26, 2025, the Federal Energy Regulatory Commission (FERC or the Commission) issued Order No. 907 formally approving North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Standard CIP-015-1, which will require Internal Network Security Monitoring (INSM) (east-west monitoring) for network traffic inside Electronic Security Perimeters (ESPs) across the North American electric sector.

    FERC has also directed NERC to develop modifications to CIP-015-1 to increase the scope to include Electronic Access Control or Monitoring Systems (EACMS) and Physical Access Control Systems (PACS) outside of the ESP. NERC is required to develop and submit modifications within one year.

    Registered Entities should begin aligning resources and internal plans to meet the CIP-015-1 requirements within the implementation timeline.

    9 July 2025
  • 6 free onboarding checklists to set new hires up for success (+ extra tips) | Proton

    A structured onboarding process, guided by a checklist, is crucial for new hire success and retention. The checklist should cover preboarding, first day essentials, first week setup, first month support, and 30-60-90 day reviews. Free templates and tips are available to help create a consistent and welcoming onboarding experience.

    8 July 2025
  • Italian police arrested a Chinese national suspected of cyberespionage on a U.S. warrant

    Italian police arrested Zewei Xu, a Chinese national, at Milan’s Malpensa Airport on a U.S. warrant for cyberespionage. Xu is accused of being part of the Hafnium APT group, linked to attacks on the U.S. government and COVID-19 vaccine research. Xu faces extradition proceedings in Italy.

    8 July 2025

Follow @ekiledjian on Micro.blog.