Happy Friday Security Gang,

The week also demonstrates the increasing convergence of geopolitical warfare and enterprise cybersecurity. Organizations in infrastructure, media, or supply chain sectors are now pawns in modern conflict. Building incident response playbooks that account for geopolitical tensions and potential kinetic escalation from cyber incidents is no longer optional—it's essential for organizational resilience.

🧨 Major Breaches & Ransomware

• Allianz Life disclosed a significant breach impacting 1.4 million customers, financial professionals, and employees. The incident involved advanced social engineering tactics, likely orchestrated by the ShinyHunters threat group. This was notably not a Snowflake-related incident, correcting earlier misreporting.

• NASCAR confirmed that their March cyber incident resulted in unauthorized access to customer data. The intrusion occurred between March 31 and April 3, with breach notifications sent on July 24. Affected customers are being offered one year of credit monitoring.

• Ingram Micro SafeBase ransomware gang claims responsibility for a massive attack on Ingram Micro, allegedly exfiltrating 3.5 terabytes of data. The July 5th attack caused global outages and forced company-wide MFA resets.

• Dollar Tree denied breach reports, clarifying the leaked data belonged to now-defunct 99 Cents Only Stores.

• BlackSuit ransomware gang In a major international operation led by HSI across nine countries, law enforcement seized BlackSuit ransomware gang's dark web domains and negotiation portals. The group had extracted over $500 million in ransom demands before the takedown.

• Christina Marie Chapman was sentenced for helping North Korean IT workers infiltrate 309 U.S. companies.

🔧 Critical Vulnerabilities & Exploits

• SharePoint “ToolShell” zero-day led to Warlock ransomware deployments; 420+ servers still vulnerable.

• Fire Ant Chinese espionage group is exploiting VMware and F5 for persistent infrastructure access.

• Cisco ISE (CVE-2024-22881) exploit chain now public—admin execution inside Docker containers.

• PaperCut NG/MF vulnerability from 2023 still exploited; CISA mandates patching by August 18.

• Lenovo BIOS flaws (CVE-2025-4421 to 4426) threaten persistent rootkits—IdeaCentre patches released.

• SAP NetWeaver (CVE-2025-31324) exploited to deploy Autocolor Linux malware in chemical sector.

🤖 AI & Regulation

• California’s diluted AI rules contrast sharply with President Trump’s AI Action Plan: a federal push for AI leadership, infrastructure investment, and a single national regulatory framework. Tech giants like Meta and NVIDIA are already investing hundreds of billions.

  President Trump launched AI.gov and signed three executive orders forming the "AI Action Plan," focusing on infrastructure development, global AI exports, and establishing a single federal regulatory standard to supersede state-level AI regulations.

• Google Gemini CLI Researchers discovered a severe vulnerability in Google's Gemini CLI tool allowing attackers to silently execute malicious commands through poisoned README.md files. Google patched the flaw in version 0.1.14.

• Apple & Google patched CVE-2025-6558 after discovering the zero-day was used in targeted WebKit/Chrome attacks.

🌐 Global Cyber Warfare & Nation-State Threats

• Aeroflot, Pro-Ukrainian hacker groups Silent Crow and Belarusian CyberPartisans claimed responsibility for attacking Russia's largest airline, disrupting over 50 flights and causing significant operational impact.

• Russian pharmacies were taken offline in another civil-impacting cyber strike.

• Orange Telecom France France's largest telecom operator Orange disclosed a cyberattack impacting operations across Europe and Africa. Serving 290 million people, the attack has triggered involvement from France's cybersecurity agency ANSSI.

• Thai media Thailand's Nation Group media network reported over 200 million cyberattacks in three days amid rising tensions with Cambodia, involving DDoS, spam, and fake content campaigns.

• Naval Group (France) State-owned Naval Group suffered a cyberattack resulting in the alleged theft of 1 terabyte of sensitive defense data. Portions of the stolen data have already appeared on hacker forums.

• Poland arrested 32 individuals tied to Russian sabotage campaigns involving arson and infrastructure attacks.

🔓 Identity, Supply Chain & Insider Threats

• Scattered Spider targeted Snowflake customers again using AnyDesk, MFA resets, and help desk impersonation.

• ShinyHunters used voice phishing to compromise Salesforce OAuth apps, hitting major brands like Dior and Tiffany.

• PyPi phishing campaign aimed to steal developer credentials and compromise Python supply chain packages.

💼 Business Moves & Federal Leadership

• Palo Alto acquired CyberArk for a jaw-dropping $25B—sparking concerns of overvaluation and legacy tech consolidation.

• IBM’s breach cost report showed U.S. breaches averaging $9.9M—double the global average.

• CISA nominee Sean Planky cleared the Senate committee vote and is likely to be confirmed soon.

✅ Weekly Action List

• 🔒 Patch all SharePoint, Cisco ISE, SAP, and Lenovo BIOS vulnerabilities

• 🧠 Reinforce help desk and MFA re-authentication procedures to combat social engineering

• 🚨 Block unauthorized remote tools like AnyDesk if not in use

• 💬 Audit secure messaging in apps like Tee and any consumer-facing platforms

• 📡 Monitor Snowflake integrations, Salesforce OAuth apps, and PyPi credentials

• 🍎 Update Apple and Google devices to fix actively exploited CVE-2025-6558

• 📖 Refresh IR plans for hybrid warfare, DDoS, and cross-border threats

• 💰 Evaluate cyber insurance limits—does $10M still suffice for today’s U.S. breach costs?

🧠 James Azar’s CISO Take

This week reflects how deeply entangled cybersecurity has become with geopolitics. We saw cyber strikes paralyze Russian infrastructure and influence public opinion, hybrid warfare tactics unfold in Poland, and telecom and defense industries targeted across Europe and Asia. It’s no longer theory— this is a global chessboard, and organizations are pawns. If you haven’t accounted for these risks in your incident response playbooks, you’re behind the curve.

Meanwhile, our own tools and platforms are now being weaponized against us. From Salesforce OAuth abuse to Gemini CLI exploits and AnyDesk bypasses, the adversaries are skipping zero-days in favor of human vulnerabilities and configuration weaknesses. That means controls—not just tools—must take center stage. This is where security maturity makes or breaks your defense posture. Get your processes in shape before the next breach hits.

Stay Cyber Safe, Security Gang!
We'll be back Monday from Las Vegas, NV and Hacker Summer Camp at 9 AM Eastern Live—don’t miss it.