This Week in Cybersecurity #25
This week's cybersecurity news, latest vulnerabilities and market moves. Catch everything you missed this week
Bigger picture, deeper context — and a milestone ahead 🎉
What. A. Week. From VIP-targeted data theft to KEV-listed zero-days and supply-chain traps in developer tools, this one touched every layer of the stack — identity, cloud, OT, and the people and processes in between. Use this expanded roundup to brief your execs, prioritize patches, and prep your teams. And don’t miss our 1,000th episode on Monday — we’ll celebrate with lessons learned from a decade of daily shipping and the three playbooks that consistently keep orgs resilient.
Breaches & Data Exposure
Sotheby’s confirms VIP data breach Sotheby’s disclosed a July 24 intrusion that exposed names, Social Security numbers, and financial account details for a small set of high-value clients. The risk isn’t volume but impact: attackers can weaponize this data for tailored wire-fraud and executive impersonation. If your execs transact with Sotheby’s, tighten out-of-band verification on any payment or shipping change.
American Airlines’ Envoy Air tied to Oracle EBS campaign Envoy Air said its Oracle E-Business Suite (EBS) instance was caught up in the wider Clop/FIN11 activity, including CVE-2025-61882/61884. American Airlines wasn’t breached, but partner data in EBS makes a juicy pivot point. If you run EBS, patch immediately, pull it off the open internet, and place a WAF in front of risky endpoints.
Volkswagen targeted by 8Base ransomware claims 8Base claimed it stole internal reports and customer files from VW; the company is investigating. Even if claims are inflated, brand-name extortion sparks dealer phishing and OT “maintenance” lures across Audi/Porsche/Bentley networks. Auto CISOs should check dealer SSO hygiene and restrict remote access to plant systems.
Prosper Marketplace breach hits 17.6M users Peer-to-peer lender Prosper confirmed exposure of identity data (IDs, SSNs, addresses) for 17.6 million accounts. That dataset fuels synthetic identities and account takeovers for years. Users need MFA, credit freezes, and stronger account-recovery checks now.
Supply Chain, MSP & Developer Ecosystem
ConnectWise Automate flaws allowed fake updates Recently patched Automate issues could let attackers push malicious updates across MSP fleets via man-in-the-middle. That’s a mass-deployment risk for ransomware. Patch, require signed update verification, rotate agent creds/certs, and hunt for unsigned payloads.
NPM ecosystem abused with AdaptiX C2 Attackers are implanting C2 via malicious packages and even HTML docs/CDN redirects that phish developers. Lock down dependency updates, require reviews for transitive bumps, and watch CI/CD egress for C2 traffic.
Cursor & Windsurf IDEs ship with many Chromium CVEs Unpatched Chromium inside popular AI IDEs exposes devs to RCE/XSS chains. Patch or sandbox IDEs, pin extensions by hash, and keep secrets out of dev workstations where possible.
Model Context Protocol registry exposure A flaw exposed 3k+ AI servers and API keys, risking secret theft and prompt-pipeline tampering. Rotate keys, require signed manifests, pin registries, and add prompt-telemetry locks.
Rust async-tar “Tarmageddon” RCE A parsing bug in a widely used tar library can enable code execution during extraction. Update dependencies, disable auto-unpack in pipelines, and validate headers/size/MIME.
OAuth tokens outlive password resets Attackers keep cloud access via refresh tokens even after users change passwords. Enumerate and revoke risky apps, rotate app secrets, and enforce token invalidation on reset.
Vidar Stealer 2.0 gets stealthier A full rewrite adds in-memory injection and faster credential/wallet theft with anti-sandbox features. Block unsigned extensions, restrict browser wallets, and alert on unusual vault access.
Adobe Magento “SessionReaper” exploited now Attackers are hijacking sessions via Web APIs to take over accounts and skim cards. Patch to fixed versions, add WAF JSON rules, and rotate admin tokens; monitor cart anomalies.
Patching & Vulnerabilities (Actively Exploited / High Priority)
Microsoft patches critical .NET/ASP.NET Core; bad certs revoked Microsoft fixed a high-severity takeover path in ASP.NET Core and revoked 200+ abused code-signing certs used to deliver fake Teams installers. If you expose public APIs, patch and rebuild containers; enforce app-control so only properly signed binaries can run.
Dolby Digital Plus zero-click on Android A media decoder bug allows code execution via malicious .ec3/.mp4 with no user tap. Patch affected Android builds, disable auto-download/autoplay in messengers, and alert on media pipeline crashes.
WatchGuard Firebox/Firewalls RCE widely exposed Nearly 75k appliances remain vulnerable to a critical IKEv2 RCE. Attackers can take over devices and tamper VPNs. Patch now, remove public admin, disable unneeded IKE peers, and restrict admin access by IP/geo.
CISA adds new Microsoft/Oracle/Apple bugs to KEV Items added to the Known Exploited catalog are being attacked in the wild. Move them to the front of your patch queue and hold teams to 24–72-hour SLAs.
More KEV adds: Windows SMB, Kentico CMS, Apple core Privilege escalation in SMB, admin takeovers in Kentico, and an older Apple code-execution bug are all active. Patch servers and CMS first; millions of user devices lag Apple updates.
Oracle’s 374-fix mega update Oracle’s October CPU includes 230 unauthenticated RCEs across Communications, Middleware, MySQL, and Java. Patch internet-facing Oracle first, and add WAF coverage around administrative APIs.
TP-Link Omada gateway command injection (auth required) A critical flaw allows command execution after admin login—compromised creds equal full takeover. Patch firmware, rotate admin passwords, and close public management ports.
China keeps chaining old SharePoint bugs Despite patches, unmaintained on-prem SharePoint remains a reliable foothold for domain escalation. Patch, isolate from Tier-0, and align your cadence to CISA KEV deadlines.
Critical Infrastructure, OT & Telecom
SnappyBee backdoor hits European telecom China-linked actors used a Citrix NetScaler zero-day and signed drivers to plant a stealthy backdoor and harvest lawful-intercept and partner data. This is long-term infrastructure mapping, not smash-and-grab. Monitor edge appliances and east-west traffic closely.
Nuclear weapons supplier breached via SharePoint zero-day Attackers exploited an on-prem SharePoint flaw to access the NSA’s Kansas City supplier’s IT environment; OT stayed segmented. Collaboration servers remain soft spots. Patch, hunt for web shells, kill legacy auth, and validate IT/OT separation.
Muji halts online sales after supplier ransomware Ransomware at logistics partner Askul forced Muji to suspend domestic e-commerce while stores stayed open. A single-threaded vendor equals business outage. Build redundant fulfillment paths and contract for clear RTO/RPOs.
Dairy Farmers of America data leak confirmed A June ransomware attack exposed SSNs, bank, and Medicare data for 4,546 people tied to the U.S. dairy co-op. Food/ag continues to be a high-impact target. Segment ERP from plant OT and prepare for long-tail fraud monitoring.
PolarEdge backdoor spreads to routers/NAS A stealth implant targeting Cisco/ASUS/QNAP/Synology provides remote access and web-shell injection. Disable remote management, check firmware integrity, and look for odd TLS beacons.
Platform & Ecosystem Resilience
AWS outage shows resilience gaps An internal DNS issue cascaded into service disruptions across major apps and sites. Not a cyberattack—just fragility. If a single cloud hiccup stalls your business, rehearse failovers, diversify DNS, and map service dependencies.
TikTok lures push infostealers Threat actors are using clickbait TikTok ads to drive “free activations” that install Vidor/Stealc malware. These campaigns thrive on curiosity and weak MFA. Block TikTok on work devices and monitor for credential-reuse spikes tied to social logins.
Government, Policy & Enforcement
NSO Group fined and barred from WhatsApp A U.S. court permanently barred the Pegasus spyware vendor from WhatsApp and imposed a $4M penalty. The fine is small, but the injunction sets precedent on platform abuse. Expect tighter platform controls on automated or surveillance-linked traffic.
Europol dismantles SIM farm network Police in Europe seized 1,200 SIM boxes and arrested seven people tied to OTP interception and fraud. It’s a win, but operators will retool quickly. Refresh OTP policies and watch for new SMS gateways in your telemetry.
Russia mandates local search engines on iPhone Apple must preinstall Yandex/Mail.ru defaults in Russia, tightening data localization and censorship. Expect impacts to telemetry, content controls, and app behavior.
Dataminer buys ThreatConnect; Veeam buys Security.AI TIP/SOAR and DSPM/AI are consolidating into bigger platforms. Re-assess roadmap fit and integration risk before signing multi-year deals.
UK intelligence warns of unprecedented contest GCHQ says significant incidents quadrupled YoY and is leaning into AI for defense, governance, and adversary tracking. Expect model-governance expectations to trickle into private compliance.
Public Sector & Healthcare Incidents
Hospitals in multiple states disrupted by cyberattacks Facilities in MA, TX, TN, and IN diverted patients and delayed labs after coordinated incidents. Flat networks and legacy systems made lateral movement easy. Segment clinical networks and maintain offline, immutable backups.
Municipal governments hit across TX, TN, IN, PA County/city services and libraries went down in a run of likely ransomware events. Shoestring budgets and legacy portals create soft targets. States should standardize minimum controls and audit cadence.
Threat Actors, Trends & Geopolitics
China accuses U.S. of hacking its National Time Center Beijing claims the U.S. hacked its time-keeping infrastructure, amid rising trade tensions. Regardless of attribution, timing networks are strategic targets that underpin telecom and finance. Expect propaganda-driven phishing to track the headlines.
Microsoft: AI is supercharging phishing volume Microsoft says states and criminals are using AI to scale lure creation and “industrialize” phishing, not to write zero-days. The result is 10–100× more believable messages. Faster detection, automated triage, and behavioral analytics now matter as much as training.
Iran’s MuddyWater plays the long game Energy, logistics, and government targets face months-long living-off-the-land persistence. Kill legacy auth, require phishing-resistant MFA, and hunt WMI/PSExec/SMB from admin shares.
Phantom CAPTCHA campaign targets Ukraine NGOs Russian-linked lures spoof Zoom invites and use fake CAPTCHAs to drop malware or join live sessions, even impersonating the president’s office. Train staff on hybrid social-engineering tells and block known lure infra.
Crypto & Financial Infrastructure
Libbitcoin Explorer flaw exposed 120k wallet keys Predictable randomness in older BX versions generated weak crypto keys. If you ever used BX 3.x to make wallets, assume compromise and re-key immediately. Use hardware RNG and FIPS-validated modules going forward.
Quick Action List (print this)
🔒 Patch first: ASP.NET Core, ConnectWise Automate, WatchGuard IKEv2, Oracle CPU, Magento SessionReaper, on-prem SharePoint; align to CISA KEV.
🪪 Kill risky OAuth: inventory and revoke high-scope apps; enforce token invalidation on password reset.
🧱 Harden edge/OT: remove public mgmt, geo-allowlist admins, validate IT/OT segmentation, baseline east-west traffic.
🧬 Secure the dev chain: lock dependency updates, sandbox IDEs, pin extensions, monitor build egress.
☁️ Test resilience: multi-region DNS/failover drills; vendor-outage tabletop.
🧪 Anti-fraud: step-up auth for recovery/payments; dual-control wires/payroll.
🔐 Rotate secrets: certs/API keys (esp. MCP/CI/CD).
📵 Mobile: update iOS/Android; disable auto media fetch paths targeted by zero-clicks.
James Azar’s CISO Take
Two truths this week: resilience beats perfection and identity/dev are the new perimeter. Outages (AWS), single-vendor dependencies (Muji), and flat hospital networks show the business cost of brittle architectures. Treat patch SLAs as business SLAs, and rehearse failovers like fire drills. As I said on the show, “If your entire business halts when AWS sneezes, you’ve built your castle on rented sand.” Attackers are also shifting left — OAuth persistence, poisoned NPM docs, unpatched IDEs, and KEV-listed edge bugs are how they land and linger. Shift defenses left too: govern tokens, verify provenance, instrument the build. Or, in my words: “Our dev tools are becoming the new frontline — the war isn’t in your SOC anymore; it’s in your IDE.”
Outro — and a milestone 🎙️
That’s your weekend brief, Security Gang. Patch what’s hot, pressure-test your resilience, and invest where it pays compounding dividends: identity, segmentation, and the build pipeline.
Join us Monday for our 1,000th episode — we’ll count down the most useful defensive habits we’ve seen actually work, share a few behind-the-mic war stories, and thank the community that’s made this ride possible.
Stay Cyber Safe.