Daily Brief

Machine-generated summaries of the articles found, grouped by source and category.

Total articles found: 11809


2025-08-05 12:42:30 theregister CYBERCRIME SonicWall Investigates Ransomware Exploiting Potential Zero-Day
SonicWall is investigating a surge in ransomware attacks against its Gen 7 firewalls that may be exploiting a zero-day vulnerability. Arctic Wolf, Google Mandiant, and Huntress have all reported the activity, which has succeeded even on devices with multi-factor authentication enabled, with attackers moving from the compromised VPN appliance to domain controllers within hours. Once inside, the intruders disable security tooling, steal credentials, and deploy ransomware; Akira has been identified in the recent incidents. SonicWall has not yet confirmed a new vulnerability but has advised customers to disable SSL VPN services on affected devices and has promised updated firmware and guidance once more is known. Arctic Wolf has tracked the wave of intrusions since July 15, and Google separately reported attackers abusing fully patched but end-of-life SonicWall VPN appliances to install backdoors and rootkits. Investigations are ongoing to establish the full scope and impact of the campaign.
2025-08-05 12:42:30 theregister MALWARE Stealthy 'Plague' Malware Evades Antivirus on Linux Systems
Researchers at Nextron Systems have discovered a Linux backdoor they named "Plague", implemented as a malicious PAM (Pluggable Authentication Module). Because PAM modules sit directly in the authentication path of services such as SSH, a rogue module can short-circuit the credential check: Plague lets an attacker bypass user authentication and gain silent, persistent SSH access, and as a loaded library it survives system updates. It uses custom string obfuscation, anti-debugging checks, and a file name disguised as a legitimate system library to avoid scrutiny. The backdoor also keeps its forensic footprint small by sanitising the runtime environment, erasing session traces and redirecting command history so the attacker's activity is not logged. No confirmed in-the-wild infections have been reported so far. Samples were uploaded to VirusTotal in 2024 and triggered no antivirus engine, which raises real concerns about how well current antivirus products detect sophisticated Linux threats.
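A backdoor of this kind has to be wired into the PAM stack somewhere, so one cheap check is to audit every module referenced under /etc/pam.d. The script below is an added example (not code from Nextron or the article): it parses PAM configuration text, flags modules that are not on a distribution allowlist or that are loaded by an absolute path outside the standard module directories, and calls out the worst case, an unknown module marked "sufficient" on the auth stack, since a "sufficient" module that returns success ends the stack early and satisfies authentication by itself. The allowlist, the directory list, and the sample configuration (including the module name pam_hypothetical.so) are all assumptions constructed for the example.

```python
"""Audit PAM configuration text for unexpected authentication modules.

Added example. Feed it the contents of files under /etc/pam.d (here a
constructed sample) and it reports modules that a defender should look at.
"""
import re
from typing import Dict, List, Tuple

# Assumption: modules a typical distribution ships. Extend for your platform.
KNOWN_MODULES = {
    "pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_faildelay.so",
    "pam_succeed_if.so", "pam_localuser.so", "pam_limits.so", "pam_systemd.so",
    "pam_keyinit.so", "pam_loginuid.so", "pam_motd.so", "pam_mail.so",
    "pam_selinux.so", "pam_nologin.so", "pam_access.so", "pam_sss.so",
    "pam_faillock.so", "pam_pwquality.so", "pam_lastlog.so", "pam_umask.so",
}
# Assumption: where the distribution installs PAM modules.
STANDARD_DIRS = ("/lib/security/", "/lib64/security/", "/usr/lib/security/",
                 "/usr/lib64/security/", "/usr/lib/x86_64-linux-gnu/security/")

# One PAM line: [-]type control module [args]; control may be a [bracketed] list.
_LINE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$"
)

# Constructed sample: an sshd file with one injected module, plus common-auth.
SAMPLE_CONFIGS: Dict[str, str] = {
    "sshd": (
        "# PAM configuration for the Secure Shell service\n"
        "@include common-auth\n"
        "auth sufficient /usr/local/lib/pam_hypothetical.so\n"   # constructed rogue entry
        "account required pam_nologin.so\n"
        "-session optional pam_systemd.so\n"
        "session required pam_limits.so\n"
    ),
    "common-auth": (
        "auth [success=1 default=ignore] pam_unix.so nullok\n"
        "auth requisite pam_deny.so\n"
        "auth required pam_permit.so\n"
    ),
}


def parse_pam_config(name: str, text: str) -> List[Tuple[str, str, str, str]]:
    """Return (file, type, control, module) for each module line in one pam.d file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or line.startswith("@include"):
            continue                              # includes are separate files
        m = _LINE.match(line)
        if m:
            entries.append((name, m.group("type"), m.group("control"), m.group("module")))
    return entries


def find_suspicious(configs: Dict[str, str]) -> List[dict]:
    """Flag modules that are unknown, loaded from odd paths, or able to satisfy auth alone."""
    findings = []
    for name, text in configs.items():
        for fname, ptype, control, module in parse_pam_config(name, text):
            basename = module.rsplit("/", 1)[-1]
            reasons = []
            if "/" in module and not module.startswith(STANDARD_DIRS):
                reasons.append("loaded from non-standard path")
            if basename not in KNOWN_MODULES:
                reasons.append("module not on allowlist")
                if ptype == "auth" and control == "sufficient":
                    reasons.append("unknown module can satisfy auth on its own")
            if reasons:
                findings.append({"file": fname, "type": ptype, "control": control,
                                 "module": module, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_CONFIGS):
        print(f"{f['file']}: {f['type']} {f['control']} {f['module']} -> {', '.join(f['reasons'])}")
```

On a real host, read each file under /etc/pam.d into the dictionary and also compare the flagged module files against package-manager ownership and hashes; the allowlist approach only tells you where to look, not whether a module is clean.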
2025-08-05 12:42:30 theregister MISCELLANEOUS Key Highlights from Major Security Conferences in Las Vegas
Las Vegas hosts three major security conferences in the same week, BSides, Black Hat, and DEF CON, drawing a large global audience of security professionals. BSides offers a range of talk tracks, with a notable focus this year on password security and talks on high-efficiency password-cracking rigs. Black Hat's programme includes training sessions, high-profile keynotes, and briefings on recent hardware and software vulnerabilities, with an emphasis on AI and government cybersecurity strategy. DEF CON, known for its more relaxed and inclusive atmosphere, is about hands-on hacking: themed villages cover specific security topics, and the Wall of Sheep publicly lists attendees caught sending credentials in the clear over the conference network. Security at all three events is tight, with network operations centres monitoring for suspicious activity and protecting attendees. The conferences are also a networking hub, offering talks, workshops, and social events where attendees can meet peers, government officials, and potential employers. Despite its casual feel, DEF CON remains a serious learning venue, distinguished by its focus on practical hacking techniques and live demonstrations.
2025-08-05 12:42:30 thehackernews MALWARE Massive TikTok Shop Scam Spreads Malware, Steals Crypto
Cybersecurity firm CTM360 has uncovered a large-scale scam targeting TikTok Shop users, dubbed ClickTok, that uses AI-generated content and phishing to distribute malware and steal credentials. The operators registered more than 15,000 fake TikTok Shop domains, chosen to resemble official TikTok URLs, to host phishing pages. These pages either harvest credentials or push trojanized apps carrying the SparkKitty malware, which targets both Android and iOS. SparkKitty fingerprints the device and runs OCR over the user's saved screenshots to extract cryptocurrency wallet seed phrases. The scheme also lures victims into depositing cryptocurrency on fake storefronts that advertise nonexistent products at heavy discounts. Beyond fake promotions on Facebook and TikTok, the campaign abuses Meta ads and uses AI-generated videos that impersonate legitimate influencers. The phishing is targeted and interactive: operators engage victims in real time to capture two-factor authentication codes while a transaction is in progress. The disclosure comes alongside wider warnings about phishing, including a separate CTM360 report on a campaign against Meta Business Suite users and a U.S. Financial Crimes Enforcement Network advisory on convertible virtual currency fraud.
2025-08-05 12:42:30 thehackernews MISCELLANEOUS How CISOs Enhance SOC Efficiency with Cutting-edge Tools
Top CISOs are focusing on giving analysts more speed and visibility rather than simply adding more tools to the Security Operations Center (SOC). Live, interactive threat-analysis tools such as ANY.RUN let analysts observe and interact with malicious content in real time inside an isolated environment, cutting response times. Automating SOC processes, particularly triage, removes repetitive work, speeds up response, and reduces overall workload. ANY.RUN's sandbox lets analysts interact with malicious URLs and files directly, so threats hidden behind CAPTCHAs or QR codes can be uncovered instead of stalling the analysis. High-performing SOCs also get better results through collaboration and integration with existing tooling such as SIEM and SOAR, which streamlines investigations. For security and compliance, modern SOC tools provide private, isolated analysis environments with role-based access control and Single Sign-On (SSO) support. SOCs that adopt these practices report measurable gains in operational efficiency, including faster response and clearer visibility into threats. Together, interactive analysis, automated triage, and collaboration equip SOCs to handle emerging threats more proactively. (Sponsored content.)
2025-08-05 12:42:30 thehackernews MISCELLANEOUS The Critical Importance of SaaS Configuration and Security Posture
Misconfigurations and vulnerabilities are different kinds of SaaS risk and need different handling. Misconfigurations are settings the customer controls, such as access levels and third-party integrations, whereas vulnerabilities are flaws in the platform's code that only the vendor can fix. Under the SaaS shared responsibility model the vendor secures the infrastructure and the customer is responsible for how the application is configured. Survey data shows more than half of organizations place too much trust in vendors for SaaS security and overlook their own share, which raises the risk of a breach through misconfiguration. Traditional threat-detection tools miss this class of risk because they watch user activity rather than configuration state. Real-world incidents, such as misconfiguration exposure in Salesforce's OmniStudio, show that these weaknesses often go unnoticed by conventional controls. A "Secure-by-Design" SaaS programme pairs proactive posture management with high-fidelity threat detection so that both known and unknown risks are covered. The 2025 State of SaaS Security Report stresses awareness and disciplined configuration management as the way to prevent such breaches.
2025-08-05 12:42:30 bleepingcomputer DATA BREACH Chanel Latest Victim in Series of Salesforce Data Breaches
Chanel has disclosed a data breach affecting U.S. customers' personal information, including names, email addresses, and phone numbers. The incident involved a Chanel database hosted by a third-party service provider and was detected on July 25. It is part of a wider series of Salesforce data thefts attributed to the ShinyHunters group, in which attackers use social engineering, notably voice phishing (vishing) and malicious OAuth apps, to gain access to customers' Salesforce data. Salesforce says its platform itself has not been compromised and has urged customers to follow security best practices. The accessed data was limited to a subset of details about individuals who had contacted Chanel's U.S. client care centre; no financial information or other sensitive data beyond contact details was exposed. Affected clients have been notified, and there is no indication so far that the stolen data has been leaked publicly.
2025-08-05 12:42:30 bleepingcomputer MISCELLANEOUS Microsoft Boosts Zero Day Quest Bounty Program to $5 Million
Microsoft has raised the prize pool for its Zero Day Quest hacking contest to $5 million to encourage vulnerability research in its cloud and AI products. Submissions are accepted from August 4 to October 4, 2025, and the contest forms part of Microsoft's Secure Future Initiative to overhaul its security practices. Participants receive a 50% bonus for reporting Critical-severity vulnerabilities, with further multipliers available. A select group of top researchers will be invited to a live hacking event at Microsoft's campus in spring 2026 to work with Microsoft engineers on security improvements. Microsoft will also run training sessions on AI system testing, bug bounty programmes, and security research methodology. Bounties for vulnerabilities in several Microsoft platforms, including .NET, ASP.NET Core, and Copilot, have been increased significantly as well. Under the Secure Future Initiative, Microsoft commits to disclosing critical vulnerabilities through the CVE programme as part of its transparency efforts.
2025-08-05 12:42:30 bleepingcomputer NATION STATE ACTIVITY Google Issues Patches for Android Exploited by Nation States
Google's August 2025 Android security update addresses six vulnerabilities, including two Qualcomm flaws, CVE-2025-21479 and CVE-2025-27038, that were exploited in limited, targeted attacks. Both are memory-corruption bugs in Qualcomm's graphics stack: the first stems from unauthorized command execution in the GPU, the second is a use-after-free in GPU rendering. Qualcomm had previously warned of the exploitation and issued fixes and recommendations to OEMs, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) required federal agencies to patch by late June 2025. The update also fixes a critical vulnerability in the System component that allows remote code execution without user interaction. Rollout times vary: Google Pixel devices receive the update immediately, while other vendors typically lag while they test and adapt the patches. Earlier updates, in November 2024 and March 2025, fixed other zero-days that had been used by Serbian authorities in targeted spyware attacks.
2025-08-05 12:42:30 bleepingcomputer CYBERCRIME SonicWall Warns to Disable SSLVPN Amid Ransomware Threats
SonicWall has advised administrators to disable SSLVPN on Gen 7 firewalls amid a wave of ransomware attacks that may be exploiting a zero-day vulnerability. Arctic Wolf Labs has observed multiple Akira ransomware intrusions since July 15 in which the firewall's SSL VPN was the initial entry point; a zero-day is considered likely, though brute force and credential stuffing have not been conclusively ruled out. Huntress has corroborated Arctic Wolf's findings and published a report with indicators of compromise, advising that the VPN service be disabled or access to it severely restricted. The attackers pivot to domain controllers within hours of initial access, so a single compromised appliance quickly becomes a network-wide incident. SonicWall is investigating whether the incidents involve a previously known vulnerability or a new one and urges customers to apply the recommended mitigations immediately. Separately, SonicWall has flagged CVE-2025-40599, a critical vulnerability in SMA 100 appliances that can lead to remote code execution, and recommends patching it urgently.
2025-08-05 12:42:30 bleepingcomputer DATA BREACH Cisco Reports Data Breach Affecting User Profiles on Cisco.com
Cisco has disclosed a data breach exposing basic profile information of Cisco.com user accounts after a voice phishing (vishing) attack. An attacker socially engineered a Cisco employee to gain access to a third-party, cloud-based Customer Relationship Management (CRM) system. The stolen data comprised names, organization names, addresses, Cisco-assigned user IDs, email addresses, phone numbers, and account metadata. The breach did not affect Cisco's products or services or other CRM instances, and no passwords or sensitive corporate information were involved. Cisco cut off the attacker's access to the CRM system on discovery and opened an investigation. It is implementing additional safeguards and training employees to recognise and resist vishing. Cisco has engaged with data protection authorities and has begun notifying affected individuals as required by law. The number of affected users, and whether the attackers demanded a ransom, has not been disclosed.
2025-08-04 11:32:34 bleepingcomputer MALWARE Ransomware Gangs Exploit Vulnerabilities in Microsoft SharePoint
Ransomware groups are now exploiting the Microsoft SharePoint vulnerability chain known as "ToolShell", which has already been used to compromise numerous organizations worldwide. Microsoft attributed the earlier exploitation to the Chinese state-linked groups Linen Typhoon, Violet Typhoon, and Storm-2603; Palo Alto Networks' Unit 42 has since observed a ransomware variant, 4L4MD4R, being delivered through the same chain. The attacks target internet-facing SharePoint servers, using a loader that disables security defences before encrypting files on the compromised system. Victims of the wider ToolShell campaign include the U.S. National Nuclear Security Administration, the Department of Education, and various European and Middle Eastern government networks. Microsoft patched the vulnerabilities used in these attacks, CVE-2025-53770 and CVE-2025-53771, in emergency updates released in July 2025 after the bugs were found to bypass the fixes from that month's Patch Tuesday. The ransomware demands payment in Bitcoin and drops ransom notes directly on the victim's systems. CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog and gave federal agencies 24 hours to secure their systems against it.
2025-08-04 11:02:43 thehackernews CYBERCRIME Comprehensive Guide to Preventing Man-in-the-Middle Attacks
Man-in-the-middle (MITM) attacks intercept the communication between two parties to steal sensitive data such as card numbers and login credentials, or to alter the traffic in transit. They exploit weaknesses in the network and its protocols, and unsecured public Wi-Fi in places such as coffee shops is a common starting point. Typical techniques include spoofing Wi-Fi service set identifiers (SSIDs) with an evil-twin access point, ARP spoofing to redirect traffic on the local network, and mDNS or DNS spoofing to steer victims to attacker-controlled hosts. Defences start with encrypting all web traffic with HTTPS and TLS, using HTTP Strict Transport Security (HSTS) so browsers refuse to downgrade to plain HTTP, and pinning certificates in mobile apps. Network-level measures include avoiding public Wi-Fi or using a trusted VPN, segmenting the network, and protecting name resolution with DNSSEC, DNS over HTTPS (DoH), and DNS over TLS (DoT). Strong authentication, in particular mutual TLS and phishing-resistant multi-factor authentication (MFA), prevents impersonation even when traffic is intercepted. Monitoring with intrusion detection systems and endpoint detection and response (EDR) can spot MITM tactics such as ARP cache poisoning and rogue access points. Finally, the article recommends training users and developers in these practices and, as its sponsor, points to Specops Password Policy as a further control against credential-based breaches.
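ARP spoofing, the local-network technique listed above, works because hosts accept any ARP reply and overwrite their cache, so an attacker who answers for the gateway's IP with their own MAC silently becomes the path for all outbound traffic. The detector below is an added example (not code from the article or from Specops) of the kind of check an IDS performs: it keeps the first-seen IP-to-MAC binding, raises an alert when a later reply claims a different MAC for the same IP (high severity when the IP is a gateway), and reports any MAC that ends up claiming several IPs, which is the signature of both sides of a conversation being poisoned. The sample ARP replies, IP addresses, and MAC addresses are constructed for the example.

```python
"""Detect ARP spoofing from a stream of observed ARP replies.

Added example. Captures would normally come from a sniffer; here they are
constructed records so the logic runs offline.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class ArpReply:
    ts: float          # seconds since capture start
    sender_ip: str     # IP the reply claims to speak for
    sender_mac: str    # MAC offered for that IP


@dataclass(frozen=True)
class Alert:
    ts: float
    ip: str
    old_mac: str
    new_mac: str
    severity: str      # "high" for a gateway, "medium" otherwise


@dataclass
class ArpWatch:
    gateways: Set[str]
    bindings: Dict[str, str] = field(default_factory=dict)   # ip -> first-seen MAC
    claims: Dict[str, Set[str]] = field(default_factory=dict)  # mac -> every IP it claimed
    alerts: List[Alert] = field(default_factory=list)

    def observe(self, reply: ArpReply) -> Optional[Alert]:
        """Record one reply; return an Alert if it contradicts the trusted binding."""
        mac = reply.sender_mac.lower()           # MACs compare case-insensitively
        self.claims.setdefault(mac, set()).add(reply.sender_ip)
        prev = self.bindings.get(reply.sender_ip)
        if prev is None:
            self.bindings[reply.sender_ip] = mac  # first sighting becomes the baseline
            return None
        if prev == mac:
            return None
        # Do NOT overwrite the binding: a single spoofed reply must not become the new truth.
        severity = "high" if reply.sender_ip in self.gateways else "medium"
        alert = Alert(reply.ts, reply.sender_ip, prev, mac, severity)
        self.alerts.append(alert)
        return alert

    def macs_claiming_multiple_ips(self) -> Dict[str, Set[str]]:
        """MACs that answered for more than one IP: typical of full-duplex poisoning."""
        return {mac: ips for mac, ips in self.claims.items() if len(ips) > 1}


def run_detector(replies: Iterable[ArpReply], gateways: Iterable[str]) -> ArpWatch:
    """Feed every reply through a fresh ArpWatch and return it for inspection."""
    watch = ArpWatch(gateways=set(gateways))
    for r in replies:
        watch.observe(r)
    return watch


# Constructed sample capture: a legitimate gateway and workstation, then an
# attacker (de:ad:be:ef:00:99) answering for both of them.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),    # real gateway
    ArpReply(1.0, "192.168.1.20", "aa:bb:cc:00:00:20"),   # real workstation
    ArpReply(2.0, "192.168.1.1", "AA:BB:CC:00:00:01"),    # same MAC, different case: benign
    ArpReply(5.0, "192.168.1.1", "de:ad:be:ef:00:99"),    # attacker claims the gateway
    ArpReply(5.1, "192.168.1.20", "de:ad:be:ef:00:99"),   # and the workstation too
]
SAMPLE_GATEWAYS = ["192.168.1.1"]


if __name__ == "__main__":
    watch = run_detector(SAMPLE_REPLIES, SAMPLE_GATEWAYS)
    for a in watch.alerts:
        print(f"[{a.severity}] t={a.ts}: {a.ip} moved from {a.old_mac} to {a.new_mac}")
    for mac, ips in watch.macs_claiming_multiple_ips().items():
        print(f"{mac} answered for {sorted(ips)}")
```

The first-seen binding is only trustworthy if the capture starts before the attacker does; in production, seed the baseline from DHCP leases or a switch's MAC table rather than from whatever reply arrives first.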
2025-08-04 10:53:07 theregister CYBERCRIME German Phone Repair Company Begins Insolvency After Ransomware Attack
Wilhelm Einhaus, head of Einhaus Group, has confirmed that parts of the company are in insolvency proceedings as a result of a ransomware attack in 2023. The ransom, paid in cryptocurrency, was later seized by authorities investigating the attack but has not been returned, which has weighed heavily on the company's finances. At its peak Einhaus Group had annual revenues of about €70 million, partnered with major telcos including Deutsche Telekom, and offered repair services through more than 5,000 retail outlets. Attempts to stabilise the business by selling assets and cutting staff from more than 100 employees to eight were not enough to restore it. The attack locked staff out of their systems, halted operations, and caused seven-figure losses. Three of the 13 companies in the group have now entered insolvency proceedings. The case illustrates how a ransomware attack can destroy a business outright, as similar collapses in other sectors have shown.
2025-08-04 10:02:52 theregister NATION STATE ACTIVITY The Complex Challenge of Data Sovereignty and International Laws
Microsoft France's legal director told the French Senate that U.S. law could compel the company to hand over French data regardless of where it is stored. Microsoft has tried to address EU sovereignty concerns with enhanced service agreements and a promise to challenge U.S. data-access requests in court. Data sovereignty is a hard problem for states, which must balance control over their data against the reality of global interdependence. The UK government's unsuccessful attempt to force Apple to build an encryption backdoor shows how difficult it is to maintain control over data under international pressure. The European Union is considering rules to prevent non-EU entities from accessing sensitive data, which would significantly affect U.S. cloud providers and the AI strategies built on them. These shifting legal and regulatory regimes make data storage and management less predictable and strengthen the case for keeping sensitive data on premises. Taken together, the developments point towards a more balkanised internet in which data sovereignty laws could hamper international commerce and digital innovation.