Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11811
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-07-28 15:32:30 | bleepingcomputer | DATA BREACH | Naval Group Under Investigation After Alleged 1TB Data Leak | Naval Group, a French state-owned defense company, is probing a potential cyberattack following the leak of 1TB of data on a hacker forum. The firm has filed a complaint and is examining whether the leaked data indeed originated from its servers, describing the incident as a "destabilization and reputational attack." Despite the claims, Naval Group has found no evidence of an actual breach of its IT systems and maintains that its operational activities are unaffected. The investigation involves external cybersecurity experts and Naval Group's CERT, in coordination with French authorities, with the aim of swiftly ascertaining the authenticity and source of the data. The leak reportedly includes sensitive material such as classified combat management system (CMS) data for military vessels, technical documents, and development virtual machines containing simulation data. The threat actor known as 'Neferpitou' initially offered Naval Group a ransom negotiation deadline before publishing the entire data set publicly on DarkForums. Thales Group, a minority shareholder in Naval Group, had previously experienced a data breach in 2022, prompting speculation that the leaked data might be related to or recycled from that incident. | Details |
| 2025-07-28 14:34:39 | theregister | DATA BREACH | Major Data Breach at Allianz Life Affects 1.4 Million Customers | Allianz Life, a subsidiary of the financial services company Allianz, reported a significant data breach affecting the majority of its 1.4 million customers. The breach began on July 16 and was quickly detected by July 17, with official notifications filed shortly after. Attackers gained access via a third-party, cloud-based CRM system provided to Allianz Life; the provider of this system has not been disclosed. The data compromised during the breach includes personally identifiable information of customers, financial professionals, and selected Allianz Life employees. It is suspected that the attackers used social engineering techniques to execute the breach, though the exact group behind the attack remains unidentified. Allianz has engaged the FBI, initiated an internal investigation to assess the extent of the impact, and taken steps to mitigate further risks. The company is reaching out to affected parties and has offered 24 months of identity protection and credit monitoring services. Uncertainty remains around whether any extortion demands have been made by the perpetrators or their affiliates. | Details |
| 2025-07-28 14:20:28 | bleepingcomputer | CYBERCRIME | Free Autoswagger Tool Exposes Critical API Security Flaws | APIs remain critical yet highly vulnerable components of IT infrastructure, frequently targeted by cybercriminals. Autoswagger, a new open-source tool, helps detect authorization flaws in APIs by scanning exposed documentation such as OpenAPI or Swagger schemas. The tool revealed major vulnerabilities in large organizations, including unsecured endpoints that exposed sensitive data such as PII and credentials. Examples include exposed Microsoft Partner Program credentials, over 60,000 Salesforce records, and an unprotected internal training API that allowed SQL queries. Autoswagger's effectiveness points to continued neglect in securing API documentation, an area crucial for preventing unauthorized data access. Intruder advocates continuous API endpoint scanning to manage exposure and address vulnerabilities promptly. The article underscores the risk that automatically generated API documentation increases the attack surface available to attackers. | Details |
| 2025-07-28 12:17:53 | theregister | CYBERCRIME | Aeroflot Flight Disruptions Tied to Alleged Hacktivist Attack | Russia's largest airline, Aeroflot, experienced significant service disruptions, canceling 49 flights and delaying many others due to IT system failures. The hacktivist groups Silent Crow and Cyberpartisans BY claimed responsibility for the disruptions, alleging a year-long compromise of Aeroflot's systems, including critical data and network operations. Affected passengers faced cancellations and delays at Moscow's Sheremetyevo Airport, with instructions to monitor flight status through various channels. Aeroflot's communication highlighted ongoing efforts by a specialist team to restore normal operations and minimize further risks. The airline provided options for refunds or rebooking, though immediate services for these actions were temporarily unavailable at airport ticket offices. This incident adds pressure on Aeroflot, already financially strained by international sanctions and the suspension of key international routes following geopolitical tensions. The hacktivists' claims, which include the destruction of servers and theft of extensive data, remain unverified but underscore significant cybersecurity vulnerabilities within critical infrastructure sectors. | Details |
| 2025-07-28 12:17:53 | thehackernews | NATION STATE ACTIVITY | Major SharePoint Exploits Linked to Chinese Hacking Groups | Microsoft SharePoint servers were targeted globally through newly discovered zero-day exploits, affecting over 400 organizations. The attackers, identified as the Chinese hacking groups Linen Typhoon and Violet Typhoon and a suspected actor codenamed Storm-2603, used these vulnerabilities to deploy Warlock ransomware. The exploited vulnerabilities included CVE-2025-49706, a spoofing flaw, and CVE-2025-49704, a remote code execution bug, referred to collectively as ToolShell. Microsoft is investigating whether a leak from the Microsoft Active Protections Program (MAPP) facilitated the zero-day exploitation. China has officially denied any involvement in these cyberattacks. The exploitation highlighted the broader issue of legitimate-looking tools and engagements being used as vectors for sophisticated cyber threats. The incident underscores the escalating challenges that security teams face in distinguishing between trustworthy and malicious sources within their digital environments. | Details |
| 2025-07-28 11:31:06 | thehackernews | MISCELLANEOUS | Modernizing Email Security Beyond Traditional Filters | Traditional email security, primarily reliant on Secure Email Gateways (SEGs), is outdated, akin to 1990s-era antivirus solutions. Email remains a critical vulnerability in corporate security, serving as a primary entry point for attackers due to outdated protective measures. Modern threats in email security include compromised mailboxes that provide access to entire organizational networks through OAuth tokens and shared files. The paradigm shift from prevention to rapid detection and response in endpoint security can also enhance email security, using an approach similar to Endpoint Detection and Response (EDR) systems. Advanced email security should include capabilities such as automated message rollback, real-time visibility of mailbox changes, and rapid response measures like Multi-Factor Authentication (MFA) triggers and rule reversals. Integrating modern API-driven solutions can minimize the damage from email breaches by offering immediate remediation actions, which are essential for containing threats and reducing risk exposure. A fully integrated, modern email security solution simplifies the security management process, providing comprehensive analytics and controls through a single platform, ideal for resource-constrained security teams. | Details |
| 2025-07-28 06:27:44 | thehackernews | CYBERCRIME | Scattered Spider Group Targets U.S. Infrastructure with Ransomware | Scattered Spider, a known cybercrime group, focuses its attacks on U.S. sectors such as retail, airlines, and transportation, specifically targeting VMware ESXi hypervisors. The group relies on social engineering rather than software exploits, placing direct phone calls to IT help desks to gain initial system access. Its approach involves abusing trusted administrative systems and manipulating Active Directory to pivot into victims' VMware vSphere environments for data extraction and ransomware deployment. These attacks bypass traditional security measures and are characterized by their speed and stealth, usually completing the process within a few hours. Google highlights the need for a shift in defense strategies from endpoint detection and response (EDR) to proactive, infrastructure-centric defenses. The partnership between Scattered Spider and the DragonForce ransomware program exemplifies a significant collaboration in cybercrime, demonstrating sophisticated joint operations. Google recommends re-architecting systems with enhanced security as VMware vSphere 7 nears end-of-life, to impede such high-risk ransomware attacks and secure virtualized infrastructure against severe disruptions. | Details |
| 2025-07-28 04:15:59 | thehackernews | CYBERCRIME | Critical Security Flaws Found in Niagara Framework Systems | Over a dozen security vulnerabilities were identified in Tridium's Niagara Framework, which could allow network attackers to compromise the system if it is misconfigured. The Niagara Framework, a key player in smart building and industrial system management, integrates devices such as HVAC and lighting controls from various manufacturers. Nozomi Networks Labs noted that these flaws are exploitable especially when encryption is disabled on network devices, creating opportunities for significant operational disruptions. The most critical vulnerabilities could enable an attacker with network access to achieve root-level code execution, potentially taking complete control of the system. Attack methods detailed include CSRF and AitM attacks, leading to the creation of backdoor accounts and unauthorized administrative access. These security issues have been fixed in the latest updates of the Niagara Framework across several versions, following responsible disclosure. Additionally, memory corruption flaws in the P-Net C library and other vulnerabilities in various industrial and security devices were also reported, highlighting ongoing security challenges in industrial IoT. | Details |
| 2025-07-28 00:32:08 | theregister | DATA BREACH | US Spy Satellite Agency Handles Data Breach; Classified Data Secure | The US National Reconnaissance Office (NRO) experienced a security breach affecting its unclassified Acquisition Research Center (ARC) website, which handles vendor interactions and market research. No classified data was compromised during the intrusion, though the extent of accessed unclassified information remains unclear. The breach correlates with known vulnerabilities in SharePoint, similar to other recent intrusions at U.S. government entities. The NRO is collaborating with federal law enforcement to investigate the breach and is avoiding detailed comment during the ongoing investigation. The Tea app, aimed at enhancing women's safety by sharing dating experiences, also reported a data breach exposing 72,000 images due to insecure data storage practices. In a related development, law enforcement seized the Blacksuit ransomware group's leak site as part of a broader crackdown called Operation Checkmate. A British student was sentenced for selling phishing kits online, highlighting ongoing cybercrime prosecution efforts. The compromise of the encrypted communication service EncroChat led to the conviction of a drug dealer, further showcasing law enforcement's capability to crack extensive criminal networks. | Details |
| 2025-07-27 15:06:23 | bleepingcomputer | CYBERCRIME | Scattered Spider Targets VMware in US Sector Hacking Spree | The Scattered Spider group focuses its attacks on VMware ESXi hypervisors in various US industries, including retail and transportation. The attackers use sophisticated social engineering tactics to manipulate IT help desks into granting access to sensitive systems. The intrusion proceeds in multiple stages, from initial access by impersonating employees to full control over the virtualized environment. Methods include scanning for top-level IT documentation, resetting privileged user passwords, and executing disk-swap attacks. The attackers eventually gain enough control to deploy ransomware, targeting all virtual machine files within the affected systems. Google Threat Intelligence Group outlines the attack process in detail and offers strategies for early detection and defense against such threats. Despite arrests related to the group in the UK, the threat from Scattered Spider continues with ongoing malicious activity. | Details |
| 2025-07-26 18:04:42 | bleepingcomputer | DATA BREACH | Data Breach at Allianz Life Affects Over 1 Million Customers | Allianz Life Insurance experienced a significant data breach, impacting the personal data of most of its 1.4 million customers. A malicious actor accessed its third-party cloud-based CRM system on July 16, 2025, using social engineering techniques. The breach was confined to the CRM system; there is no indication of further access to Allianz Life's network or other systems. The breach was disclosed to the FBI, and Allianz Life has begun outreach to the affected customers with dedicated resources for assistance. The ShinyHunters hacking group, known for various high-profile breaches, is believed to be behind this attack. Arrests of ShinyHunters members have occurred over the past years, but the group continues to target companies, recently shifting its focus to Salesforce CRM customers. Allianz has not confirmed the identity of the CRM system involved but is continuing its investigation and response to the breach. | Details |
| 2025-07-26 14:20:34 | bleepingcomputer | MALWARE | Over 200,000 WordPress Sites at Risk from SMTP Plugin Flaw | A security flaw in the Post SMTP plugin for WordPress, affecting over 200,000 sites, enables hijacking of administrator accounts. Post SMTP, which replaces the default wp_mail() function, has over 400,000 installations but contains a critical vulnerability tracked as CVE-2025-24000. The vulnerability, caused by inadequate access control in the plugin's API, allows even low-privileged users to view and abuse email logs. Subscribers can exploit the flaw by triggering password resets for administrators, intercepting the reset emails from the logs, and gaining unauthorized access. The vulnerability was reported to PatchStack by a security researcher on May 23, and a fix was issued in version 3.3.0 of the plugin on June 11. Despite the release of the patched version, only 48.5% of users have updated, leaving many sites exposed to potential security breaches. Older versions, especially from the 2.x branch, are still in use on nearly 100,000 sites, posing additional security risks. | Details |
| 2025-07-26 13:17:05 | theregister | MISCELLANEOUS | Legislation Proposed to Ban AI in Pricing Based on Personal Data | Two Democratic members of Congress have introduced a bill to ban AI surveillance in setting prices and wages. Delta Air Lines has begun using AI for dynamic pricing, covering 3% of its customers, with plans to expand to 20% by year-end. The proposed legislation, called the Stop AI Price Gouging and Wage Fixing Act, aims to protect consumers from AI-driven price manipulation based on personal data. The Federal Trade Commission (FTC) has reported the prevalence of "surveillance pricing," where prices are adjusted based on consumer data such as location, device type, and shopping habits. The bill seeks enforcement by the FTC, the Equal Employment Opportunity Commission, and the states, and allows for private actions against violating companies. Despite broad concerns, the legislation faces significant challenges due to Republican control of Congress, which may hinder its passage. | Details |
| 2025-07-26 11:35:22 | theregister | NATION STATE ACTIVITY | SharePoint Vulnerabilities Exploited by Nation State Actors and Others | Microsoft's July fixes for SharePoint bugs were incomplete, leaving attackers able to exploit the vulnerabilities. Researchers suspect a leak, possibly from the Microsoft Active Protections Program (MAPP), helped attackers bypass the new security patches. Initial exploitation occurred before the patches were publicly released, raising questions about the source of the leak. Attacks were carried out by various groups, including Chinese government-backed hackers and ransomware gangs. Eye Security detected large-scale exploitation shortly after the flawed patches were announced by Microsoft. Over 400 organizations were compromised through flaws for which the patches were insufficient. Microsoft refrained from disclosing specific details about the incident but promised to review and improve its response processes. Alternative theories suggest attackers might have independently discovered the exploits without relying on a leak. | Details |
| 2025-07-25 20:46:48 | bleepingcomputer | CYBERCRIME | Hacker Injects Harmless Wiper Code into Amazon AI Tool | A hacker using the handle 'lkmanka58' inserted non-destructive wiper code into Amazon Q, Amazon's generative AI extension for Visual Studio Code. The code, intended to warn about AI coding security rather than cause actual damage, displayed data-wiping commands on users' screens. The compromise occurred after the hacker submitted a pull request to Amazon's GitHub repository, exploiting potential workflow misconfigurations. Amazon unknowingly published the compromised version (1.84.0) on the Visual Studio Code marketplace, where it was downloaded by its near-million user base. Security researchers alerted Amazon on July 23, after which Amazon confirmed the issue and released a patched version (1.85.0) the following day. AWS stated that the defective code was non-operational in user environments, although there were unconfirmed reports of the code executing without causing harm. Users are advised to update their Amazon Q extension to version 1.85.0 promptly to avoid any potential risk from the compromised version. This incident highlights the need for rigorous security controls when handling contributions to publicly accessible software repositories. | Details |