BagheeraAltered's CyberSecurity Newsletter

August 4, 2025

Cybersecurity Newsletter August 4th, 2025

In this week's news: nation-state group CL-STA-0969 targeted Southeast Asian telecoms; the new face of DDoS is shaped by AI; Akira ransomware targets SonicWall VPNs in likely zero-day attacks; law enforcement seized the BlackSuit dark web extortion sites; China questioned Nvidia over suspected backdoors; attackers exploit link-wrapping services to steal Microsoft 365 logins; and IBM released its Cost of a Data Breach Report, which found that AI adoption is greatly outpacing AI security and governance.

Arctic Wolf Labs researchers reported that Akira ransomware is exploiting SonicWall SSL VPNs in a likely zero-day attack, targeting even fully patched devices. Arctic Wolf Labs observed multiple intrusions via VPN access in late July 2025. Evidence suggests a likely zero-day in SonicWall VPNs, as fully patched devices with MFA and rotated credentials were still compromised in some attacks.
https://securityaffairs.com/180724/cyber-crime/akira-ransomware-targets-sonicwall-vpns-in-likely-zero-day-attacks.html

A stealthy Linux backdoor named Plague, disguised as a malicious PAM module, allows attackers to bypass authentication and maintain persistent SSH access. Plague includes anti-debugging to hinder analysis, string obfuscation to hide sensitive data, a static password for covert access, and the ability to erase session artifacts to avoid detection, making it a stealthy and persistent threat.
https://securityaffairs.com/180701/malware/new-linux-backdoor-plague-bypasses-auth-via-malicious-pam-module.html
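Because Plague hides as a PAM module, one defender-side check is to list every module referenced by the PAM stacks in /etc/pam.d and flag any that are not in a baseline you maintain. The script below is an added example, not code from the article or from the Plague analysis; the sample sshd stack, the baseline list and the module name pam_constructed_evil.so are constructed for the demonstration.

```shell
#!/bin/sh
# Extract PAM module names from a PAM config file and report any not in a baseline.
# Constructed sample data is written to a temp dir so the script runs offline.

pam_modules() {
    # Print the module basename from every active line of a PAM config file.
    # Handles "[success=1 default=ignore]" bracketed controls, "include"/"substack"
    # controls (which name another stack, not a module) and "@include" lines.
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }           # comments and blank lines
        $1 == "@include" { next }                        # Debian-style include
        {
            i = 2
            if ($2 ~ /^\[/) {                            # bracketed control field
                while (i <= NF && $i !~ /\]$/) i++
            }
            if ($i == "include" || $i == "substack") next
            mod = $(i + 1)
            sub(/.*\//, "", mod)                         # strip any directory path
            if (mod != "") print mod
        }
    ' "$1" | sort -u
}

unexpected_pam_modules() {
    # Args: PAM config file, baseline file (one module name per line).
    # Prints every referenced module that is absent from the baseline.
    pam_modules "$1" | grep -vxF -f "$2" || true
}

# Constructed sample: an sshd stack with one module the baseline does not know.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd" <<'EOF'
# constructed sample PAM stack
auth     required                      pam_env.so
auth     [success=1 default=ignore]    pam_unix.so nullok
auth     required                      pam_constructed_evil.so
auth     include                       common-auth
@include common-account
session  optional                      pam_systemd.so
EOF
printf 'pam_env.so\npam_unix.so\npam_systemd.so\n' > "$SAMPLE_DIR/baseline"

echo "Modules not in baseline:"
unexpected_pam_modules "$SAMPLE_DIR/sshd" "$SAMPLE_DIR/baseline"
```

On a real host, run unexpected_pam_modules over each file in /etc/pam.d against a baseline captured from a known-good build, and verify flagged files with your package manager (dpkg -S or rpm -qf).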

A new and deceptive multi-stage malware campaign has been identified by the Lat61 Threat Intelligence team at security firm Point Wild. The attack uses malicious Windows Shortcut (LNK) files, which are simple pointers to a program or file, to deliver the remote-access trojan (RAT) known as REMCOS.
https://hackread.com/attack-windows-shortcut-files-install-remcos-backdoor/

Attackers exploit link-wrapping services to steal Microsoft 365 logins. A threat actor has been abusing link-wrapping services from reputable technology companies to mask malicious links leading to Microsoft 365 phishing pages that collect login credentials. The attacker abused the URL security features of cybersecurity company Proofpoint and cloud communications firm Intermedia in campaigns running from June through July.
https://www.bleepingcomputer.com/news/security/attackers-exploit-link-wrapping-services-to-steal-microsoft-365-logins/

The AI-generated npm package @kodane/patch-manager drained Solana wallets, reaching 1,500+ downloads before its takedown on July 28, 2025. "The package @kodane/patch-manager is a sophisticated cryptocurrency wallet drainer with multiple malicious functions. The drainer is designed to steal funds from unsuspecting developers and their applications' users."
https://securityaffairs.com/180680/malware/malicious-ai-generated-npm-package-hits-solana-users.html

Pi-hole, a popular network-level ad-blocker, has disclosed that donor names and email addresses were exposed through a security vulnerability in the GiveWP WordPress donation plugin. Pi-hole acts as a DNS sinkhole, filtering out unwanted content before it reaches the users' devices. While initially designed to run on Raspberry Pi single-board computers, it now supports various Linux systems on dedicated hardware or virtual machines.
https://www.bleepingcomputer.com/news/security/pi-hole-discloses-data-breach-via-givewp-wordpress-plugin-flaw/

Cybersecurity researchers have detailed a new cluster of activity where threat actors are impersonating enterprises with fake Microsoft OAuth applications to facilitate credential harvesting as part of account takeover attacks. "The fake Microsoft 365 applications impersonate various companies, including RingCentral, SharePoint, Adobe, and Docusign," Proofpoint said in a Thursday report.
https://thehackernews.com/2025/08/attackers-use-fake-oauth-apps-with.html

Microsoft has uncovered a new cyber espionage campaign by the Russian state actor Secret Blizzard, which is targeting embassies located in Moscow. The attacks are assisted by official Russian domestic intercept systems and involve the use of malicious files masquerading as Kaspersky anti-virus software.
https://www.infosecurity-magazine.com/news/secret-blizzard-moscow-embassies/

Law enforcement has seized the dark web extortion sites of the BlackSuit ransomware operation, which has targeted and breached the networks of hundreds of organizations worldwide over the past several years. The U.S. Department of Justice confirmed the takedown in an email earlier today, saying the authorities involved in the action executed a court-authorized seizure of the BlackSuit domains.
https://www.bleepingcomputer.com/news/security/law-enforcement-seizes-blacksuit-ransomware-leak-sites/

Insurance company Allianz Life was breached, exposing the data of most of its 1.4 million American customers. According to Allianz, an attacker gained access to a third-party, cloud-based Customer Relationship Management (CRM) system through social engineering. The company filed a data breach notification with the Attorney General of the US state of Maine on Friday July 25, 2025.
https://www.malwarebytes.com/blog/news/2025/07/allianz-life-says-majority-of-1-4-million-us-customers-info-breached

China questioned Nvidia over suspected backdoors in its H20 chips, adding to rising tensions in the tech fight between the U.S. and Beijing. Nvidia H20 chips are AI GPUs tailored for the Chinese market, based on Hopper architecture. They deliver strong AI performance but with reduced features to comply with U.S. export controls, balancing China’s AI demands and geopolitical restrictions.
https://securityaffairs.com/180694/intelligence/china-presses-nvidia-over-alleged-backdoors-in-h20-chips-amid-tech-tensions.html

Storm-2603 deploys a DNS-controlled backdoor in Warlock and LockBit ransomware attacks. The threat actor linked to the exploitation of the recently disclosed security flaws in Microsoft SharePoint Server is using a bespoke command-and-control (C2) framework called AK47 C2 (also spelled ak47c2) in its operations.
https://thehackernews.com/2025/08/storm-2603-exploits-sharepoint-flaws-to.html

Palo Alto Networks reported that a nation-state actor, tracked as CL-STA-0969, targeted telecom firms in Southeast Asia, with attacks on critical infrastructure from February to November 2024. Threat actor CL-STA-0969 overlaps with the China-linked cyber espionage group Liminal Panda.
https://securityaffairs.com/180737/apt/nation-state-group-cl-sta-0969-targeted-southeast-asian-telecoms-in-2024.html

The new face of DDoS is shaped by AI. DDoS used to mean, simply put, overwhelming targets with massive amounts of traffic. DDoS attacks have since evolved into precision-guided threats, and this transformation can be partly attributed to AI.
https://thehackernews.com/expert-insights/2025/08/the-new-face-of-ddos-is-impacted-by-ai.html

IBM released its Cost of a Data Breach Report, which found that AI adoption is greatly outpacing AI security and governance. While organizations that experienced an AI-related breach are a small share of the researched population, this is the first time security, governance and access controls for AI have been studied in the report.
https://www.helpnetsecurity.com/2025/08/04/ibm-cost-data-breach-report-2025/

(PoC) A proof of concept exploiting CVE-2025-24813, a Remote Code Execution (RCE) vulnerability in Apache Tomcat. The vulnerability allows an attacker to upload a malicious serialized payload to the server, leading to remote code execution:
https://github.com/absholi7ly/POC-CVE-2025-24813

(PoC) A proof of concept for CVE-2025-0282, a critical vulnerability in Ivanti Connect Secure that allows Remote Command Execution (RCE) through a buffer overflow. The vulnerability enables attackers to upload malicious files (e.g., web shells) and execute commands on the target system with elevated privileges:
https://github.com/absholi7ly/CVE-2025-0282-Ivanti-exploit
