
BagheeraAltered's CyberSecurity Newsletter

July 7, 2025

CyberSecurity Newsletter July 7th, 2025

In this week’s news: the Hunters International ransomware gang shuts down and offers free decryption keys to all victims; Ingram Micro is hit by a SafePay ransomware attack that forced the shutdown of internal systems; the HellCat ransomware group keeps exploiting Jira credentials stolen by infostealers; the Kelly Benefits data breach affected approximately 550,000 individuals; Spanish police arrested two individuals in the province of Las Palmas for alleged cybercriminal activity; tech incubator IdeaLab formally confirmed that sensitive data was stolen during a ransomware attack; Esse Health, the largest independent physicians’ group in the Greater St. Louis area, disclosed a cyberattack; and Cisco, Citrix and Grafana have critical CVEs.


The ransomware group Hunters International announced on its dark web site that it is shutting down, citing “recent developments” without specifying details. The group stated the decision was made after careful consideration and acknowledged the impact on affected organizations. “As a gesture of goodwill and to assist those affected by our previous activities, we are offering free decryption software to all companies that have been impacted by our ransomware. Our goal is to ensure that you can recover your encrypted data without the burden of paying ransoms.”
https://securityaffairs.com/179667/cyber-crime/hunters-international-ransomware-gang-shuts-down-and-offers-free-decryption-keys-to-all-victims.html

An ongoing outage at IT giant Ingram Micro is caused by a SafePay ransomware attack that led to the shutdown of internal systems, BleepingComputer has learned. Ingram Micro is one of the world's largest business-to-business technology distributors and service providers, offering a range of solutions including hardware, software, cloud services, logistics, and training to resellers and managed service providers worldwide. 
https://www.bleepingcomputer.com/news/security/ingram-micro-outage-caused-by-safepay-ransomware-attack/

The HellCat ransomware group has once again demonstrated its focus on exploiting Jira credentials stolen through infostealer malware, targeting four new organizations: HighWire Press, Asseco, Racami, and LeoVegas Group.
https://www.infostealers.com/article/hellcat-ransomware-group-strikes-again-four-new-victims-breached-via-jira-credentials-from-infostealer-logs/

The Kelly Benefits data breach impacted approximately 550,000 individuals through an attack that combined multiple vectors, including spearphishing emails, obfuscated malware delivery, and persistence mechanisms. During the incident, the threat actors relied on well-documented techniques catalogued in the MITRE ATT&CK framework, such as T1566 – Phishing, T1027 – Obfuscated Files or Information, T1218 – Signed Binary Proxy Execution, T1047 – Windows Management Instrumentation, and T1041 – Exfiltration Over Command and Control Channel.
https://www.rescana.com/post/kelly-benefits-data-breach-550-000-affected-by-a-sophisticated-multi-vector-cyber-attack

A hacker is threatening to leak 106GB of data allegedly stolen from Spanish telecommunications company Telefónica in a breach that the company did not acknowledge. The threat actor has leaked a 2.6GB archive that unpacks into five gigabytes of data with a little over 20,000 files to prove that the breach occurred.
https://www.bleepingcomputer.com/news/security/hacker-leaks-telef-nica-data-allegedly-stolen-in-a-new-breach/

Cybersecurity researchers have shed light on a previously undocumented threat actor called NightEagle (aka APT-Q-95) that has been observed targeting Microsoft Exchange servers as a part of a zero-day exploit chain designed to target government, defense, and technology sectors in China.
https://thehackernews.com/2025/07/nighteagle-apt-exploits-microsoft.html

The Spanish police have arrested two individuals in the province of Las Palmas for their alleged involvement in cybercriminal activity, including data theft from the country's government. The duo has been described as a "serious threat to national security" and focused their attacks on high-ranking state officials as well as journalists. They leaked samples of the stolen data online to build notoriety and inflate the selling price.
https://www.bleepingcomputer.com/news/security/spain-arrests-hackers-who-targeted-politicians-and-journalists/

Cisco, a leading networking hardware company, has issued an urgent security alert and released updates to address a severe root-credential vulnerability in its Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME). The flaw, identified as CVE-2025-20309, carries the highest possible severity rating, a CVSS score of 10.0, which reflects remote exploitation without authentication and full compromise of the appliance.
https://hackread.com/cisco-emergency-fix-critical-root-credential-flaw-unified-cm/

California-based tech incubator IdeaLab has formally confirmed that sensitive data was stolen during a ransomware attack discovered in October 2024. The breach, now attributed to the Hunters International ransomware group, compromised information belonging to employees, contractors, and their dependents.
https://dailysecurityreview.com/security-spotlight/idealab-confirms-data-stolen-in-ransomware-attack-linked-to-hunters-international/

A mobile ad fraud operation dubbed IconAds that consisted of 352 Android apps has been disrupted, according to a new report from HUMAN. The identified apps were designed to load out-of-context ads on a user's screen and hide their icons from the device home screen launcher, making it harder for victims to remove them, per the company's Satori Threat Intelligence and Research Team. The apps have since been removed from the Play Store by Google.
https://thehackernews.com/2025/07/mobile-security-alert-352-iconads-fraud.html

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a severe vulnerability in Google Chrome—CVE-2025-6554—to its Known Exploited Vulnerabilities (KEV) catalog, marking it as a critical security issue currently being leveraged by malicious actors. This flaw, found in the V8 JavaScript and WebAssembly engine, represents the fourth zero-day vulnerability in Chrome discovered and patched in 2025 alone.
https://undercodenews.com/google-scrambles-to-patch-actively-exploited-chrome-zero-day-vulnerability/

Pakistan-based threat actor APT36, also known as Transparent Tribe, is running a new cyber-espionage campaign that targets Indian defense personnel with weaponized ZIP files designed to compromise BOSS Linux systems, a notable expansion from its earlier Windows-centric tooling.
https://cybersecuritynews.com/apt36-attacking-boss-linux-systems/

Esse Health, the largest independent physicians’ group in the Greater St. Louis area, has disclosed a cyberattack that compromised the personal and health information of 263,601 patients. The breach was detected after several patient-facing systems, including phones and digital portals, went offline on April 21, 2025.
https://dailysecurityreview.com/security-spotlight/esse-health-data-breach-impacts-over-263000-patients-in-prolonged-cyber-incident/

North Korea-linked threat actors are targeting Web3 and crypto firms with NimDoor, a rare macOS backdoor disguised as a fake Zoom update. Victims are tricked into installing the malware through phishing links sent via Calendly or Telegram. NimDoor is written in Nim, uses encrypted communications, and steals data like browser history and Keychain credentials. The malware can persist on systems, reinfect itself if killed, and mimics legitimate AppleScript tools to avoid detection.
https://securityaffairs.com/179643/malware/north-korea-linked-threat-actors-spread-macos-nimdoor-malware-via-fake-zoom-updates.html

Taiwan's National Security Bureau (NSB) has warned that China-developed applications like RedNote (aka Xiaohongshu), Weibo, TikTok, WeChat, and Baidu Cloud pose security risks due to excessive data collection and data transfer to China. The alert comes following an inspection of these apps carried out in coordination with the Ministry of Justice Investigation Bureau (MJIB) and the Criminal Investigation Bureau (CIB) under the National Police Agency.
https://thehackernews.com/2025/07/taiwan-nsb-alerts-public-on-data-risks.html

Grafana Labs has released urgent security updates for its widely used Image Renderer plugin and Synthetic Monitoring Agent after critical vulnerabilities inherited from the Chromium build bundled with those components were found to be exploitable. An attacker who can get the renderer to load malicious HTML content could exploit them to read or write process memory, corrupt memory, or execute arbitrary code.
https://dailysecurityreview.com/security-spotlight/grafana-issues-critical-security-fixes-for-image-renderer-plugin-and-synthetic-monitoring-agent/

Threat actors are weaponizing exposed Java Debug Wire Protocol (JDWP) interfaces to obtain code execution capabilities and deploy cryptocurrency miners on compromised hosts. "The attacker used a modified version of XMRig with a hard-coded configuration, allowing them to avoid suspicious command-line arguments that are often flagged by defenders," Wiz researchers Yaara Shriki and Gili Tikochinski said in a report published this week. "The payload used mining pool proxies to hide their cryptocurrency wallet address, thereby preventing investigators from pivoting on it."
https://thehackernews.com/2025/07/alert-exposed-jdwp-interfaces-lead-to.html
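JDWP has no authentication: any client that completes the 14-byte "JDWP-Handshake" exchange can load classes and run code inside the target JVM, which is why an exposed debug port is enough for the miner deployment described above. The following is an added example, not code from the Wiz report, showing the two checks a defender would run: a network probe that sends the handshake and confirms the echo, and a scan of JVM command lines for a JDWP agent bound to a non-loopback address. The mock listener, the sample command lines and the hypothetical helper names are constructed for the demonstration.

```python
import re
import socket
import threading
from typing import Optional

JDWP_HANDSHAKE = b"JDWP-Handshake"   # 14 ASCII bytes sent by the client and echoed by the JVM


def probe_jdwp(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if host:port completes the JDWP handshake.

    A JVM debug listener echoes the handshake verbatim; a closed port, an HTTP
    banner or silence is treated as 'not JDWP'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(JDWP_HANDSHAKE)
            buf = b""
            while len(buf) < len(JDWP_HANDSHAKE):
                chunk = sock.recv(len(JDWP_HANDSHAKE) - len(buf))
                if not chunk:
                    break
                buf += chunk
            return buf == JDWP_HANDSHAKE
    except OSError:
        return False


# Matches -agentlib:jdwp=<opts> (JDK 5+) and the legacy -Xrunjdwp:<opts> form.
_JDWP_FLAG = re.compile(r"-(?:agentlib:jdwp=|Xrunjdwp:)(\S+)")
_LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}


def exposed_jdwp_flags(cmdline: str) -> Optional[dict]:
    """Parse a JVM command line and return the jdwp options when the agent
    listens on a non-loopback address; None when the agent is absent, in
    client mode (server=n), or bound to loopback only."""
    m = _JDWP_FLAG.search(cmdline)
    if not m:
        return None
    opts = dict(kv.split("=", 1) for kv in m.group(1).split(",") if "=" in kv)
    if opts.get("server", "n") != "y":
        return None                      # JVM dials out to a debugger; nothing listens
    address = opts.get("address", "")
    host = address.rsplit(":", 1)[0] if ":" in address else ""
    # A bare port ("address=5005") binds loopback on JDK 9+ but ALL interfaces
    # on JDK 8 and earlier, so an empty host is deliberately left flagged.
    if host in _LOOPBACK:
        return None
    return opts


# Constructed process command lines, as a ps/EDR inventory might record them.
SAMPLE_CMDLINES = [
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar app.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005 -jar app.jar",
    "java -Xrunjdwp:transport=dt_socket,server=n,address=10.0.0.5:8000 -jar app.jar",
    "java -Xmx2g -jar app.jar",
]


def scan_cmdlines(cmdlines) -> list:
    """Return the command lines whose JDWP agent listens on a non-loopback address."""
    return [c for c in cmdlines if exposed_jdwp_flags(c) is not None]


def start_mock_jdwp_server() -> tuple:
    """Start a throwaway 127.0.0.1 listener that speaks the JDWP handshake
    (a constructed stand-in for a real JVM, so the probe runs offline).
    Returns (thread, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            if conn.recv(len(JDWP_HANDSHAKE)) == JDWP_HANDSHAKE:
                conn.sendall(JDWP_HANDSHAKE)
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return thread, port


def free_port() -> int:
    """Pick a local port that is not listening, for a negative probe."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    thread, port = start_mock_jdwp_server()
    print("mock JVM on port", port, "speaks JDWP:", probe_jdwp("127.0.0.1", port))
    thread.join(2)
    for line in scan_cmdlines(SAMPLE_CMDLINES):
        print("exposed:", line)
```

Point probe_jdwp at a real host only where you are authorised to test; a positive result means anyone who can reach that port can execute code in the JVM, and the fix is to remove the agent flag in production or bind it to loopback behind an SSH tunnel. The command-line scan is the cheaper control, since it catches the misconfiguration before the port is ever reachable.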

Cybersecurity researchers disclosed two vulnerabilities in the Sudo command-line utility for Linux and Unix-like operating systems. Local attackers can exploit the vulnerabilities to escalate privileges to root on affected systems.
https://securityaffairs.com/179637/security/critical-sudo-bugs-expose-major-linux-distros-to-local-root-exploits.html

A San Jose jury ruled that Google misused Android users’ cell phone data and must pay over $314.6 million in damages to affected users in California. Google is liable for collecting data from idle Android phones without consent, placing unfair costs on users for its own benefit. The class action, filed in 2019, represents around 14 million Californians and claims the company used the data for ads while consuming users’ cellular data.
https://securityaffairs.com/179628/laws-and-regulations/google-fined-314m-for-misusing-idle-android-users-data.html

Citrix has released patches addressing two serious vulnerabilities affecting NetScaler ADC and Gateway appliances—CVE-2025-5777 and CVE-2025-6543. The first, dubbed Citrix Bleed 2, allows attackers to hijack user sessions and bypass authentication. The second is already being exploited in denial-of-service attacks.
https://dailysecurityreview.com/security-spotlight/citrix-patch-for-critical-netscaler-vulnerabilities-causes-login-issues-for-some-customers/

A critical vulnerability in the Forminator WordPress plugin has exposed more than 600,000 websites to potential full-site takeover attacks. The flaw, tracked as CVE-2025-6463, has been assigned a high CVSS score of 8.8 and affects all Forminator versions up to 1.44.2.
https://dailysecurityreview.com/security-spotlight/forminator-plugin-flaw-leaves-600000-wordpress-sites-at-risk-of-full-takeover/
