From the cybersecurity policy and law enforcement front,

• NextGov/FCW tells us,
  • “The Senate confirmed Sean Cairncross to serve as national cyber director in a 59-35 vote on Saturday night [August 2], making him the first Senate-approved cybersecurity official of President Donald Trump’s second term.
  • “Cairncross is a former Republican National Committee official and was CEO of the Millennium Challenge Corporation agency during Trump’s first term. As national cyber director, he will be tasked with overseeing an office first stood up under the Biden administration, which serves as the key White House cyber policy interlocutor across federal agencies and Capitol Hill.” 

• Cyberscoop adds,
  • “Sean Cairncross took his post this week as national cyber director at what many agree is a “pivotal” time for the office, giving him a chance to shape its future role in the bureaucracy, tackle difficult policy issues, shore up industry relations and take on key threats.
  • “The former White House official, Republican National Committee leader and head of a federal foreign aid agency became just the third Senate-confirmed national cyber director at an office (ONCD) that’s only four years old. He’s the first person President Donald Trump has assigned to the position after the legislation establishing it became law at the end of his first term.”

• Cybersecurity Dive informs us,
  • “The Cybersecurity and Infrastructure Security Agency [CISA] has continued its work to protect federal networks and support critical infrastructure providers despite massive job cuts and resource constraints, two senior CISA officials said during the Black Hat USA cybersecurity conference here Thursday.
  • “We are not retreating, we’re advancing in a new direction,” CISA CIO Robert Costello said during a panel discussion.
  • “Chris Butera, the acting head of CISA’s Cybersecurity Division, added that, while the agency “did lose people” to the Trump administration’s downsizing program — roughly a third of its employees — CISA still has “a very talented workforce.” He cited the agency’s around-the-clock response to major vulnerabilities in Microsoft SharePoint as an example of CISA’s continued capacity.”
• and
  • “The U.S. government is still pushing agencies to adopt zero-trust network designs, continuing a project that gained steam during the Biden administration, a senior cybersecurity policy official said on Wednesday.
  • “It must continue to move forward,” Michael Duffy, the acting federal chief information security officer, said during a panel at the Black Hat cybersecurity conference. “That architectural side of it is very important for us to get right as we integrate new technologies [like] artificial intelligence into the ways we operate.”
  • “Zero-trust networking emphasizes the concept of throwing up hurdles to hackers who penetrate a computer system, limiting the damage they can do by sealing off parts of the network and requiring strict user authentication.”

• Per Dark Reading,
  • “As the Department of Defense (DoD) continues to make deeper strides in implementing its Cybersecurity Maturity Model Certification (currently CMMC 2.0), we find ourselves at the cusp of what feels like its next iteration, CMMC 3.0, marking the next evolution in its efforts to strengthen cybersecurity across the defense industrial base (DIB). While the updated framework builds on the structure of CMMC 2.0, this new update would include clearer expectations and stricter enforcement, particularly for organizations handling controlled unclassified information (CUI). The DoD’s message is clear: Reducing risk and enhancing resilience are now mission-critical for any company supporting national defense.”

• Cybersecurity Dive adds,
  • “The Chinese government has such vast hacking resources that it’s targeting tiny companies in the U.S. defense industrial base that never imagined they would end up on Beijing’s radar, a National Security Agency official said here Wednesday.
  • “China’s hacking resources outnumber those of the U.S. and [its] allies combined, and China has stolen more corporate data from the United States than any other nation in the world,” Bailey Bickley, chief of DIB defense at the NSA’s Cybersecurity Collaboration Center, said during a session at the Black Hat USA cybersecurity conference.
  • “Although best known for its intelligence-collection role, the NSA is also responsible for helping defense contractors safeguard their systems. Recently, the agency has been doing that through free security services — including classified information sharing and a protective DNS offering — from the Cybersecurity Collaboration Center.
  • “When we engage with small companies” in the defense industrial base, “they often think that what they do is not important enough to be targeted” by China, Bickley said. “But when you have the significant resources like that to conduct mass scanning and mass exploitation, there is no company and no target too small.”
• and
  • “The Defense Advanced Research Projects Agency on Friday [August 8] unveiled the winners of a competition to spur the development of artificial intelligence tools designed to autonomously find and fix software vulnerabilities.
  • “Team Atlanta, Trail of Bits and Theori claimed the top three spots in DARPA’s AI Cyber Challenge, agency officials said at the DEF CON cybersecurity conference here. They will receive prizes of $4 million, $3 million and $1.5 million, respectively.
  • “All seven finalist teams will open source their AI tools so that the entire world can use them. Four of the tools debuted on Friday, while the remaining three will be released in the next few weeks.’

• Cyberscoop reports,
  • “BlackSuit’s technical infrastructure was seized in a globally coordinated takedown operation last month that authorities touted as a significant blow in the fight against cybercrime. The ransomware group’s leak site has displayed a seizure notice since July 24.
  • “The takedown followed a long investigation, which allowed authorities to confiscate “considerable amounts of data,” and identify 184 victims, German officials said in a news release last week. The group’s total extortion demands surpassed $500 million by August 2024, with demands typically in the range of $1 million to $10 million, the Cybersecurity and Infrastructure Security Agency said in an advisory last year. 
  • “U.S. authorities were heavily involved in the operation, but have yet to share details about the investigation or its results. BlackSuit’s extortion site was seized by the Department of Homeland Security’s Homeland Security Investigation department, a unit of U.S. Immigration and Customs Enforcement. 
  • “A spokesperson for ICE told CyberScoop the Justice Department has been waiting for court documents to be unsealed before releasing any information about the law enforcement action dubbed “Operation Checkmate.” The FBI, Secret Service, Europol and cyber authorities from the United Kingdom, Germany, France, Ireland, Ukraine, Lithuania and Romania-based cybersecurity firm Bitdefender were also involved in the operation.” 

• Dark Reading relates,
  • “Two senior executives and founders of the Samourai Wallet cryptocurrency mixer have pleaded guilty to charges involving washing more than $200 million for cybercriminals and other nefarious types.
  • “CEO Keonne Rodriguez and chief technology officer William Lonergan Hill admitted to operating a money-transmitting business that handled criminal proceeds. They have pleaded guilty to conspiracy and face a maximum sentence of five years in prison in addition to the fine.
  • “The US Department of Justice first arrested Rodriguez and Hill in April of last year on two counts of conspiracy: operating an unlicensed money-transmitting business and money laundering, the latter of which carries a maximum sentence of 20 years.”

From the cybersecurity breaches and vulnerabilities front,

• FedScoop reports,
  • “The U.S. judiciary announced plans to increase security for sensitive information on its case management system following what it described as “recent escalated cyberattacks of a sophisticated and persistent nature.”
  • “In a Thursday [August 7] statement, the federal judiciary said it’s “taking additional steps to strengthen protections for” that information. It also said it’s “further enhancing security of the system and to block future attacks, and it is prioritizing working with courts to mitigate the impact on litigants.”
  • “The statement from the third branch comes one day after a Politico report revealed that its case filing system had recently been breached. That report cited unnamed sources who were concerned that the identities of confidential court informants may have been compromised.”

• Cyberscoop tells us,
  • “Federal cyber authorities issued an alert Wednesday evening about a high-severity vulnerability affecting on-premises Microsoft Exchange servers shortly after a researcher presented findings of the defect at Black Hat. 
  • “Microsoft also issued an advisory about the vulnerability — CVE-2025-53786 — and said it’s not aware of exploitation in the wild. 
  • “While the public disclosure and advisories about the defect came late in the day amid one of the largest cybersecurity conferences, Tom Gallagher, VP of engineering at Microsoft Security Response Center, told CyberScoop the timing was coordinated for release following Mollema’s presentation.
  • “Gallagher stressed that exploitation requires an attacker to achieve administrative access to an on-premises Exchange server in a hybrid environment.” 
• and
  • “SonicWall warned customers to disable encryption services on Gen 7 firewalls in the wake of an active attack spree targeting a yet-to-be identified vulnerability affecting a critical firewall service. Attacks have increased notably since Friday, the company said in a blog post.
  • “Threat hunters and incident responders from Arctic Wolf, Google and Huntress have observed a wave of ransomware attacks beginning as early as July 15. Mounting evidence points to a zero-day vulnerability affecting the secure sockets layer (SSL) VPN protocol as the initial attack vector.
  • “A financially motivated threat actor is actively compromising victim environments and deploying Akira ransomware,” Charles Carmakal, CTO at Mandiant Consulting, said in a LinkedIn post Tuesday. “The speed and scale of the compromises suggests a potential zero-day vulnerability in SonicWall Gen 7 firewalls.”
  • “SonicWall said an ongoing investigation has yet to determine if the attacks involve a previously disclosed vulnerability or a zero-day. “If a new vulnerability is confirmed, we will release updated firmware and guidance as quickly as possible,” Bret Fitzgerald, senior director of global communications at SonicWall, told CyberScoop.”

• Per Bleeping Computer,
  • “Trend Micro has warned customers to immediately secure their systems against an actively exploited remote code execution vulnerability in its Apex One endpoint security platform.
  • “Apex One is an endpoint security platform designed to automatically detect and respond to threats, including malicious tools, malware, and vulnerabilities.
  • “This critical security flaw (tracked as CVE-2025-54948 and CVE-2025-54987 depending on the CPU architecture) is due to a command injection weakness in the Apex One Management Console (on-premise) that enables pre-authenticated attackers to execute arbitrary code remotely on systems running unpatched software.
  • “Trend Micro has yet to issue security updates to patch this actively exploited vulnerability, but it has released a mitigation tool that provides short-term mitigation against exploitation attempts.”
• and
  • “A recently fixed WinRAR vulnerability tracked as CVE-2025-8088 was exploited as a zero-day in phishing attacks to install the RomCom malware.
  • “The flaw is a directory traversal vulnerability that was fixed in WinRAR 7.13, which allows specially crafted archives to extract files into a file path selected by the attacker.
  • “When extracting a file, previous versions of WinRAR, Windows versions of RAR, UnRAR, portable UnRAR source code and UnRAR.dll can be tricked into using a path, defined in a specially crafted archive, instead of user specified path,” reads the WinRAR 7.13 changelog.”
    
• CISA added three known exploited vulnerabilities to its catalog this week.
  • August 5, 2025
    • “CVE-2020-25078 D-Link DCS-2530L and DCS-2670L Devices Unspecified Vulnerability
    • “CVE-2020-25079 D-Link DCS-2530L and DCS-2670L Command Injection Vulnerability
    • “CVE-2022-40799 D-Link DNR-322L Download of Code Without Integrity Check Vulnerability”
      • The Hacker News discusses these KVEs.

• Per SC Media,
  • “Dormant service accounts with privileges were found in more than 70% of enterprise environments according to new research released by BeyondTrust on Aug. 4 at BlackHat in Las Vegas.
  • “The researchers also reported that overly permissive Entra Service Principals create direct pathways to Global Admin privileges, exposing entire Microsoft 365 environments to potential takeover.
  • “According to BeyondTrust, credentials reused across multiple service accounts by human administrators can also let a single compromised password hack numerous non-human accounts.”
  • “Our data shows that many organizations lack the complete story when it comes to their identity attack surface,” said Marc Maiffret, chief technology officer at BeyondTrust. “For many, overlooked hygiene issues silently open the door to attackers. And with the rise of Agentic AI, the stakes have never been higher, especially as most organizations lack visibility into how compromised accounts can be leveraged to seize control of application secrets, which often carry elevated privileges.”

• Security Week points out,
  • “Five vulnerabilities in the ControlVault3 firmware and the associated Windows APIs expose millions of Dell laptops to persistent implants and Windows login bypasses via physical access, Cisco Talos reports.
  • “The issues, tracked as CVE-2025-24311, CVE-2025-25215, CVE-2025-24922, CVE-2025-25050, and CVE-2025-24919, were initially disclosed on June 13, when Dell announced that patches for them were rolled out for over 100 Dell Pro, Latitude, and Precision models.
  • “The affected component, ControlVault3 (and the ControlVault3+ iteration), is a hardware-based system meant to securely store passwords, biometric information, and security codes.”

From the ransomware front,

• Bleeping Computer reports,
  • “Ransomware gangs have recently joined ongoing attacks targeting a Microsoft SharePoint vulnerability chain, part of a broader exploitation campaign that has already led to the breach of at least 148 organizations worldwide.
  • “Security researchers at Palo Alto Networks’ Unit 42 have discovered a 4L4MD4R ransomware variant, based on open-source Mauri870 code, while analyzing incidents involving this SharePoint exploit chain (dubbed “ToolShell”).
  • “The ransomware was detected on July 27 after discovering a malware loader that downloads and executes the ransomware from theinnovationfactory[.]it (145.239.97[.]206).
  • “The loader was spotted following a failed exploitation attempt that revealed malicious PowerShell commands designed to disable security monitoring on the targeted device.
  • “Analysis of the 4L4MD4R payload revealed that it is UPX-packed and written in GoLang. Upon execution, the sample decrypts an AES-encrypted payload in memory, allocates memory to load the decrypted PE file, and creates a new thread to execute it,” Unit 42 said.”
• and
  • “A new Endpoint Detection and Response (EDR) killer that is considered to be the evolution of ‘EDRKillShifter,’ developed by RansomHub, has been observed in attacks by eight different ransomware gangs.
  • “Such tools help ransomware operators turn off security products on breached systems so they can deploy payloads, escalate privileges, attempt lateral movement, and ultimately encrypt devices on the network without being detected. 
  • “According to Sophos security researchers, the new tool, which wasn’t given a specific name, is used by RansomHub, Blacksuit, Medusa, Qilin, Dragonforce, Crytox, Lynx, and INC.”

• CISA issued an Analysis report about Exploitation of SharePoint Vulnerabilities on August 6.

• InfoSecurity Magazine explains how ransomware actors have expanded tactics beyond encryption and exfiltration.

• Halcyon warns us,
  • “Ransomware remains one of the most destructive and expensive threats facing organizations today. With average ransom demands hitting $3.5M, victims are forced into high-stakes decisions under intense pressure: pay up or risk catastrophic disruption. 
  • “Nearly half of all targeted organizations end up paying, even after negotiations. The impact doesn’t end with encryption: recovery takes weeks, services stall, regulators circle, and trust erodes. Ransomware isn’t just a cybersecurity problem; it’s a full-blown operational crisis.  
  • “The Halcyon team of ransomware experts has put together this extortion group power rankings guide as a quick reference for the extortion threat landscape based on data from throughout Q2-2025, which can be reviewed along with earlier reports here: Power Rankings: Ransomware Malicious Quartile.”

• MSPP Alert adds,
  • “Ransomware doesn’t play fair—and now, neither are the defenders. Sophos and Halcyon are teaming up with a direct integration that goes far beyond traditional intel feeds or industry sharing forums. This partnership isn’t about exchanging threat data after the fact. It’s about coordinating active defenses in real time, within live customer environments.
  • “What makes this different? According to Simon Reed, Chief Research and Scientific Officer at Sophos, it’s not just another “threat feed” dropped into a dashboard. “Sophos and Halcyon’s approach to threat intelligence sharing shifts the status quo from out-of-context threat intelligence (which is still hugely useful as an industry standard approach) to sharing coordinated, real-time defense that meets attackers head-on,” he told MSSP Alert.
  • “Instead of piecing together siloed signals, both companies are now synchronizing responses against a common adversary.”

From the cybersecurity business and reporting front,

• Dark Reading reports,
  • “It was a memorable Black Hat 2025 USA for the founders of Prime Security, the winners of this year’s Startup Spotlight competition.
  • “The Startup Spotlight Competition is a pitch competition for cybersecurity startup companies to present their products and solutions in front of a live audience at Black Hat. In the first phase of the competition, startups of all stripes submitted a pitch describing the company and the products and solutions. A panel of judges reviewed submissions for the competition, looking for companies that fit the bill of “most innovative emerging companies in cybersecurity,” before narrowing down to four: FireTail, Keep Aware, Prime Security, and Twine Security. 
  • “Representatives from each of the four companies pitched their companies and products for the final time to a panel of judges at the Black Hat USA conference in Las Vegas, in a Shark Tank-style competition. While the judges deliberated on the winner, the audience also voted on their favorite. Prime Security won both the judges’ votes as well as the audience’s.”

• Here is a link to Dark Reading’s round up of Black Hat conference news.

• Also per Dark Reading,
  • “Investing in building a human-centric defense involves a combination of adaptive security awareness training, a vigilant and skeptical culture, and the deployment of layered technical controls.”
• and
  • “Data Dump from APT Actor Yields Clues to Attacker Capabilities. The tranche of information includes data on recent campaigns, attack tools, compromised credentials, and command files used by a threat actor believed to be acting on behalf of China or North Korea.”

Door prize from the artificial intelligence front

• Per Security Week,
  • “Red Teams Jailbreak GPT-5 With Ease, Warn It’s ‘Nearly Unusable’ for Enterprise
  • “Researchers demonstrate how multi-turn “storytelling” attacks bypass prompt-level filters, exposing systemic weaknesses in GPT-5’s defenses.”

From the cybersecurity policy and law enforcement front,

• Security Week tells us,
  • “Members of the Senate Homeland Security and Governmental Affairs Committee voted 9-6 [on July 31, 2025] to recommend Sean Plankey ’s nomination for director of the Cybersecurity and Infrastructure Security Agency, known as CISA, which sits under the Department of Homeland Security.”
    
• Federal News Network informs us that a “new CISA guide helps agencies with next steps on zero trust.”

• The American Hospital Association News points out,
  • “The FBI, Cybersecurity and Infrastructure Security Agency and international agencies July 29 released a joint advisory on recent tactics by the Scattered Spider cybercriminal group. The group, observed by federal agencies since November 2023, has members based in the U.S. and U.K. The group has targeted large companies and their IT help desks. Scattered Spider threat actors typically engage in data theft for extortion and also use ransomware variants once in a system to steal information, along with other tactics.  
  • “Scattered Spider often employs tactics like phishing, push bombing and subscriber identity module swap attacks to get credentials, bypass multifactor authentication and gain access to networks,” said Scott Gee, AHA deputy national advisor of cybersecurity and risk. “They have also impersonated company help desks to trick users into divulging credentials. These tactics serve as a reminder of the importance of training to recognize and stop these social engineering attacks. The fact that they are native English speakers can make their social engineering attacks more effective. There have been several arrests of group members recently, but their attacks persist, and their tactics are evolving to evade detection. They are currently targeting Snowflake data storage solutions and stealing customer information.”  

• Cyberscoop reports,
  • “Federal analysts are still sizing up what the Chinese hackers known as Volt Typhoon, who penetrated U.S. critical infrastructure to maintain access within those networks, might have intended by setting up shop there, a Cybersecurity and Infrastructure Security Agency official said Thursday.
  • “We still don’t actually know what the result of that is going to be,” said Steve Casapulla, acting chief strategy officer at CISA. “They are in those systems. They are in those systems on the island of Guam, as has been talked about publicly. So what [are] the resulting impacts going to be from a threat perspective? That’s the stuff we’re looking really hard at.”
  • “Casapulla made his remarks at a Washington, D.C. event hosted by Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security.”
  • FEHBlog observation: Ruh roh! 

• The National Institute of Standards and Technology announced,
  • “In December 2024, NIST’s Crypto Publication Review Board initiated a review of the following Special Publications (SP):
    • “NIST SP 800-56Ar3, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography (2018)
    • “NIST SP 800-56Br2, Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography (2019)
    • “NIST SP 800-56Cr2, Recommendation for Key-Derivation Methods in Key-Establishment Schemes (2020)
  • “In response, NIST received public comments.
  • “NIST proposes to:
    • “update SP 800-56Ar3
    • “reaffirm SP 800-56Br2
    • “revise SP 800-56Cr2
  • “Submit comments on this decision by September 15, 2025, to cryptopubreviewboard@nist.gov with “Comments on SP 800-56 Decision Proposal” in the subject line. Comments received in response to this request will be posted on the Crypto Publication Review Project site after the due date.

• Per Cybersecurity Dive,
  • “The Department of Justice on Thursday announced a $9.8 million settlement with Illumina over allegations that the company sold genomic-sequencing systems with software vulnerabilities to federal agencies for multiple years.
  • “Between 2016 and 2023, the government said, the company sold the systems without having an adequate security program and knowingly failed to incorporate cybersecurity into its product design process.
  • “According to prosecutors’ complaint, Illumina is the dominant company in the global market, with a share of roughly 80%.
  • “Companies that sell products to the federal government will be held accountable for failing to adhere to cybersecurity standards and protecting against cybersecurity risks,” Assistant Attorney General Brett Shumate of the DOJ’s Civil Division said in a statement.”

From the cybersecurity vulnerabilities and breaches front,

• Cyberscoop reports,
  • “Social engineering — an expanding variety of methods that attackers use to trick professionals to gain access to their organizations’ core data and systems — is now the top intrusion point globally, attracting an array of financially motivated and nation-state backed threat groups. 
  • “More than one-third (36%) of the incident response cases Palo Alto Networks’ Unit 42 worked on during the past year began with a social engineering tactic, the company said this week in its global incident response report. 
  • “Threat groups of assorted motivations and origins are fueling the rise of social engineering. Cybercrime collectives such as Scattered Spider and nation-state operatives, including North Korean technical specialists that have infiltrated the employee ranks at top global companies, have adopted social engineering as the primary hook into IT infrastructure and sensitive data.” 
• and
  • “The average cost of a data breach for U.S. companies jumped 9% to an all-time high of $10.22 million in 2025, as the global average cost fell 9% to $4.44 million, IBM said in its 20th annual Cost of a Data Breach Report Wednesday [July 30].
  • While shorter investigations are pushing down costs globally, reflecting the first decline in five years, IBM found higher regulatory fines, along with detection and escalation costs, are driving up the ultimate recovery price in the United States. 
  • “This widening gap helps explain why U.S. organizations continue to face the highest breach costs globally, further compounded by more organizations in the U.S. reporting paying steeper regulatory fines,” Troy Bettencourt, global partner and head of IBM X-Force, said in an email.
  • “The report underscores that organizations face an uneven burden in the wake of data breaches, even as detection and containment times improve. On average, it took organizations 241 days to identify and contain a breach through the one-year period ending in February — a nine-year low, according to IBM.”

• Cybersecurity Dive adds,
  • “A coalition of information-sharing groups urged their members on Wednesday [July 30] to take additional steps to mitigate potential attacks by the cybercrime gang Scattered Spider, which has spent recent months attacking the insurance, retail and airline industries. 
  • “Threat actors such as Scattered Spider are constantly innovating, so organizations must be diligent in continually monitoring their processes and identities to look for new exploits,” the group of information sharing and analysis centers (ISACs) — representing the financial services, food and agriculture, information technology, healthcare, aviation, automotive, retail, maritime and electricity sectors — said in a joint advisory.
  • Their warning came one day after the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned that Scattered Spider had developed an evolving set of tactics to conduct social-engineering attacks on its targets.
  • The ISACs said they expect the group to continue to find new ways to evade existing security measures.

• Bleeping Computer points out,
  • “Researchers have found that in roughly 80% of cases, spikes in malicious activity like network reconnaissance, targeted scanning, and brute-forcing attempts targeting edge networking devices are a precursor to the disclosure of new security vulnerabilities (CVEs) within six weeks.
  • “This has been discovered by threat monitoring firm GreyNoise, which reports these occurrences are not random, but are rather characterized by repeatable and statistically significant patterns.
  • “GreyNoise bases this on data from its ‘Global Observation Grid’ (GOG) collected since September 2024, applying objective statistical thresholds to avoid results-skewing cherry-picking.
  • “After removing noisy, ambiguous, and low-quality data, the firm ended up with 216 events that qualified as spike events, tied to eight enterprise edge vendors.
  • “Across all 216 spike events we studied, 50 percent were followed by a new CVE within three weeks, and 80 percent within six weeks,” explain the researchers.”

• CISA added three known exploited vulnerabilities to its catalog this week.
  • July 28, 2025
    • CVE-2025-20281 Cisco Identity Services Engine Injection Vulnerability
    • CVE-2025-20337 Cisco Identity Services Engine Injection Vulnerability
      • Bleeping Computer discusses the Cisco vulnerabilities.
    • CVE-2023-2533 PaperCut NG/MF Cross-Site Request Forgery (CSRF) Vulnerability
      • Bleeping Computer discusses the PaperCut KVE.

From the ransomware front,

• HIPAA Journal tells us,
  • “A new report from the cybersecurity firm Semperis suggests ransomware attacks have decreased year-over-year, albeit only slightly. The ransomware risk report indicates healthcare is still a major target for ransomware gangs, with 77% of healthcare organizations targeted with ransomware in the past 12 months. 53% of those attacks were successful.
  • “The report is based on a Censuswide survey of 1,500 IT and security professionals across multiple sectors. While attacks are down slightly, 60% of attacked healthcare organizations report suffering multiple attacks. In 30% of cases, they were attacked more than once in the same month, 35% were attacked in the same week, 14% were attacked multiple times on the same day, and 12% faced simultaneous attacks.
  • “A general trend in recent years, as reported by several firms, is fewer victims of ransomware attacks paying ransoms, although across all industry sectors in the U.S., 81% attacked companies paid the ransom, an increase from last year. Ransom payment was far less common in healthcare. According to Semperis, 53% of healthcare victims paid a ransom to either prevent the publication of stolen data, obtain decryption keys, or both. The ransom paid was less than $500,000 for 55% of companies, 39% paid between $500,000 and $1 million, and 5% paid more than $1 million.”

• Cybersecurity Dive adds,
  • “Manufacturing, information technology and healthcare are top targets of cybercriminals, but ransomware attacks on the oil and gas industry increased dramatically between April 2024 and April 2025, spiking 935%, according to a new report from cybersecurity firm Zscaler.
  • “Oil and gas companies may be facing more attacks because their industrial control systems are increasingly automated and digitized, “expanding the sector’s attack surface,” Zscaler said.
  • “Half of all ransomware attacks listed on leak sites during the April-to-April survey period targeted the United States, and attacks on U.S. targets more than doubled, to 3,671, a figure that exceeds the combined number of ransomware events on the 14 other countries in the top 15 list.”

• Cybersecurity Dive further reports,
  • “A recent wave of ransomware attacks targeting SonicWall firewall devices may be related to a zero-day vulnerability in the products, according to researchers.
  • “Anomalous firewall activity that began on July 15 and involved VPN access through SonicWall SSL VPNs morphed into intrusions the following week, researchers at Arctic Wolf said.
  • “This appears to be affecting SonicOS devices from what we’ve seen so far,” Stefan Hostetler, lead threat intelligence researcher at Arctic Wolf, told Cybersecurity Dive. “Our investigation is still preliminary, so I’m not able to offer much more detail yet.”
  • “Hackers deployed the Akira ransomware variant in hands-on-keyboard attacks after compromising SonicWall SSL VPNs, according to the researchers.”
• and
  • “Researchers from Palo Alto Networks say they are investigating a ransomware attack related to the recently disclosed ToolShell vulnerabilities in Microsoft SharePoint. 
  • “The hackers left the victim a ransom note on Sunday [July 27] claiming they had encrypted files using the 4L4MD4R ransomware. The note warned that any attempt to decrypt the files would result in their deletion.
  • The hackers used PowerShell commands to disable real-time monitoring in Windows Defender, according to Palo Alto Networks researchers. The intruders also bypassed certificate validation.
  • Researchers from Palo Alto Networks say they are investigating a ransomware attack related to the recently disclosed ToolShell vulnerabilities in Microsoft SharePoint. 
  • The hackers left the victim a ransom note on Sunday claiming they had encrypted files using the 4L4MD4R ransomware. The note warned that any attempt to decrypt the files would result in their deletion.
  • The hackers used PowerShell commands to disable real-time monitoring in Windows Defender, according to Palo Alto Networks researchers. The intruders also bypassed certificate validation.
• and
  • “Several major ransomware-as-a-service groups have stopped posting victims to popular leak sites, suggesting that the ecosystem is more dispersed than it used to be, according to a new report from Check Point Software Technologies.
  • “At the same time, many smaller groups that used to affiliate with larger players “are operating independently or seeking new partnerships,” Check Point said in its Thursday report.
  • “Established players are actively competing to recruit these ‘orphaned’ affiliates,” according to the report, which cited competition between prominent groups Qilin and DragonForce for affiliates of the now-defunct RansomHub.”

• Per Bleeping Computer,
  • “A wave of data breaches impacting companies like Qantas, Allianz Life, LVMH, and Adidas has been linked to the ShinyHunters extortion group, which has been using voice phishing attacks to steal data from Salesforce CRM instances.
  • “In June, Google’s Threat Intelligence Group (GTIG) warned that threat actors tracked as UNC6040 were targeting Salesforce customers in social engineering attacks.
  • “In these attacks, the threat actors impersonated IT support staff in phone calls to targeted employees, attempting to persuade them into visiting Salesforce’s connected app setup page. On this page, they were told to enter a “connection code”, which linked a malicious version of Salesforce’s Data Loader OAuth app to the target’s Salesforce environment.”

• SC Media tells us,
  • “Epsilon Red ransomware is being spread via a unique ClickFix lure that convinces victims to download and execute HTML Application files.
  • “The campaign impersonates widely used online services such as Twitch, Kick, Rumble, OnlyFans and the popular Discord Captcha Bot, CloudSEK reported recently.
  • “Like other sites using the ClickFix social-engineering method, these impersonation sites display a fake CAPTCHA prompt, but rather than having the victim copy and paste malicious commands, this version directs them to go to a different page to complete “extra verification steps.”
  • “These extra steps include pressing CTRL + S to save a file, renaming the file to verify.hta, opening the file with Microsoft HTML Application Host (mshta.exe), clicking “YES” if a popup appears and then entering a decoy “verification code” on the original CAPTCHA page. This last step is designed to trick the user into believing they have completed a legitimate verification process.”

• Per InfoSecurity Magazine,
  • “A new ransomware operator called Chaos has launched a wave of intrusions impacting a wide range of sectors, Cisco Talos has reported.
  • “Victims have been predominantly based in the US, with some in the UK, New Zealand India, according to the actor’s data leak site.
  • “Targeting appears to be opportunistic and does not focus on any specific verticals. However, Chaos is focused on “big-game hunting” and uses double-extortion tactics.
  • “In one incident observed by Cisco, the group adopted a novel negotiation strategy, offering an extra ‘reward’ for making payment to the attackers, or additional ‘punishment’ for resisting demands, including the threat of a distributed denial-of-service (DDoS) attack.
  • “The Chaos ransomware actor is a recent and concerning addition to the evolving threat landscape, having shown minimal historical activity before the current wave of intrusions,” the researchers wrote in a blog dated July 24.”

• Per Trend,
  • “Gunra ransomware’s Linux variant broadens the group’s attack surface, showing the new group’s intent to expand beyond its original scope. 
  • “The Linux variant shows notable features including running up to 100 encryption threads in parallel and supporting partial encryption. It also allows attackers to control how much of each file gets encrypted and allows for the option to keep RSA-encrypted keys in separate keystore files.
  • “Since its first observed activity in April 2025, Gunra ransomware has victimized enterprises from Brazil, Japan, Canada, Turkiye, South Korea, Taiwan, and the United States. Its victims include organizations from the manufacturing, healthcare, IT and agriculture sectors, as well as companies in law and consulting.” 

From the cybersecurity business and defenses front,

• Cyberscoop reports,
  • “Palo Alto Networks has agreed to acquire identity security firm CyberArk for approximately $25 billion, marking the cybersecurity giant’s largest acquisition and its formal entry into the identity security market as the industry continues consolidating amid rising cyber threats.
  • “The transaction ranks among the largest technology acquisitions this year and underscores the market’s focus on identity security in an era of increasing artificial intelligence adoption.
  • “CyberArk, founded over two decades ago, specializes in privileged access management technology that helps organizations control and monitor access to critical systems and accounts. The company’s customers include major corporations such as Carnival Corp., Panasonic, and Aflac. Its technology addresses what security experts consider one of the most vulnerable aspects of enterprise security: managing privileged credentials for both human users and machine identities.
  • “The acquisition comes as cybersecurity companies face pressure to offer comprehensive solutions rather than point products, with customers seeking to streamline their vendor relationships following high-profile breaches. Recent cyberattacks, including Microsoft’s SharePoint vulnerabilities that affected over 100 organizations including U.S. government agencies, have heightened focus on identity protection and privileged access management.”

• ISACA discusses “Defending Against Human-Operated Ransomware Attacks.”

• Per a CISA news release,
  • “Today, the Cybersecurity and Infrastructure Security Agency (CISA) released an Eviction Strategies Tool, a no-cost resource designed to support cyber defenders in their efforts to respond to cyber incidents. CISA contracted with MITRE to develop this tool that enables cyber defenders to create tailored response plans and adversary eviction strategies within minutes. They will also be able to develop customized playbooks aimed at containing and evicting adversaries from compromised systems and networks.
  • “The tool includes COUN7ER, a database of atomic post-compromise countermeasures mapped to adversary tactics, techniques, and procedures (TTPs), and Cyber Eviction Strategies Playbook NextGen, a web-based application that matches incident findings with countermeasures obtained from COUN7ER. Together, these resources help defenders build systematic eviction plans with distinct countermeasures to thwart and evict unique intrusions.”

• Dark Reading adds,
  • “The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Department of Energy’s Sandia National Laboratories, has released Thorium, an automated malware and forensic analysis platform, to help enterprise defenders quickly assess malware threats.” * * *
  • “Thorium is available from CISA’s official GitHub repository. Organizations interested in using it will need a deployed Kubernetes cluster, block store, and object store. A successful deployment requires familiarity with Docker containers and compute cluster management.
  • “By making this platform publicly available, we empower the broader cybersecurity community to use advanced tools for malware and forensic analysis,” said Jermaine Roebuck, CISA’s associate director for threat hunting, in a statement. “Scalable analysis of binaries and digital artifacts strengthens our ability to identify and fix vulnerabilities in software.”
    
• Dark Reading offers Black Hat News. The Black Hat conference starts today in Las Vegas.

Exploitation of Microsoft SharePoint Vulnerabilities

• Last Sunday, July 20, the Cybersecurity and Infrastructure Security Agency (CISA) added a known exploited vulnerability to its catalog
  • CVE-2025-53770 Microsoft SharePoint Server Remote Code Execution Vulnerability

• CISA also created an alert on the new KVE, which the agency updated on Tuesday and Thursday.

• The Wall Street Journal reported on July 21,
  • “Microsoft issued an alert about “active attacks” targeting its server software and urged customers to install new security updates that have been released.
  • “Microsoft’s Security Response Center said in a blog post over the weekend that the attacks target on-premises SharePoint server customers and exploit vulnerabilities that were partially addressed by a July security update.
  • “Organizations typically use Microsoft SharePoint to create intranet websites, store and organize information, and facilitate file-sharing among workers. Cloud-based SharePoint Online in Microsoft 365 isn’t affected, the company said.
  • “By Monday, cybersecurity investigators said that the SharePoint attacks were widespread. At least one of the “multiple” hacking groups involved in the attacks was linked to China, according to Google’s Mandiant cybersecurity group.
  • “Microsoft declined to comment beyond its blog post.
  • “Hackers exploiting the SharePoint flaws then stole cryptographic keys that could be used to run commands on the affected server in the future, even if it had been patched, cybersecurity investigators said on Monday.”
• and added on July 24,
  • Last year, Satya Nadella pledged to make security priority number one at Microsoft. A new hack involving China is showing just how difficult that can be.
  • The attack involves several versions of Microsoft’s SharePoint software that serve as a document storage platform for customers who don’t want to use the cloud. Microsoft released patches for a pair of SharePoint bugs earlier this month, but the fixes were quickly bypassed, allowing China-linked hackers to break into hundreds of organizations, according to security researchers.
  • Instead of protecting customers, the faulty patches may have served as a road map for hackers to hone their attacks, the researchers said.
  • It’s the latest in a string of lapses by the technology giant that have benefited China’s vast and global cyber-espionage operations, a top U.S. national security threat. * * *
  • “In the SharePoint attack * * * the issue began in May 2025, at a hacking contest in Berlin where the Vietnamese researcher [and pentester] Dinh Khoa (LinkedIn page) won $100,000 and a laptop.
  • “This is a very hard target so we spent a lot of time digging into it,” Khoa said in an interview posted online after the contest.
  • “To the applause of audience members, he showed how to break into a SharePoint system and was soon escorted into a private room where he explained the bugs to a representative from Microsoft and Dustin Childs, head of threat awareness with cybersecurity company Trend Micro’s Zero Day Initiative. Two months later, on July 8, Microsoft fixed the bugs. They were two of the 130 bugs that Microsoft fixed that month.” * * *
  • “On Saturday [July 19], Microsoft took the unusual step of issuing two emergency patches, which contain “more robust protections” to the bugs that Khoa had found, the company said. SharePoint customers should also change the cryptographic keys used by their servers, a move that—when combined with the new patches—effectively closes the back door created by the attack, Microsoft said.”

• Cyberscoop noted on July 24,
  • The fallout from an attack spree targeting defects in on-premises Microsoft SharePoint servers continues to spread nearly a week after zero-day exploits were discovered, setting off alarms across the globe. More than 400 organizations have been actively compromised across four waves of attacks, according to Eye Security.
  • Multiple government agencies, including the Departments of Energy, Homeland Security and Health and Human Services, have been hit. The California Independent System Operator, which operates some of the state’s wholesale electric grid, was also impacted.
  • As more victims confirm varying levels of compromise from the attack spree, researchers are learning and sharing more details about post-exploit activities. One of the China-based attackers behind the initial wave of attacks, Storm-2603, deployed Warlock ransomware starting July 18, Microsoft Threat Intelligence said Wednesday in an updated blog post.
  • The Chinese government-affiliated threat groups Linen Typhoon and Violet Typhoon — which have been active for at least a decade — are also actively exploiting the zero-day vulnerabilities, Microsoft said. Linen Typhoon has focused on stealing intellectual property and Violet Typhoon is an espionage threat group. Storm is a moniker Microsoft uses for threat groups in development.

• NextGov/FCW discusses the impact of the Sharepoint vulnerabilities on federal government agencie here (Homeland Security, among other agencies affected) and there (Defense Department not affected).

From the cybersecurity breaches and vulnerabilities front,

• Security Week informs us,
  • “The Alcohol & Drug Testing Service (TADTS) is notifying roughly 750,000 people that their personal information was compromised in a July 2024 data breach.
  • “TADTS is based in Texas and was until recently known as the Texas Alcohol and Drug Testing Service. It provides workplace and individual alcohol and drug testing services in Texas and other states.
  • “The incident, TADTS says, was identified on July 9, 2024, and involved unauthorized access to and the theft of data maintained in its systems.
  • “The investigation into the potentially compromised information, conducted with the assistance of a professional data mining team, was concluded only recently, and determined that personal information was included in the stolen data.” * * *
  • “While TADTS did not share details on the type of cyberattack it fell victim to, the infamous BianLian ransomware group took credit for the intrusion on July 14, 2024, claiming the theft of roughly 218 gigabytes of data.
  • “It is unclear whether the hackers released the stolen information publicly, as their Tor-based leak site is currently offline and the group has been quiet for months, with their last known victim announced on March 31.”
• and
  • “Marketing software and services company Cierant Corporation and law firm Zumpano Patricios have independently disclosed data breaches, each impacting more than 200,000 individuals.
  • “What the Cierant and Zumpano Patricios incidents have in common is that the number of impacted people was brought to light in recent days by the healthcare data breach tracker maintained by the US Department of Health and Human Services (HHS).
  • “The Zumpano Patricios breach impacts nearly 280,000 individuals. The law firm, which has offices in several major US cities, is representing healthcare providers in disputes with health insurance companies over medical service payments to patients. 
  • “Zumpano Patricios is informing impacted individuals that it had detected an intrusion in its IT network on May 6, 2025, but could not determine the date and time of initial access. 
  • “An investigation revealed that the hackers accessed and possibly exfiltrated files containing information such as patient name, date of birth, Social Security number, provider name, health insurer information, dates of service, and amounts charged by the provider and payments they received.”

• Cybersecurity Dive tells us,
  • “Hackers breached the Philadelphia Indemnity Insurance Company in June and stole customer data, the company said in a filing with the California Attorney General’s office. 
  • “An unauthorized party accessed customer data during an intrusion discovered between June 9 and June 10, according to the disclosure.
  • “The company previously called the incident a network outage, however it said there was no ransomware and no encryption. The company did report the incident to law enforcement and retained outside forensic experts to investigate.”

• In addition to the June 20 addition discussed above, CISA added six known exploited vulnerabilities to its catalog this week.
  • July 22, 2025
    • “CVE-2025-49704 Microsoft SharePoint Code Injection Vulnerability
    • “CVE-2025-49706 Microsoft SharePoint Improper Authentication Vulnerability”
      • Cybersecurity Dive explains,
        • “The [Sharefile] intrusions are exploiting ToolShell, an attack sequence that combines remote code injection and network spoofing vulnerabilities tracked as CVE-2025-49704 and CVE-2025-49706.” 
  • Also July 22, 2025,
    • CVE-2025-54309 CrushFTP Unprotected Alternate Channel Vulnerability
      • Tenable discusses the CrushFTP vulnerability
    • CVE-2025-6558 Google Chromium ANGLE and GPU Improper Input Validation Vulnerability
      • Cyber Security News discusses this KVE.
    • CVE-2025-2776 SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability
    • CVE-2025-2775 SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability
      • Security Week discusses the SisAid KVEs.

• Security Week notes,
  • “SonicWall on Wednesday announced patches for a critical vulnerability in Secure Mobile Access (SMA) 100 series secure access gateways, urging organizations to take immediate action in the wake of the recently disclosed Overstep malware attacks.
  • “The newly addressed flaw, tracked as CVE-2025-40599 (CVSS score of 9.1), is described as an arbitrary file upload issue in the SMA 100’s web management interface.
  • “The bug can be exploited by remote attackers to upload arbitrary files to the system, which could lead to remote code execution (RCE). The attackers need administrative privileges to exploit the security defect, SonicWall’s advisory reads.”
• and
  • “The Lumma Stealer has returned after Microsoft and law enforcement caused significant disruption to its infrastructure, Trend Micro reported on Tuesday.” * * *
  • “The ability of Lumma Stealer’s operators to regroup and innovate poses a continued risk to organizations and individuals worldwide,” Trend Micro said. “This emphasizes the need for ongoing vigilance, proactive threat intelligence, and sustained collaboration between law enforcement and the cybersecurity community. Without this, even the most significant takedowns might only offer temporary relief from evolving cyber threats.”

• Per Dark Reading,
  • “A suspected Chinese nation-state threat group is conducting an extensive cyberespionage campaign that takes advantage of vulnerable VMware ESXi and vCenter environments.
  • “Since early 2025, researchers at Sygnia have responded to multiple incidents tied to a cyberespionage campaign they track as “Fire Ant.” According to research published Thursday, Fire Ant actors are establishing initial access in organizations’ VMware systems, which have become popular targets for attackers in recent years.
  • “More importantly, Fire Ant actors used deep knowledge of the target environments and strong capabilities to consistently bypass segmentations and reach isolated portions of the network.”

From the ransomware front,

• In line with this week’s theme, Bleeping Computer points out,
  • “A China-based hacking group is deploying Warlock ransomware on Microsoft SharePoint servers vulnerable to widespread attacks targeting the recently patched ToolShell zero-day exploit chain.
  • “Non-profit security organization Shadowserver is currently tracking over 420 SharePoint servers that are exposed online and remain vulnerable to these ongoing attacks.
  • “Although Microsoft has observed this threat actor deploying Warlock and Lockbit ransomware in the past, Microsoft is currently unable to confidently assess the threat actor’s objectives,” the company said in a Wednesday report.”

• July 22, 2025, CISA issued an alert and advisory on Interlock ransomware.

• Per Bleeping Computer,
  • “Law enforcement has seized the dark web extortion sites of the BlackSuit ransomware operation, which has targeted and breached the networks of hundreds of organizations worldwide over the past several years.
  • “The U.S. Department of Justice confirmed the takedown in an email earlier today, saying the authorities involved in the action executed a court-authorized seizure of the BlackSuit domains.
  • “Earlier today, the websites on the BlackSuit.onion domains were replaced with seizure banners announcing that the ransomware gang’s sites were taken down by the U.S. Homeland Security Investigations federal law enforcement agency as part of a joint international action codenamed Operation Checkmate.”

From the cybersecurity policy and law enforcement front,

• Cyberscoop reports,
  • “The Trump administration’s new AI Action Plan calls for companies and governments to lean into the technology when protecting critical infrastructure from cyberattacks.
  • “But it also recognizes that these systems are themselves vulnerable to hacking and manipulation, and calls for industry adoption of “secure by design” technology design standards to limit their attack surfaces.
  • “The White House plan, released Wednesday, calls for critical infrastructure owners — particularly those with “limited financial resources” — to deploy AI tools to protect their information and operational technologies.
  • “Fortunately, AI systems themselves can be excellent defensive tools,” the plan said. “With continued adoption of AI-enabled cyberdefensive tools, providers of critical infrastructure can stay ahead of emerging threats.” * * *
  • “The Trump plan states that “all use of AI in safety-critical or homeland security applications should entail the use of secure-by-design, robust, and resilient AI systems that are instrumented to detect performance shifts, and alert to potential malicious activities like data poisoning or adversarial example attacks.”
  • “The plan also recommends the creation of a new AI-Information Sharing and Analysis Center (AI-ISAC) led by the Department of Homeland Security to share threat intelligence on AI-related threats.”

• Cybersecurity Dive lets us know,
  • “Sean Plankey, President Donald Trump’s nominee to lead the Cybersecurity and Infrastructure Security Agency, faced sharp questions during a Senate confirmation hearing Thursday about the looming expiration of an information-sharing law and CISA’s work on election security.
  • Plankey — currently a senior adviser to Secretary of Homeland Security Kristi Noem — explained his vision for leading an agency that has experienced major workforce cuts and faces significant budget reductions in Trump’s Fiscal Year 2026 spending proposal.”
  • The Senate Homeland Security and Governmental Affairs Committee will vote on whether to send Mr. Plankey’s nomination to the Senate floor at a business meeting next Thursday.

• Cyberscoop adds,
  • “President Donald Trump’s pick to lead the Cybersecurity and Information Security Agency told senators Thursday that he would prioritize evicting China from the U.S. supply chain, and wouldn’t hesitate to ask for more money for the shrunken agency if he thought it needed it.
  • “If confirmed it will be a priority of mine to remove all Chinese intrusions, exploitations or infestation into the American supply chain,” Sean Plankey told Rick Scott, R-Fla., at his confirmation hearing before the Homeland Security and Governmental Affairs Committee. Scott had asked Plankey about reports of Chinese infiltration of U.S. energy infrastructure.”

• Per a National Institute of Standards and Technology news release,
  • “NIST has issued draft updates to Special Publication (SP) 800-53 to provide additional guidance on how to securely and reliably deploy patches and updates in response to the Executive Order 14306, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144. A two-week expedited public comment period on the draft updates is open through August 5, 2025.” 
    
• Per a July 23, 2025, HHS news release,
  • “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Syracuse ASC, LLC doing business as Specialty Surgery Center of Central New York, for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules. Syracuse ASC is a single-facility, ambulatory surgery center located in Liverpool, New York that provides ophthalmic and ENT surgical services and pain management procedures to patients.” * * *
  • “The settlement resolves an OCR investigation concerning a ransomware breach of ePHI that affected 24,891 individuals. OCR initiated the investigation in October 2021 after Syracuse ASC reported to HHS that an unauthorized individual had accessed its network in March 2021. Further investigation revealed that Syracuse ASC was affected by a ransomware attack involving the PYSA ransomware variant, which is a cross-platform cyber weapon known to target the healthcare industry. OCR’s investigation found that Syracuse ASC never conducted an accurate and thorough risk analysis to determine the risks and vulnerabilities to the ePHI it held. OCR also found that Syracuse ASC failed to timely notify affected individuals and the Secretary of the breach.
  • “Under the terms of the resolution agreement, Syracuse ASC agreed to implement a corrective action plan that OCR will monitor for 2 years and paid $250,000 to OCR.”

• Cyberscoop reports,
  • “Ukrainian authorities Tuesday [July 22, 2025] arrested the alleged administrator of XSS.is, a Russian-language cybercrime forum, following a four-year investigation by the Paris public prosecutor’s office. 
  • “Law enforcement officials from France and Europol seized the domain of the influential forum following the arrest. Authorities have not named the suspected administrator of XSS.is.
  • “The forum, which was active since 2013, had more than 50,000 registered users and was a key marketplace for stolen data, malware, access to compromised systems and ransomware services, officials said. “It has long been a central platform for some of the most active and dangerous cybercriminal networks, used to coordinate, advertise and recruit,” Europol said in a news release.”

• Dark Reading alerts us,
  • “A “laptop farmer” [Christina Marie Chapman] in Arizona responsible for enabling North Korean IT worker infiltration into US companies is going to jail for eight and a half years, after raising $17 million in illicit funds for Kim Jong-Un’s regime. That news, however, is merely a drop in the justice bucket, and DPRK’s efforts to siphon salaries off of American companies is unlikely to wane anytime soon. So, US organizations need to wrap their heads around the magnitude of the threat.
  • “North Korea’s multiyear HR-compromise effort has the twin goals of earning money for the hermit kingdom’s nuclear program and other efforts via salaries, as well as gaining a foothold inside corporate networks for the purpose of planting cryptominers or malware for stealing secrets.”

• Cybersecurity Dive adds,
  • “The U.S. Department of the Treasury on Thursday [July 24, 2025] sanctioned three North Koreans and their company for participating in remote IT worker scams and other operations designed to generate revenue for Pyongyang.
  • “The sanctions target the North Korean firm Korea Sobaeksu Trading Co., Sobaeksu employee Kim Se Un, Sobaeksu “IT team leader” Jo Kyong Hun and Kim’s associate Myong Chol Min. 
  • “The Treasury Department calls Sobaeksu a front for North Korea’s Munitions Industry Department, which oversees the country’s nuclear weapons program. North Korea “has previously utilized Sobaeksu to send teams of IT workers overseas, including to Vietnam, in order to generate revenue,” the department said.”

From the cybersecurity defenses front,

• HelpNet Security explains “Why we must go beyond tooling and CVEs to illuminate security blind spots.”

• SC Media discusses “exposure management [, which is] a new blueprint for modern cyber defense.

• The Hacker News considers “From Backup to Cyber Resilience: Why IT Leaders Must Rethink Backup in the Age of Ransomware.”

• Here is a link to Dark Reading’s CISO Corner.