WEEKLY TOP TEN: July 28, 2025, 16:00 GMT

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant during the course of the week, ranked from highest risk downward and drawing on multiple sources where available:

- Akira Ransomware Surge Targets SonicWall Devices
A recent wave of Akira ransomware attacks is actively exploiting vulnerabilities in unpatched SonicWall firewall devices. By leveraging exposed management interfaces, attackers gain initial access and deploy ransomware within enterprise networks, often leading to significant data encryption and ransom demands.

- ShinyHunters Behind Major Salesforce Data Theft
The ShinyHunters hacking group has been linked to a string of data breaches involving stolen Salesforce Marketing Cloud data used by major brands including Qantas, Allianz Life, and LVMH. The attackers exfiltrated contact and campaign information, likely for use in future phishing or fraud campaigns.

- SafePay Ransomware Threatens to Leak 35TB from Ingram Micro
The SafePay ransomware gang has claimed responsibility for breaching global IT distributor Ingram Micro, threatening to leak 35 terabytes of stolen internal data. While Ingram Micro has yet to confirm the breach publicly, the attackers have already posted proof-of-access samples online.

- Hackers Exploit SAP NetWeaver to Deliver Auto-Color Linux Malware
Threat actors are exploiting a critical vulnerability in SAP NetWeaver to deploy a previously unknown Linux malware called Auto-Color. The malware provides persistence and system-level control, making it well suited to long-term espionage or lateral movement in enterprise environments.

- Cyber-Espionage Targets Russian Aerospace and Defense Firms
A new cyber-espionage campaign has been discovered targeting Russian aerospace and defense organizations, using spear-phishing emails to deploy custom information-stealing malware. The campaign has been attributed to a yet-unnamed threat actor and may represent internal or foreign opposition to Russian defense operations.

- Shade BIOS Attack Defeats Endpoint Security Measures
A new BIOS-level attack dubbed Shade allows malware to hide below the operating system, rendering conventional endpoint security tools ineffective. The method uses signed but vulnerable firmware to insert malicious code that persists across operating system reinstalls and evades modern detection techniques.

- Russia's Secret Blizzard APT Targets Embassies Through ISP Access
Secret Blizzard, a Russian APT linked to the FSB, has been caught using compromised Internet Service Providers to spy on foreign embassies. By exploiting this upstream access, the attackers were able to monitor sensitive diplomatic traffic and potentially perform man-in-the-middle attacks.

- Fake Mobile Apps Used to Hack and Blackmail South Koreans
A widespread campaign involving over 250 fake mobile apps has been uncovered in South Korea, used to steal personal data and blackmail victims. The apps disguised themselves as lifestyle tools or adult content platforms and collected sensitive media for extortion.

- Silk Typhoon Linked to Chinese Military Offensive Toolkit
The threat actor known as Silk Typhoon, believed to be operating on behalf of China's People's Liberation Army, has been found using a powerful offensive toolkit that includes rootkits, privilege escalation tools, and credential harvesters. The group focuses on military and government targets across the Asia-Pacific region.

- Gunra Ransomware Adopts New Linux Variant
The Gunra ransomware operation has expanded its capabilities with a new Linux variant dubbed Nimble. This variant focuses on encrypting servers and NAS devices using efficient file-targeting methods, signaling a growing trend of Linux-focused ransomware aimed at infrastructure.