Weekly Cybersecurity Intelligence Report Cyber Threats & Breaches 4 Aug – 11 Aug, 2025

The week of August 4-11, 2025 witnessed a significant escalation in cyber threat activity, marked by sophisticated supply chain attacks, zero-day exploitations, and critical infrastructure targeting. Key developments include massive data breaches affecting telecommunications providers, airlines, and financial institutions, alongside emergency government directives addressing critical vulnerabilities in Microsoft Exchange and SharePoint systems. Notable incidents include the exploitation of a WinRAR zero-day by Russian threat actors, large-scale Salesforce CRM compromises, and continued targeting of critical infrastructure by Chinese state-sponsored groups.

>>Outpace Attackers With AI-Based Automated Penetration Testing

1. Bouygues Telecom Data Breach – August 4, 2025

Overview

French telecommunications giant Bouygues Telecom suffered a major cyberattack that compromised the personal data of 6.4 million customers. The breach was detected on August 4, 2025, but the company did not immediately disclose the full scope of the incident until August 6.

Technical Explanation

The attackers gained unauthorized access through what appears to be a sophisticated network intrusion targeting the company’s customer database systems. The breach methodology suggests a multi-stage attack involving initial access through phishing or credential compromise, followed by lateral movement to reach core customer data repositories. The attack vector demonstrates advanced persistent threat capabilities, with attackers maintaining access long enough to systematically extract large volumes of customer data.

Impact

The compromised data includes:

• Contact details and contractual information
• Civil status data and company information for professional customers
• International Bank Account Numbers (IBAN)
• Customer addresses and phone numbers

Notably, the breach did not include credit card numbers or account passwords. The exposure of IBAN data is particularly concerning as these can be used for unauthorized direct debit attempts and financial fraud.

Technical Details

MITRE ATT&CK Framework Mapping:

• Initial Access (T1566): Likely spearphishing or credential-based compromise
• Persistence (T1505): Web shell or backdoor deployment
• Discovery (T1083): File and directory discovery for data location
• Collection (T1005): Data from local systems
• Exfiltration (T1041): Exfiltration over command and control channel

IOCs and Artifacts:

• Investigation ongoing, specific technical indicators not yet publicly released
• Attack patterns suggest sophisticated threat actor with telecom sector targeting experience

Remediation:

• Immediate containment and system isolation
• Enhanced monitoring implementations
• Customer notification and fraud monitoring services
• Reporting to French CNIL data protection authority

CISO Takeaway

This incident highlights the critical importance of robust network segmentation and advanced threat detection in telecommunications environments. The delay in public disclosure (detected August 4, disclosed August 6) underscores the need for rapid incident response procedures and regulatory compliance frameworks. CISOs should evaluate their third-party risk management programs and ensure comprehensive data classification and protection controls are in place.

2. Air France & KLM Customer Data Breach – August 7, 2025

Overview

European airline giants Air France and KLM disclosed a data breach affecting an undisclosed number of customers through a compromised third-party customer service platform. The incident appears linked to the ongoing ShinyHunters campaign targeting Salesforce environments across multiple organizations.

Technical Explanation

The breach occurred through unauthorized access to an external customer relationship management (CRM) platform used for customer service operations. Evidence suggests this was part of a coordinated campaign by the ShinyHunters threat group, which has been systematically targeting Salesforce instances through sophisticated social engineering and vishing (voice phishing) attacks. The attackers likely used social engineering techniques to deceive employees into granting access to OAuth applications or sharing credentials.

Impact

Compromised data includes:

• Customer names and contact details
• Flying Blue loyalty program numbers and tier levels
• Email subject lines from service requests
• Basic demographic information

The airlines confirmed that sensitive information including passwords, travel details, passport data, and payment information were not compromised.

Technical Details

MITRE ATT&CK Framework Mapping:

• Initial Access (T1566.004): Spearphishing via service (social engineering)
• Valid Accounts (T1078): Use of compromised OAuth tokens
• Credential Access (T1110): Brute force attacks on authentication systems
• Collection (T1213): Data from information repositories (CRM systems)
• Exfiltration (T1567): Exfiltration to cloud storage services

IOCs and Threat Intelligence:

• Attack attributed to ShinyHunters threat group
• Potential collaboration with Scattered Spider collective
• Part of broader campaign targeting Salesforce customers globally

Remediation:

• Immediate termination of unauthorized access
• Enhanced authentication controls on CRM systems
• Employee training on vishing and social engineering threats
• Notification to Dutch and French data protection authorities

CISO Takeaway

This incident demonstrates the evolving threat landscape around cloud service platforms and the effectiveness of social engineering against even sophisticated organizations. CISOs should implement comprehensive third-party risk assessments, mandatory multi-factor authentication for all cloud services, and regular security awareness training focused on social engineering tactics.

3. Connex Credit Union Data Breach – June 2-3, 2025 (Disclosed August)

Overview

Connex Credit Union, one of Connecticut’s largest credit unions, disclosed that attackers had accessed and stolen personal and financial information belonging to 172,000 members. The breach occurred on June 2-3, 2025, but the organization did not begin notifying affected individuals until August 7, 2025.

Technical Explanation

The attack involved unauthorized access to Connex’s network infrastructure, with attackers successfully infiltrating systems containing sensitive member information. The attack methodology suggests a targeted approach with specific focus on financial data repositories. The significant delay between the breach occurrence and notification raises questions about detection capabilities and incident response procedures.

Impact

Compromised information includes:

• Full names and account numbers
• Social Security numbers
• Debit card information
• Government-issued identification documents used to open accounts

The credit union has found no evidence of unauthorized access to member funds or accounts, suggesting the attack focused on data exfiltration rather than direct financial theft.

Technical Details

MITRE ATT&CK Framework Mapping:

• Initial Access (T1133): External remote services compromise
• Credential Access (T1552): Unsecured credentials discovery
• Discovery (T1087): Account discovery for privilege escalation
• Collection (T1005): Data from local systems
• Impact (T1565): Data manipulation or destruction evidence

IOCs and Investigation Status:

• FBI notification and law enforcement cooperation initiated
• Forensic investigation ongoing with third-party cybersecurity experts
• No specific threat actor attribution disclosed

Remediation:

• Network security enhancements implemented
• Credit monitoring services provided to affected members
• Scam alert systems activated due to ongoing phishing attempts
• Cooperation with federal law enforcement agencies

CISO Takeaway

The delayed notification timeline (June breach, August disclosure) highlights critical gaps in incident response and regulatory compliance processes. Financial institutions must implement robust continuous monitoring, rapid detection capabilities, and clear notification procedures to meet regulatory requirements and maintain customer trust.

4. Dutch Clinical Diagnostics Laboratory Breach – July 3-6, 2025

Overview

Clinical Diagnostics NMDL laboratory in Rijswijk suffered a major cyberattack between July 3-6, 2025, compromising sensitive medical data of over 485,000 participants in the Dutch cervical cancer screening program. The laboratory, a subsidiary of Eurofins Scientific, failed to report the incident until August 6, 2025.

Technical Explanation

The attack targeted a critical healthcare infrastructure provider processing sensitive medical screening data. Initial investigations suggest the breach was significantly larger than initially reported, with threat actors stealing approximately 300GB of data including various medical examination records beyond the cervical cancer screening program. The attack demonstrates sophisticated targeting of healthcare data repositories with high-value personal health information.

Impact

The breach affected:

• 485,000+ cervical cancer screening participants
• Names, addresses, dates of birth, and citizen service numbers (BSN)
• Test results and healthcare provider information
• Additional medical data from skin, urine, and other examinations
• Data spanning from 2022 to present, affecting multiple healthcare institutions

Technical Details

MITRE ATT&CK Framework Mapping:

• Initial Access (T1190): Exploit public-facing application
• Persistence (T1505.003): Web shell deployment
• Discovery (T1083): File and directory discovery
• Collection (T1005): Data from local systems
• Exfiltration (T1048): Exfiltration over alternative protocol

Threat Actor Attribution:

• Attack attributed to “Nova” cybercriminal group
• 100MB of 300GB stolen data published on dark web
• Ransomware-style operation with data leak threats

Remediation:

• Laboratory services temporarily suspended
• Independent security investigation launched
• Notification to Dutch Data Protection Authority and healthcare inspectorate
• Enhanced security measures for healthcare data processing

CISO Takeaway

This incident exposes critical vulnerabilities in healthcare data protection and highlights the severe consequences of delayed incident reporting. Healthcare CISOs must implement comprehensive data loss prevention, continuous monitoring of sensitive data repositories, and ensure rapid incident response capabilities with proper regulatory notification procedures.

5. Columbia University Cyberattack – May 16, 2025 (Disclosed August)

Overview

Columbia University suffered a major cyberattack affecting nearly 870,000 current and former students, applicants, and employees. The breach was discovered during a system outage on June 24, 2025, with the initial compromise occurring on May 16, 2025.

Technical Explanation

The attack appears to have been conducted by a politically motivated “hacktivist” seeking to expose alleged racial bias in admissions processes following the Supreme Court’s 2023 affirmative action decision. The attacker demonstrated sophisticated persistence, maintaining access for over a month before detection and systematically exfiltrating massive amounts of sensitive data including financial and academic records.

Impact

Compromised data includes:

• Personal information: names, dates of birth, Social Security numbers
• Academic records: GPAs, class schedules, standardized test scores
• Financial information: bank account and routing numbers, student loan data
• Demographic and health information from applications and enrollment
• Historical application data dating back to the 1990s

Technical Details

MITRE ATT&CK Framework Mapping:

• Initial Access (T1566): Phishing or credential compromise
• Persistence (T1053): Scheduled task/job creation
• Privilege Escalation (T1068): Exploitation for privilege escalation
• Discovery (T1083): File and directory discovery
• Collection (T1005): Data from local systems
• Exfiltration (T1041): Exfiltration over command and control

Threat Actor Profile:

• Politically motivated hacktivist
• Sophisticated technical capabilities
• Long-term persistent access (over 1 month)
• Data sharing with third parties for political purposes

Remediation:

• Comprehensive security system overhaul implemented
• Two-year credit monitoring services for affected individuals
• Enhanced network segmentation and monitoring
• Cooperation with federal law enforcement

CISO Takeaway

This incident demonstrates how politically motivated threat actors can pose significant risks to educational institutions. The extended dwell time (May 16 to June 24) indicates serious gaps in network monitoring and anomaly detection. Educational CISOs must implement robust insider threat detection, continuous monitoring, and data classification programs to protect sensitive student and academic data.

6. Cisco Voice Phishing (Vishing) Attack – July 24, 2025

Overview

Cisco disclosed a data breach resulting from a voice phishing attack that successfully deceived a company representative into granting access to a third-party CRM system. The attack exposed basic profile information for an undisclosed number of Cisco.com users.

Technical Explanation

The attack utilized sophisticated social engineering techniques where threat actors impersonated IT personnel to convince a Cisco employee to provide access credentials or approve malicious OAuth applications. This represents part of the broader ShinyHunters campaign targeting Salesforce-based CRM systems across multiple organizations.

Impact

Compromised data includes:

• User names and organization names
• Physical addresses and Cisco-assigned user IDs
• Email addresses and phone numbers
• Account metadata including creation dates

Technical Details

Attack Vector: Voice phishing (vishing) with social engineering

MITRE ATT&CK Framework Mapping:

• Initial Access (T1566.004): Spearphishing via service
• Credential Access (T1111): Two-factor authentication interception
• Valid Accounts (T1078.004): Cloud accounts compromise
• Collection (T1213): Data from information repositories

Attribution: Part of ShinyHunters campaign targeting Salesforce instances

Remediation:

• Immediate termination of unauthorized access
• Enhanced authentication controls implementation
• Employee retraining on vishing attack recognition
• Multi-factor authentication enforcement for all cloud services

CISO Takeaway

This incident highlights the human element as the weakest link in cybersecurity. Even sophisticated organizations like Cisco can fall victim to social engineering. CISOs must implement comprehensive security awareness training, robust verification procedures for access requests, and technical controls to prevent single points of failure in authentication systems.

7. Fashion Giant Chanel Salesforce Data Theft – August 5, 2025

Overview

Luxury brand Chanel confirmed unauthorized access to its Salesforce environment during the ongoing ShinyHunters campaign. The breach was discovered on August 5, 2025, when unusual API requests triggered alerts.

Explanation

Attackers used voice phishing (vishing) against Chanel support staff to obtain OAuth tokens granting access to Salesforce data. Once inside, they harvested customer profiles and order histories.

Impact

• Personal data: names, emails, shipping addresses
• Order history and product preferences
• Loyalty program tier statuses

Details

MITRE ATT&CK Mapping:

• Initial Access (T1566.004): Vishing
• Valid Accounts (T1078.004): OAuth token misuse
• Collection (T1213): API data exfiltration

Takeaway for CISO

Prioritize enforcement of context-aware MFA on all SaaS apps and rigorous access-request verification protocols to thwart vishing-based OAuth token theft.

8. Pandora Jewelry Data Breach – August 6, 2025

Overview

Pandora confirmed a breach in which customer data for 30,000 users was exposed. The intrusion occurred August 1–3, 2025, but was only disclosed on August 6.

Explanation

The attack exploited the same ShinyHunters supply-chain method via a compromised third-party Salesforce integration, allowing bulk data exports.

Impact

• Customer names and email addresses
• Purchase records and subscription statuses

Details

MITRE ATT&CK Mapping:

• Initial Access (T1566.001): Phishing linked to integration support
• Exfiltration (T1567.002): Cloud storage upload

Takeaway for CISO

Implement granular API permissions and continuous monitoring of integration service principals to detect abnormal data-export volumes.

9. Google Salesforce Data Theft – August 8, 2025

Overview

Google disclosed a breach of its internal Salesforce instance on August 8. The attack aligned with the global ShinyHunters supply-chain campaign.

Explanation

Threat actors exploited a compromised admin’s session token to export sales leads and customer-prospect data.

Impact

• Potential Ads customer prospects’ contact details
• Lead scoring and pipeline data

Details

MITRE ATT&CK Mapping:

• Initial Access (T1078.004): Stolen session tokens
• Collection (T1213): API exfiltration

Takeaway for CISO

Rotate application session tokens after any suspected compromise and enforce device-bound session policies for critical SaaS apps.

10. PBS Employee Data Leak – August 9, 2025

Overview

Public Broadcasting Service (PBS) confirmed that employee credentials and PII were leaked on Discord servers on August 9.

Explanation

An insider shared a backup file via a public Discord channel. Attackers scraped the file containing hashed passwords and internal email addresses.

Impact

• Employee names and work emails
• Hashed password dumps

Details

MITRE ATT&CK Mapping:

• Insider Threat (T1086): Data sharing via collaboration platform
• Credential Access (T1555): Hash extraction

Takeaway for CISO

Implement Data Loss Prevention (DLP) controls on collaboration platforms and enforce strict data-sharing governance among employees.

11. U.S. Judiciary Court Records Breach – August 10, 2025

Overview

The U.S. Judiciary confirmed a breach of its electronic court records service on August 10, impacting PACER and CM/ECF systems.

Explanation

Attackers exploited a legacy authentication bypass in a third-party e-filing plugin to gain read-only access to court dockets and filings.

Impact

• Publicly filed documents and docket summaries
• Limited personal data of litigants (names, addresses)

Details

MITRE ATT&CK Mapping:

• Exploit Public-Facing Application (T1190): Plugin vulnerability
• Collection (T1119): Automated extraction of docket records

Takeaway for CISO

Enforce rigorous patch management and decommission outdated third-party plugins that no longer meet security baselines.

Outpace Attackers With AI-Based Automate Penetration Testing With FireCompass:

FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management 

>>FireCompass Free Trial