Ticker feed
SonicWall is investigating a potential zero-day vulnerability after a surge in ransomware attacks targeting its firewalls since mid-July. Google's threat intelligence team first spotted the campaign, where hackers deployed a new backdoor called Overstep on fully patched devices. The attacks affect Gen 7 SonicWall firewalls with SSLVPN enabled, particularly TZ and NSa-series models running firmware 7.2.0-7015 or earlier.
What's alarming: attackers bypassed multi-factor authentication and reached domain controllers within hours. SonicWall recommends immediately disabling SSLVPN services, limiting connectivity to trusted IPs, and updating all passwords while the investigation continues.
Source: Security Week
Cybercriminals are deploying Interlock ransomware through a clever social engineering trick called ClickFix. Victims visit compromised websites that display fake error messages, prompting them to copy and run malicious PowerShell commands that appear to fix technical issues.
Active since September 2024, the ransomware has targeted organizations across North America and Europe using double extortion tactics. The malware fingerprints victim systems to identify high-value targets while avoiding security researchers. eSentire analysts discovered the sophisticated attack chain in July 2025, revealing multi-layered techniques involving PowerShell scripts and custom remote access tools.
Source: Cyber Security News
Cybercriminals behind Akira ransomware are exploiting SonicWall SSL VPN devices in what appears to be a zero-day attack, successfully breaching fully-patched systems. The attacks target organizations using SonicWall's VPN infrastructure, raising serious concerns about a previously unknown vulnerability.
Since the compromised devices were up-to-date with security patches, security experts suspect attackers discovered and weaponized a new flaw before SonicWall could address it. Organizations using SonicWall VPNs face immediate risk and should monitor their networks closely for suspicious activity while awaiting official patches.
Source: The Hacker News
A new wave of ransomware attacks may be exploiting an unknown zero-day vulnerability in SonicWall firewall devices, researchers warn. Arctic Wolf detected suspicious activity starting July 15, when hackers used VPN access through SonicWall SSL VPNs to launch intrusions the following week. The attackers deployed Akira ransomware in hands-on attacks after compromising the devices.
What's particularly concerning: hackers breached fully patched SonicWall systems with rotated credentials and even bypassed multi-factor authentication. This echoes similar attacks from 2024 targeting CVE-2024-40766. Arctic Wolf's investigation remains preliminary, but the pattern suggests a serious new threat to SonicWall users.
Source: Cybersecurity Dive
Cybercriminals have created over 250 fake Android and iOS apps targeting Korean users, disguising spyware as legitimate dating, social media, and file-sharing services. These convincing copycats feature professional logos and fake five-star reviews to trick users into downloading them. Once installed, the malware steals contacts, photos, messages, and device data.
Attackers then escalate to personal blackmail, as happened to one victim who downloaded a fake dating app after a breakup. The hacker contacted his family members with threats after luring him into compromising situations. Researchers from Zimperium discovered 88 domains behind the campaign, 25 of which are indexed in Google search results.
Source: Dark Reading
Ontario Health atHome knew about a massive cyberattack affecting up to 200,000 patients as early as April 14 but didn't tell the public until June 27. The breach at vendor Ontario Medical Supply actually happened in March, compromising patient names, addresses, medical diagnoses, and prescription data.
The agency waited six weeks to notify Ontario's privacy commissioner and only informed patients after Liberal MPP Adil Shamji forced their hand by revealing the incident publicly. Health Minister Sylvia Jones then ordered the agency to contact affected patients. Critics call the delay "deception" and "incompetence," warning the stolen data could enable identity theft and blackmail.
Source: Global News
Cybercriminals are exploiting legitimate email security services from Proofpoint and Intermedia to launch sophisticated phishing attacks targeting Microsoft 365 users. The hackers use these trusted platforms' link-wrapping features to create multi-layered redirects that bypass security filters and appear legitimate to victims.
When users click these disguised links, they're taken through several redirects before landing on fake Microsoft login pages designed to steal their credentials. This technique is particularly dangerous because it leverages trusted security brands, making the malicious emails harder to detect and more likely to fool recipients.
Source: The Hacker News
Apple released security updates Tuesday fixing dozens of vulnerabilities, including CVE-2025-6558, a bug already exploited against Chrome users. Google patched this flaw in Chrome 138 last July after discovering active attacks targeting its graphics components. The vulnerability lets attackers escape browser sandboxes through malicious web pages.
Apple's updates cover iOS 18.6, macOS Sequoia 15.6, and other platforms, patching 87 CVEs in macOS alone. While there's no evidence Safari users were targeted, the flaw could crash the browser when visiting malicious sites. CISA previously flagged this as a critical threat requiring federal agencies to patch by August 12.
Source: Security Week
Cybercriminals exploited a critical SAP vulnerability (CVE-2025-31324) to breach a U.S. chemicals company and install Auto-Color malware on its Linux systems. The attack demonstrates how hackers are targeting enterprise software flaws to gain access to corporate networks.
SAP systems are widely used by major corporations for business operations, making this vulnerability particularly concerning for companies across industries. Organizations running SAP software should immediately apply security patches and review their Linux system configurations to prevent similar attacks.
Source: thehackernews.com
French telecom giant Orange detected a cyberattack on July 25 that disrupted management services for corporate and individual customers, mainly in France. The company's security team quickly isolated affected systems to minimize damage. Services should be restored by July 30, and Orange says no customer data appears to have been stolen so far. Authorities have been notified, but Orange won't share additional details.
This follows February incidents where hackers claimed to steal gigabytes of Orange data, including customer information and source code, though Orange downplayed those breaches as affecting only non-critical systems.
Source: Security Week