Cyberattacks (4)

Cybercriminals exploited a critical SAP vulnerability (CVE-2025-31324) to breach a U.S. chemicals company and install Auto-Color malware on their Linux systems. The attack demonstrates how hackers are targeting enterprise software flaws to gain access to corporate networks.

SAP systems are widely used by major corporations for business operations, making this vulnerability particularly concerning for companies across industries. Organizations running SAP software should immediately apply security patches and review their Linux system configurations to prevent similar attacks.

Source: thehackernews.com

French telecom giant Orange detected a cyberattack on July 25 that disrupted management services for corporate and individual customers, mainly in France. The company's security team quickly isolated affected systems to minimize damage. Services should be restored by July 30, and Orange says no customer data appears stolen so far. Authorities have been notified, but Orange won't share additional details.

This follows February incidents where hackers claimed to steal gigabytes of Orange data, including customer information and source code, though Orange downplayed those breaches as affecting only non-critical systems.

Source: Security Week

Gov. Tim Walz activated the Minnesota National Guard Tuesday to help St. Paul recover from a sophisticated cyberattack that has crippled city systems since Friday. Mayor Melvin Carter declared a state of emergency, calling it a "deliberate, coordinated digital attack" by external criminals targeting the city's infrastructure. The FBI and cybersecurity firms are investigating alongside the Guard's cyber forces.

City Wi-Fi, internal networks, and online bill payment are down, forcing some workers offline. Libraries and recreation services are also affected, though 911 remains operational. Officials won't restore services until they fully understand the breach's scope.

Source: CBS News Minnesota

The Python Package Index (PyPI) is warning developers about an ongoing phishing campaign targeting their accounts. Attackers are sending fake verification emails and using lookalike domains to steal credentials from Python developers. The fraudulent emails appear legitimate but direct users to malicious sites designed to harvest login information.

PyPI officials are urging developers to verify email authenticity before clicking links and to enable two-factor authentication. This campaign specifically targets the Python development community, potentially compromising software supply chains if successful.

Source: The Hacker News

Cybercriminals compromised Toptal's GitHub account and published 10 malicious npm packages that downloaded 5,000 times before removal. The packages contained code designed to steal GitHub authentication tokens and completely wipe victim systems using destructive commands. All packages targeted the same preinstall and postinstall scripts, sending stolen data to webhook endpoints before silently deleting files on Windows and Linux machines.

Toptal has since restored safe versions, but the attack method remains unknown. This follows similar supply chain attacks targeting npm and Python repositories with surveillanceware.

Source: The Hacker News

A pro-Ukraine hacking group called Silent Crow claims it successfully attacked Russia's national airline Aeroflot, forcing the cancellation of dozens of flights and causing widespread system failures. The group, working with Belarusian hackers Cyber Partisans, says it compromised Aeroflot's IT infrastructure and threatens to release passenger data. Russian prosecutors confirmed the cyber-attack and opened a criminal investigation.

The disruption mostly affected domestic routes but also flights to Belarus, Armenia, and Tashkent. Passengers were transferred to other carriers. This marks a rare visible impact from the ongoing cyber warfare between pro-Russian and pro-Ukrainian hacking groups since 2022.

Source: BBC News

Over 400 organizations worldwide fell victim to Chinese hackers exploiting zero-day vulnerabilities in Microsoft SharePoint servers, including the Departments of Energy, Homeland Security, and Health and Human Services. The attack began Friday using the "ToolShell" exploit that bypasses multi-factor authentication.

Three Chinese threat groups are involved: Storm-2603 deployed Warlock ransomware starting July 18, while government-affiliated Linen Typhoon and Violet Typhoon focused on stealing intellectual property and espionage. Microsoft released emergency patches Monday, but nearly 11,000 SharePoint instances remained exposed Wednesday. Federal agencies report no confirmed data breaches so far, though investigations continue.

Source: CyberScoop

Proofpoint researchers discovered four previously unknown Chinese hacking groups attacking Taiwan's semiconductor industry since last fall, marking a sharp increase in cyber espionage. The attackers used phishing emails disguised as job-seeking students, investment firms, and Microsoft security notices to breach chip manufacturers and investment banks analyzing the sector. One group even targeted legal personnel at semiconductor companies.

The campaigns deployed custom malware including Cobalt Strike, Voldemort backdoor, and SparkRAT. Taiwan's chip industry is globally critical, making it a prime target as China seeks to undermine the island's economic strength and national defense capabilities.

Source: Dark Reading

Security firm Socket discovered an active campaign targeting developers through 60 malicious NPM packages that steal system data when installed. Over two weeks, threat actors published packages containing scripts that collect hostnames, IP addresses, DNS servers, and directory paths, sending everything to a Discord webhook.

The packages have been downloaded over 3,000 times across Windows, Linux, and macOS systems. Three NPM accounts published 20 packages each, all containing identical fingerprinting code designed to evade detection.

Socket warns this data helps attackers map internal developer networks to public infrastructure, enabling future supply chain attacks and targeted intrusions.

Source: Security Week