Analyst Insight
This week in cyber, we have seen continued exploitation of the ToolShell flaw reported last week, with ransomware gangs targeting exposed SharePoint servers to deliver ransomware and at least 400 servers compromised globally. Additionally, the Akira ransomware gang has been exploiting a zero-day vulnerability in SonicWall SSL VPN instances for ransomware deployment. Fashion giant Chanel has confirmed data was stolen, with the threat actors utilising social engineering techniques to compromise Salesforce instances. Finally, two major airlines, Air France and KLM, were targeted by Scattered Spider, resulting in unauthorized access to customer data. Read more in this week in cyber.
Ransomware Gangs Target Vulnerable Microsoft SharePoint Servers
Microsoft has confirmed that newly disclosed vulnerabilities in on-premises SharePoint servers, known as ToolShell (CVE-2025-53770 and CVE-2025-53771), have been actively exploited since mid-July, starting as early as July 7th and accelerating around July 18th 2025. Initially used for stealthy access and data theft by state-linked groups such as Linen Typhoon and Violet Typhoon, the flaws have more recently been used in operations attributed to Storm-2603, which have shifted toward deploying Warlock ransomware across at least 400 compromised servers globally, including U.S. federal agencies. Urgent patches were released for SharePoint Server 2019, Subscription Edition and SharePoint 2016.
Chanel Confirmed in Salesforce Data Theft Campaign
On July 25th 2025, Chanel discovered that attackers accessed a customer database hosted via a third party and tied to its U.S. client care centre. The breach exposed names, email addresses, mailing addresses, and phone numbers for select U.S. customers, but no payment or financial data, the company stated. Salesforce confirmed that its platform wasn't breached; instead, attackers used social engineering to compromise individual customer instances. The company urged users to adopt MFA, review connected apps, enforce least-privilege access, and intensify phishing awareness training. Chanel has already notified impacted individuals and enlisted cybersecurity experts and regulators as part of its response.
Akira Ransomware Exploits SonicWall SSL VPNs in New Campaign
A surge in Akira ransomware attacks has been linked to SonicWall SSL VPN devices, with activity increasing since mid-July 2025. Arctic Wolf Labs reports that attackers are gaining access via VPN logins, thought to be facilitated by a zero-day vulnerability, as even fully patched devices have been compromised.
While credential theft has not been ruled out, the use of Virtual Private Servers for VPN authentication suggests a deliberate effort to mask malicious access. The group's tactics show a rapid transition from initial access to ransomware deployment.
Organizations are urged to disable SonicWall SSL VPN services if possible until a patch is available and to enforce multi-factor authentication, remove unused accounts, and maintain strong password practices.
Akira ransomware, active since March 2023, has reportedly extorted over $42 million from more than 250 victims. In Q2 2025, it ranked as the second most active ransomware group, with a notable focus on Italian companies, according to statistics from Check Point.
Air France and KLM Disclose Data Breaches Impacting Customers
Air France and KLM have announced that attackers breached a customer service platform and stole the data of an undisclosed number of customers. Air France and KLM are among the largest airline companies in France and in Europe. They provide air transport to 300 destinations and 98 million passengers worldwide. They detected unusual activity on an external customer service platform. This activity resulted in unauthorised access to customer data; however, no financial or personal data was affected. The attackers are believed to be linked to the cybercriminal gang Scattered Spider, who have been spotted using attack methods such as social engineering by calling customer support and impersonating higher officials to access sensitive data.