In today’s cybersecurity news…
Akira ransomware delivers zero-day attacks to SonicWall VPNs
This is an incidence of targeting SonicWall VPNs including fully patched devices with MFA and rotated credentials. Researchers from Arctic Wolf Labs have observed multiple intrusions in late July 2025. This, they say, points to a zero-day vulnerability. Their report points out that “in contrast with legitimate VPN logins which typically originate from networks operated by broadband internet service providers, ransomware groups often use Virtual Private Server hosting for VPN authentication in compromised environments.” They recommend that organizations consider disabling the SonicWall SSL VPN service until a patch is made available and deployed.
(Security Affairs and Arctic Wolf)
UK Legal Aid program faces collapse due to cyberattacks
Following up on a story we covered last May, lawyers in the UK are warning that the cyberattack that occurred in May has “pushed the sector into chaos, with barristers going unpaid, cases being turned away and fears [that] a growing number of firms could desert Legal Aid work altogether.” After the personal data of hundreds of thousands of legal aid applicants in England and Wales dating back to 2010 was stolen in the attack, the inability for lawyers to access data or get compensated for their services has led to stress and a simple financial inability to maintain their Legal Aid practice, leading to a possible collapse of the entire system.
Luxembourg suffers attack on its Huawei systems, knocking out mobile service
As posted in The Record, “Luxembourg’s government announced on Thursday it was formally investigating a nationwide telecommunications outage caused last week by a cyberattack reportedly targeting Huawei equipment inside its national telecoms infrastructure.” This attack affected the country’s 4G and 5G mobile networks, making them unavailable for more than three hours, including for access to emergency services. This is because the country’s fallback 2G system became overloaded. Internet access and electronic banking services were also inaccessible. Statements issued by the country’s government said that the attack was “intentionally disruptive rather than an attempt to compromise the telecoms network,” and this led to a system failure.
Aeroflot’s breach that didn’t happen is now leaking data
Following up on a story we covered on July 29, despite statements from the airline as well as from Russian internet watchdog Roskomnadzor that there was no evidence of a data leak, the Belarusian hacker group Cyber Partisans, which has claimed responsibility for the attack, has posted what it says is travel data including flights taken and passport number for to Aeroflot CEO Sergei Aleksandrovsky. The authenticity of the leaked data has not been independently verified. Aeroflot has restored services and resumed normal operations, but cybersecurity experts warn “full recovery of the airline’s IT infrastructure may take longer.” The Cyber Partisans group says it was able to breach the airline’s systems because “employees used weak passwords, and the company relied on outdated versions of Windows,” but these claims also have not been independently verified.
Huge thanks to our sponsor, ThreatLocker
ThreatLocker® is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit ThreatLocker.com/CISO.
Cursor’s AI coding agent morphs into local shell with one-line prompt attack
According to researchers at AimLabs, a data-poisoning attack affecting Cursor, an AI-powered code editing software, could have given an attacker remote code execution privileges over user devices. The flaw was reported to Cursor on July 7, and a patch was sent out the next day, however, all previous versions of the software remain susceptible. This vulnerability has a CVE number (CVE-2025-54135) and occurs when Cursor interacts with a Model Contest Protocol (MCP) server that helps the software access a number of external tools from Slack, GitHub and other databases used to develop software. “Through a single line of prompting, an attacker can influence the actions of Cursor, which has developer-level privileges on host devices, in ways that are nearly silent and invisible to the user.
Social engineering attacks surged this past year, says Palo Alto Networks
The company’s Unit 42 division said, in a report, that for groups as diverse as Scattered Spider and North Korean tech workers, this technique of “tricking employees into granting access to their organizations’ core data and systems, was the top initial attack vector over the past year,” comprising 36% of the incident response cases that it had worked on. The report “includes data from more than 700 attacks ranging from small organizations to Fortune 500 companies. Nearly three-quarters of these attacks targeted organizations in North America.”
China accuses Nvidia of allowing alleged backdoors in H20 Chips
Nvidia H20 chips are “AI GPUs tailored for the Chinese market, based on Hopper architecture,” delivering strong AI performance but “with reduced features to comply with U.S. export controls.” The challenge from China comes just after the U.S. lifted an export ban, allowing Nvidia to resume chip sales in China. China’s Cyberspace Administration “summoned Nvidia on July 31, 2025, over security concerns tied to its H20 chips, with U.S. AI experts claiming the chips have tracking, location, and remote shutdown features.” China is now demanding some answers.
Microsoft Recall still captures images that it shouldn’t
Research conducted by The Register states that Microsoft Recall, the infamous AI app that takes screenshots of users’ PC activity is still screenshotting sensitive information like credit card numbers, despite promises not to do so. The setting entitled “Filter sensitive information,” which is enabled by default is supposed to avoid capturing personal data such as credit card numbers and passwords. However, tests conducted by The Register’s staff showed that not only does the filter frequently fail, there is “no way it would know to avoid potentially damaging entries in your web history that you’d rather keep private, such as things related to your medical history.” The researchers add that the screenshots Recall takes are available to anyone who has a user’s PIN number, even via remote access.
