Weekly One-Shot: July 6 - July 12, 2025
This week's threats and trends.
Before we dive in, I would like to thank all of you for supporting us with your subscription! My goal is to bring both actionable insights and easy-to-digest information regarding cybersecurity threats to non-tech and technical professionals alike. If this sounds like something that would help someone you know, please share the newsletter!
Join over 4 million Americans who start their day with 1440 – your daily digest for unbiased, fact-centric news. From politics to sports, we cover it all by analyzing over 100 sources. Our concise, 5-minute read lands in your inbox each morning at no cost. Experience news without the noise; let 1440 help you make up your own mind. Sign up now and invite your friends and family to be part of the informed.

Well, this week's cybersecurity landscape felt like watching a memory leak turn into a full-blown data hemorrhage!
We've got Citrix devices bleeding session tokens like a broken faucet, Microsoft dropping 130 patches like it's going out of style, and Chinese APT groups treating zero-days like a three-course meal. Meanwhile, ransomware operators decided that disrupting global supply chains was the perfect way to make friends and influence people.
But wait, there's more! Chrome is serving up its fourth zero-day of the year (because apparently three wasn't enough), airlines are getting social engineered faster than you can say "frequent flyer miles," and someone thought it would be clever to disguise malware as AI tools... Because nothing says "cutting-edge technology" like good old-fashioned malware with a fresh coat of artificial intelligence paint.
The good news?
At least we're consistent in our ability to find new and creative ways to compromise enterprise networks.
The bad news?
Your incident response team is probably already reaching for the emergency coffee reserves…
Let's dive into this week's digital chaos.
This week in Cybersecurity
1. Microsoft Patches 130 Vulnerabilities Including Wormable SPNEGO Flaw
The largest Patch Tuesday of 2025 addresses wormable vulnerability CVE-2025-47981 and a publicly known SQL Server zero-day.
July 10 Newsletter
2. Chinese Hackers Exploit Three Zero-Days in Ivanti Devices
Houken group deployed sophisticated rootkits targeting government, telecommunications, and critical infrastructure sectors.
July 8 Newsletter
3. Google Releases Emergency Updates for Fourth Chrome Zero-Day of 2025
A type confusion vulnerability in the V8 JavaScript engine has been actively exploited by nation-state actors.
July 8 Newsletter
4. NightEagle APT Exploits Microsoft Exchange Zero-Days
A previously unknown threat actor is targeting Chinese military and technology sectors with undisclosed Exchange vulnerabilities.
July 8 Newsletter
5. Ingram Micro Suffers Ransomware Attack, Causing Supply Chain Disruptions
The SafePay ransomware disrupted global IT distribution operations, affecting thousands of resellers and MSPs worldwide.
July 10 Newsletter
6. Qantas Confirms Extortion Demands Following 6 Million Customer Data Breach
The Scattered Spider group is systematically targeting the aviation sector using sophisticated social engineering tactics.
July 10 Newsletter
7. SEO Poisoning Campaign Distributes Oyster Malware via Fake AI Tools
Over 8,500 SMB users targeted with trojanized versions of popular software disguised as AI tools.
July 8 Newsletter
8. Aviation Sector Under Systematic Attack by Scattered Spider
Coordinated campaign targeting multiple airlines globally with social engineering and credential theft.
July 8 Newsletter
9. Nation-State Groups Escalate Zero-Day Exploitation
Multiple APT groups are actively exploiting zero-day vulnerabilities, targeting critical infrastructure and government systems.
July 8 Newsletter
10. Supply Chain Attacks Target Critical Infrastructure
Ransomware groups are focusing on supply chain disruption with cascading effects on downstream organizations.
July 10 Newsletter
Biggest Threat This Week
Citrix NetScaler "CitrixBleed2" Actively Exploited
Security researchers have released proof-of-concept exploits for a critical Citrix NetScaler vulnerability tracked as CVE-2025-5777, dubbed "CitrixBleed2" due to its striking similarity to the devastating original CitrixBleed vulnerability from 2023. The flaw affects Citrix NetScaler ADC and Gateway devices and allows attackers to retrieve memory contents by sending malformed POST requests during login attempts.
Researchers from watchTowr and Horizon3 have demonstrated that the vulnerability can be exploited by sending incorrect login requests where the login parameter is modified to be sent without an equal sign or value, causing the NetScaler appliance to leak memory contents in the response. Each malicious request can extract approximately 127 bytes of sensitive data, and attackers can perform repeated HTTP requests to gather additional memory contents until they locate valuable information such as user session tokens.
This vulnerability is particularly concerning because it allows unauthenticated attackers to steal active user sessions, potentially gaining access to internal corporate networks and sensitive applications without needing to compromise user credentials. Security researcher Kevin Beaumont disputes Citrix's claims that the vulnerability isn't being actively exploited, stating he has observed exploitation activity since mid-June, including repeated POST requests to authentication endpoints and suspicious logoff events with unusual usernames containing hash symbols.
The memory disclosure technique is nearly identical to the original CitrixBleed vulnerability that caused widespread compromise of enterprise networks in 2023, demonstrating that fundamental memory safety issues continue to plague critical network infrastructure devices.
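The two detection signals described above (bursts of POST requests against authentication endpoints from one source, and logoff events with usernames containing hash symbols) are simple enough to check directly in access and authentication logs. The following is an added example written for this newsletter, not code from Citrix, watchTowr, Horizon3 or Kevin Beaumont. It assumes a simplified, constructed log layout (ISO timestamp, source address, event, detail), and the endpoint path `/auth/login`, the threshold of 5 requests per 60 seconds and the sample lines are all placeholders chosen for the example rather than NetScaler's real URIs or log format.

```python
"""Flag the CitrixBleed2 indicators described in the newsletter in sample log lines.

Added example (not from the original page). Assumed log layout:
    <ISO timestamp> <source IP> POST <path> status=<code>
    <ISO timestamp> <source IP> LOGOFF user="<name>"
Real NetScaler logs look different; adapt parse_line() to your appliance's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample data. /auth/login is a placeholder path, not a real NetScaler URI.
SAMPLE_LOG = """\
2025-07-08T10:00:00Z 198.51.100.7 POST /auth/login status=200
2025-07-08T10:00:01Z 203.0.113.5 POST /auth/login status=400
2025-07-08T10:00:02Z 203.0.113.5 POST /auth/login status=400
2025-07-08T10:00:03Z 203.0.113.5 POST /auth/login status=400
2025-07-08T10:00:04Z 203.0.113.5 POST /auth/login status=400
2025-07-08T10:00:05Z 203.0.113.5 POST /auth/login status=400
2025-07-08T10:00:06Z 203.0.113.5 POST /auth/login status=400
2025-07-08T10:00:30Z 198.51.100.7 POST /portal/home status=200
2025-07-08T10:05:00Z 198.51.100.7 LOGOFF user="alice"
2025-07-08T10:06:00Z 203.0.113.5 LOGOFF user="#AAAA#"
"""

POST_RE = re.compile(r'^(\S+) (\S+) POST (\S+) status=(\d+)$')
LOGOFF_RE = re.compile(r'^(\S+) (\S+) LOGOFF user="([^"]*)"$')


def _parse_ts(text):
    # Accept the trailing "Z" on older Python versions by rewriting it as an offset.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_line(line):
    """Return an event dict for a recognised line, or None for anything else."""
    m = POST_RE.match(line)
    if m:
        return {"ts": _parse_ts(m.group(1)), "src": m.group(2), "kind": "post",
                "path": m.group(3), "status": int(m.group(4))}
    m = LOGOFF_RE.match(line)
    if m:
        return {"ts": _parse_ts(m.group(1)), "src": m.group(2), "kind": "logoff",
                "user": m.group(3)}
    return None


def parse_log(log_text):
    """Parse all lines of a log, silently dropping lines in unknown formats."""
    return [ev for ev in (parse_line(l) for l in log_text.splitlines()) if ev]


def find_post_bursts(events, auth_paths, threshold=5, window=timedelta(seconds=60)):
    """Map source -> peak number of auth POSTs seen within any sliding window.

    Only sources reaching `threshold` are returned. Repeated POSTs to the login
    endpoint are the pattern the article describes for harvesting leaked memory.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev["kind"] == "post" and ev["path"] in auth_paths:
            by_src[ev["src"]].append(ev["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


def find_suspicious_logoffs(events):
    """Return (source, username) pairs for logoffs whose username contains '#'.

    The article cites logoff events with unusual usernames containing hash
    symbols as an observed artefact of exploitation attempts.
    """
    return [(ev["src"], ev["user"]) for ev in events
            if ev["kind"] == "logoff" and "#" in ev["user"]]


def analyze(log_text, auth_paths=("/auth/login",)):
    """Run both checks over a log and return their findings together."""
    events = parse_log(log_text)
    return {"post_bursts": find_post_bursts(events, set(auth_paths)),
            "suspicious_logoffs": find_suspicious_logoffs(events)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The threshold and window are deliberately loose so the check is cheap to run over a day's logs; tune them against your own baseline of legitimate login traffic before alerting on them, and treat a hit as a prompt to check the appliance's patch level and to invalidate active sessions rather than as proof of compromise on its own.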
Training Recommendation
Critical Infrastructure Vulnerability Management and Memory Safety
With the discovery of CitrixBleed2 and the escalation of zero-day exploitation by nation-state actors, organizations need comprehensive training on critical infrastructure vulnerability management and emergency response procedures. Focus areas should include understanding memory disclosure vulnerabilities and their exploitation techniques, implementing rapid patch deployment processes for critical network appliances, and developing session monitoring capabilities to detect unauthorized access. Additionally, with the rise of sophisticated supply chain attacks targeting major IT distributors and the systematic targeting of specific industry sectors, organizations should focus on supply chain risk assessment methodologies and sector-specific threat awareness training. Training should also cover the evolving tactics of APT groups exploiting multiple zero-day vulnerabilities simultaneously and the importance of network segmentation to limit the impact of compromised perimeter devices.
Sign up here to get started with Infrastructure Vulnerability Management
Wrapping Up:
This week's cybersecurity landscape demonstrates the critical importance of memory safety in network infrastructure and the persistent targeting of supply chain vulnerabilities by both nation-state and criminal actors.
From memory disclosure vulnerabilities in critical network appliances to sophisticated zero-day exploitation campaigns targeting government and critical infrastructure, we're seeing threat actors exploit both technical vulnerabilities and organizational dependencies with increasing effectiveness.
The coordinated attacks against specific industry sectors and the continued targeting of major technology distributors underscore the need for comprehensive supply chain security strategies and enhanced threat intelligence sharing.
Organizations must prioritize both technical security measures and comprehensive incident response capabilities to address the evolving threat landscape effectively.
(P.S. Supporting our partners helps keep this newsletter running!)