Weekly One-Shot: June 29 - July 6, 2025

This week's threats and trends.

Before we dive in, I would like to thank all of you for supporting us with your subscription! My goal is to bring both actionable insights and easy-to-digest information regarding cybersecurity threats to non-tech and technical professionals alike. If this sounds like something that would help someone you know, please share the newsletter!

Well, this week's cybersecurity landscape felt like watching a developer's worst nightmare come to life…

We've got hardcoded backdoors in enterprise communications systems that make your production environment about as secure as a screen door, Chrome zero-days dropping like confetti at a hacker convention, and North Korean threat actors who apparently decided that cryptocurrency organizations needed some "freedom" from their digital assets.

But wait, there's more! Airlines are getting breached faster than you can say "frequent flyer miles," fake browser extensions are multiplying like rabbits in Firefox's store, and the International Criminal Court is learning that investigating war crimes comes with its own set of digital warfare challenges.

The good news? At least someone finally figured out that leaving root credentials in production code might not be the best security practice. The bad news? It only took them until 2025 to realize it. Patch everything, trust nothing, and maybe consider that your browser extension collection needs a security audit. Let's dive into this week's digital chaos.

This week in Cybersecurity

1. Google Patches Fourth Chrome Zero-Day of 2025 Under Active Attack
Fourth actively exploited Chrome zero-day this year targeting high-risk individuals including opposition politicians, dissidents, and journalists.
July 1 Newsletter

2. Qantas Data Breach Exposes 6 Million Customers in Scattered Spider Campaign
Major airline breach affecting 6 million customers as part of coordinated Scattered Spider campaign targeting the aviation sector.
July 4 Newsletter

3. North Korean Hackers Target Web3 with Sophisticated Nim Malware
State-sponsored actors are using novel "NimDoor" malware with process injection and encrypted WebSocket communications to target cryptocurrency organizations.
July 4 Newsletter

4. Iranian Hackers Target U.S. Critical Infrastructure and Defense Organizations
Joint CISA, FBI, and NSA advisory warns of increased targeting of Defense Industrial Base and critical infrastructure sectors.
July 1 Newsletter

5. Swiss Govt Data Stolen in Ransomware Attack Against Third-Party
Sarcoma ransomware group leaked 1.3TB of sensitive federal office data after compromising health organization Radix.
July 1 Newsletter

6. Fake Crypto Wallet Extensions Flood Firefox Store, Stealing Seed Phrases
Over 40 malicious extensions impersonating popular cryptocurrency wallets discovered in Firefox's official add-ons store.
July 4 Newsletter

7. New FileFix Attack Bypasses Windows Security Protections
Novel technique bypasses Windows Mark of the Web protection by exploiting browser behavior when saving HTML pages as .HTA files.
July 4 Newsletter

8. International Criminal Court Hit by "Sophisticated" Cyberattack
Second targeted attack against ICC coincides with high-profile war crimes investigations involving major world leaders.
July 4 Newsletter

9. Aviation Sector Under Coordinated Attack by Scattered Spider
Systematic targeting of airline industry by notorious threat group using social engineering and identity-based attack techniques.
July 4 Newsletter

10. State-Sponsored Groups Escalate Cryptocurrency Targeting
Multiple nation-state actors focusing on Web3 and cryptocurrency organizations with advanced malware and social engineering techniques.
July 1 Newsletter

Biggest Threat This Week

Cisco Removes Critical Backdoor from Unified Communications Manager

Cisco has removed a backdoor account from its Unified Communications Manager (Unified CM) that would have allowed remote attackers to log in to unpatched devices with root privileges. The vulnerability, tracked as CVE-2025-20309 with a maximum CVSS score of 10.0, affects Cisco Unified CM and Unified CM Session Management Edition (SME) Engineering Special (ES) releases. The flaw is due to the presence of static user credentials for the root account that were reserved for use during development but mistakenly left in production releases.

This critical vulnerability is particularly concerning as Cisco Unified CM is widely deployed in enterprise environments for managing IP phones, video conferencing systems, and other communication services. An unauthenticated, remote attacker could exploit this vulnerability to gain complete control over affected systems, potentially compromising the entire communications infrastructure of an organization. The backdoor could allow attackers to intercept sensitive communications, deploy malware, or use the compromised systems as a foothold for lateral movement within corporate networks.

The discovery highlights a fundamental security failure in the software development lifecycle, where development credentials were not properly removed before production deployment. Organizations using affected Cisco Unified CM systems should immediately upgrade to version 15SU3 or apply emergency patches to prevent potential exploitation.

Learn more on Cisco Backdoor

Training Recommendation

Enterprise Communications Security and Development Lifecycle Management

With the discovery of hardcoded backdoors in critical enterprise communications infrastructure, organizations need comprehensive training on secure software development lifecycle practices and enterprise communications security. Focus areas should include understanding the risks of development credentials in production systems, implementing proper code review processes to catch security issues before deployment, and developing rapid response procedures for critical infrastructure vulnerabilities. Additionally, with the rise of sophisticated social engineering attacks targeting cryptocurrency and aviation sectors, organizations should focus on industry-specific threat awareness training and the importance of verifying software authenticity, especially for browser extensions and communication tools. Training should also cover nation-state threat detection techniques and the evolving tactics used by advanced persistent threat groups.

Sign up here to get started: Lifecycle Management Training

Wrapping Up:

This week's cybersecurity landscape demonstrates the critical importance of secure development practices and the persistent targeting of high-value sectors by both nation-state and criminal actors.

From hardcoded backdoors in enterprise communications systems to sophisticated malware targeting cryptocurrency organizations, we're seeing threat actors exploit both technical vulnerabilities and human factors with increasing effectiveness.

The coordinated attacks against the aviation sector and the continued targeting of critical infrastructure underscore the need for sector-specific security strategies and enhanced threat intelligence sharing.

Organizations must prioritize both technical security measures and comprehensive security awareness training to address the evolving threat landscape effectively.

(P.S. Supporting our partners helps keep this newsletter running!)