At a glance.
- China's Salt Typhoon breached a US state's National Guard network.
- UK sanctions Russian military intelligence officers for cyber reconnaissance operations.
- CISA confirms exploitation of maximum-severity Wing FTP flaw.
- Malware campaign targets end-of-life SonicWall devices.
- Law enforcement disrupts pro-Russian hacker group.
- Louis Vuitton UK discloses breach.
China's Salt Typhoon breached a US state's National Guard network.
The Chinese threat actor Salt Typhoon "extensively compromised" a US state's National Guard network last year and "collected its network configuration and its data traffic with its counterparts' networks in every other US state and at least four US territories," according to a US Department of Homeland Security memo obtained by NBC News. The threat actor was present on the network for nine months between March and December 2024. BleepingComputer further quotes the memo as saying, "This data also included these networks' administrator credentials and network diagrams—which could be used to facilitate follow-on Salt Typhoon hacks of these units."
A National Guard Bureau (NGB) spokesperson confirmed the compromise, telling NBC that the attack "has not prevented the National Guard from accomplishing assigned state or federal missions, and that NGB continues to investigate the intrusion to determine its full scope."
UK sanctions Russian military intelligence officers for cyber reconnaissance operations.
The British government has sanctioned eighteen Russian military intelligence officers belonging to three GRU units for allegedly conducting cyber reconnaissance that led to hundreds of murders and civilian deaths in Ukraine, the Record reports. One of the sanctioned GRU units allegedly helped to target a missile strike that killed hundreds of civilians in the Mariupol Theatre in 2022. Another is accused of surveilling Yulia and Sergei Skripal before their attempted murders with the Novichok nerve agent in the UK.
The UK's National Cyber Security Centre (NCSC) has also published a technical analysis of a newly observed strain of malware deployed by the GRU threat actor APT28.
CISA confirms exploitation of maximum-severity Wing FTP flaw.
CISA has added a critical vulnerability (CVE-2025-47812) affecting Wing FTP Server to its Known Exploited Vulnerabilities (KEV) Catalog, ordering federal civilian agencies to patch the flaw by August 4th. The vulnerability, which was assigned a CVSS score of 10, can allow attackers to inject arbitrary Lua code into user session files; that code then runs with the privileges of the FTP service, which are root or SYSTEM by default. The vulnerability's CVE record describes it as "a remote code execution vulnerability that guarantees a total server compromise."
Researchers at Huntress observed exploitation against a customer on July 1st, one day after an initial write-up was published.
Malware campaign targets end-of-life SonicWall devices.
Google's Threat Intelligence Group (GTIG) has published a report on an ongoing malware campaign targeting fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances. The threat actor is using credentials and one-time password seeds stolen during previous attacks, and installing a newly observed rootkit dubbed "OVERSTEP." Google states, "[O]ur analysis shows this malware modifies the appliance's boot process to maintain persistent access, steal sensitive credentials, and conceal its own components. GTIG assesses with moderate confidence that UNC6148 may have used an unknown zero-day remote code execution vulnerability to deploy OVERSTEP on opportunistically targeted SonicWall SMA appliances." The goal of the operation appears to be data theft, extortion, and possibly ransomware deployment.
Google recommends that "all organizations with SMA appliances perform analysis to determine if they have been compromised," noting that "[o]rganizations should acquire disk images for forensic analysis to avoid interference from the rootkit anti-forensic capabilities."
Law enforcement disrupts pro-Russian hacker group.
An international law enforcement operation has disrupted the pro-Russian hacker group NoName057(16). The group is a loose collective of criminals and hacktivists known for launching DDoS attacks against Ukraine and its allies. The operation, which was coordinated by Europol and Eurojust, involved over a dozen European countries, as well as Canada and the US.
Europol stated, "The actions led to the disruption of an attack-infrastructure consisting of over one hundred computer systems worldwide, while a major part of the group's central server infrastructure was taken offline. Germany issued six warrants for the arrest of offenders living in the Russian Federation. Two of these persons are accused of being the main instigators responsible for the activities of "NoName057(16)". In total, national authorities have issued seven arrest warrants, which are directed, inter alia, against six Russian nationals for their involvement in the NoName057(16) criminal activities. All of the suspects are listed as internationally wanted, and in some cases, their identities are published in media."
Louis Vuitton UK discloses breach.
Louis Vuitton has disclosed a cyberattack affecting its UK branch, Infosecurity Magazine reports. The attacker stole personal data belonging to the luxury retailer's UK customers, including names, contact details, and purchase history. The company says financial details were not affected.
Louis Vuitton said in its disclosure, "Given the nature of the data involved, we warmly recommend that you remain vigilant against any unsolicited communication or other suspicious correspondence, including emails, phone calls, or text messages. While we have no evidence that your data has been misused to date, phishing attempts, fraud attempts, or unauthorized use of your information may occur."