
Cybersecurity Weekly News for 11th August to 24th August, 2025
DoJ Disrupts BlackSuit/Royal Ransomware Infrastructure
The U.S. Department of Justice disrupted the infrastructure of the BlackSuit/Royal ransomware groups, seizing servers and domains used in attacks on healthcare and critical infrastructure. In response, security firms praised the takedown while urging organisations not to rely on law-enforcement disruption alone and to keep improving backup and incident-response readiness. One likely consequence is the dissolution of ransomware gangs into smaller, less predictable affiliates. SMBs should anticipate "data theft without encryption" tactics and rehearse crisis communications.
Sources: (US DoJ, KrebsOnSecurity)
Microsoft Patch Tuesday Fixes 107 CVEs, a Zero-Day Included
Microsoft's August Patch Tuesday patched 107 vulnerabilities, 13 of which were rated Critical, including a single actively exploited zero-day. Highlighted issues included remote code execution vulnerabilities in SharePoint and Exchange. In response, enterprise IT teams scrambled to prioritise patch rollouts, as security vendors warned that exploit code for unpatched systems could appear imminently. SMBs running M365/SharePoint environments are especially exposed here: postponed patching can give attackers the initial foothold they need for ransomware and supply-chain attacks.
Sources: (Microsoft, BleepingComputer)
Workday Data Breach via Social-Engineering Attacks on Salesforce Workflows
Workday acknowledged a breach after attackers exploited Salesforce-integrated workflows via social engineering. The "ShinyHunters" group was responsible, and customer contact data was stolen. Workday's remediation reset affected accounts, locked down SaaS admin access, and urged clients to adopt phishing-resistant MFA. This campaign highlights SaaS supply-chain vulnerability: SMBs using Salesforce/Workday must require MFA on helpdesk workflows and monitor API tokens to avoid similar compromise.
Sources: (TechCrunch, SecurityWeek)
Allianz Life Data Breach Exposes 1.1M Individuals
Allianz Life reported a breach impacting over 1.1M policyholders, with sensitive personal data leaked. Attackers reportedly stole records without breaking encryption. Allianz's response to customers was to provide credit monitoring; regulators opened investigations into Allianz's vendor management. The fallout illustrates the evolution of ransomware gangs towards pure data theft. SMBs should apply DLP and encrypt sensitive datasets both at rest and in transit.
Sources: (Bloomberg, DarkReading)
DaVita Provides Update on Ransomware Attack: 2.7M Affected
US health provider DaVita notified regulators of its May attack and confirmed that ~2.7M patients' data was affected. In response, patients and activist groups demanded stricter healthcare cyber regulations. Healthcare-adjacent SMBs (clinics, suppliers) should expect greater compliance and insurance requirements, raising operational costs.
Sources: (Reuters, HIPAA Journal)
TPG Telecom / iiNet (Australia) Breach: 280k+ Records Stolen
TPG confirmed unauthorised access to legacy iiNet email platforms, exposing addresses and personal details of ~280,000 customers. Attackers used stolen employee credentials. In response, the company shut down the impacted environment and required password resets. The implication is that credential reuse remains a major weak point: SMBs must implement passwordless authentication or universal MFA, particularly for legacy hosted services.
Sources: (ABC News, Sydney Morning Herald)
WestJet (Canada) Passenger Data Leaked
WestJet reported that hackers accessed passenger data through a compromised third-party system. Personal data was stolen, but no passport or financial data was confirmed lost. In response, WestJet is introducing supplier monitoring and informing affected passengers. The implication is that air-travel supply chains remain prime extortion targets; SMBs in travel services must conduct vendor audits and demand breach-notification clauses.
Sources: (CBC, Global News)
UK-Centric Tales
APCS Criminal-Records Checker Breach
Associated Criminal Records Services (APCS), a UK provider of DBS/background checks, suffered a breach of its network through an upstream software vendor. Candidate and employer information was exposed. APCS responded by shutting down parts of its platform, notifying affected users, and working with the ICO. The lesson for SMBs using third-party vetting services is to enforce vendor risk assessments and contractual breach-response SLAs.
Sources: (BBC, Infosecurity Magazine)
Suspected Ransomware Attack on Colt Technology Services
Colt Technology Services (a UK/EU telco carrier) was hit by a suspected ransomware attack, with reports of a SharePoint compromise. Downstream connectivity and voice services were affected. Colt responded by containing the attack and bringing core services back online, with investigations continuing. For SMBs that rely on hosted collaboration and voice platforms, this underscores the need for cloud monitoring, conditional access on SharePoint, and service-continuity planning.
Sources: (Computer Weekly, Security Affairs)
MoD Contractor Breach Exposes Resettlement Data
A UK Ministry of Defence contractor leaked service leavers' personal data, raising concern about data handling. The MoD responded by launching an internal investigation and informing those affected. The consequence is that even SMBs contracting to government departments must now treat personal data with military-grade diligence: encryption, red-teaming of suppliers, and access controls are now bare-minimum expectations.
Sources: (Guardian, AP)
| Threat/Event | Type | Affected Scope | Urgent Action |
|---|---|---|---|
| BlackSuit disruption | Ransomware infra takedown | Global | Assume regrouping; update playbooks |
| Microsoft Patch Tuesday | 107 CVEs incl. zero-day | Windows, SharePoint, Exchange | Accelerated patching |
| Workday/SaaS breach | Supply-chain/social engineering | SaaS/CRM users | Audit OAuth/MFA, review API access |
| Allianz Life breach | Data exfiltration | 1.1M individuals | Improve DLP & insurance compliance |
| DaVita update | Ransomware | 2.7M patients | Healthcare resilience, tabletop drills |
| TPG Telecom breach | Credential theft | 280K customers | Passwordless/MFA deployment |
| WestJet breach | PII theft | Airline customers | Customer notification readiness |
| APCS UK breach | Supplier compromise | HR/SMB employers | Vendor risk & breach SLAs |
| Colt Technology | Suspected ransomware | UK/EU business services | Harden M365/SharePoint |
| MoD contractor breach | Third-party data leak | Defence contractors | Encrypt data, review SLAs |
Conclusion
This fortnight's events underscore a familiar pattern: attackers operate around traditional perimeters through SaaS workflows, vendors, and social engineering, and defenders are still catching up. Three imperatives for SMBs:
- Enhance third-party risk management: each supplier breach is a window into your information.
- Accelerate patching and MFA adoption: unpatched M365/SharePoint and weak SaaS admin credentials are common entry points.
- Get ready for data extortion rather than encryption: have legal, comms, and client response prepared ahead of time.
The shift to data theft + social engineering makes proactive identity controls and vendor management the most critical security investments for 2025.