US Senator Requests Mandiant's Salt Typhoon Telco Reports; EU Firms Struggle to Comply With DORA; Google Offers Defensive Measures Against Scattered Spider VMWare Attacks

Fifteen years ago, STUXNET proved that malicious code could damage physical systems. What was once speculation became a reality: operational technology (OT) and industrial control systems (ICS) were vulnerable to cyberattacks, and by extension, so was national infrastructure.

Fast forward to 2025, and that threat has not only grown; it has matured and gone global.

However, in his July 22 testimony before the U.S. House Subcommittee on Cybersecurity and Infrastructure Protection, Dragos CEO and SANS Fellow Robert M. Lee delivered a clear message: “Defense is doable.”

Lee’s testimony is urgent and real but not alarmist. Instead, it is a roadmap for what we’ve learned, what we’re facing, and how we can protect the systems that keep our society running with tools we already have.

Read the SANS blog:

https://www.sans.org/blog/congressional-testimony-securing-america-critical-infrastructure: Defense is Doable: Robert M. Lee’s Congressional Testimony on Securing America’s Critical Infrastructure

Watch the hearing:

https://www.youtube.com/watch?v=jLROmU7j57Q: Fully Operational Stuxnet 15 Years Later & the Evolution of Cyber Threats to Critical Infrastructure

Explore the Five ICS Cybersecurity Critical Controls: https://www.sans.org/white-papers/five-ics-cybersecurity-critical-controls

Citing "ongoing concerns about the security of our critical networks," US Senator Maria Cantwell (D-Washington) has asked Mandiant to submit their vulnerability assessments of AT&T and Verizon that were conducted following Salt Typhoon intrusions. In December 2024, both AT&T and Verizon claimed their networks were secure; these claims came just weeks after the US government's statement that the Salt Typhoon intrusions were so severe that it would be "impossible ... to predict a time frame on when [they will] have a full eviction." Cantwell initially requested information directly from the companies about their actions to eliminate Salt Typhoon's presence on their systems and prevent recurrences; "both companies acknowledged they retained Mandiant to conduct a comprehensive assessment of the cyber incident and verify the extent to which the incident has been contained." Cantwell has requested that by August 6, 2025, Mandiant submit "a copy of all reports, assessments, and analyses Mandiant conducted for AT&T and Verizon, respectively, in response to the Salt Typhoon attacks; a list of any recommendations by Mandiant that have not been fully addressed by AT&T or Verizon in response to the Salt Typhoon attacks; [and] all records related to the costs and expenses of Mandiant’s work for AT&T and Verizon, respectively, in response to the Salt Typhoon attacks."

The European Union's Digital Operational Resilience Act (DORA) came into effect on January 17, 2025. Six months later, the results of a survey conducted by Censuswide reveal the struggles financial firms are facing to comply with DORA's requirements. DORA was "introduced by the European Union to strengthen the digital resilience of financial entities. It ... ensures that banks, insurance companies, investment firms and other financial entities can withstand, respond to, and recover from ICT (Information and Communication Technology) disruptions, such as cyberattacks or system failures." Ninety-six percent of survey respondents said their data resilience is not at the level they would like it to be. Nearly a quarter of respondents said they are struggling with at least one of the following DORA requirements: establishing recovery and continuity testing; implementing incident reporting; identifying a DORA implementation lead; conducting digital operational resilience testing; and ensuring backup integrity and secure data recovery. DORA has also had some "unintended consequences," including "increased stress and pressure on IT and security teams, ... higher costs passed on by ICT vendors; ... the volume of digital regulation ... becoming a barrier to innovation or competition; ... [and] secur[ing] the necessary budget to meet DORA requirements." Survey data are derived from responses gathered from IT decision makers at firms in the UK, France, Germany, and the Netherlands.

Google Threat Intelligence Group (GTIG) has published a detailed blog post laying out defenses against attacks on VMware vSphere environments by UNC3944, also known as Scattered Spider, as part of the group's known pattern of targeted social engineering and lateral movement within a victim's systems. GTIG outlines and provides key detections, mitigations, and preventions for each step in UNC3944's phases of attack as the threat actor impersonates employees, escalates privileges in Active Directory (AD), pivots to compromising vSphere, establishes persistence, exfiltrates Domain Controller VMs' AD database core files through the hypervisor layer, and deletes backups before deploying ransomware. The three "pillars" of GTIG's defense strategy, each containing a list of specific recommendations, are setting and enforcing proactive hardening measures, breaking the attack chain through identity and architectural integrity, and establishing a "safety net" with advanced detection and recovery strategies. GTIG contends that this type of attack "requires a fundamental shift in defensive strategy, moving from EDR-based threat hunting to proactive, infrastructure-centric defense," noting that technical hardening complements informed alerts and logging to create a "symbiotic ... system where defense enables detection. Robust hardening is not just a barrier, it also creates friction for the threat actor, forcing them to attempt actions that are inherently suspicious." The US Cybersecurity and Infrastructure Security Agency has also updated a joint security advisory in collaboration with the FBI as well as with law enforcement and cybersecurity agencies in Canada, Australia, and the UK, adding new information about Scattered Spider's tactics, techniques, and procedures (TTPS), and urging organizations to maintain offline backups, enable phishing-resistant MFA, and implement application controls to control software execution.

On Monday, July 28, the US Cybersecurity and Infrastructure Security Agency (CISA) added three CVEs to their Known Exploited Vulnerabilities (KEV) catalog: a pair of critical injection vulnerabilities in Cisco Identity Services Engine (ISE), and a high severity cross-site request forgery (CSRF) vulnerability in PaperCut NG/MF print management software. The Cisco vulnerabilities (CVE-2025-20281 and CVE-2025-20337) were patched in June and July of this year; both have been identified as being actively exploited. The PaperCut vulnerability (CVE-2023-2533) was patched in June 2023. CISA warns that the vulnerability is currently being actively exploited. All three issues have mitigation due dates of August 18, 2025.

A broken access control vulnerability in the Post SMTP plugin for WordPress could be exploited to take control of unpatched websites. The flaw allows any registered user to access sensitive data on the site. The flaw was reported to PatchStack on May 23, 2025. The developers of Post SMTP (which stands for Simple Mail Transfer Protocol) plugin addressed the vulnerability in version 3.3.0, which they released on June 11, 2025. The plugin has more than 400,000 active installations; according to information from the plugin's WordPress statistic page, less than half of those instances have been updated to Post SMTP 3.3.0, leaving more than 200,000 instances potentially vulnerable.

In a blog post, the Threat Research Team at Socket describe a compromise of the GitHub organization account belonging to Toptal, a freelance employment platform, which was discovered when 73 repositories went public on July 20, 2025. Ten npm packages related to "Picasso," the site's component library for developers, each contained a malicious script designed to exfiltrate a target's GitHub authentication token and then attempt to recursively delete the entire filesystem without user interaction, on both Unix-based and Windows systems. Approximately 5,000 downloads of the malicious packages occurred before they were removed. The attack vector and timeline of compromise have not been determined, but Socket notes that "Toptal responded quickly once the compromise was identified and deprecated the malicious package versions and reverted to their last stable versions, preventing further distribution of the malicious code. This rapid response likely prevented significant additional damage to the developer community." Socket provides indicators of compromise (IoCs), and recommends enabling two-factor authentication, implementing branch protection rules, and monitoring for unusual publishing activity in repository visibility changes, also stating, "Developers must review package.json lifecycle scripts before installing dependencies, use automated security scanning in CI/CD pipelines, and regularly rotate authentication tokens. Security teams should monitor npm registry activity for unusual publication patterns, implement network egress filtering to detect credential exfiltration attempts, and create incident response procedures specifically for supply chain compromises."

A high-severity, remotely exploitable authentication bypass vulnerability affecting all versions of LG Innotek Camera Model LNV5110R will not receive a patch as the product has reached end-of-life (EoL). According to the US National Institute of Standards and Technology's National Vulnerability Database, "an authentication vulnerability exists in the LG Innotek camera model LNV5110R firmware that allows a malicious actor to upload an HTTP POST request to the device's non-volatile storage. This action may result in remote code execution that allows an attacker to run arbitrary commands on the target device at the administrator privilege level." CISA says the affected camera is used in commercial facilities worldwide, and "recommends [that] users take defensive measures to minimize the risk of exploitation of this vulnerability, such as minimiz[ing] network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet; locat[ing] control system networks and remote devices behind firewalls and isolating them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available."

Swiss medical group AMEOS, which operates healthcare facilities in Switzerland, Germany, and Austria, published a statement per Article 34 of the EU's General Data Protection Regulation (GDPR), disclosing a cyberattack. The timing and nature of the attack were not described, but upon discovery of unauthorized access AMEOS disconnected all network connections and shut down all systems, reviewed and tightened security measures, and notified the German Federal Office for Information Security (BSI) as well as law enforcement. Investigation is ongoing alongside IT and forensic service providers, in coordination with the Data Protection Commissioner. AMEOS does not fully list the types of information that may have been accessed, but cautions patients, employees, and partners to be wary of suspicious communications that may leverage stolen data or contact information. The notice states that there is not yet any concrete evidence of data leakage, promising prompt and transparent communication as new details arise.

A social engineering attack led to the compromise of sensitive information belonging to Allianz Life customers, financial professionals, and employees. The Minneapolis-based life insurance company said that “a malicious threat actor gained access to a third-party CRM (customer relationship management) system” on July 16, 2025. Allianz says the majority of their 1.4 million customers were affected by the breach. There is speculation that a group of threat actors known as ShinyHunters is responsible for the breach; the group has been linked to the PowerSchool and SnowFlake attacks.

St. Louis, Missouri-based BJC Health System, doing business as BJC HealthCare, has settled a class action lawsuit over the use of website tracking tools on their patient portal. The plaintiffs alleged that BJC HealthCare added tracking tools to their websites, and that these tools gathered sensitive information and shared it with third parties, including Meta and Google, without patient knowledge or consent. The settlement covers people who used the BJC HealthCare MyChart patient portal between June 2017 and August 2022. The organization will pay up to $9.25 million to cover legal fees, administrative costs, and $35 payments to settlement class members.