
Hadas Kasorla
From the CISO Series, it's Cyber Security Headlines. These are the Cyber Security Headlines for August 13, 2025. I'm Hadas Kasorla.

The hits just keep on coming. Only a couple of weeks after a critical Fortinet vulnerability was added to CISA's vulnerabilities catalog, an unrelated brute force attack on Fortinet's FortiOS was spotted by Internet threat tracker GreyNoise. Starting on August 3, 2025, more than 780 malicious systems around the world began hammering at Fortinet's SSL VPNs, specifically targeting the FortiOS profile. Two days later, the attackers shifted focus to FortiManager, using a different method. GreyNoise notes that these kinds of concentrated attack spikes often appear shortly before new vulnerabilities are disclosed, suggesting this could be the prelude to another round of bad news for Fortinet users.

Where's the little Dutch boy when you need him? The Netherlands, wishing they could plug their data breach as easily as the boy in the fable, is dealing with a serious Citrix NetScaler security incident. Dutch authorities report that multiple critical infrastructure organizations have been compromised through a memory overflow vulnerability. According to their National Cyber Security Centre, attackers exploited the flaw as early as May 2025, gained access, and then wiped logs to hide their tracks.

I felt the ransomware down in Africa. New data shows Africa has overtaken all other regions as the most targeted in the world for cyber attacks, with Nigeria recording the sharpest rise in attack volume on the continent. While many of these incidents are launched from outside Africa, Nigeria also has significant domestic cybercrime activity, with groups like the SilverTerrier BEC syndicate operating from within its borders and targeting victims globally. These actors, along with foreign counterparts, frequently exploit outdated infrastructure like Internet service providers and unpatched enterprise servers, which remain major conduits for phishing, ransomware and financial fraud campaigns.

We are confirming the breach you already knew about. Eight months after ransomware group RansomHub first announced it had breached Manpower's Lansing, Michigan staffing service franchise, the company has finally confirmed the attack and revealed the number of people affected, an announcement almost as delayed as waiting for a recruiter to call you back after a job interview. RansomHub claimed it stole about 500 gigabytes of data, including passport scans, Social Security and driver's license numbers, financial statements, HR analytics and confidential contracts. The group later removed the listing from its dark web leak site, a move often associated with ransomware payments, though no payment has been confirmed. But pinpointing when it disappeared is tricky, as the leak site was offline for parts of April and May during downtime and migration.

Huge thanks to our sponsor Vanta. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs we rely on point-in-time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get started at vanta.com/headlines.

Hey Federal Trade Commission, can you block this merger? Cybercrime groups ShinyHunters and Scattered Spider are working together in a coordinated campaign targeting Salesforce users, according to researchers at ReliaQuest. The activity combines phishing, voice phishing and malicious app-based attacks. Techniques include impersonating IT support in phone calls, creating fake Okta-branded login pages, and setting up spoofed connected apps that look like legitimate tools to collect credentials and data. Many of the malicious domains use ticket-related themes and target industries including luxury, retail, aviation, insurance, technology and financial services. Researchers are saying the tactics align with known methods from both groups and suggest a deliberate collaboration.

Reddit mods, scrapes. Reddit has moved to block the Internet Archive's Wayback Machine from indexing all but its homepage, effectively cutting off access to individual posts, comments, user profiles and subreddits. The company says the decision comes in response to AI firms using archived Reddit data to bypass the platform's data access rules, and also frames it as a way to protect its business by preventing the free harvesting of content it now licenses to partners like Google and OpenAI. Reddit officials alerted the nonprofit Archive in advance and say the changes will help enforce platform policy and protect user privacy. Critics argue the move undermines Web preservation, while supporters see it as a necessary step to close loopholes and safeguard both users and Reddit's commercial interests.

Don't pay the ferryman. Trend Micro has identified a new ransomware strain called Charon, spelled C-H-A-R-O-N, targeting public sector and aviation organizations in the Middle East with techniques usually reserved for state-sponsored espionage. The campaign uses DLL sideloading, multi-stage encrypted payloads, process injection and anti-EDR evasion, all methods usually reserved for stealing state secrets, not demanding ransoms. Each ransom note is customized with the victim organization's name, underscoring deliberate targeting. The methods closely mirror those of the China-linked Earth Baxia APT group, but Trend Micro says this could be direct involvement, imitation or independent development.

Remember, if you have some thoughts on the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you. I'm Hadas Kasorla, reporting for the CISO Series. Stay alert, stay patched, stay hydrated. Cyber Security Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines – August 13, 2025
Hosted by Hadas Kasorla from the CISO Series
In today's episode, Hadas Kasorla kicks off with news about ongoing attacks targeting Fortinet's SSL VPNs. "[...] only a couple of weeks after a critical Fortinet vulnerability was added to CISA's vulnerabilities catalog, an unrelated brute force attack on Fortinet's FortiOS was spotted by Internet threat tracker GreyNoise" ([00:00]). Starting August 3, 2025, over 780 malicious systems globally launched brute force attempts against Fortinet's SSL VPNs, specifically the FortiOS profile. Just two days later, the attackers pivoted to FortiManager using a different technique. GreyNoise analysts observe that such concentrated attack spikes often precede the disclosure of new vulnerabilities, indicating a possible setup for further exploitation targeting Fortinet users. Hadas emphasizes the potential threat this poses, suggesting vigilance is warranted for organizations relying on Fortinet products.
Shifting focus to Europe, Hadas discusses a significant security incident in the Netherlands. She notes, "The Netherlands, wishing they could plug their data breach as easily as the boy in the fable, is dealing with a serious Citrix NetScaler security incident" ([02:15]). Multiple critical infrastructure organizations within the country have been compromised through a memory overflow vulnerability. The National Cyber Security Centre reports that attackers exploited this flaw as early as May 2025, successfully gaining unauthorized access and subsequently wiping logs to obscure their activities. The log wiping is notable because it removes the evidence defenders would rely on to scope the intrusion, which is why the NCSC's guidance centers on forensic investigation rather than patching alone.
Hadas highlights a shift in cybercrime geography: Africa has surpassed all other regions as the most targeted for cyber attacks. "[...] Africa has overtaken all other regions as the most targeted in the world for cyber attacks, with Nigeria recording the sharpest rise in attack volume on the continent" ([04:30]). Many of these attacks originate from outside Africa; however, domestic cybercrime within Nigeria is notably significant. Groups such as the SilverTerrier BEC syndicate operate from within the country, targeting victims worldwide. These actors exploit outdated infrastructure, including Internet service providers and unpatched enterprise servers, as conduits for phishing, ransomware, and financial fraud campaigns.
Next, Hadas reports on the ransomware group RansomHub's breach of Manpower's Lansing, Michigan staffing service franchise. "[...] almost as delayed as waiting for a recruiter to call you back after a job interview, RansomHub claimed it stole about 500 gigabytes of data" ([06:45]). The compromised data includes passport scans, Social Security numbers, driver's license numbers, financial statements, HR analytics, and confidential contracts. Although RansomHub removed the listing from its dark web leak site, often a sign that a ransom was paid, no payment has been confirmed, and the leak site's downtime in April and May makes it hard to tell when the listing disappeared. The delay in Manpower's announcement, eight months after the group's claim, highlights the challenges organizations face in timely disclosure and response to cyber incidents.
Hadas delves into a coordinated campaign between cybercrime groups ShinyHunters and Scattered Spider targeting Salesforce users. "[...] the activity combines phishing, voice phishing, and malicious app-based attacks" ([09:10]). Techniques employed include impersonating IT support over the phone, creating fake Okta-branded login pages, and setting up spoofed connected apps that mimic legitimate tools to harvest credentials and data. The malicious domains often adopt ticket-related themes and target industries such as luxury, retail, aviation, insurance, technology, and financial services. Researchers at ReliaQuest say the tactics align with known methods from both groups and point to a deliberate collaboration.
In a notable policy shift, Reddit has moved to block the Internet Archive’s Wayback Machine from indexing all but its homepage. “[...] effectively cutting off access to individual posts, comments, user profiles, and subreddits” ([11:25]). This decision responds to AI firms leveraging archived Reddit data to circumvent the platform’s data access rules. Reddit frames this change as a measure to protect its business interests by preventing the free harvesting of content, which it now licenses to partners like Google and OpenAI. While Reddit officials believe this move enforces platform policies and safeguards user privacy, critics argue it jeopardizes web preservation efforts. The debate highlights the tension between data accessibility for innovation and the need to protect user data and platform integrity.
Concluding the episode, Hadas discusses Trend Micro's identification of a new ransomware strain, Charon, which is targeting public sector and aviation organizations in the Middle East. "[...] targeting public sector and aviation organizations in the Middle East with techniques usually reserved for state-sponsored espionage" ([13:40]). This ransomware employs methods such as DLL sideloading, multi-stage encrypted payloads, process injection, and anti-EDR (Endpoint Detection and Response) evasion. Each ransom note is customized with the victim organization's name, indicating deliberate targeting. The techniques resemble those used by the China-linked Earth Baxia APT group, though Trend Micro remains uncertain whether this reflects direct involvement, imitation, or independent development.
Hadas wraps up by encouraging listeners to share their thoughts and feedback via email. She reiterates the importance of staying informed and proactive in cybersecurity measures: “Stay Alert, Stay Patched, Stay Hydrated” ([15:00]). For more detailed stories behind today’s headlines, she directs listeners to visit cisoseries.com.
Key Takeaways:
Stay vigilant and informed to navigate the ever-evolving cybersecurity landscape effectively.