Cyber Security Headlines – August 13, 2025
Hosted by Hadas Kasorla from the CISO Series
Fortinet SSL VPNs Under Intense Attack
In today’s episode, Hadas Kasorla kicks off with alarming news about ongoing attacks targeting Fortinet’s SSL VPNs. “[...] only a couple of weeks after a critical Fortinet vulnerability was added to CISA's vulnerabilities catalog, an unrelated brute force attack on Fortinet's FortiOS was spotted by Internet threat tracker GreyNoise” ([00:00]). Starting August 3, 2025, over 780 malicious systems globally launched assaults on Fortinet’s SSL VPNs, specifically the FortiOS profile. Just two days later, the attackers pivoted to FortiManager using different techniques. GreyNoise analysts observe that such concentrated attack spikes often precede the disclosure of new vulnerabilities, indicating a possible setup for further exploits targeting Fortinet users. Hadas emphasizes the potential threat this poses and suggests that organizations relying on Fortinet’s products should remain vigilant.
The Netherlands Faces Critical Infrastructure Compromise
Shifting focus to Europe, Hadas discusses a significant security incident in the Netherlands. She notes, “The Netherlands, wishing they could plug their data breach as easily as the boy in the fable, is dealing with a serious Citrix NetScaler security incident” ([02:15]). Multiple critical infrastructure organizations within the country have been compromised through a memory overflow vulnerability. The National Cybersecurity Center reports that attackers exploited this flaw as early as May 2025, successfully gaining unauthorized access and subsequently wiping logs to obscure their activities. This breach underscores the persistent threat landscape and the necessity for robust defense mechanisms in safeguarding national infrastructure.
Africa Becomes the Most Targeted Region for Cyber Attacks
Hadas highlights a disturbing trend in cybercrime geography: Africa has surpassed all other regions as the most targeted for cyber attacks. “[...] Africa has overtaken all other regions as the most targeted in the world for cyber attacks, with Nigeria recording the sharpest rise in attack volume on the continent” ([04:30]). Many of these attacks originate from outside Africa; however, domestic cybercrime within Nigeria is notably significant. Groups such as SilverTerrier and BEC Syndicate operate from within the country, targeting victims worldwide. These actors exploit outdated infrastructure, including Internet service providers and unpatched enterprise servers, to run phishing, ransomware, and financial fraud campaigns. Hadas emphasizes the critical need for African nations to modernize their cybersecurity defenses to combat these pervasive threats effectively.
RansomHub Confirms Breach of Manpower’s Lansing Franchise
In a case study, Hadas reports on the ransomware group RansomHub’s breach of Manpower’s Lansing, Michigan staffing service franchise. “[...] almost as delayed as waiting for a recruiter to call you back after a job interview, RansomHub claimed it stole about 500 gigabytes of data” ([06:45]). The compromised data includes passport scans, Social Security numbers, driver’s licenses, financial statements, HR analytics, and confidential contracts. Although RansomHub removed the listing from its Dark Web site—often a sign of ransomware payments—no payment has been confirmed. The delay in Manpower’s announcement, eight months post-breach, highlights the challenges organizations face in timely disclosure and response to cyber incidents.
Cybercrime Groups Collaborate to Target Salesforce Users
Hadas delves into a coordinated campaign between cybercrime groups ShinyHunters and Scattered Spider targeting Salesforce users. “[...] the activity combines phishing, voice phishing, and malicious app-based attacks” ([09:10]). Techniques employed include impersonating IT support, making fraudulent phone calls, creating fake Okta-branded login pages, and setting up spoofed connected apps that mimic legitimate tools to harvest credentials and data. These malicious domains often adopt ticket-related themes, targeting industries such as luxury, retail, aviation, insurance, technology, and financial services. Researchers at ReliaQuest indicate that the collaboration between these groups suggests a strategic alliance aimed at maximizing the effectiveness of their attacks.
Reddit Blocks Internet Archive’s Wayback Machine from Indexing
In a notable policy shift, Reddit has moved to block the Internet Archive’s Wayback Machine from indexing all but its homepage. “[...] effectively cutting off access to individual posts, comments, user profiles, and subreddits” ([11:25]). This decision responds to AI firms leveraging archived Reddit data to circumvent the platform’s data access rules. Reddit frames this change as a measure to protect its business interests by preventing the free harvesting of content, which it now licenses to partners like Google and OpenAI. While Reddit officials believe this move enforces platform policies and safeguards user privacy, critics argue it jeopardizes web preservation efforts. The debate highlights the tension between data accessibility for innovation and the need to protect user data and platform integrity.
Emergence of Charon Ransomware Targeting the Middle East
Concluding the episode, Hadas discusses Trend Micro’s identification of a new ransomware strain, Charon, which is targeting public sector and aviation organizations in the Middle East. “[...] targeting public sector and aviation organizations in the Middle East with techniques usually reserved for state-sponsored espionage” ([13:40]). This ransomware employs sophisticated methods such as DLL sideloading, multi-stage encrypted payloads, process injection, and anti-EDR (Endpoint Detection and Response) evasion. Each ransom note is customized with the victim organization’s name, indicating deliberate and high-profile targeting. The techniques bear resemblance to those used by the China-linked Earth Baxia APT group, though Trend Micro remains uncertain whether Charon is directly affiliated with that group, imitates it, or independently developed these advanced methods.
Final Thoughts
Hadas wraps up by encouraging listeners to share their thoughts and feedback via email. She reiterates the importance of staying informed and proactive in cybersecurity measures: “Stay Alert, Stay Patched, Stay Hydrated” ([15:00]). For more detailed stories behind today’s headlines, she directs listeners to visit cisoseries.com.
Key Takeaways:
- Fortinet SSL VPNs are under significant and evolving attack, potentially signaling upcoming vulnerabilities.
- Dutch critical infrastructure has been compromised through a Citrix NetScaler vulnerability, highlighting national security risks.
- Africa, particularly Nigeria, is experiencing a surge in cyber attacks, driven by both domestic and international threats.
- RansomHub’s breach of Manpower underscores the challenges in timely breach disclosure and response.
- ShinyHunters and Scattered Spider’s collaboration presents sophisticated threats to Salesforce users across various industries.
- Reddit’s policy change impacts web preservation and data accessibility, sparking debate on data use and privacy.
- Charon ransomware employs state-level techniques, targeting sensitive sectors in the Middle East with precision.
Stay vigilant and informed to navigate the ever-evolving cybersecurity landscape effectively.
