
Lauren Verno
From the CISO Series, it's Cyber Security Headlines. These are the cybersecurity headlines for Tuesday, July 29, 2025. I'm Lauren Verno.

Hacktivist Attack Grounds Russian Flights
A politically motivated cyber attack forced Russia's Aeroflot airline to cancel dozens of flights. On Monday, the airline reported a system failure that led to at least 50 flight cancellations and multiple delays at Moscow's airport. The airline said ticket offices are also temporarily not processing refunds or rebookings, but will resume once services can be restored. Hacktivist groups Silent Crow and Belarusian Cyber Partisans have claimed responsibility for the attack and said the disruption followed a year-long compromise of Aeroflot's systems.

Naval Group Denies Breach, Hackers Beg to Differ
France's state-backed defense contractor Naval Group is denying claims it was hacked after a cybercriminal alleged they stole one terabyte of sensitive submarine data, including source code and classified technical documents. The threat group posted alleged proof samples and gave the company 72 hours to respond before promising a full leak. Naval Group says there are no signs of an IT systems breach, but they have launched an investigation.

Dating App Breach Exposes Thousands of Women's Pictures
A dating app marketed as a safer space for women was hacked, exposing images of tens of thousands of users. I'll pause for the irony. The app confirmed a breach that compromised 13,000 user-submitted selfies and 59,000 public images from posts and messages. The attack targeted a legacy storage system holding data from before February of 2024, despite the app's promise to delete verification photos immediately.

Scattered Spider Escalates Attacks on VMware ESXi
Scattered Spider is back in action, targeting VMware ESXi hypervisors at US companies in the retail, airline, transportation and insurance sectors. According to Google's Threat Intelligence Group, the group continues to rely on highly convincing social engineering and not software exploits to manipulate help desk staff and gain access to high-value systems. In some cases, the attackers impersonate IT administrators to hijack privileged accounts and move quickly from access to data theft and ransomware within hours, something we've seen many times before.

Huge thanks to today's episode sponsor, DropZone AI. Let me tell you about DropZone AI. They're revolutionizing how security teams work. Companies like CBTS and Zapier use their AI to investigate alerts automatically, freeing up analysts for the work that really matters. We're talking four 40-minute investigations done in three minutes. You can meet the DropZone team at Black Hat in Startup City, or just head to DropZone AI for a self-guided demo. That's DropZone AI. Trust me, this is the future of security operations.

Black Suit Down, Chaos Emerges
First it was Royal, then Black Suit, and now an even newer rebrand has emerged for the ransomware group, dubbed Chaos. The update came just as law enforcement seized Black Suit's Tor-based leak site in a global takedown called Operation Checkmate, replacing the site with the logos of 17 agencies and Bitdefender. Cisco Talos now links Chaos to the same operators, citing near-identical ransom notes, attack methods and encryption tactics, all signs pointing to the group already being back in business.

Beware of New Malware Attack
A new infostealer called Shuyal, that's S-H-U-Y-A-L, is targeting 19 browsers, including privacy-focused ones like Tor, while quietly gathering system data and stealing credentials. Researchers say it uses aggressive evasion techniques, disables Task Manager and deletes its own traces after exfiltrating data through Telegram bots. Now, distribution methods are still unknown, but like other stealers, it could be a precursor to larger attacks like ransomware or business email compromise.

PaperCut Exploit in Need of Band-Aid
CISA is warning that hackers are exploiting a high-severity vulnerability in PaperCut NG/MF print management software that can lead to remote code execution. The flaw was patched in June of 2023, but CISA recently added it to its Known Exploited Vulnerabilities catalog, giving federal agencies until August 18th to patch it. The software is used by more than 100 million people across 70,000 organizations.

Starlink Scambrite
A US senator is calling on SpaceX to crack down on scammers using its Starlink Internet service to run large-scale cyber fraud operations across Southeast Asia. Human rights groups and UN reports have repeatedly linked Starlink to scam compounds that rely on its portability and independence from national telecom networks. With sightings increasing and usage reportedly doubling in some regions, the senator is demanding answers on what SpaceX is doing to stop the abuse.

We don't go a week without hearing a story about a data breach caused by a third party. We're increasingly realizing the risk posed by the parties we have the least control over. Some extremely large organizations can exert pressure to raise standards for third-party security, but what can the rest of us do to contain these risks better? That's one of the segments we're discussing this week on the CISO Series Podcast. Look for the episode "Cosmo: 23 Ways to Make Your Vendors Obsessed with Your Security Standards" wherever you get your podcasts. And if you have some thoughts on the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you. I'm Lauren Verno reporting for the CISO Series. Cyber Security Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.
Cyber Security Headlines - July 29, 2025
Hosted by Lauren Verno, CISO Series
In a significant disruption, Russia's Aeroflot airline was forced to cancel over 50 flights and experience multiple delays at Moscow's airport due to a politically motivated cyber attack. The incident occurred on Monday when Aeroflot reported a system failure affecting their operations. The airline also announced that their ticket offices are temporarily unable to process refunds or rebookings, though services are expected to resume once the systems are restored.
Notable Quote:
Lauren Verno (00:35): "Hacktivist groups Silent Crow and Belarusian Cyber Partisans have claimed responsibility for the attack, stating that the disruption follows a year-long compromise of Aeroflot's systems."
France's state-backed defense contractor, Naval Group, is vehemently denying claims of a cyber breach after a cybercriminal alleged the theft of one terabyte of sensitive submarine data, including source code and classified technical documents. The threat group responsible posted what they claim to be proof samples and issued a 72-hour ultimatum for a response before threatening a full data leak.
Notable Quote:
Lauren Verno (02:15): "Naval Group asserts there are no signs of an IT systems breach but has initiated a thorough investigation to address the allegations."
In an ironic twist, a dating application marketed as a safer space for women suffered a data breach that exposed images of tens of thousands of users. Specifically, the breach compromised 13,000 user-submitted selfies and 59,000 public images from posts and messages. The attack targeted a legacy storage system containing data from before February 2024, despite the app's commitment to deleting verification photos immediately.
Notable Quote:
Lauren Verno (04:20): "The app's promise to delete verification photos immediately was undermined when attackers accessed legacy systems holding older data."
The cyber threat group Scattered Spider has ramped up its attacks targeting VMware ESXi hypervisors across US companies in various sectors, including retail, airlines, transportation, and insurance. According to Google's Threat Intelligence Group, the group predominantly uses sophisticated social engineering techniques rather than software exploits to infiltrate organizations. They often impersonate IT administrators to hijack privileged accounts, swiftly transitioning from access to data theft and ransomware deployment within hours.
Notable Quote:
Lauren Verno (06:45): "Scattered Spider continues to rely on highly convincing social engineering tactics, manipulating help desk staff to gain access to high-value systems."
In the ongoing saga of ransomware groups, Chaos emerges as the new identity, succeeding the previously known Black Suit. This rebranding coincided with a global law enforcement operation named Operation Checkmate, which seized Black Suit's Tor-based leak site and replaced it with the logos of 17 agencies and Bitdefender. The rebrand signals the group's attempt to return under a new guise.
Notable Quote:
Lauren Verno (08:30): "Cisco Talos now links Chaos to the same operators as Black Suit, citing near identical ransom notes and attack methods, indicating the group's rapid resurgence."
A new infostealer named Shuyal has been identified, targeting 19 different browsers, including privacy-focused ones like Tor. Shuyal quietly gathers system data and steals credentials while employing aggressive evasion techniques. It disables Task Manager and eradicates its own traces post-exfiltration, sending stolen data through Telegram bots. While current distribution methods remain unknown, experts warn that Shuyal could pave the way for larger attacks such as ransomware or business email compromises.
Notable Quote:
Lauren Verno (10:10): "Shuyal's ability to disable Task Manager and delete its own traces makes it a formidable threat, potentially serving as a precursor to more severe cyber attacks."
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding the exploitation of a high-severity vulnerability in PaperCut NG/MF print management software. This flaw can lead to remote code execution and was originally patched in June 2023. Recently, it has been added to CISA's Known Exploited Vulnerabilities catalog, urging federal agencies to apply the patch by August 18. PaperCut software is widely used, with over 100 million users across 70,000 organizations globally.
Notable Quote:
Lauren Verno (12:00): "Despite the patch released in June 2023, the persistence of exploiting this vulnerability highlights the critical need for timely updates, especially for widely used software like PaperCut."
A US senator has called on SpaceX to take decisive action against scammers leveraging its Starlink Internet service for large-scale cyber fraud operations in Southeast Asia. Human rights groups and UN reports have consistently linked Starlink to scam operations due to its portability and detachment from national telecom networks. With reports of usage doubling in some regions and increased sightings, the senator is demanding transparency and measures to prevent the abuse of Starlink's services.
Notable Quote:
Lauren Verno (13:45): "The portability and independence of Starlink have made it a preferred tool for scam operations, prompting urgent calls for SpaceX to implement stricter controls."
The episode concludes with a discussion on the pervasive risk posed by third-party data breaches. Lauren Verno emphasizes the growing realization that organizations are often most vulnerable through parties they have the least control over. While large organizations can pressure their vendors to improve security standards, smaller entities may struggle to contain these risks effectively.
Notable Quote:
Lauren Verno (15:30): "We don't go a week without hearing a story about a data breach caused by a third party. It's crucial to explore strategies to better manage and mitigate these risks."
Listeners are encouraged to look out for the upcoming CISO Series podcast episode titled "Cosmo: 23 Ways to Make Your Vendors Obsessed with Your Security Standards", which will delve deeper into strategies for enhancing third-party security.
For more detailed stories and updates, visit CISOseries.com.