July 2025 Cyber Environment Update

Ben Watson, Alan Grant | SOC Analysts | 1 August 2025

Welcome to Fortian's July 2025 cyber environment update

In July 2025: 

  • Australian airline Qantas suffered a data breach affecting over 6 million customers, allegedly at the hands of Scattered Spider, the threat actor responsible for the Marks & Spencer, Harrods and Co-op breaches, as well as the 2023 MGM cyber incident.
  • The Australian Defence Force has unveiled plans to establish a specialist cyber reserve capability.
  • President Trump signed his "Big Beautiful Bill" allocating $1 billion to "offensive cyber operations".
  • The United Kingdom government announced it intends to ban ransomware payments by public sector organisations and critical infrastructure operators.
  • Chinese state-sponsored groups Linen Typhoon and Violet Typhoon used an attack chain dubbed "ToolShell" to exploit a zero-day SharePoint vulnerability and breach government, telecommunications and software sector entities.
  • A breach of a McDonald's admin account with the password "123456" led to the exposure of 64 million records.

 

International cyber policy developments

Trump allocates $1 billion to offensive cyber operations

The Trump administration’s “One Big Beautiful Bill”, which passed the US Senate on 1 July 2025, allocates US$1 billion over four years to bolster US offensive cyber operations, particularly under the Indo-Pacific Command. There is little detail about what these offensive cyber operations entail, but there is some speculation that they will target China. (Yahoo)

Supporters argue this investment strengthens deterrence against adversaries such as China and Russia, positioning the US for strategic dominance in cyberspace.

However, critics point out that the Trump administration has simultaneously cut more than US$1 billion from defensive cybersecurity programs, including workforce reductions at agencies such as CISA. The resulting imbalance between offensive and defensive capabilities could escalate cyber conflicts and leave US critical infrastructure and private sector networks more vulnerable to retaliatory attacks. (TechCrunch)

UK to ban ransomware payments

The UK government has proposed (www.gov.uk) a package of measures aimed at combating ransomware, anchored by two key initiatives:

  • A targeted ban on ransomware payments by public sector bodies (including NHS entities, local councils and schools) and operators of regulated critical national infrastructure (CNI) such as energy, telecoms and transportation systems. This seeks to eliminate the financial incentive for attackers to target services essential to public welfare.
  • An economy-wide mandatory reporting requirement. Under the prevention regime, organisations outside the ban would be required to notify authorities of any intent to pay a ransom. The government could then provide advice and support, including notifying businesses if a payment risks breaking the law by sending money to sanctioned cyber groups. The reporting requirement would also oblige victims to submit an initial incident report within 72 hours, with a more detailed follow-up expected within 28 days.

The UK’s planned ransomware policy represents one of the most assertive approaches globally to disrupting the ransomware economy. By removing the option for essential services to make payments, the UK aims to cut off funding streams for cybercriminals and reduce their incentive to target critical services.

In Australia, a similar approach was considered during the development of the 2023–2030 Cyber Security Strategy, with policymakers discussing the potential for an outright ban. However, this idea did not progress due to concerns about operational risk to victim organisations and the readiness of sectors to recover without ransom payments. Instead, Australia opted for a regime which requires mandatory reporting of ransomware payments within 72 hours but does not prohibit them.

UK imposes sanctions on Russia

The UK Foreign Office imposed new sanctions on Russia's GRU military intelligence agency and 18 of its officers for an alleged "sustained campaign of malicious cyber activity". The activity involved the use of novel malware to steal victims' credentials for Microsoft products. Britain's National Cyber Security Centre released an advisory on the malware, which it dubbed "Authentic Antics". The advisory describes Authentic Antics as a persistent strain of malware that runs within Outlook processes to give long-term access to victims' email accounts. It evades detection by limiting execution to once every six days and by hiding in legitimate Outlook processes. The advisory contains indicators of compromise and detection rules that organisations should use to review system logs for any signs of compromise. (bbc) (NCSC advisory)

Australian cyber policy and legal developments

Australia to establish cyber reserves

The Australian Defence Force has officially unveiled plans to establish a specialist cyber reserve capability, following key recommendations from the Strategic Review of the ADF Reserves (defence.gov.au). This initiative calls for a dedicated cyber reserve workforce designed to bolster national resilience, enhance sovereign cyber capacity, and support Defence missions with skilled personnel sourced from industry and academia. The concept envisions flexible, mid-career entry pathways through reservist roles, along with organisational design and policy frameworks that recognise cyber as a specialist domain. The workforce is envisaged to be operational by early 2026.

Legal developments: ASIC files charges against Fortnum Private Wealth

The Australian Securities and Investments Commission (ASIC) is suing Fortnum Private Wealth (FPW) over alleged failures in managing cyber security risks, claiming the firm did not have adequate policies, systems, or expertise in place to protect sensitive client data. The legal action relates to multiple cyber incidents between 2021 and 2022, including a major breach that saw data from over 9,000 clients published on the dark web. ASIC argues that FPW failed to ensure proper cyber training for its authorised representatives, lacked in-house or external cyber security expertise, and did not adequately supervise its cyber risk framework. In response, FPW CEO Matt Brown strongly denied the allegations, stating that the primary breach involved legacy data unrelated to FPW’s own advice, no client funds were lost, and the company has continued to invest in cyber resilience. (ASIC)

This case marks the third cyber-related enforcement action undertaken by ASIC in recent years, following proceedings against RI Advice in 2022 and FIIG group in 2025, and emphasises the need for Australian organisations to manage cyber risk holistically.

 

Australian Cyber Incidents / Breaches

Qantas breached impacting 6 million customers

On 1 July, Qantas suffered a significant cybersecurity incident impacting 6 million Qantas frequent flyer members. Threat actors used vishing (phishing via phone call) against a third-party call centre in the Philippines to gain access to a customer database hosted in Salesforce. Data impacted in the breach included names, email addresses, phone numbers, birth dates and frequent flyer numbers. (Qantas advisory) No threat actor has been formally attributed to the attack; however, the techniques and assets targeted aligned with the modus operandi of two threat actor groups: Scattered Spider and UNC6040.

Qantas has obtained an interim injunction from the NSW Supreme Court to prevent the stolen data from being accessed, viewed, released or published. According to partially redacted documents obtained from the NSW Supreme Court, Qantas received a number of email communications from the hackers informing them of the breach, along with details of the data that had been stolen. (Cyberdaily)

While Qantas has not confirmed whether a ransom demand has been received, the fact that the airline was in communication with the attacker implies that some form of extortion demand may have been made.

The Qantas breach was via a third-party call centre. To mitigate these kinds of attack scenarios, organisations should focus on strengthening their third-party cyber risk management programs, with a specific focus on improving call centre security controls. Processes and training should be implemented to ensure call centre help-desk staff are able to resist social engineering techniques and verify the identity of employees before making changes to, or sharing, security-related information.

Clive Palmer’s United Australia Party (UAP) and the Trumpet of Patriots hit by ransomware

Clive Palmer’s United Australia Party (UAP) and the Trumpet of Patriots have confirmed they were hit by a ransomware attack on 23 June 2025 resulting in the possible exposure of all emails, attachments, and internal documents held electronically by the parties. The compromised data may have included personal information such as email addresses, phone numbers, identity and banking records, and confidential documents. The UAP admitted it cannot identify all affected individuals and has deemed it "impracticable" to notify them directly. The breach has been reported to the Australian Signals Directorate and the Office of the Australian Information Commissioner. (cyberdaily)

Northern Territory government agency succumbs to BEC scam

In July 2025, an undisclosed Northern Territory government agency fell victim to a business email compromise (BEC) scam. A Sydney-based attacker created a fake vendor identity and tricked the agency into transferring over $3.5 million to a fraudulent account. The alleged attacker was arrested and the Australian Federal Police recovered most of the funds, leaving the agency with a loss of under $12,000. This incident underscores the risks of BEC scams, which often involve impersonating vendors to deceive finance teams. Organisations should take simple steps such as turning on multi-factor authentication, setting up auto-renewal of domain names, and training staff to spot BEC emails to lower the chance of falling victim to such a scam. Further tips are available in the ASD advisory. (ITnews) (ASD advisory)

Metricon Homes confirms ransomware incident

Metricon Homes, one of Australia's largest building companies, has confirmed it was the victim of a ransomware attack (Metricon). The attack has been attributed to the Qilin group, which posted to a dark web breach forum claiming to have stolen 128 GB of sensitive company data. The stolen information reportedly includes financial records, employee salary and commission details, credit card receipts, architectural plans, and marketing materials. Qilin has posted data samples to the dark web as proof and is threatening to release the full data set. Metricon acknowledged the cyber incident, stating that internal systems were temporarily disrupted but have since been restored. (Cyberdaily)

 

International cyber incidents

Microsoft SharePoint zero-day vulnerability exploited by Chinese threat actors

Chinese nation-state actors Linen Typhoon and Violet Typhoon were among threat actors chaining the exploitation of vulnerabilities in Microsoft SharePoint, including one zero-day vulnerability, to compromise over 54 organisations in July. The attack chain, dubbed "ToolShell", involved exploiting a misconfiguration in the SharePoint system page "ToolPane.aspx" to give attackers unauthenticated remote code execution. Initial breaches featured government, telecommunications and software sector entities in North America and Western Europe, suggesting the attacks were strategic and coordinated by a sophisticated threat actor. CISA added the vulnerabilities, CVE-2025-53770 and CVE-2025-53771, to its Known Exploited Vulnerabilities catalogue and ordered federal agencies to apply patches within one day of release. Microsoft released several indicators of compromise associated with the attacks and has now published a patch. Organisations should review system logs for indicators of compromise and apply patches as a matter of priority. (bleepingcomputer)

The US National Nuclear Security Administration was among organisations breached. While the breach affected some on-premises SharePoint systems, no classified data was reportedly compromised due to this data being hosted in Microsoft 365 cloud services. (theverge)

McDonald’s AI-powered hiring site suffers breach

Security researchers recently uncovered that millions of job applicants' personal information was exposed on McHire.com, McDonald’s AI-powered hiring site operated by Paradox.ai. The breach occurred because of a weak admin password, “123456”, which allowed access to over 64 million records, including names, emails and phone numbers. While Paradox claimed the affected account was a long-unused test account and that no sensitive data such as Social Security numbers was exposed, further investigation revealed deeper issues. A developer in Vietnam had their device infected by Nexus Stealer malware, which leaked numerous weak and reused passwords for internal and third-party services, including credentials linked to Fortune 500 companies. Although Paradox asserts most of the compromised credentials were outdated and that multi-factor authentication is enforced via single sign-on (SSO), the exposed data included valid login credentials to Paradox’s SSO system as recently as June 2025. (krebs)

UK arrests Scattered Spider members

UK authorities arrested four individuals aged 17 to 20 linked to cyberattacks on Marks & Spencer, Harrods, and Co-op, believed to be tied to the cybercrime group Scattered Spider. The group is known for social engineering and extortion tactics, recently shifting focus to retail and airlines. Two suspects identified are Owen David Flowers, allegedly involved in the 2023 MGM Resorts hack and known by aliases “bo764,” “Holy,” and “Nazi,” and Thalha Jubair, 19, reportedly a founding member of the “Star Fraud Chat” Telegram group. Jubair, who used handles like “Earth2Star” and “Star Ace,” was also linked to SIM-swapping attacks on T-Mobile and was reportedly part of the LAPSUS$ group that breached major tech firms in 2022. (krebs)

Chinese hacking groups target Taiwan’s semiconductor industry

Cybersecurity researchers at Proofpoint identified a rise in Chinese-linked cyber espionage campaigns targeting Taiwan’s semiconductor industry and financial analysts, amid growing US–China semiconductor tensions. Between March and June 2025, at least three distinct China-aligned hacking groups attacked 15–20 organisations, including chip manufacturers and investment firms in Asia and the US.

Tactics included spear-phishing emails, some sent from compromised Taiwanese university accounts, and disguised malware embedded in job applications or collaboration requests. These emails often used PDFs or password-protected archives to deliver malicious payloads.

The campaigns align with China’s strategic goal of overcoming U.S. chip export restrictions by gathering intelligence on Taiwan’s semiconductor supply chain. A separate attack linked to the group "Amoeba" even targeted a chemical company critical to chip production. While the specific victims and impact remain undisclosed, the campaigns underscore the persistent threat posed by state-aligned cyber actors seeking access to sensitive technological and economic data. (reuters)

Dell systems breached leaking 1.3TB of data

Dell Technologies confirmed a recent breach of its internal Solution Center platform that led to the leakage of 1.3TB of data. The platform is used to simulate and test products for commercial clients, and Dell emphasised that it is isolated from customer networks and contains mostly synthetic or publicly available data. While Dell has not revealed the attackers' identity, the WorldLeaks ransomware group, linked to former Hive and Hunters International members, has claimed responsibility. Cybersecurity experts suggest the group may also be connected to recent SonicWall-related data theft campaigns. (bleepingcomputer)

ACSC and CISA Advisories

In July, the ACSC issued the following advisories:

  • Citrix NetScaler ADC and Gateway Critical Vulnerabilities (4 July 2025):
    ACSC alerted organisations to critical flaws (CVE‑2025‑5349, CVE‑2025‑5777, and later CVE‑2025‑6543) affecting Citrix NetScaler ADC and Gateway appliances, including memory overflow and access-control issues enabling session hijacking, data exposure, or denial-of-service attacks. The advisory urged immediate patching to fixed versions and post-patch mitigation steps like session resets and log monitoring. Organisations were also advised to report any indicators of compromise to ACSC via its hotline. (ACSC)
  • Microsoft Office SharePoint Server Vulnerability (20 July 2025):
    ACSC issued a critical advisory for a remote code execution vulnerability (CVE‑2025‑53770) in Microsoft SharePoint Server. The bug was actively exploited, allowing attackers to remotely execute code. ACSC recommended urgent patch deployment, configuration review, and enhanced monitoring to detect exploitation attempts. (ACSC)
  • Scattered Spider Threat Actor Advisory (30 July 2025):
    ACSC issued an advisory detailing the tactics of the Scattered Spider group (also tracked as UNC3944), known for sophisticated social engineering such as SIM-swapping, vishing and helpdesk impersonation, and for the use of legitimate remote access tools in targeted intrusions. The advisory included mitigations such as enforcing MFA, bolstering access controls, adopting threat intelligence feeds, and implementing proactive detection and response mechanisms. (ACSC)

In July, CISA also released an advisory warning that a critical remote code execution (RCE) vulnerability in Wing FTP Server, which is used globally, including in Australia and New Zealand, is being actively exploited. Discovered on 30 June 2025, the flaw allows attackers to inject Lua code via mishandled \0 (null) bytes, enabling full server compromise even through anonymous FTP access. CISA rated the flaw 10/10 in severity and urged immediate updates to version 7.4.4. Over 5,000 vulnerable instances were found online, including high-profile users such as the US Air Force, Sony and Airbus. While the latest update fixes the RCE, it does not address the server running by default with overly permissive root/SYSTEM privileges. (ITnews)
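The null-byte mechanism described above is a textbook check-versus-use mismatch: a check that stops at the first \0, as C-string APIs do, sees a short, benign username, while the code that later consumes the input writes out the full byte sequence, including everything after the \0. The Python below is an added illustration of that generic pattern and of the validation that closes it; it is not Wing FTP's code and does not reproduce its Lua handling. The function names (`c_string_view`, `vulnerable_is_anonymous`, `hardened_validate_username` and the rest) are hypothetical, and the tainted input is constructed.

```python
"""Why checking a C-string view of input and then using the full bytes is unsafe.

Added illustration of the generic null-byte truncation pattern; not Wing FTP code.
"""
import string

# Constructed inputs (not captured traffic).
CLEAN_USERNAME = b"anonymous"
TAINTED_USERNAME = b"anonymous\x00<bytes the C-string check never sees>"

MAX_USERNAME_LEN = 64
ALLOWED_CHARS = set(string.ascii_letters + string.digits + "._-@")


def c_string_view(data: bytes) -> bytes:
    """Return what a NUL-terminated C-string API sees: the bytes before the first \\0."""
    nul = data.find(b"\x00")
    return data if nul == -1 else data[:nul]


def hidden_bytes(data: bytes) -> bytes:
    """Return the bytes after the first \\0, i.e. what a C-string check never examines."""
    nul = data.find(b"\x00")
    return b"" if nul == -1 else data[nul + 1:]


def vulnerable_is_anonymous(username: bytes) -> bool:
    """Flawed check: compares only the truncated view, so trailing bytes ride along."""
    return c_string_view(username) == b"anonymous"


def vulnerable_session_record(username: bytes) -> str:
    """Flawed use: the full byte sequence (hidden tail included) reaches the session file."""
    return "user = " + username.decode("latin-1") + "\n"


def hardened_validate_username(username: bytes) -> str:
    """Validate exactly the bytes that will later be used.

    Rejects anything a C-string check could disagree about (embedded NUL), anything
    over-long, and anything outside a tight allow-list of ASCII characters.
    """
    if b"\x00" in username:
        raise ValueError("embedded NUL byte in username")
    if len(username) > MAX_USERNAME_LEN:
        raise ValueError("username too long")
    text = username.decode("ascii", errors="strict")  # UnicodeDecodeError is a ValueError
    if not text or any(ch not in ALLOWED_CHARS for ch in text):
        raise ValueError("username contains disallowed characters")
    return text


def hardened_session_record(username: bytes) -> str:
    """Safe use: only the validated text is written, so check and use agree."""
    return "user = " + hardened_validate_username(username) + "\n"


def hardened_rejects(username: bytes) -> bool:
    """True if the hardened validator refuses the input."""
    try:
        hardened_validate_username(username)
    except ValueError:
        return True
    return False


def demo():
    """Show the two code paths disagreeing on the same tainted input."""
    accepted = vulnerable_is_anonymous(TAINTED_USERNAME)  # True: the check saw only "anonymous"
    tail = hidden_bytes(TAINTED_USERNAME)                  # the bytes that slipped past it
    rejected = hardened_rejects(TAINTED_USERNAME)          # True: NUL is refused outright
    return accepted, tail, rejected


if __name__ == "__main__":
    accepted, tail, rejected = demo()
    print(f"vulnerable check accepted tainted input: {accepted}")
    print(f"bytes hidden from the check: {tail!r}")
    print(f"hardened validator rejected it: {rejected}")
```

The fix is not clever escaping but agreement: the validator inspects the same bytes the writer will emit, and it refuses NUL outright rather than trying to reason about what a downstream interpreter would do with it. The same rule applies wherever input crosses a boundary between a length-prefixed representation and a NUL-terminated one.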

Takeaways for Australian organisations

Australian organisations should consider undertaking the following actions: 

  • Review third-party cyber risk management. The Qantas breach stemmed from a compromised third-party call centre. To prevent similar incidents, organisations should strengthen third-party cyber risk management and enhance call centre security by training help-desk staff to resist social engineering and requiring strict identity verification before making changes or sharing sensitive information.
  • Conduct a SharePoint threat hunt. Two SharePoint zero-day vulnerabilities were actively exploited in June giving attackers remote access to fully patched SharePoint systems at a number of significant entities. Organisations should review logs for indicators of compromise supplied by Microsoft and urgently apply patches. (bleepingcomputer)
  • Conduct user awareness training and implement technical security controls to combat Business Email Compromise (BEC). The loss of $3.5 million to a BEC scam by a Northern Territory government agency highlights the potential impact of these attacks and the importance of implementing controls to minimise the risk of compromise. Organisations should take simple steps such as turning on multi-factor authentication, setting up auto-renewal of domain names, and training staff to spot BEC emails. For further mitigations see the ASD advisory on preventing BEC. (ASD advisory)
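The SharePoint incident write-up and the threat-hunt takeaway above both come down to the same log review: find requests to ToolPane.aspx that the server handled without an authenticated user, which is the access the ToolShell chain relied on. The Python below is an added example of that review, not Microsoft's detection logic or anything taken from the advisories. It parses the IIS W3C format by its #Fields header and runs over a constructed sample log (the dates, IP addresses, host name and CONTOSO accounts are made up). The only indicator it uses is the one this update gives, ToolPane.aspx reached with no username; Microsoft's published indicators of compromise should be added for a real hunt.

```python
"""Hunt IIS W3C logs for unauthenticated requests to SharePoint's ToolPane.aspx.

Added example, not Microsoft's or the advisories' detection logic; the log lines are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List

# Constructed sample IIS W3C log (not real telemetry). The #Fields header names the columns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:44 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jsmith 10.0.0.20 Mozilla/5.0 - 200
2025-07-19 03:13:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\jsmith 10.0.0.20 Mozilla/5.0 https://sp.example.internal/ 200
2025-07-19 03:41:17 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.77 Mozilla/5.0 - 200
2025-07-19 03:41:19 10.0.0.5 GET /_layouts/15/toolpane.aspx - 443 - 203.0.113.77 Mozilla/5.0 - 401
2025-07-19 03:45:00 10.0.0.5 GET /sites/finance/default.aspx - 443 CONTOSO\\akim 10.0.0.31 Mozilla/5.0 - 200
"""


@dataclass(frozen=True)
class Finding:
    severity: str      # "high" or "medium"
    timestamp: str
    client_ip: str
    method: str
    status: str
    reason: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the header can change mid-file; always use the latest
            continue
        if line.startswith("#") or not fields:
            continue                    # other directives, or data before any #Fields header
        values = line.split()
        if len(values) != len(fields):
            continue                    # malformed line; a production hunt should count these
        yield dict(zip(fields, values))


def hunt_toolpane(log_text: str) -> List[Finding]:
    """Flag unauthenticated requests to ToolPane.aspx.

    Authenticated use of the page is normal administrative activity and is left alone.
    An accepted (2xx) unauthenticated POST is the condition the write-up describes.
    """
    findings: List[Finding] = []
    for rec in parse_w3c(log_text.splitlines()):
        if not rec["cs-uri-stem"].lower().endswith("/toolpane.aspx"):
            continue
        if rec["cs-username"] != "-":   # IIS logs "-" when no user was authenticated
            continue
        method = rec["cs-method"].upper()
        status = rec["sc-status"]
        if method == "POST" and status.startswith("2"):
            sev, why = "high", "unauthenticated POST to ToolPane.aspx accepted by the server"
        else:
            sev, why = "medium", "unauthenticated request to ToolPane.aspx (probe or rejected attempt)"
        findings.append(Finding(sev, f"{rec['date']} {rec['time']}", rec["c-ip"], method, status, why))
    return findings


def suspicious_clients(findings: List[Finding]) -> List[str]:
    """Distinct client IPs with at least one finding, for pivoting into firewall or EDR data."""
    return sorted({f.client_ip for f in findings})


if __name__ == "__main__":
    results = hunt_toolpane(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity.upper()}] {f.timestamp} {f.client_ip} {f.method} {f.status}: {f.reason}")
    print("clients to investigate:", ", ".join(suspicious_clients(results)))
```

On the sample log the authenticated POST from the CONTOSO administrator is ignored, while the anonymous 203.0.113.77 client produces one high finding (an accepted POST) and one medium finding (a 401 probe). A "high" hit on a production farm means the system should be treated as potentially compromised and checked against Microsoft's indicators before anything else is done to it; patching alone does not evict an attacker who already has code on the box.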