In today’s cybersecurity news…
The hits just keep on coming
Only a couple of weeks after a critical Fortinet vulnerability was added to CISA’s Vulnerabilities Catalog, an unrelated brute-force attack on FortiOS was spotted by internet-threat tracker GreyNoise. Starting August 3, 2025, more than 780 malicious systems around the world began hammering Fortinet SSL VPNs, specifically targeting the FortiOS profile. Two days later, the attackers shifted focus to FortiManager using a different method. GreyNoise notes that these kinds of concentrated attack spikes often appear shortly before new vulnerabilities are disclosed, suggesting this could be the prelude to another round of bad news for Fortinet users.
Where’s the Little Dutch Boy when you need him?
The Netherlands, wishing they could plug their data breach as easily as the boy in the fable, is dealing with a serious Citrix NetScaler security incident. Dutch authorities report that multiple critical infrastructure organizations have been compromised through a memory overflow vulnerability (CVE-2025-6543). According to their National Cyber Security Centre (NCSC), attackers exploited the flaw as early as May 2025, gained access, and then wiped logs to hide their tracks.
I felt the ransomware down in Africa
New data shows Africa has overtaken all other regions as the most targeted in the world for cyberattacks, with Nigeria recording the sharpest rise in attack volume on the continent. While many of these incidents are launched from outside Africa, Nigeria also has significant domestic cybercrime activity, with groups like the SilverTerrier BEC syndicate operating from within its borders and targeting victims globally. These actors, along with foreign counterparts, frequently exploit outdated infrastructure, like internet service providers and unpatched enterprise servers, which remain major conduits for phishing, ransomware, and financial fraud campaigns.
We are confirming the breach you already knew about
Eight months after ransomware group RansomHub first announced it had breached Manpower’s Lansing, Michigan staffing service franchise, the company has finally confirmed the attack and revealed the number of people affected. An announcement almost as delayed as waiting for a recruiter to call you back after a job interview. RansomHub claimed it stole about 500 GB of data, including passport scans, Social Security and driver’s license numbers, financial statements, HR analytics, and confidential contracts. The group later removed the listing from its dark-web leak site, a move often associated with ransom payments, though no payment has been confirmed. Pinpointing when the listing disappeared is tricky, as the leak site was offline for parts of April and May during downtime and migration.
Huge thanks to our sponsor, Vanta

We know that real-time visibility is critical for security, but when it comes to our GRC programs…we rely on point-in-time checks.
But more than 9,000 companies have continuous visibility into their controls with Vanta.
Vanta brings automation to evidence collection across over 35 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done 5 times faster with AI.
Now that’s…a new way to GRC. Get started at Vanta.com/headlines
Hey FTC, can you block this merger?
Cybercrime groups ShinyHunters and Scattered Spider are working together in a coordinated campaign targeting Salesforce users, according to researchers at ReliaQuest. The activity combines phishing, voice phishing, and malicious app-based attacks. Techniques include impersonating IT support in phone calls, creating fake Okta-branded login pages, and setting up spoofed “connected apps” that look like legitimate tools to collect credentials and data. Many of the malicious domains use ticket-related themes and target industries including luxury retail, aviation, insurance, technology, and financial services. Researchers say the tactics align with known methods from both groups, suggesting a deliberate collaboration.
Reddit mods scrapes
Reddit has moved to block the Internet Archive’s Wayback Machine from indexing all but its homepage, effectively cutting off access to individual posts, comments, user profiles, and subreddits. The company says the decision comes in response to AI firms using archived Reddit data to bypass the platform’s data access rules, and also frames it as a way to protect its business by preventing the free harvesting of content it now licenses to partners like Google and OpenAI. Reddit officials alerted the nonprofit archive in advance and say the change will help enforce platform policy and protect user privacy. Critics argue the move undermines web preservation, while supporters see it as a necessary step to close loopholes and safeguard both users and Reddit’s commercial interests.
Don’t pay the ferryman
Trend Micro has identified a new ransomware strain called Charon, targeting public sector and aviation organizations in the Middle East with techniques usually reserved for state-sponsored espionage. The campaign uses DLL sideloading, multi-stage encrypted payloads, process injection, and anti-EDR evasion, methods usually reserved for stealing state secrets, not demanding ransoms. Each ransom note is customized with the victim organization’s name, underscoring deliberate targeting. The methods closely mirror those of the China-linked Earth Baxia APT group, but Trend Micro says this could be direct involvement, imitation, or independent development.






