July 2025 In Review: Major Cyber Threats & Lessons Learned

As we head into August, here’s a consolidated review of the most consequential cyber threats that dominated July 2025, complete with exact dates, our internal analysis, and actionable remediation advice to help strengthen your defenses.

Microsoft “ToolShell” Zero‑Day (July 18–22, 2025)

What happened:
An RCE + spoofing exploit combo, dubbed ToolShell, leveraged zero‑day flaws CVE‑2025‑49706 and CVE‑2025‑49704/CVE‑2025‑53770, allowing attackers full control of vulnerable on‑prem Microsoft SharePoint servers and access to internal file shares and services. Initial patches proved ineffective, and the chain was exploited globally, including in government, academia, and critical infrastructure. Reports estimate hundreds of compromised servers and the deployment of Warlock ransomware in some cases. (Reuters, AP News, CyberScoop, CISA)

Cyber Intel Perspective:
This incident underscores worsening cloud-to-edge coordination: the exploit revealed gaps in Microsoft’s patch deployment process, but defenders often let trust & network architecture act as a false firewall. Particularly, shared key rotation and web‑config modifications were overlooked.

Key Remediation Actions:

• Immediately apply Microsoft’s updated SharePoint patches.
  
• Rotate ASP.NET machine keys before and after patching, then restart IIS. Disable AMSI only if absolutely necessary. (CISA)
  
• If patching isn’t possible, isolate on‑prem SharePoint servers (especially 2016/2019/Subscription Edition) from the internet.
  
• Hunt for activity patterns such as POSTs to /ToolPane.aspx?DisplayMode=Edit and Referer: /_layouts/SignOut.aspx.
  
• Deploy EDR, enable AMSI scanning, and update WAF/IPS with ToolShell detection signatures.
  

Aeroflot Hack Grounds Over 50 Flights (July 28, 2025)

What happened:
On July 28, two pro‑Ukraine hacking groups, Silent Crow and Belarusian Cyber Partisans BY, claimed credit for an attack that destroyed approx. 7,000 Aeroflot servers, disrupted customer service systems, and forced cancellation or delay of over 50 flights. Data theft is also alleged. The Kremlin called the event “alarming” and opened a criminal investigation. (Reuters, The Times of India)

Cyber Intel Perspective:
The attack reaffirms that infrastructure owners are now primary targets in asymmetric warfare. For global operators, agility in recovering from data destruction is just as critical as defense-in-depth.

Key Remediation Actions:

• Maintain immutable, geo-redundant backups offline (e.g., vault-based or WORM storage).
  
• Regularly test restoration processes with disaster-recovery orchestration drills.
  
• Maintain strict privileged access management (PAM) and Zero Trust network segmentation; even senior executives' endpoints should be segregated.
  
• Implement proactive VAPT (Vulnerability Assessment & Penetration Testing) on legacy systems.
  

St. Paul, MN: National Guard Activated after Digital Attack (July 25–29, 2025)

What happened:
A "deliberate, coordinated digital attack" overloaded St. Paul’s municipal IT infrastructure around July 25, forcing lockdown of city-wide IT services, including public Wi-Fi and library networks. On July 29, Minnesota Governor Tim Walz deployed the National Guard’s cyber unit to support recovery efforts. (The Guardian, Saint Paul Minnesota)

Cyber Intel Perspective:
Municipal governments remain soft targets for cybercriminals and ideologically motivated groups alike. The shallow perimeter and lack of robust incident response plans left St. Paul exposed, while reliance on outsourced or cloud-backed services delayed containment.

Key Remediation Actions:

• Create “offline telemetry” pipelines, forensic image snapshots that remain intact if primary infrastructure is hit.
  
• Conduct quarterly tabletop exercises simulating city-wide outages, seated with continuity and IT teams.
  
• Preserve internal control domains and air-gapped zones for emergency operations (e.g., police, utilities).
  
• Pre-authorize auxiliary support contracts (e.g. IR firms, National Guard cyber units) to speed response.
  

Allianz Life Vendor CRM Breach Exposes 1.4 Million Customers’ PII (July 16, 2025)

What happened:
On July 16, Allianz Life USA was infiltrated via a third-party cloud CRM vendor, using phishing-based social engineering to steal names, addresses, dates of birth of the majority of its 1.4 million U.S. customers, plus select employees. The breach was discovered on July 17 and reported to the FBI. (IT Pro)

Cyber Intel Perspective:
This is a textbook case of supply chain vulnerability magnified by social engineering. Even with mature e-Bank networks, single-chain vendors in privileged positions remain high risk.

Key Remediation Actions:

• Implement cloud vendor baseline assessments: enforce MFA, logs visibility, and JITA (Just-In-Time Access).
  
• Require phishing-resistant MFA (e.g. hardware keys, FIDO2).
  
• Train vendor personnel in live phishing simulations; enforce weekly MFA resets for administrative roles.
  
• Isolate vendor systems via dedicated jump hosts, never allow direct lateral movement.
  
• Monitor for anomalous login behavior (e.g. access from unmanaged IPs/geographies).
  

Turla/Secret Blizzard Uses Russian ISPs to Spy on Embassies & Diplomats (Reported July 31, 2025)

What happened:
Microsoft exposed an ongoing FSB-linked espionage campaign (Turla, also known as Secret Blizzard) that hijacked public Wi-Fi and captive-portal flows via Moscow-based ISPs to silently install malware (e.g. ApolloShadow) on foreign embassy endpoints. The embeds masqueraded as Kaspersky certificate updates, a novel ISP-level man-in-the-middle exploited via SORM infrastructure. (Reuters, WIRED)

Cyber Intel Perspective:
Trust in network infrastructure used to be an assumption; this campaign undermines it entirely. Governments or organizations must now assume that hostile nation-state ISP infrastructure can compromise endpoint provisioning.

Key Remediation Actions:

• Enforce full-device VPN tunnels independently managed (never user-installed captive-portal).
  
• Mandate secure OS update channels; avoid accepting root-injected transport layers.
  
• Require hardware-backed machine credentials and remote attestation.
  
• Use MDM-enforced app provisioning via whitelists only.
  
• Rotate keys regularly and audit device certificates when traveling.
  

Google Misses July 2025 Android Security Bulletin, for the First Time in 10 Years (July 11, 2025)

What happened:
On July 11, Google officially released an empty Android Security Bulletin, no patches issued for Android OS, Pixel devices, or Google Play Protect in over a decade of monthly updates. Researchers warned Qualcomm and other OEMs are still addressing unpatched chip vulnerabilities, especially in GPS and baseband firmware. (Android Open Source Project, SecurityWeek)

Cyber Intel Perspective:
Routine patch fatigue is dangerous, missing a monthly update may hint at deep supply chain issues. Without official bulletins, enterprises should treat Android fleets with elevated risk, especially models using vulnerable third-party silicon.

Key Remediation Actions:

• Flag Android 2025-07 deployments in MDM; temporarily enforce app lockdown policies.
  
• Subscribe to chip-tier vendor mailing lists (e.g., MediaTek, Qualcomm).
  
• Implement BYOD device quarantine workflows for affected Android cohort.
  
• Educate users on installing patch-forward behavior; enforce PIN/device encryption.
  

Oracle July 2025 Critical Patch Update: 309 Vulnerabilities Addressed (Released July 15–17, 2025)

What happened:
Oracle delivered its July 2025 Critical Patch Update, addressing 309 vulnerabilities across 200 unique CVEs, 127 of which were remotely exploitable without credentials. This massive Q3 push followed early warnings that unpatched Oracle CVEs had recently been weaponized in the wild. (SecurityWeek, Waratek)

Cyber Intel Perspective:
Oracle’s quarterly patching remains a high-stakes testing ground where delays invite real-world exploitation. Many organizations still operate on outdated versions (e.g., 11g, 12c), increasing risk exposure.

Key Remediation Actions:

• Prioritize applying critical CPU patches within 48 hours, especially for Internet‑facing or high‑availability servers.
  
• Validate remediation using CVSS ≥ 9.0 flags (e.g. RCE or auth bypass vulnerabilities).
  
• Scan application dependencies for affected third-party libraries.
  
• Apply virtual patching on WAF or IPS where immediate patching isn’t possible.
  

Cross-Cutting Insights for Cyber Defenders in July 2025

Trend

Recommended Posture

Nation-state espionage using supply chains, ISP-level injection, and infrastructure compromise

Build a layered “no-trust” model; rotate keys; treat all upstream systems as potentially compromised

Supply-chain & vendor compromise risks

Enforce Zero Trust between internal and 3rd-party services; require technical due diligence

Patch fatigue & scheduling gaps (Android bulletin skipped; Oracle bulk patching)

Implement continuous vulnerability management, not just patch calendar; integrate external CVE feeds

Digital disruption (e.g. Aeroflot, municipal outages)

Focus on recovery readiness, immutable backups, offline zones, secondary control domains

Ineffective vendor response & delayed detection (e.g. poor telemetry, late CISA alerts)

Develop proactive hunting, shared IR playbooks, and tiered escalations with strategic partners (e.g. CISA, CrowdStrike)

Outlook for August 2025–Q3 Strategy

• AI-generated scams/deepfake social engineering continue rising. Be ready to validate communications via out-of-band channels.
• ‍Supply chain risk equivalence: breaches via partners now account for over 30% of successful attacks, invest in supply chain risk registries and auditing.‍
• Endpoint telemetry should integrate OS logs, certificate rotation alerting, and unusual “blank patch” commands (e.g. Android July gap) in real‑time dashboards.

In Summary: 

As we step into August 2025, these July incidents reveal escalating challenges, from state‑sponsored espionage and supply‑chain abuse to deepfake-enabled impersonation and absent patch cycles, that are reshaping the cyber threat landscape. Organizations must now operate under the assumption of compromised upstream infrastructure, enforce Zero Trust segmentation, and integrate AI‑augmented detection to keep pace with adversaries who are reducing dwell time and weaponizing social engineering and cloud lateralism.

At Cyber Intel Training, we focus on equipping cybersecurity professionals with the knowledge and practical frameworks they need to navigate modern threats. Through specialized education in threat analysis, incident response principles, and secure systems design, we help teams work more effectively with their managed service providers. Our goal is to build informed defenders who can ask the right questions, interpret signals correctly, and implement strategy with confidence alongside their operational partners.

Daniel Wilson
Cyber Intel Training‍

Practical training for a safer, smarter, more cyber-aware society.