Scattered Spider group disrupted, but imitators carry on


CISA, along with U.S., Canadian, U.K. and Australian agencies, has updated its cybersecurity advisory (July 29, 2025) to highlight new tactics, techniques, and procedures (TTPs) used by the Scattered Spider group, including sophisticated social engineering and deployment of DragonForce ransomware.

Following recent arrests in the U.K. tied to suspected Scattered Spider members, researchers report a noticeable drop in direct activity from the group. However, this is only a temporary reprieve, as copycat actors like UNC6040 continue to use similar social engineering techniques to breach organizations. The advisory confirms that Scattered Spider aggressively targeted VMware ESXi infrastructure in sectors like retail, airlines and transportation, often bypassing MFA via phishing, SIM swaps and impersonation of employees. The group’s hallmark is rapid, stealthy operations — often escalating from initial access to full infrastructure compromise within hours. Their use of commercial remote access tools, domain spoofing and living-off-the-land techniques makes detection difficult. The group’s attack chain often involves compromising vSphere environments, deleting backups and deploying ransomware directly from the hypervisor.

Agencies are urging organizations to adopt hardened defenses, review logs for indicators of compromise, and proactively rearchitect infrastructure to resist such threats, especially ahead of vSphere 7’s end of life in October 2025.


Orange confirms cyber incident affecting internal systems


French telecom giant Orange, with a revenue of €40.26 billion in 2024, reported a cyberattack on July 25, 2025, affecting one of its internal systems.

The Orange team quickly isolated the compromised system, resulting in service disruptions, primarily for French business and consumer customers. Investigations are ongoing, with no current evidence of data exfiltration or customer impact. The company has notified authorities and remains on high alert.

Although no specific attacker has been confirmed, the incident is similar to previous breaches by Salt Typhoon, a Chinese state-backed group targeting global telecoms. This follows a string of past attacks on Orange, including one in Romania earlier this year that exposed internal documents and employee data.


Minnesota deploys National Guard to respond to St. Paul cyber crisis


Minnesota Governor Tim Walz declared a state of emergency and activated the National Guard following a major cyberattack on the city of St. Paul.

The attack, discovered on July 25, disrupted key services, taking down online payment platforms and Wi-Fi across public buildings, though 911 emergency lines remained operational. Due to the attack's scale and complexity, the city’s own response capabilities were overwhelmed, prompting support from state and federal agencies. Governor Walz stated the National Guard's cyber unit is working with local, state and federal officials to contain the threat and protect residents. Mayor Melvin Carter confirmed the intrusion was a deliberate, coordinated assault by a sophisticated external actor and not a technical glitch.

As a defensive measure, the city shut down its IT systems while it continues investigating the scope of the breach and whether data was exfiltrated. Authorities are now focused on restoring critical infrastructure and public-facing services.


Fake OAuth apps and Tycoon phishing kit used to hijack Microsoft 365 accounts


Researchers have uncovered a new campaign in which attackers impersonate well-known companies using fake Microsoft OAuth applications to steal credentials and take over Microsoft 365 accounts. These spoofed apps mimic brands like SharePoint, Adobe and DocuSign and use phishing kits such as Tycoon and ODx to bypass MFA.

Victims are lured via phishing emails disguised as quote or contract requests, then redirected to grant permissions to a fraudulent app named “iLSMART.” Even if the victim denies permissions, they are taken through a CAPTCHA to a fake Microsoft login page using adversary-in-the-middle phishing to harvest credentials. More than 50 fake applications have been used in such campaigns, affecting nearly 3,000 user accounts across 900 Microsoft 365 tenants in 2025 alone.

Additional campaigns have leveraged Adobe-themed phishing via Twilio SendGrid and embedded remote desktop software in disguised PDFs to deliver malware like VIP Keylogger or RMM tools such as FleetDeck and Atera. These RMM tools, while legitimate, are used as initial access methods by threat actors, potentially for ransomware deployment.


ShinyHunters tied to Salesforce-related data breaches at global enterprises


ShinyHunters has been linked to a string of recent data breaches at companies like Qantas (with a revenue of $21.61 billion in 2024), Allianz Life (with a revenue of €106.4 billion in 2024), LVMH (with a revenue of €84.7 billion in 2024), and Adidas (with a revenue of €23.683 billion in 2024), all tied to compromised Salesforce CRM instances.

These attacks involved voice phishing (vishing), where threat actors impersonated IT staff to trick employees into connecting malicious apps to Salesforce via OAuth. Researchers identified the group as UNC6040 and noted their use of fake Okta login pages to steal credentials and MFA tokens. Some companies, like Tiffany & Co. and Allianz, confirmed breaches tied to third-party platforms managing customer data. Though Salesforce was not officially named by victims, court documents and insider reports confirm the platform was a target. ShinyHunters has so far avoided public data leaks, opting instead to privately extort companies via email.
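Both the Microsoft 365 campaign above and the Salesforce intrusions described here hinge on a user consenting to a third-party OAuth app that the organisation never vetted. The following Python is an added example, not code from the article or from any researcher or vendor it cites: it triages consent-grant audit events against an approved-app list, flags brand-lookalike display names and high-risk scopes, and treats a denied consent as a cue to look for the follow-on credential phishing described above. The event schema, the approved-app identifiers and every sample record are constructed for the example (real Entra ID or Salesforce audit logs use different field names); the scope names are real Microsoft Graph permissions, and "iLSMART" is the app name reported in the article.

```python
"""Triage OAuth consent-grant events for consent-phishing indicators.

Added example with a constructed, simplified event schema; it is not the
format of any real audit log and not the article's own code.
"""
from dataclasses import dataclass

# Constructed list of app IDs the organisation has reviewed and approved.
APPROVED_APP_IDS = {"11111111-corp-sharepoint", "22222222-corp-docusign"}

# Brands the article reports being spoofed in app display names.
IMPERSONATED_BRANDS = ("sharepoint", "adobe", "docusign", "microsoft", "okta")

# Real Microsoft Graph scopes that give mailbox/file access or long-lived tokens.
HIGH_RISK_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite",
                    "Files.Read.All", "User.Read.All"}


@dataclass(frozen=True)
class ConsentEvent:
    user: str
    app_id: str
    app_display_name: str
    scopes: tuple          # permissions requested by the app
    consent_type: str      # "user" (self-service) or "admin"
    outcome: str           # "granted" or "denied"


# Constructed sample events: one vetted app, two lookalike apps, one unknown app.
SAMPLE_EVENTS = [
    ConsentEvent("alice@example.com", "22222222-corp-docusign", "DocuSign (corporate)",
                 ("User.Read",), "admin", "granted"),
    ConsentEvent("bob@example.com", "99999999-unknown", "iLSMART",
                 ("User.Read", "offline_access", "Mail.Read"), "user", "granted"),
    ConsentEvent("carol@example.com", "88888888-unknown", "Adobe Document Cloud",
                 ("User.Read", "offline_access"), "user", "denied"),
    ConsentEvent("dave@example.com", "77777777-unknown", "Expense Helper",
                 ("User.Read",), "user", "granted"),
]


def assess(event: ConsentEvent) -> tuple:
    """Return (severity, findings) for a single consent event."""
    if event.app_id in APPROVED_APP_IDS:
        return ("none", [])

    findings = ["app not on approved list"]

    name = event.app_display_name.lower()
    if any(brand in name for brand in IMPERSONATED_BRANDS):
        findings.append("display name mimics a known brand")

    risky = sorted(HIGH_RISK_SCOPES & set(event.scopes))
    if risky:
        findings.append("high-risk scopes requested: " + ", ".join(risky))

    if event.consent_type == "user" and event.outcome == "granted":
        findings.append("self-service user consent granted (no admin review)")

    if event.outcome == "denied":
        # The article notes victims who deny consent are still sent to an
        # adversary-in-the-middle login page, so a denial is still a lead.
        findings.append("consent denied: check this user for follow-on "
                        "credential phishing / unexpected sign-ins")

    if event.outcome == "granted" and risky:
        severity = "high"
    elif len(findings) >= 2:
        severity = "medium"
    else:
        severity = "low"
    return (severity, findings)


def scan(events) -> dict:
    """Map (user, app_id) to (severity, findings) for every event that needs review."""
    report = {}
    for event in events:
        severity, findings = assess(event)
        if findings:
            report[(event.user, event.app_id)] = (severity, findings)
    return report


if __name__ == "__main__":
    for (user, app_id), (severity, findings) in scan(SAMPLE_EVENTS).items():
        print(f"[{severity.upper()}] {user} -> {app_id}")
        for line in findings:
            print("   -", line)
```

The triage only makes sense alongside the preventive control: restricting self-service consent to apps from verified publishers, or requiring admin consent outright, removes the "user" / "granted" path that the flagged events rely on, and the remaining admin-consent events become a small, reviewable set.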

The group is believed to have ties with Scattered Spider and possibly overlaps with members of the former Lapsus$ gang. Despite arrests linked to ShinyHunters, new attacks continue, prompting Salesforce to stress that its platform wasn’t breached and urging customers to adopt strong security practices against social engineering.