August 21, 2025  —  Irina Artioli

MSP cybersecurity news digest, August 13, 2025

CISA warns of critical Microsoft Exchange Online and SharePoint flaws, urges immediate patching


CISA issued Emergency Directive 25-02 in response to CVE-2025-53786, a high-severity vulnerability in Microsoft Exchange hybrid deployments that could allow attackers with administrative access to on-premises servers to escalate privileges into Exchange Online undetected. The flaw stems from hybrid Exchange configurations where on-premises and cloud environments share the same service principal, enabling attackers to forge trusted tokens or API calls without triggering standard Microsoft 365 audit logs.

If left unpatched, this weakness could result in a total compromise of both the hybrid cloud and the on-premises domain, undermining the integrity of an organization’s identity and email systems. Researchers have yet to observe active exploitation but warn that the flaw is rated “Exploitation More Likely” because reliable exploit code would be easy to develop, and they urge customers to apply the April 2025 Exchange Hotfix, reconfigure hybrid apps and reset service principal credentials. CISA further advises disconnecting any public-facing Exchange or SharePoint servers that have reached end of life, such as SharePoint 2013, to reduce exposure, and patching all supported servers with the April hotfix and the latest cumulative updates.

This warning follows recent exploitation of multiple SharePoint vulnerabilities — including CVE-2025-49704, CVE-2025-49706, and CVE-2025-53770 — used in the “ToolShell” exploit chain to deploy malware capable of stealing cryptographic keys, running encoded PowerShell commands and exfiltrating data. CISA has added these SharePoint vulnerabilities to its Known Exploited Vulnerabilities Catalog and released a Malware Analysis Report with indicators of compromise and detection signatures.


MSPs emerge as prime targets for Akira and Lynx ransomware


The Acronis Threat Research Unit (TRU) recently analyzed new samples of the Akira and Lynx ransomware families to uncover the latest changes in their tactics.

Both groups operate under a ransomware-as-a-service (RaaS) model and use double extortion, with Lynx believed to incorporate elements from leaked LockBit source code and Akira showing similarities to Conti, suggesting a shared code lineage. Their intrusions follow a familiar chain: initial access through stolen credentials or VPN vulnerabilities, then reconnaissance, privilege escalation, defense evasion, and finally data exfiltration and encryption, relying on sophisticated yet recycled methods that primarily target small and midsize businesses (SMBs). Once inside, they disable security software, delete shadow copies and clear event logs to evade detection and hinder recovery efforts. In a notable twist, the Lynx sample observed by TRU can even print ransom notes directly to connected printers.

Akira has claimed over 220 victims, including law firms, accounting firms, construction companies, and potential managed service providers (MSPs) like Hitachi Vantara and Toppan Next Tech. Lynx has compromised around 145 victims, often focusing on SMBs, with one reported case involving a CBS affiliate television station in Chattanooga, Tennessee. While MSPs are not the sole targets, both gangs see them as high-value opportunities due to their ability to provide access to multiple downstream customers, significantly amplifying the potential payout.
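The shadow-copy deletion and event-log clearing described above are among the most reliable pre-encryption signals a defender can alert on. The following detector is an added example, not code from Acronis TRU; it assumes Windows process-creation (4688) and audit-log-cleared (1102) events have already been normalised into the dictionary shape shown, and the sample records are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample records shaped like a SIEM's normalised Windows events.
# (Assumption: each record carries an event_id plus a command_line or message.)
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "fs01", "event_id": "4688", "user": "CORP\\svc-backup",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "fs01", "event_id": "4688", "user": "CORP\\svc-backup",
     "command_line": "wmic.exe shadowcopy delete"},
    {"host": "fs01", "event_id": "1102", "user": "CORP\\svc-backup",
     "message": "The audit log was cleared."},
    {"host": "ws22", "event_id": "4688", "user": "CORP\\jdoe",
     "command_line": "vssadmin.exe List Shadows"},   # benign near-miss
]

# Command-line patterns for the recovery-inhibition behaviours the digest describes.
# Matched case-insensitively because Windows tooling accepts either casing.
PATTERNS = {
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows|"
        r"wmic(\.exe)?\s+shadowcopy\s+delete|"
        r"wbadmin(\.exe)?\s+delete\s+catalog)", re.I),
    "event_log_clearing": re.compile(
        r"(wevtutil(\.exe)?\s+(cl|clear-log)\b|clear-eventlog\b)", re.I),
}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the technique labels an event matches (empty list if benign)."""
    hits: List[str] = []
    # Security event 1102 is the OS's own record that the audit log was cleared.
    if event.get("event_id") == "1102":
        hits.append("event_log_clearing")
    cmd = event.get("command_line", "")
    for label, pattern in PATTERNS.items():
        if pattern.search(cmd) and label not in hits:
            hits.append(label)
    return hits


def find_ransomware_precursors(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group distinct technique hits per host; several hits on one host is a strong signal."""
    per_host: Dict[str, List[str]] = {}
    for ev in events:
        for label in classify(ev):
            labels = per_host.setdefault(ev["host"], [])
            if label not in labels:
                labels.append(label)
    return per_host
```

Hosts that show two distinct techniques within a short window, as fs01 does here, deserve an immediate isolation decision rather than a ticket.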


Clinical data stolen in cyberattack on dialysis provider DaVita


US-based kidney dialysis provider DaVita, with a revenue of $12.82 billion in 2024, has confirmed that a data breach affecting 915,952 customers exposed sensitive personal, clinical, and financial information, including names, birth dates, Social Security numbers, health records, and in some cases, tax IDs and check images.

The incident, believed to be ransomware-related, began on March 24, 2025, and persisted until April 12, when the attacker was blocked from accessing DaVita’s dialysis labs database. On August 5, the company notified impacted individuals, urging vigilance against identity theft and offering free credit monitoring services.

DaVita disclosed that remediation efforts, supported by third-party cybersecurity experts, cost approximately $13.5 million, including $1 million in increased patient care costs and $12.5 million in additional administrative expenses. The Interlock ransomware group claimed responsibility in April, alleging the theft of 1.5TB of data and publishing partial samples on its leak site. This breach is one of several major health care sector incidents in 2025, following a surge in attacks in 2024 despite overall ransomware growth in health care slowing this year.


Chanel, Pandora, Google and Cisco suffer data breaches


A wave of Salesforce data theft attacks by the ShinyHunters extortion group continues and has impacted more major global brands, including Chanel, with a revenue of $18.7 billion in 2024, Pandora, with a revenue of $4.9 billion in 2024, and Google, with a revenue of $350.02 billion.

In these campaigns, threat actors use vishing and phishing to steal Salesforce credentials or trick employees into approving malicious OAuth apps, granting full access to corporate CRM instances. Once inside, they exfiltrate customer databases — often containing names, contact details, and other personal information — which are then leveraged for private extortion campaigns with the threat of public leaks. Salesforce has stressed that its platform has not been breached, but customers must harden their defenses with MFA, least-privilege access, and strict management of connected applications. The ShinyHunters group, linked to past high-profile breaches such as Snowflake and AT&T, has confirmed that these attacks are ongoing and warned that non-paying victims may face mass data leaks. One affected company has reportedly paid four Bitcoins — roughly $400,000 — to stop its stolen data from being publicly leaked.

In parallel, a cybercriminal used a vishing call to trick a Cisco representative into granting access, allowing theft of personal data from a third-party cloud-based CRM system. Cisco discovered the breach on July 24 and confirmed that attackers exported basic profile information, including names, organizations, email addresses, phone numbers, and account metadata. The company did not disclose how many Cisco.com users were affected, and a spokesperson declined to comment on the scope. This incident appears to be part of a wider trend of attacks targeting Salesforce data from various major companies.


New York real estate firm hit by $19 million phishing scam


Milford Entities/Management Company, a prominent owner and manager of luxury properties in New York’s Battery Park City, was allegedly scammed out of nearly $19 million in early July through a single phishing email.

The spoofed message tricked the firm into transferring quarterly ground lease and PILOT tax payments to a fraudulent TD Bank account posing as the Battery Park City Authority (BPCA). The Department of Homeland Security is leading a multiagency investigation, while the company confirmed the theft affected both buildings it owns and others it manages, including Liberty View and Liberty Luxe.

Emails reveal that one residential tower lost $3.5 million in dues, prompting the BPC Homeowners Coalition to warn residents and boards to review their cybersecurity policies, stressing that similar attacks could happen again. BPCA clarified it did not receive the payment, was not directly involved in the incident, and is working with residents, the management firm, and law enforcement to address the issue.