This Week in Cybersecurity: Looking Back at Week 31

August 1, 2025

Week 31 of 2025 saw a series of significant cybersecurity events, highlighting the ongoing challenges facing digital infrastructure and security operations.

Apple and Google both responded to active threats. Apple patched a critical WebKit zero day also affecting Chrome, while Google launched the open beta of DBSC to bolster browser security. Law enforcement scored a significant victory as arrests related to the notorious Scattered Spider group disrupted operations, though copycat actors remain a lingering threat.

On the infrastructure front, over 200,000 WordPress sites are exposed due to a flaw in the popular Post SMTP plugin, and Post Luxembourg confirmed an “exceptionally advanced” cyberattack that disrupted services.

Meanwhile, the breach of French defence contractor Naval Group may have leaked submarine data, and RTÉ began investigating a possible cybersecurity incident after an NCSC alert.

Finally, a targeted attack linked to Russian-state actors hit a Colchester environmental charity, further highlighting the growing trend of politically motivated cyber activity.

Apple Patches WebKit Zero Day Also Exploited in Chrome

Apple has released updates across iOS, iPadOS, macOS, watchOS, tvOS and visionOS to address CVE‑2025‑6558, a critical vulnerability in the ANGLE and GPU components of WebKit also exploited in Google Chrome as a zero day.

The bug allows remote attackers to bypass the browser sandbox via crafted HTML, potentially leading to code execution or crashes.

Discovered by Google’s Threat Analysis Group, the flaw received a CVSS score of 8.8 and has been added to CISA’s Known Exploited Vulnerabilities catalog with an August 12 patch deadline.

Apple has advised iPhone XS and newer devices running iOS 18.6, macOS Sequoia 15.6 and related platform versions to be updated immediately.

Google Launches DBSC Open Beta in Chrome

On July 30th, Google introduced Device Bound Session Credentials (DBSC) in open beta for Chrome on Windows, a major step toward protecting user accounts from session cookie theft attacks.

DBSC binds authentication sessions to the original device using cryptographic keys stored in hardware-backed protections, making stolen cookies useless for re-authentication on other devices.

Additionally, Google’s Project Zero now implements Reporting Transparency to shrink the “upstream patch gap,” publicly disclosing reported vulnerabilities within one week of vendor notification, though without releasing exploit details until the 90-day deadline.

These initiatives offer enhanced session integrity and clearer vulnerability workflows for improved ecosystem-wide security.

Arrests Dismantle Scattered Spider Cybercrime Ops But Copycats Threaten Continuity

The UK’s National Crime Agency (NCA) has arrested four individuals aged 17 to 20 in connection with recent cyberattacks attributed to the Scattered Spider group, targeting major retailers like Marks & Spencer, Co‑op and Harrods.

These coordinated attacks caused operational disruptions, impacted supply chains and resulted in significant losses estimated at over £300 million for M&S alone.

According to Mandiant Consulting, Scattered Spider’s core intrusion activity has paused following the arrests, but related threat actors continue to emulate their refined blend of social engineering, SIM swapping and help desk impersonation.

Security advisors emphasise that organisations should use this window to harden defences, tighten identity verification protocols, and patch vulnerabilities, while remaining alert to rising “copycat” threats leveraging similar techniques.

Over 200,000 WordPress Sites at Risk Due to Critical Post SMTP Plugin Vulnerability

More than 200,000 WordPress websites using the popular Post SMTP plugin (approximately 400,000 active installations) are exposed to a serious security flaw, tracked as CVE‑2025‑24000 with a severity score of 8.8.

The vulnerability stems from flawed access control in the plugin’s REST API, which only checked whether a user was authenticated rather than verifying proper privileges. This allowed low-privileged users (e.g. subscribers) to view email logs and intercept admin password reset emails, resulting in full site takeover capabilities.
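The difference between the two checks, shown as an added example that is not Post SMTP's code: the namespace, routes, function and option name are hypothetical, and only the WordPress core calls are real. The first route repeats the weak pattern described above (authenticated is enough), the second requires an administrative capability.

```php
<?php
/**
 * Plugin Name: Example mail log routes (constructed illustration)
 * Hypothetical namespace, routes and option name; not Post SMTP's code.
 */

// Shared handler: returns stored mail log entries, which can include
// password reset messages containing one-time reset links.
function example_get_mail_logs( WP_REST_Request $request ) {
    $logs = get_option( 'example_mail_logs', array() ); // constructed storage
    return rest_ensure_response( $logs );
}

add_action( 'rest_api_init', function () {
    // WEAK: authentication only. Any logged-in account, including a
    // subscriber, passes this check and can read the logs.
    register_rest_route( 'example-mail/v1', '/logs-weak', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_mail_logs',
        'permission_callback' => function () {
            return is_user_logged_in();
        },
    ) );

    // HARDENED: authorization. Only users holding an administrative
    // capability may read the logs; everyone else gets 401 or 403.
    register_rest_route( 'example-mail/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_mail_logs',
        'permission_callback' => function () {
            if ( current_user_can( 'manage_options' ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                'You are not allowed to view mail logs.',
                array( 'status' => rest_authorization_required_code() )
            );
        },
    ) );
} );
```

When reviewing a plugin, any `permission_callback` that returns `is_user_logged_in()` or `__return_true` on a route exposing sensitive data deserves the same scrutiny.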

A patch was released in version 3.3.0 on June 11th, but uptake has been slow: only around 48.5% of users have updated, leaving roughly 200,000 sites still vulnerable, including about 96,800 still on older 2.x versions with even greater risk. Administrators are strongly urged to update to version 3.3.0 or later immediately to prevent compromise.

Post Luxembourg Hit by “Exceptionally Advanced” Cyberattack

On July 23rd 2025, Luxembourg’s national postal and telecom provider Post Luxembourg suffered a major four-hour outage affecting mobile, fixed-line and internet services, including emergency systems and about 40 disrupted flights.

Initially attributed to technical issues, authorities later confirmed the incident was a targeted and highly sophisticated cyberattack, exploiting a software vulnerability in a standardised component. While no customer data was compromised and internal systems remained intact, the disruption’s scale revealed intent to destabilise critical services.

The House of Cybersecurity warned this attack underscores the hidden prevalence of such incidents in Luxembourg’s infrastructure. A full investigation is ongoing, coordinated by the government’s crisis unit and national protection agencies.

Bitdefender reports that Naval Group, France’s national defence contractor, has confirmed the alleged cyberattack that led to the publication of roughly 1 TB of internal data, including combat systems code, weapon simulation software, network designs and proprietary manuals.

The hacker known as “Neferpitou” posted a 13 GB free sample and followed with a deadline-driven leak, sharing the full dataset despite no public ransom demand.

Despite the leak’s scale, Naval Group maintains that there is no confirmed intrusion into its systems or operational disruption, classifying it as a likely reputational attack.

RTÉ Investigates Possible Cybersecurity Incident Following NCSC Alert

RTÉ has initiated an internal review after being contacted by Ireland’s National Cyber Security Centre (NCSC) over the weekend, following intelligence suggesting a looming cybersecurity threat possibly affecting up to seven state entities, RTÉ included.

While the exact nature of the threat remains unclear, preliminary reports hint at a ransomware-style scenario with an August 4th deadline.

Although sources say there is no elevated alarm, RTÉ is assessing the credibility of the information and taking precautionary measures. The broadcaster affirmed it is working closely with the NCSC as part of Ireland’s heightened post-HSE cyber vigilance.

Colchester Environment Centre Hit by Russian-State Linked Cyberattack

An Essex sustainability charity, the Colchester Environment Centre, suffered a targeted cyberattack linked to Russian threat actors, prompting a temporary shutdown of its IT systems.

The organisation has since fully restored its internet services. While specific technical details remain undisclosed, local officials stressed the incident’s sophistication and the urgency for small nonprofits to bolster cyber defences against nation-state espionage campaigns.
