This Week in Cybersecurity: Looking Back at Week 40

October 2, 2025

This week’s cybersecurity news is dominated by a trifecta of escalating threats: MFA failures, AI-accelerated social engineering and the massive political costs of corporate breaches.

Our top stories reveal a significant Global Threat Shift, confirming that while Ransomware Dominates Impact, the methods are evolving with AI Accelerating Phishing. We detail how the Akira Ransomware group is achieving MFA bypass on critical VPNs with “hours-long” attacks, forcing immediate patching. Meanwhile, the human element remains the primary weakness, with Mandiant exposing the UNC6040/ShinyHunters Salesforce Vishing Scheme, urging organisations to adopt phishing-resistant authentication methods. The repercussions of these attacks extend far beyond the technical.

We examine the controversial UK Grants to Jaguar Land Rover following a devastating cyberattack, raising questions about government funded bailouts and their effect on encouraging future extortion.

Finally, we issue Urgent Action alerts for critical vulnerabilities, including necessary patches for both OpenSSL and Apple devices that prevent remote code execution.

AI Accelerates Phishing as Ransomware Dominates Impact

The ENISA Threat Landscape 2025 report provides essential context, confirming that the EU is being consistently targeted by diverse threat groups, often with overlapping methods.

Ransomware is identified as the most impactful threat in the EU. While high volume attacks are dominated by hacktivists launching low-impact DDoS campaigns (77%), the top initial intrusion vector is Phishing (60%). This threat is intensifying as AI-supported phishing campaigns reportedly account for over 80% of observed social engineering activity worldwide.

Organisations should use the ENISA findings to inform their security budget, specifically prioritising defences against AI driven social engineering and confirming that DDoS mitigation is robust enough to handle hacktivism campaigns.

Attack Tactics & Defence: The Human Element is the Only Way In

The two biggest attack stories this week demonstrate that threat actors are focusing on bypassing technological controls by exploiting human trust and existing legacy flaws.

Akira Bypassing MFA on SonicWall VPNs with ‘Hours Long’ Attacks

Security experts have warned of a significant increase in malicious activity from the Akira ransomware group targeting SonicWall SSL VPN appliances. The campaign leverages the legacy improper access control vulnerability CVE-2024-40766 for initial access and credential harvesting.

A key concern is the observed ability of threat actors to compromise devices even when One Time Password (OTP) Multi-Factor Authentication (MFA) is enabled, suggesting a successful MFA bypass, likely through the acquisition of OTP seeds.

Due to exceptionally short “dwell times,” measured in mere hours, organisations must patch CVE-2024-40766 immediately. Furthermore, they should audit SonicWall VPN logs for logins originating from hosting/VPS IP addresses, as these indicate a likely bypass attempt, and move to more phishing-resistant MFA such as FIDO2 keys.
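The log audit recommended above, as an added example that is not part of the original post or of any SonicWall tooling: it parses constructed, syslog-style VPN login lines (a hypothetical format, not SonicWall’s exact one) and flags successful logins whose source address falls inside a list of hosting/VPS ranges. The ranges shown are documentation placeholders; in practice they would come from a maintained datacentre/hosting IP feed.

```python
import ipaddress
import re

# Hypothetical hosting/VPS ranges (RFC 5737 documentation space, not real
# provider allocations). Replace with a maintained hosting/datacentre IP feed.
HOSTING_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample log lines in a generic syslog-like shape.
SAMPLE_LOGS = """\
2025-09-29T02:14:07Z vpn-fw01 sslvpn: user=alice src=192.0.2.45 event=login result=success
2025-09-29T02:16:22Z vpn-fw01 sslvpn: user=bob src=203.0.113.77 event=login result=success
2025-09-29T02:16:40Z vpn-fw01 sslvpn: user=bob src=203.0.113.77 event=otp result=success
2025-09-29T03:01:12Z vpn-fw01 sslvpn: user=carol src=198.51.100.9 event=login result=failure
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) \S+ sslvpn: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
    except ValueError:  # malformed address: skip rather than crash the audit
        return None
    return rec


def is_hosting_ip(ip):
    """True if the address sits inside any configured hosting/VPS range."""
    return any(ip in net for net in HOSTING_RANGES)


def flag_hosting_logins(log_text):
    """Return (timestamp, user, src) for successful logins from hosting ranges.

    Only completed logins are reported; failures and OTP events are ignored
    because the signal of interest is an authenticated session from a VPS.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["event"] == "login" and rec["result"] == "success" \
                and is_hosting_ip(rec["src"]):
            hits.append((rec["ts"], rec["user"], str(rec["src"])))
    return hits


if __name__ == "__main__":
    for ts, user, src in flag_hosting_logins(SAMPLE_LOGS):
        print(f"ALERT {ts} user={user} logged in from hosting range {src}")
```

Each hit should be treated as a lead for immediate session review, since a confirmed OTP bypass leaves little time before data exfiltration begins.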

Mandiant Exposes ShinyHunters Salesforce Vishing Scheme

Mandiant detailed the successful tactics of the threat campaign UNC6040 (attributed to the ShinyHunters cybercrime group), which has repeatedly compromised Salesforce instances by exclusively using vishing (telephone based social engineering).

These attacks trick employees into visiting a malicious version of the Salesforce Data Loader to harvest credentials, enabling lateral movement into other cloud platforms like Okta and Microsoft 365.

Since the attacks rely solely on manipulating users and not exploiting vulnerabilities, Mandiant’s primary recommendation is to enforce stringent identity verification protocols. These include live video identity proofing with corporate badges for help desk requests and out of band (OOB) verification with a manager for high risk actions.

For technical hardening, organisations are urged to deploy a single sign on (SSO) provider and adopt phishing resistant MFA using FIDO2 physical keys.

The Cost of a Major Security Incident

The financial and political consequences of high profile cyberattacks are becoming clear, raising questions about accountability and deterrence.

UK Gives JLR £1.5B Loan After Attack, Experts Warn It Encourages Extortion

The UK government announced a £1.5 billion (€1.72 billion) loan guarantee for Jaguar Land Rover (JLR) following a severely disruptive cyberattack.

The support is intended to stabilise cash reserves, protect the supply chain and safeguard jobs. However, the bailout has drawn sharp criticism from cybersecurity experts, who warn that granting financial support to an organisation after a major security incident could incentivise cybercriminals to increasingly target other UK firms with weak defences.

WestJet Confirms Data Breach Exposed Customer Passports and Government IDs

In a powerful example of the personal cost of breaches, Canadian airline WestJet confirmed details of the security incident that occurred in June, which exposed sensitive customer data.

The compromised personal information included names, dates of birth, mailing addresses and critical travel documents such as passports and other government issued identification numbers.

Importantly, the airline stated that no credit card numbers or passwords were involved.

Urgent Patching of RCE Flaws

These critical updates close vulnerabilities that could result in full system compromise.

OpenSSL Fixes Flaws That Enable Key Recovery and Remote Code Execution

The OpenSSL Project has released security updates to address three vulnerabilities. The most severe, CVE-2025-9230, is a flaw that can cause memory corruption, potentially leading to a Denial of Service (DoS) condition or, more critically, the execution of attacker-supplied code.

A second moderate-severity flaw, CVE-2025-9231, could be exploited to recover private keys on 64-bit ARM platforms. All systems using OpenSSL must be updated immediately to the latest patched versions.

Apple Urges Update to Patch Bug That Could Allow Remote Code Execution

Apple has released urgent security updates for iOS, iPadOS, macOS and visionOS to patch a medium-severity vulnerability, CVE-2025-43400, in the operating system’s FontParser component.

This out-of-bounds write issue can be exploited by a remote attacker using a specially crafted malicious font file, allowing arbitrary code execution and potentially full device compromise.

All eligible Apple devices must be updated immediately to the newest versions (iOS/iPadOS 26.0.1, macOS 26.0.1, etc.) as this is a mandatory patch to prevent remote system compromise.

This week’s news confirms that modern threats are highly aggressive, targeting both your technology through flaws like the Akira MFA bypass and your people via schemes like the UNC6040 vishing attacks. Survival against these short dwell time threats demands proactive security testing, not just patching.

Penetration Testing and Vulnerability Assessments uncover and strengthen technical weaknesses (SonicWall, OpenSSL). Simulated Phishing Attacks train your employees to defeat social engineering schemes. For enterprise wide resilience, Cybersecurity Maturity Assessments and Crisis Management Exercises prepare your organisation to manage fallout like the JLR incident.

Don’t get caught off guard. Get in touch with our team today to learn how our services can help you navigate these complex threats and secure your digital future.