Ransomware infection rates surge in Europe, signaling potential US threat
Summary
Ransomware infection rates in Europe have surged to three to four times higher than in the United States. This increase is driven by various factors, including cyberattacks stemming from the war in Ukraine and the exploitation of basic security oversights. The rise in European infections serves as a warning for US defenders, highlighting the need for proactive security measures to prevent similar attacks. The surge in ransomware activity in Europe is attributed to pro-Russian hacktivist groups, cybercriminal gangs, and ransomware-as-a-service (RaaS) affiliates. These groups are targeting critical infrastructure, airports, media, and government networks, exploiting unpatched systems, exposed remote desktop ports, outdated firewalls, and poor credential hygiene. The US is advised to strengthen its cybersecurity posture by prioritizing real-time patch management, preparing for data exposure, and recognizing the vulnerability of small and midsize businesses. The current European situation underscores the need for robust cyber defenses to mitigate potential future threats in the US.
Timeline
- 20.08.2025 17:00 (1 article)
Ransomware infection rates surge in Europe, signaling potential US threat
Ransomware infection rates in Europe have surged to three to four times higher than in the United States. This increase is driven by various factors, including cyberattacks stemming from the war in Ukraine and the exploitation of basic security oversights. The rise in European infections serves as a warning for US defenders, highlighting the need for proactive security measures to prevent similar attacks.
Sources:
- Europe's Ransomware Surge Is a Warning Shot for US Defenders, www.darkreading.com, 20.08.2025 17:00
Information Snippets
- Europe's ransomware infection rate is three to four times higher than in the US.
  First reported: 20.08.2025 17:00 (1 source, 1 article)
- Pro-Russian hacktivist groups and cybercriminal gangs are targeting European critical infrastructure.
  First reported: 20.08.2025 17:00 (1 source, 1 article)
- Ransomware tactics are evolving to include data exfiltration and public extortion.
  First reported: 20.08.2025 17:00 (1 source, 1 article)
- Nearly half of all ransomware victims pay the ransom, even when they have backups.
  First reported: 20.08.2025 17:00 (1 source, 1 article)
- Small and midsize businesses report more ransomware incidents than enterprises.
  First reported: 20.08.2025 17:00 (1 source, 1 article)
Similar Happenings
U.S. sanctions Southeast Asian cyber scam operations targeting Americans
The U.S. Department of the Treasury has sanctioned multiple cyber scam operations in Southeast Asia, primarily in Burma and Cambodia, which collectively stole over $10 billion from Americans in 2024. These operations use forced labor, human trafficking, and violence, operating as modern slavery farms. The scams involve romance baiting and fake cryptocurrency investments. The financial damage increased by 66% compared to 2023. The sanctions target 19 entities and individuals, including those linked to the Karen National Army (KNA) in Burma and various organized crime networks in Cambodia. The sanctions block these entities from the U.S. financial system and limit their access to international financial services. The cybercriminal syndicates in Southeast Asia are estimated to net nearly $40 billion annually in illicit profits. In May, OFAC targeted Funnull Technology Inc. and its administrator Liu Lizhi for their part in romance scams that caused more than $200 million in losses. In July, Cambodian law enforcement raided several cyber-scam centers, arresting more than 1,000 people, the majority of whom were foreign nationals. The UNODC reported that the cybercriminal operations in the region netted $40 billion in 2024, a significant fraction of the GDPs of many nations in the region. Interpol reported arrests of more than 1,200 cyber- and financial criminals in Africa, many of whom were foreign nationals from Southeast Asia conducting similar operations.
Jaguar Land Rover Cyberattack Disrupts Production and Retail Operations
Jaguar Land Rover (JLR) experienced a cyberattack that severely disrupted its production and retail operations. The incident forced the company to shut down several systems over the weekend, including those at the Solihull plant. Customer data appears to have been affected. JLR is working to restore operations but has not provided a timeline or details about the attack. The attack occurred during the launch of new registration plates, a busy period for JLR. This is the second cyberattack JLR has suffered this year. The incident had a global impact, affecting multiple manufacturing plants in the UK. No ransomware group has officially claimed responsibility, but a group called "Scattered Lapsus$ Hunters" has claimed involvement. JLR operates under Tata Motors India and produces over 400,000 vehicles annually, employing 39,000 people.
WhatsApp Zero-Day Exploited in Targeted Spyware Campaign
A zero-day vulnerability in WhatsApp (CVE-2025-55177) was exploited in targeted attacks against fewer than 200 users. The flaw allowed unauthorized users to process content from arbitrary URLs on targeted devices. The attacks were sophisticated and involved chaining with a separate Apple vulnerability (CVE-2025-43300) affecting iOS, iPadOS, and macOS. The vulnerability was patched in WhatsApp's messaging apps for Apple iOS and macOS. The exploit could have allowed attackers to trigger the processing of content from arbitrary URLs on a target's device, potentially leading to spyware deployment. The attacks were part of a targeted spyware campaign, with WhatsApp sending in-app threat notifications to affected users. Apple has also sent multiple threat notifications since 2021, alerting users in over 150 countries about these sophisticated attacks. Apple has introduced Memory Integrity Enforcement (MIE) in the latest iPhone models to combat memory corruption vulnerabilities. The spyware market has seen an increase in U.S. investors and new entities in various countries.
AI-Powered Cyberattacks Targeting Critical Sectors Disrupted
Anthropic disrupted an AI-powered operation in July 2025 that used its Claude AI chatbot to conduct large-scale theft and extortion across 17 organizations in healthcare, emergency services, government, and religious sectors. The actor used Claude Code on Kali Linux to automate various phases of the attack cycle, including reconnaissance, credential harvesting, and network penetration. The operation, codenamed GTG-2002, employed AI to make tactical and strategic decisions, exfiltrating sensitive data and demanding ransoms ranging from $75,000 to $500,000 in Bitcoin. The actor used AI to craft bespoke versions of the Chisel tunneling utility to evade detection and disguise malicious executables as legitimate Microsoft tools. The operation highlights the increasing use of AI in cyberattacks, making defense and enforcement more challenging. Anthropic developed new detection methods to prevent future abuse of its AI models.
Chinese State-Sponsored Actors Compromise Global Critical Infrastructure Networks
Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the group known as Salt Typhoon, have been conducting a sustained campaign to gain long-term access to critical infrastructure networks worldwide. This campaign targets telecommunications, transportation, lodging, and military networks, exploiting vulnerabilities in routers and taking steps to evade detection and maintain persistent access. The Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners, released a joint advisory detailing this ongoing malicious activity. The advisory provides actionable guidance and intelligence to help organizations defend against these sophisticated cyber threats. It builds on previous reporting and incorporates updated threat intelligence from investigations conducted through August 2025, reflecting overlapping indicators with industry reporting on various Chinese state-sponsored threat groups. Salt Typhoon has been active since at least 2019, targeting at least 600 organizations across 80 countries, including 200 in the U.S. The Czech Republic's National Cyber and Information Security Agency (NUKIB) issued a warning about data transfers to China, highlighting concerns over the transfer of system and user data to the PRC and the remote administration of technical assets. The Czech government previously accused China of targeting its critical infrastructure through APT31, an effort that began in 2022. China's offensive cyber activities include large-scale telco attacks by Salt Typhoon and positioning for potential destructive cyberattacks. The advisory attributes this cluster of activity to multiple advanced persistent threats (APTs), though it partially overlaps with Salt Typhoon.
The advisory details how state-backed threat actors, including Salt Typhoon, penetrate networks around the world, as well as how defenders can protect their own environments. The Czech Republic's National Cyber and Information Security Agency (NUKIB) has assessed the risk of significant disruptions caused by China at a 'High' level, indicating a high probability of occurrence. NUKIB confirmed malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs. The Chinese government has access to data stored by private cloud service providers within the Czech Republic, ensuring that sensitive data is always within its reach. NUKIB warns about consumer devices, such as smartphones, IP cameras, electric cars, large language models, and even medical devices and photovoltaic converters manufactured by Chinese firms, as risky devices that can transfer potentially sensitive data to Chinese infrastructure. 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, with the oldest domain registration activity dating back to May 2020.