July’s highlights show the growing intersection of automation and exploitation. Researchers demonstrated how language models can coordinate multi-host attacks, while real-world incidents are continuing to evolve.
Techniques
LLMs Gain Autonomy in Multi-Host Cyber Attacks
Researchers at Carnegie Mellon (with Anthropic) demonstrated that Large Language Models (LLMs), when augmented with a special “translator” layer, can autonomously plan and execute complex multi-host network attacks in controlled environments.
In their study, the team introduced Incalmo, an abstraction framework that lets an LLM issue high-level actions (e.g. scan network, infect host) which are then translated into low-level commands by dedicated agents. Without this aid, some advanced LLMs failed to achieve meaningful progress in simulated multi-step intrusions, often generating incorrect or irrelevant attack commands. In 90% of complex attack scenarios using Incalmo, LLMs made significant progress, and in 50%, they completed full multi-stage breaches including lateral movement and data exfiltration. Smaller AI models with the translator performed as well as or better than larger ones without it, indicating that strategic guidance can matter more than the model size.
The implications are double-edged: this approach could automate labour-intensive penetration testing, lowering the skill barrier for defensive security assessments, but it also shows how minimal “scaffolding” might enable LLMs to become potent offensive tools. The researchers caution that while this capability is still experimental, it signals how quickly AI-driven cyberattacks could become feasible once an effective planning and execution pipeline is in place. They have open-sourced their attack simulation framework (minus actual exploit code) to encourage further research, and to support the community with staying ahead of the curve as “AI vs. AI” cybersecurity battles loom on the horizon.
Malicious Scanning Spikes Precede New CVEs
Threat intelligence firm GreyNoise revealed a striking pattern: in roughly 80% of cases studied, a sudden spike in Internet-wide malicious activity (such as mass scanning, probing or brute-force attempts) was followed by a new vulnerability disclosure (CVE) within about six weeks.
By analysing its global sensor network data since late 2024, GreyNoise identified 216 distinct “spike events” targeting enterprise networking products. In half of these events, a related security flaw was disclosed within just 3 weeks, and 80% led to a new CVE within 6 weeks. These correlations were strongest for technologies often targeted by state-sponsored actors, Ivanti, SonicWall, Palo Alto, and Fortinet devices showed especially pronounced patterns. Notably, the spiking activity usually involved attackers exploiting known bugs or intensifying recon on those systems. GreyNoise researchers theorise that threat actors may be opportunistically combing through exposed systems, and in doing so either discover new weaknesses or identify fresh targets for soon-to-be-unveiled exploits.
In practice there is a simple takeaway for IT professionals: stay wired into trusted advisory channels and patch fast. Make sure your team is subscribed to feeds from the NCSC and vendor security bulletins, enabling a fast response to new CVEs with targeted patch application and / or implementation of mitigating controls.
Happenings
[Global] Microsoft SharePoint Zero‑Day Fuels Ransomware
A newly disclosed Microsoft SharePoint vulnerability (nicknamed “ToolShell”) turned into an active battleground in July, as threat actors raced to exploit unpatched servers, including installation of ransomware on some systems before organisations could apply fixes.
The critical zero-day in on-premises SharePoint was first spotted in early July, prompting Microsoft to release out-of-band patches amid reports that hackers were already abusing it. Those reports proved true: security firm Eye Security found at least 400 SharePoint servers compromised in the wild (out of ~23,000 tested), with victims including U.S. government agencies.
Initially used for espionage and data theft, the exploits soon took a more destructive turn. In a recent blog update, Microsoft reported that a threat group known as Storm-2603, has begun exploiting a SharePoint vulnerability to deploy Warlock ransomware on unpatched servers. In some cases, the notorious LockBit ransomware was deployed as well. Storm-2603 has a history of targeting governments and stealing cryptographic keys from SharePoint systems.
Microsoft noted that other hacking groups were also likely to be leveraging the same SharePoint vulnerabilities, and it urged administrators worldwide to patch immediately and monitor any unusual activity on SharePoint servers. Organisations running on-prem SharePoint are advised to install all available updates (the initial patch was incomplete and later supplemented) and to check for indicators of compromise, as attackers continue to piggyback on this flaw to infiltrate networks and extort companies.
[Global] Flood of Fake Gaming Sites Steals Crypto from Players
A fraud campaign is flooding social media and chat platforms with ads for hundreds of polished but fake online gaming and betting sites that ultimately swindle cryptocurrency deposits from victims.
The scheme lures players by pretending to partner with popular influencers (for example, citing YouTuber MrBeast’s brand) and offering “free” credits (e.g. $2,500) via promo codes to start playing. Users can register and play casino-style games on these sites, but any winnings are fictional. When a player attempts to cash out, the site claims a “verification” deposit (around $100 in crypto) is required first – leading to victims being strung along with further payment demands, resulting in users never seeing their money again. The fraudsters generate a unique crypto wallet address per victim and use a mix of AI-driven and human “support” agents to deflect withdrawal requests and eventually cut off communications. While each individual victim loses a relatively small sum, the scale and automation of this “scambling” (scam gambling) empire allow its perpetrators to steal from a large number of people with minimal effort.
Users should be extremely wary of get-rich gaming offers on sites such as Discord and Reddit. These sites may look like real online casinos, but they exist solely to pilfer deposits and disappear.
[UK] Disgruntled Former Employee Cyber Spree
31-year-old IT worker in West Yorkshire has been sentenced to 7 months imprisonment for causing £200,000 worth of intentional business and reputational damages to their former employer. The man went on a “digital rampage” in 2022 after being informed of his suspension from work, including changing every key password and breaking the company’s MFA. This locked staff out of critical systems disrupting operations for customers in the UK, Germany, and Bahrain. Investigators later discovered phone records of the man boasting about the sabotage.
This is a textbook case of an insider risk, where a disgruntled worker sabotages the company; Diode recommends that companies employ processes to revoke privileged access at the time of suspension, dismissal, or serious investigation to avoid such threats.
[US] Saint Paul Cyberattack
A severe cyberattack on the City of Saint Paul, Minnesota (the state’s capital) brought down numerous municipal systems in late July, prompting the Governor to activate the National Guard’s cyber unit to assist in the response.
Discovered on Friday 25th of July, the attack left many city services struggling; online payment portals were taken offline, including library, parks and recreation systems, and staff worked overtime with state and federal agencies to respond. Crucially, emergency services (911 dispatch, etc.) remained unaffected, but the incident’s impact was significant enough that over the weekend it exceeded local IT incident response capabilities. By Tuesday, Saint Paul’s officials formally requested help from Minnesota’s National Guard cyber defence team. Governor Tim Walz signed an emergency order deploying the National Guard to restore critical services and strengthen the city’s cyber defences.
While details of the attack vector or perpetrators have not been made public, the city emphasised that vital operations would be safeguarded with the National Guard’s assistance as they work to bring systems back online.
[Russia] Aeroflot Cyberattack Grounds Flights
Russia’s flagship airline Aeroflot suffered a cyberattack that forced the cancellation of over 60 flights and caused widespread delays. While Russian authorities stopped short of officially naming the threat actor, two hacktivist groups, “Silent Crow” (Ukrainian) and “Cyberpartisans BY” (Belarusian anti-regime), boldly claimed responsibility on social media.
The attackers alleged an extraordinary level of long-term access: according to their statements, they infiltrated Aeroflot’s IT network for over a year, mapping out key systems, and then unleashed destructive actions to “destroy” the infrastructure. In the attack’s climax, the hackers say they simultaneously wiped some 7,000 physical and virtual servers, including critical databases (12TB of flight records, 8TB of files, 2TB of emails). They also claim to have exfiltrated extensive data, including employee workstations and call recordings, and have threatened to leak all stolen information publicly, a move that could expose sensitive details on millions of passengers.
Aeroflot has not confirmed the hackers’ specific claims, but the operational meltdown (with dozens of flights grounded) and emergency fallback to manual procedures suggest serious damage to IT systems. This incident, which hacktivists framed as retaliation related to the war in Ukraine, is one of the most high-profile cyberattacks on the aviation sector in recent memory.