Aeroflot grounded by 'crippling cyberattack' as Silent Crow takes credit
Microsoft probes early alert system leak tied to SharePoint hacks, Women’s Tea app hit with photo leak, Allianz Life confirms major data breach, Hackers claim Naval Group breach, US senator urges Musk to block SpaceX cyberscammers, much more.


Check out my latest CSO piece on the challenges CISOs face because most of their colleagues don't know what they do.
A Special Request
Metacurity has been a labor of love for years, and I’m so grateful for your readership. Your support can help ensure I can continue delivering the carefully curated weekly long-reads and daily digests of the most critical developments in cybersecurity.
If you find value in what Metacurity offers, please consider upgrading to a paid subscription. We also provide corporate subscription options, and soon we’ll be introducing affordable sponsorship opportunities—perfect for promoting your events or products to a highly engaged audience.
To learn more, feel free to reach out at cynthia@metacurity.com.
Thank you so much for being part of the Metacurity community.
If you can't commit to a subscription, please consider donating what you can afford to help keep Metacurity free to all.
Russian airline Aeroflot was forced to cancel dozens of flights on Monday after a shadowy pro-Ukrainian hacking group claimed responsibility for what it said was a crippling cyberattack.
The national carrier did not provide further details about the cause of the problem or how long it would take to resolve, but departure boards at Moscow's Sheremetyevo airport turned red as flights were cancelled at a time when many Russians take their holidays.
The Kremlin said the situation was worrying, and prosecutors confirmed the airline's problems were the result of a hack and opened a criminal investigation.
A statement purporting to be from a hacking group called Silent Crow said it had carried out the operation together with a Belarusian group called Cyberpartisans BY, and linked it to the war in Ukraine.
"Glory to Ukraine! Long live Belarus!" said the statement, whose authenticity Reuters could not immediately verify.
The statement in the name of Silent Crow said the cyberattack was the result of a year-long operation that had deeply penetrated Aeroflot's network, destroyed 7,000 servers, and gained control over the personal computers of employees, including senior managers.
Silent Crow has previously claimed responsibility for attacks this year on a Russian real estate database, a state telecoms company, a large insurance firm, the Moscow government's IT department, and the Russian office of South Korean car maker KIA. Some of these resulted in significant data leaks.
"The information that we are reading in the public domain is quite alarming. The hacker threat is a threat that remains for all large companies providing services to the population," Kremlin spokesman Dmitry Peskov said.
The airline said it had cancelled more than 50 flights - mostly within Russia but also including routes to the Belarusian capital Minsk and the Armenian capital Yerevan - after reporting a failure in its information systems. At least 10 other flights were delayed. (Dmitry Antonov and Filipp Lebedev / Reuters)
Related: The Moscow Times, Belsat.eu, Kyiv Independent, Odessa Journal
Sources say Microsoft is investigating whether a leak from its early alert system for cybersecurity companies, the Microsoft Active Protections Program, or MAPP, allowed Chinese hackers to exploit flaws in its SharePoint service before they were patched.
They say the company is looking into whether the program, designed to give cybersecurity experts a chance to fix computer systems before the revelation of new security concerns, led to the widespread exploitation of vulnerabilities in its SharePoint software globally over the past several days.
“As part of our standard process, we'll review this incident, find areas to improve, and apply those improvements broadly,” a Microsoft spokesperson said.
Microsoft has attributed SharePoint breaches to state-sponsored hackers from China, and at least a dozen Chinese companies participate in the initiative.
Members of the 17-year-old program must prove they are cybersecurity vendors and that they don’t produce hacking tools like penetration testing software. After signing a non-disclosure agreement, they receive information about novel patches to vulnerabilities 24 hours before Microsoft releases them to the public.
A subset of more highly vetted users receives notifications of an incoming patch five days earlier.
Dustin Childs, head of threat awareness for the Zero Day Initiative at cybersecurity company Trend Micro, says Microsoft alerted members of the program about the vulnerabilities that led to the SharePoint attacks. “These two bugs were included in the MAPP release,” says Childs, whose company is a MAPP member.
“The possibility of a leak has certainly crossed our minds.” He adds that such a leak would be a dire threat to the program, “even though I still think MAPP has a lot of value.” (Ryan Gallagher, Margi Murphy, and Patrick Howell O'Neill / Bloomberg)
Related: Reuters, Cyber Daily, Livemint
As first reported by 404 Media, hackers breached the Tea app, which recently went viral as a place for women to safely talk about men, and tens of thousands of women’s selfies and photo IDs have now seemingly been leaked online.
The app has angered some men and prompted a thread on the right-wing troll message board 4Chan, in which users called for a “hack and leak” campaign. The company became aware of the incident.
A 4Chan user posted a link Friday morning, allegedly allowing people to download the database of stolen images, and troves of alleged victims’ identification photos have been posted on 4Chan and X.
On Google Maps, a user has created a map that purports to show the locations of Tea users that were affected by the hack, though there are no names attached to the coordinates posted.
The company estimates that 72,000 images, including 13,000 verification photos and pictures of government IDs, were accessed.
Signing up for Tea requires users to take selfies, which the app says are deleted after review, to prove they are women. All users who get accepted are promised anonymity outside of the usernames they choose. Taking screenshots of what’s in the app is also blocked.
The hacker accessed a database from more than two years ago, the Tea spokesperson said, adding that “This data was originally stored in compliance with law enforcement requirements related to cyberbullying prevention.” (Kevin Collier and Angela Yang / NBC News)
Related: Cartoons Hate Her, CNET, Baller Alert, Associated Press, Gizmodo, Sandra Rose, Business Insider, R Street Institute, Mashable, Barron's Online, Engadget, Neowin, Washington Post, BBC News, Fortune, 404 Media, Infosecurity Magazine, Mezha, NewsNation
US insurance giant Allianz Life confirmed that hackers stole the personal information of the “majority” of its customers, financial professionals, and employees during a mid-July data breach.
Allianz Life spokesperson Brett Weinberg said, “On July 16, 2025, a malicious threat actor gained access to a third-party, cloud-based CRM system used by Allianz Life,” referring to a customer relationship management (CRM) database containing information on its customers.
“The threat actor was able to obtain personally identifiable data related to the majority of Allianz Life’s customers, financial professionals, and select Allianz Life employees, using a social engineering technique."
The company disclosed the data breach on Saturday in a legally required filing with Maine’s attorney general, but did not immediately provide a number of how many Allianz Life customers are affected. According to the spokesperson, Allianz Life has 1.4 million customers. Its parent company, Allianz, has more than 125 million customers worldwide. (Zack Whittaker / TechCrunch)
Related: Maine Attorney General, Reuters, Associated Press, BleepingComputer, Bloomberg, WinBuzzer, r/cybersecurity, r/technology, r/privacy, AInvest, BBC News, Cyber Security News, Daily Mail, BBN Times, Web Pro News, Cyber Express, Insurance Business, PYMNTS, IT News
French defense company Naval Group said it has been targeted by potential cyber attackers who claim to have accessed sensitive data relating to its submarines and frigates.
The ship and submarine maker said that it had been the target of a “reputational attack” by hackers in a “context marked by international, business and informational tensions”. No ransom demand has been made.
The hackers have published 30 gigabytes of information in an online forum that they claim relates to the combat management system of Naval’s submarines and frigates, and said they have one terabyte of data.
Naval is currently analysing the authenticity of the documents published. It said it had not detected any intrusion in its systems, that it had begun an investigation, and that it is working with the French government. (Ian Johnston / Financial Times)
Related: FirstPost, Financial Times, Sirine Amrane, Red Hot Cyber, Sri Lanka Guardian, The Telegraph
Senator Maggie Hassan (D-NH) sent a letter to SpaceX CEO Elon Musk urging him to block transnational criminal groups in Southeast Asia from using Starlink satellite internet service to commit fraud against Americans.
She cited recent reports that Starlink is being used to facilitate fraud against Americans by a broad range of transnational criminal organizations operating "scam compounds" in Southeast Asia. The US Treasury Department’s Financial Crimes Enforcement Network said these groups defrauded Americans out of billions of dollars, she added.
"Scam networks in Myanmar, Thailand, Cambodia, and Laos, however, have apparently continued to use Starlink despite service rules permitting SpaceX to terminate access for fraudulent activity," Hassan wrote in the letter. "SpaceX has a responsibility to block criminals from using the service to target Americans." (David Shepardson / Reuters)
Google suspended the account of phone surveillance operator Catwatchful, which was using the tech giant’s servers to host and operate the monitoring software.
Catwatchful was an Android-specific spyware that presented itself as a child-monitoring app “undetectable” to the user.
Google’s move to shut down the spyware operation comes a month after TechCrunch alerted the technology giant that the operator was hosting the operation on Firebase, one of Google’s developer platforms. Catwatchful relied on Firebase to host and store vast amounts of data stolen from thousands of phones compromised by its spyware.
“We’ve investigated these reported Firebase operations and suspended them for violating our terms of service,” Google spokesperson Ed Fernandez told TechCrunch in an email this week.
Catwatchful is no longer functioning, nor does it appear to transmit or receive data, according to a network traffic analysis of the spyware. (Zack Whittaker / TechCrunch)
Related: TipRanks, Cryptopolitan
VPN demand is soaring in the UK as Britons get ready to work around new age verification checks, with Proton VPN reporting an hourly increase in sign-ups of over 1,400% starting from Friday, July 25, 2025.
This coincides with new age verification requirements under the Online Safety Act, which force all platforms displaying adult content and potentially harmful materials to ensure users are over 18 via robust identity checks.
Related: Financial Times, David Buchanan, The Verge, Mashable


Cyber specialists from Ukraine's Defense Intelligence (HUR) reportedly carried out a days-long, large-scale special operation targeting the occupation authorities in Crimea, with one DDoS attack paralyzing the information systems and network infrastructure in Crimea.
While Russian occupiers were scrambling to identify the cause of the government systems' failure, HUR cyber experts are said to have infiltrated the electronic accounts of the leadership of the occupation administration in temporarily occupied Crimea.
Over two days, 100 terabytes of documents belonging to the occupation authorities of the peninsula were downloaded.
Among the files were "top secret" documents containing data on military facilities and logistics routes used to supply occupying forces in Crimea.
"There's so much data extracted that we're about to learn a lot of explosive details about the operations and crimes of Russian occupiers in Ukrainian Crimea," the source said. "We'd like to extend our thanks for helping this special operation succeed to Anton Lyaskovsky, the deputy health minister of the occupation government in Crimea," the interlocutor said. (Yuliia Akymova, Kateryna Danishevska / RBC-Ukraine)
Related: Ukrinform, Kyiv Post, Babel, Mezha, UNN, The New Voice of Ukraine
Police in Cyprus are investigating the theft of digital assets from a crypto wallet after a report by a 48-year-old man.
The official complaint, which was filed by the man on July 26, claimed that digital assets worth €381,653 or around $448,000 were stolen from his wallet.
The theft occurred after hackers accessed the victim’s email and used it to obtain the wallet password on June 11. The stolen funds were swiftly moved to another wallet, prompting police to warn that recovery will be tough. (Sohrab Khawas / CoinPedia)
Related: AInvest, Bitcoin, The Crypto Times, Cryptopolitan
The US Cybersecurity and Infrastructure Security Agency (CISA) revealed that LG Innotek LNV5110R cameras are affected by an authentication bypass vulnerability that can allow an attacker to gain administrative access to the device.
The recently discovered flaw leaves hundreds of devices exposed to remote hacking, and they will not receive a patch.
The flaw, tracked as CVE-2025-7742 and assigned a ‘high severity’ rating, can allow an attacker to upload an HTTP POST request to the device’s non-volatile storage, which can result in remote code execution with elevated privileges, according to CISA.
LG Innotek has been notified, but said the vulnerability cannot be patched as the product has reached end of life.
Souvik Kandar, the MicroSec researcher credited by CISA for reporting the vulnerability, said there are roughly 1,300 cameras that are exposed to the internet and which can be remotely hacked. (Eduard Kovacs / Security Week)
Related: CISA, GBHackers, Cyber Security News
More than 200,000 WordPress websites are using a vulnerable version of the Post SMTP plugin that allows hackers to take control of the administrator account.
Post SMTP is a popular email delivery plugin for WordPress that has more than 400,000 active installations. It’s marketed as a replacement for the default ‘wp_mail()’ function that is more reliable and feature-rich.
On May 23, a security researcher reported the vulnerability to WordPress security firm PatchStack. The flaw is now identified as CVE-2025-24000 and received a medium severity score of 8.8.
The security issue affects all versions of Post SMTP up to 3.2.0 and is due to a broken access control mechanism in the plugin’s REST API endpoints, which only verified if a user was logged in, without checking their permission level.
This means that low-privileged users, such as Subscribers, could access email logs containing full email content.
The plugin’s developer, Saad Iqbal, was informed about the flaw and responded with a fix for Patchstack to review on May 26. (Bill Toulas / Bleeping Computer)
Related: Security Week
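The broken access control described above is a common WordPress REST API mistake: a `permission_callback` that only asks whether a user is logged in treats authentication as authorization, so any Subscriber passes. The following is an added example written for this digest, not code from the Post SMTP plugin; the route names, the `example-maillog` namespace and the option-backed log store are hypothetical. It registers the weak pattern beside a hardened version that checks a capability, using only core WordPress functions.

```php
<?php
/**
 * Plugin Name: Example Mail Log REST Hardening
 * Description: Added example (not Post SMTP code) showing a REST endpoint
 *              whose permission_callback only checks login state, beside a
 *              hardened version that checks a capability.
 */

// Hypothetical log store. A real plugin would use a custom table; an option
// is enough to make the endpoints return something.
function example_maillog_get_entries() {
    return get_option( 'example_maillog_entries', array() );
}

// WEAK: is_user_logged_in() is true for every role, Subscribers included.
// This is the shape of check that lets low-privileged users read mail logs.
function example_maillog_permission_weak( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// HARDENED: require a capability that only administrators hold by default.
// manage_options is a core capability; a plugin can register its own
// (e.g. via add_cap on the administrator role) if finer control is wanted.
function example_maillog_permission_hardened( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You do not have permission to view mail logs.', 'example-maillog' ),
            // 401 for anonymous callers, 403 for authenticated ones.
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Shared handler: both routes return the same data, so the only thing that
// decides who can read full message bodies is the permission callback.
function example_maillog_list( WP_REST_Request $request ) {
    return rest_ensure_response( example_maillog_get_entries() );
}

add_action( 'rest_api_init', function () {
    // Vulnerable shape: authenticated == authorized.
    register_rest_route( 'example-maillog/v1', '/logs-weak', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_maillog_list',
        'permission_callback' => 'example_maillog_permission_weak',
    ) );

    // Hardened shape: authorization is tied to a capability, not login state.
    register_rest_route( 'example-maillog/v1', '/logs', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_maillog_list',
        'permission_callback' => 'example_maillog_permission_hardened',
    ) );
} );
```

To see the difference, log in as a Subscriber and call `/wp-json/example-maillog/v1/logs-weak` and `/wp-json/example-maillog/v1/logs` with a valid `X-WP-Nonce` header: the first returns the log entries, the second returns a 403 `rest_forbidden` response. When auditing a site's plugins for this class of bug, the quick check is to search their source for `register_rest_route` and look at every `permission_callback`: values of `is_user_logged_in`, `__return_true`, or a closure that only checks login state deserve a second look, since WordPress itself enforces nothing beyond what that callback returns.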
According to a new policy brief from the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), maritime ports, responsible for 80 percent of global trade and serving as critical NATO logistics hubs, are facing a surge in cyberattacks from state-linked actors.
The report highlights a sharp rise in threats targeting European and Mediterranean port facilities, with many attacks traced to Russia, Iran, and China.
It revealed that nearly all surveyed countries have experienced cyber attacks within the past five years, with access control systems and vessel traffic management systems identified as the main reported risks. (Anna Ribeiro / Industrial Cyber)
Related: CCDCOE, Port Strategy, Dataconomy, Help Net Security, Freight Waves
Evidence-based cybersecurity startup Root Evidence announced it has raised $12.5 million in a seed round.
The oversubscribed financing was led by Ballistic Ventures with participation from Grossman Ventures and others. (PR Newswire)
Related: FinSMEs
Cybersecurity unicorn Axonius is acquiring Cynerio, a healthcare IoT cybersecurity and asset management startup, in an all-Israeli deal worth $180 million.
The total value of the acquisition could grow to $250 million, contingent on Cynerio achieving specific milestones.
Founded in 2018 by CEO Leon Lerman and CTO Daniel Brodie, both veterans of the IDF’s elite Unit 8200, Cynerio builds firewalls designed to protect medical devices from cyberattacks.
Cynerio employs approximately 70 people across Israel, the US, and Europe. Most of the team is expected to be absorbed into Axonius, which plans to leverage the acquisition to expand its product suite into healthcare and critical infrastructure sectors. The move is projected to increase Axonius' annual recurring revenue (ARR) by tens of millions of dollars within the first year post-acquisition. (Golan Hazani / CTech)
Related: SiliconANGLE
Best Thing of the Day: It Takes a Strong Company to Admit It Was Wrong
Managed security provider Expel issued a post backtracking from its earlier report that a new form of phishing attack allowed an attacker to circumvent a FIDO passkey-protected login.
Worst Thing of the Day: How Many People Needlessly Died?
Google admitted its earthquake early warning system failed to accurately alert people during Turkey's deadly 2023 earthquake.
Closing Thought