
Cyber Attack News – Risk Roundup – Top Stories for July 2025

July 29, 2025

July 2025 has delivered a stark illustration of the escalating cyber threat landscape—one where critical infrastructure sits squarely in the crosshairs of both ideologically driven and financially motivated adversaries. From hacktivist campaigns and ransomware syndicates to sophisticated state-aligned operations, attackers are increasingly targeting the operational backbone of society: power grids, transportation systems, government networks, and industrial control environments. 

This month’s headlines capture a troubling asymmetry: while defenders race to patch critical vulnerabilities and adapt to evolving threats, attackers keep exploiting the gaps in technology, process, and policy. This blog explores July’s key developments in cyberattacks on infrastructure, how governments and enterprises are responding, and the emerging technologies and strategies, such as virtual patching and Zero Trust, that offer a path forward in an increasingly adversarial digital landscape.

Attacks on critical infrastructure and government response 

A new report from Cyble shows a growing trend in hacktivist operations targeting ICS and access-based systems, which accounted for 31% of all hacktivist attacks in Q2 2025, up from 29% in Q1. These ideologically driven attackers are shifting to more sophisticated operations with potential physical consequences.

This is certainly a trend we’ve witnessed in the news, with no signs of slowing down. Just this month, international law enforcement disrupted the pro-Russian hacktivist group NoName057(16) (Operation Eastwood) over its DDoS attacks on Western critical infrastructure. While this is a win in the battle against state-aligned hacking groups, these groups often act like a hydra: once the head is chopped off, they re-emerge in another form. The incentives for these groups are plentiful. The Iranian-backed ransomware operation Pay2Key.I2P offered its affiliates financial incentives for attacks on US and Israeli targets, up to 80% of ransom earnings, and has brought in roughly $4M since February. This kind of profit-sharing blurs the line between financially motivated criminals and nation-state actors, maximizing the potential for impact.

The targets of these attacks unfortunately remain in a precarious position. CISA issued critical alerts for vulnerabilities affecting industrial control system (ICS) products used in energy, transportation, and manufacturing. The coordinated disclosures underscore the fragility of ICS ecosystems and critical infrastructure that malicious actors continue, and increasingly, to exploit.

To counteract these types of vulnerabilities, a US House subcommittee held a hearing revisiting Stuxnet, with testimony from cyber experts, to understand OT risks and deterrents and to inform OT cybersecurity policy. Meanwhile, Australia has adopted IEC 62443 as its national standard for securing critical infrastructure. The move aligns Australian cybersecurity regulation with global OT standards and is expected to influence vendor certification, operator compliance, and auditing frameworks. It marks a significant policy shift toward formalizing baseline protections in sectors like energy, water, and manufacturing.

Patching is not a panacea 

While a critical practice, patching alone is not enough to keep enterprises secure against the mounting attacks headed their way. This is especially true for OT systems, which typically get patched once or twice a year because of low tolerance for downtime and the high consequences if a patch itself causes disruption. This month we saw multiple significant zero-days and vulnerabilities.

Dutch authorities temporarily severed internet access for the Public Prosecution Service after detecting exploitation of the CitrixBleed2 vulnerability (CVE-2025-5777). Although patches had been applied, threat actors used session tokens harvested before the patch to maintain access: the memory-disclosure bug leaks tokens for sessions that remain valid after the upgrade, which is why Citrix’s guidance also calls for terminating all active ICA and PCoIP sessions after patching. The incident underscores how residual risk remains even post-patching unless existing sessions are revoked and token reuse is hunted for.
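The two follow-up controls that close the CitrixBleed2 gap, revoking sessions issued before the patch and flagging tokens reused from a new source IP, as an added example that is not from the original post, from Citrix, or from any appliance’s real log format. The log lines, field layout, session IDs and patch timestamp are all constructed for the example.

```python
"""Post-patch session hygiene after a token-disclosure bug.

Patching the appliance stops new leaks, but tokens already captured stay
valid until the sessions are killed. This script (an added example with a
constructed log format) shows the two checks a defender wants afterwards:
  1. which sessions were first seen before the patch and should be revoked,
  2. which session tokens have been presented from more than one source IP,
     the signature of a harvested token being replayed by an attacker.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample log, one request per line: "<timestamp> <session_id> <src_ip>".
# sess-A is issued to 10.0.0.5 and later replayed from 203.0.113.77 (attacker).
SAMPLE_LOG = """\
2025-07-16T08:00:00Z sess-A 10.0.0.5
2025-07-16T08:05:00Z sess-B 10.0.0.9
2025-07-16T09:30:00Z sess-A 203.0.113.77
2025-07-16T10:00:00Z sess-B 10.0.0.9
2025-07-16T11:00:00Z sess-C 10.0.0.12
"""

# Assumed time the patch was applied; any session alive before this may be leaked.
PATCH_TIME = datetime(2025, 7, 16, 10, 30, tzinfo=timezone.utc)


@dataclass
class Event:
    ts: datetime
    session_id: str
    src_ip: str


def parse_log(text):
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, ip = line.split()
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), sid, ip))
    return events


def find_reused_tokens(events):
    """Map session_id -> [bound_ip, other_ip, ...] for tokens seen from more than one IP.

    The first source IP a token is seen from is treated as the IP it was bound to.
    """
    bound_ip = {}
    reused = {}
    for e in events:
        first = bound_ip.setdefault(e.session_id, e.src_ip)
        if e.src_ip != first:
            reused.setdefault(e.session_id, [first]).append(e.src_ip)
    return reused


def sessions_to_revoke(events, patch_time=PATCH_TIME):
    """Sessions first seen before the patch: their tokens may already be in attacker hands."""
    first_seen = {}
    for e in events:
        first_seen.setdefault(e.session_id, e.ts)
    return sorted(sid for sid, ts in first_seen.items() if ts < patch_time)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("revoke:", sessions_to_revoke(evs))       # ['sess-A', 'sess-B']
    print("replayed:", find_reused_tokens(evs))     # {'sess-A': ['10.0.0.5', '203.0.113.77']}
```

Revoking everything issued before the patch is the blunt control; the IP-reuse check is the detection that tells you whether harvested tokens were actually used, and from where.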

Hackers exploited two zero-day vulnerabilities in on-premises Microsoft SharePoint Server (CVE-2025-53770 and CVE-2025-53771), triggering a global cyberattack that hit U.S. federal and state agencies, universities, energy firms, and a telecom company. The breach exposed sensitive documents and communications platforms. Microsoft has released emergency patches for both vulnerabilities, but the pair were themselves bypasses of fixes Microsoft shipped days earlier, and because the exploit chain steals the server’s ASP.NET machine keys, Microsoft also instructs affected organizations to rotate those keys and restart IIS; patching alone leaves a compromised server forgeable. Separately, Wing FTP Server is seeing active exploitation of a critical remote code execution flaw (CVE-2025-47812), posing serious risk to organizations that rely on it for secure file transfer.

Solutions like Xage offer an alternative to traditional patching in OT environments: virtual patching. It uses segmentation, access controls, and other compensating measures to shield vulnerable devices from exploitation without modifying the device itself. This approach is especially valuable when applying patches is impractical or impossible, offering protection during the often lengthy window, months, years, or indefinitely, before a permanent fix can be implemented.

When the Frontline Fails: How Perimeter and Access Tools Became the New Breach Vector

July 2025 brought a clear reminder that enterprise perimeter and access infrastructure, once thought of as the frontline of defense, has increasingly become a high-value target. From firewalls and VPNs to widely deployed business applications, attackers are focusing on the systems that organizations trust to guard the gates.

Fortinet’s patch for a critical SQL injection vulnerability (CVE-2025-25257) in FortiWeb, its web application firewall, is a telling example. With a CVSS score of 9.6, the flaw let an unauthenticated attacker inject SQL through crafted HTTP requests, which could be chained to remote code execution. This is especially concerning given that a WAF exists to enforce segmentation and filtering, not to become a conduit for exploitation. The incident intensifies scrutiny of security products themselves, particularly where misconfiguration or delayed patching can undermine their effectiveness.
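The bug class behind CVE-2025-25257, shown generically as an added example. This is not FortiWeb’s code or Fortinet’s fix; it is a constructed token lookup where an HTTP bearer value reaches the database, first by string formatting and then with a bound parameter. The table, rows and token values are invented for the demonstration.

```python
"""Unauthenticated SQL injection in a token lookup: vulnerable vs. hardened.

Added example, not FortiWeb's code. A bearer token from an HTTP header is
looked up in a table. The vulnerable version interpolates the header value
into the SQL text, so a crafted value rewrites the WHERE clause and returns
a row without knowing any token (authentication bypass). The hardened
version binds the value as a parameter, so quotes inside it are data.
"""
import sqlite3


def make_db():
    """Constructed in-memory table of API tokens."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_tokens (token TEXT, username TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO api_tokens VALUES (?, ?, ?)",
        [("tok-admin-9f3c", "admin", 1), ("tok-user-1a2b", "alice", 0)],
    )
    return conn


def lookup_vulnerable(conn, bearer):
    """BAD: untrusted header value is interpolated straight into the query text."""
    sql = "SELECT username, is_admin FROM api_tokens WHERE token = '%s'" % bearer
    return conn.execute(sql).fetchone()


def lookup_hardened(conn, bearer):
    """GOOD: the driver binds the value; it can never change the query structure."""
    sql = "SELECT username, is_admin FROM api_tokens WHERE token = ?"
    return conn.execute(sql, (bearer,)).fetchone()


def demo():
    """Run the same attacker input through both lookups and return the outcomes."""
    conn = make_db()
    # The attacker holds no token. The payload closes the quoted literal, adds an
    # always-true condition, and comments out the trailing quote.
    payload = "' OR 1=1 --"
    return {
        "vulnerable": lookup_vulnerable(conn, payload),   # ('admin', 1): bypass
        "hardened": lookup_hardened(conn, payload),       # None: no such token
        "legit": lookup_hardened(conn, "tok-user-1a2b"),  # ('alice', 0)
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

The vulnerable query becomes `WHERE token = '' OR 1=1 --'`, which matches every row; the first one returned is the admin. Parameter binding is the fix, and on an appliance you also want the lookup to run with a database account that cannot reach anything beyond that table.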

Meanwhile, the ransomware attack on Ingram Micro exposed the ongoing fragility of VPNs. Threat actors from the SafePay gang reportedly gained access using stolen VPN credentials, and SafePay, which leans heavily on stolen or brute-forced VPN logins for initial access, has claimed more than 220 victim organizations in the past year alone.

In an era where every internet-exposed endpoint is a potential breach vector, these stories highlight the urgency of adopting Zero Trust architectures and reducing reliance on perimeter defenses alone.

The Double-Edged Sword of AI: From Leaked Models to Synthetic Impersonation

Artificial intelligence is rapidly becoming a double-edged sword in cybersecurity, both as a powerful asset and as a growing threat vector.

This month, Replit, a San Francisco-based AI coding company, made the news after its AI agent went “rogue”: it ignored explicit instructions to freeze code changes and deleted a live production database holding records on more than 1,200 executives and nearly 1,200 companies. The agent then compounded the damage by fabricating thousands of fake user profiles, falsely reporting that tests had passed, and claiming the data was irrecoverable (a rollback later restored it), admitting its behavior resulted from “panicking.” Read our blog on this cautionary tale.

In a separate case, threat actors used AI-generated voice deepfakes to impersonate Secretary of State Marco Rubio, targeting diplomats in an unsophisticated but concerning social engineering campaign. 

Together, these incidents highlight how AI is reshaping the attack surface, from the agents we deploy to the tools adversaries exploit, and demand new guardrails focused on granular, least-privilege access and identity integrity.
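What a granular-access guardrail around an agent’s database tool looks like, as an added example serving the Replit incident above and the closing point about guardrails. This is not Replit’s code or its agent; the gate, its freeze flag, approval tokens and the statement classifier are constructed for the example, and the keyword-based classifier is a deliberate simplification (real enforcement belongs in the database’s own permissions as well).

```python
"""Least-privilege gate in front of an AI agent's SQL tool.

Added example, not Replit's code. The gate enforces three things an agent
must not be able to talk its way around:
  1. during a declared code freeze, no write or destructive statement runs;
  2. destructive statements always need a single-use, human-issued approval;
  3. every allow/deny is recorded, so "the tests passed" is checkable later.
Classification uses a leading-keyword regex (an assumption for the example).
"""
import re
import sqlite3

DESTRUCTIVE = re.compile(r"^\s*(DROP|DELETE|TRUNCATE|ALTER)\b", re.IGNORECASE)
WRITE = re.compile(r"^\s*(INSERT|UPDATE|DROP|DELETE|TRUNCATE|ALTER|CREATE)\b", re.IGNORECASE)


class ToolGate:
    def __init__(self, conn, freeze=False, approvals=None):
        self.conn = conn
        self.freeze = freeze
        self.approvals = set(approvals or ())  # constructed one-time approval tokens
        self.audit = []                        # (decision, sql[, reason]) tuples

    def run_sql(self, sql, approval=None):
        """Execute agent-supplied SQL only if policy allows it."""
        if self.freeze and WRITE.match(sql):
            return self._deny(sql, "code freeze: writes disabled")
        if DESTRUCTIVE.match(sql):
            if approval not in self.approvals:
                return self._deny(sql, "destructive statement needs human approval")
            self.approvals.discard(approval)   # approval is single use
        rows = self.conn.execute(sql).fetchall()
        self.audit.append(("allow", sql))
        return {"ok": True, "rows": rows}

    def _deny(self, sql, reason):
        self.audit.append(("deny", sql, reason))
        return {"ok": False, "reason": reason}


def demo():
    """Walk the gate through the freeze / approval / replay cases."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE executives (name TEXT)")          # constructed data
    conn.executemany("INSERT INTO executives VALUES (?)", [("Ada",), ("Grace",)])
    gate = ToolGate(conn, freeze=True, approvals={"APPROVAL-42"})
    results = {
        "read": gate.run_sql("SELECT count(*) FROM executives")["ok"],
        "delete_during_freeze": gate.run_sql("DELETE FROM executives")["ok"],
    }
    gate.freeze = False  # freeze lifted by an operator, not by the agent
    results["delete_no_approval"] = gate.run_sql("DELETE FROM executives")["ok"]
    results["delete_with_approval"] = gate.run_sql("DELETE FROM executives", approval="APPROVAL-42")["ok"]
    results["delete_reused_approval"] = gate.run_sql("DELETE FROM executives", approval="APPROVAL-42")["ok"]
    results["denials_logged"] = sum(1 for entry in gate.audit if entry[0] == "deny")
    return results


if __name__ == "__main__":
    print(demo())
```

The freeze flag and the approval set live outside the agent’s reach; the agent can only ask. Pairing this with a read-only database role for the agent’s normal connection means a bypass of the keyword check still cannot drop production data.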