Cybersecurity Incident Analysis: July 9, 2025

Technical Analysis and Threat Intelligence Report

Date: July 10, 2025
Analysis Period: July 9, 2025
Classification: Technical Intelligence Report
Distribution: Internal Use


Executive Summary

July 9, 2025, marked a significant date in the cybersecurity landscape, primarily characterized by the public confirmation of the Qantas Airways data breach affecting 5.7 million customers and Microsoft's July 2025 Patch Tuesday release addressing 137 vulnerabilities, 14 of them rated Critical. This analysis provides technical details, indicators of compromise (IOCs), and threat intelligence for incidents occurring on or disclosed on this date.

Key Findings:

  • Primary Incident: Qantas Airways data breach confirmation (attack vector: third-party platform compromise)
  • Critical Vulnerabilities: Microsoft patched 137 vulnerabilities including 1 zero-day and 14 critical flaws
  • Threat Actor Attribution: Strong indicators point to Scattered Spider involvement in Qantas breach
  • Attack Trends: Continued focus on supply chain and third-party platform exploitation

Major Incident Analysis

1. Qantas Airways Data Breach (Confirmed July 9, 2025)

Incident Timeline

  • June 30, 2025: Initial detection of unusual activity
  • July 1, 2025: Public disclosure of cyberattack
  • July 7, 2025: Threat actors contacted Qantas (extortion attempt)
  • July 9, 2025: Comprehensive breach confirmation and customer notification

Technical Details

Attack Vector: Third-party customer servicing platform used by Qantas Manila call center
Initial Access Method: Social engineering targeting call center operations
Affected Systems: External customer service platform (core Qantas systems remained secure)

Data Compromised

  • Total Affected: 5.7 million unique customer records
  • High-Impact Records (1.7M): Names, email addresses, phone numbers, addresses, dates of birth, Frequent Flyer details
  • Standard Records (4M): Names, email addresses, Frequent Flyer numbers

Data NOT Compromised:

  • Credit card details
  • Personal financial information
  • Passport details
  • Account passwords/PINs
  • Login credentials

Threat Actor Attribution: Scattered Spider (UNC3944)

Confidence Level: High (analyst assessment based on TTP overlap; Qantas has not publicly named the actor)

Supporting Evidence:

  • FBI warning issued days before the breach about Scattered Spider targeting the airline sector
  • Attack methodology consistent with known Scattered Spider TTPs
  • Previous attacks on Hawaiian Airlines and WestJet attributed to the same group
  • Social engineering focus on call center operations (signature tactic)

MITRE ATT&CK Framework Mapping

Initial Access (TA0001)
  • T1566.004 - Phishing: Spearphishing Voice (vishing), targeting call center staff
  • T1199 - Trusted Relationship: access through the third-party customer servicing platform (a closer fit than T1195 Supply Chain Compromise, which covers tampered software or hardware rather than abuse of a vendor platform)

Credential Access (TA0006)
  • T1621 - Multi-Factor Authentication Request Generation (MFA fatigue / "MFA bombing")

Defense Evasion (TA0005)
  • T1656 - Impersonation: social engineering of help desk and call center personnel

Collection (TA0009)
  • T1530 - Data from Cloud Storage
  • T1213 - Data from Information Repositories (the customer servicing platform)

Exfiltration (TA0010)
  • Customer records exfiltrated for extortion; the transfer technique has not been publicly disclosed

Impact (TA0040)
  • T1657 - Financial Theft (attempted extortion of Qantas on July 7)

Indicators of Compromise (IOCs)

Note: Specific technical IOCs were not publicly disclosed by Qantas for operational security reasons

Behavioral Indicators:

  • Unusual access patterns to third-party customer service platforms
  • Anomalous data queries against customer databases
  • Social engineering attempts targeting call center staff
  • MFA fatigue attacks against administrative accounts

Recommendations

Immediate Actions:

  • Audit all third-party vendor access controls
  • Implement additional MFA protections (phishing-resistant)
  • Enhanced monitoring of customer service platforms
  • Staff training on social engineering recognition

Strategic Improvements:

  • Zero-trust architecture implementation
  • Supply chain security assessments
  • Incident response plan updates
  • Customer communication protocols

Microsoft Patch Tuesday Analysis (July 8-9, 2025)

Overview

Microsoft released comprehensive security updates addressing 137 vulnerabilities across its software ecosystem, including 1 publicly disclosed zero-day and 14 critical vulnerabilities.

Publicly Disclosed Zero-Day Vulnerability

CVE-2025-49719: Microsoft SQL Server Information Disclosure

Severity: Important (CVSS 7.5)
Status: Publicly disclosed with PoC available
Exploitation: No evidence of active exploitation in wild

Technical Details:

  • Vulnerability type: Improper input validation (CWE-20)
  • Attack vector: Network (AV:N)
  • Attack complexity: Low (AC:L)
  • Privileges required: None (PR:N)
  • User interaction: None (UI:N)

Impact: An unauthenticated attacker can read uninitialized memory contents, potentially exposing:

  • Application data
  • Credentials
  • Connection strings
  • Sensitive database information

Affected Versions:

  • SQL Server 2022 (16.0.1000.6 – 16.0.4195.2)
  • SQL Server 2019 (15.0.2000.5 – 15.0.4430.1)
  • SQL Server 2017 (14.0.1000.169 – 14.0.3490.10)
  • SQL Server 2016 (13.0.6300.2 – 13.0.6455.2)

Remediation note: Microsoft's advisory pairs the server update with a client-side fix; hosts that use the Microsoft OLE DB Driver for SQL Server should also be moved to the latest driver 18 or 19 release, since the server patch alone does not fully remediate the issue.
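The ranges above are only useful if builds are compared numerically rather than as strings. The following Python check, added for this report and not taken from Microsoft or from any of the cited sources, parses the value returned by SELECT SERVERPROPERTY('ProductVersion') and tests it against the ranges quoted above. The host names, build strings and the fixed-build override in it are constructed placeholders, not verified fixed builds.

```python
"""Triage SQL Server instances against the CVE-2025-49719 affected ranges.

Added example for this report (not Microsoft's tooling). The ranges are the
ones quoted in the report; the sample inventory and any fixed_builds entries
are constructed placeholders, not real hosts or verified fixed builds.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Inclusive (low, high) ranges reported as affected, keyed by product.
AFFECTED_RANGES: Dict[str, Tuple[str, str]] = {
    "SQL Server 2022": ("16.0.1000.6", "16.0.4195.2"),
    "SQL Server 2019": ("15.0.2000.5", "15.0.4430.1"),
    "SQL Server 2017": ("14.0.1000.169", "14.0.3490.10"),
    "SQL Server 2016": ("13.0.6300.2", "13.0.6455.2"),
}

# T-SQL that yields the build string each instance should report.
PRODUCT_VERSION_QUERY = "SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(128));"


def parse_build(version: str) -> Tuple[int, int, int, int]:
    """'16.0.4195.2' -> (16, 0, 4195, 2). Numeric tuples compare correctly;
    as strings '16.0.999.0' would sort after '16.0.4195.2'."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected ProductVersion: {version!r}")
    a, b, c, d = (int(p) for p in parts)
    return (a, b, c, d)


def affected_product(version: str, fixed_builds: Iterable[str] = ()) -> Optional[str]:
    """Return the product name if `version` lies inside an affected range and
    is not an explicitly known fixed build; otherwise None.

    SQL Server ships two servicing branches (GDR and CU). A GDR fixed build is
    numerically below the CU-branch top of its range, so the range test alone
    would flag it; `fixed_builds` (filled in from the KB articles) overrides.
    """
    if version.strip() in set(fixed_builds):
        return None
    build = parse_build(version)
    for product, (low, high) in AFFECTED_RANGES.items():
        lo, hi = parse_build(low), parse_build(high)
        if lo[0] == build[0] and lo <= build <= hi:
            return product
    return None


def triage(inventory: Dict[str, str], fixed_builds: Iterable[str] = ()) -> List[Tuple[str, str, str]]:
    """Map {host: ProductVersion} to a sorted list of (host, version, product)
    for every instance that still needs the update."""
    hits = []
    for host, version in inventory.items():
        product = affected_product(version, fixed_builds)
        if product:
            hits.append((host, version, product))
    return sorted(hits)


# Constructed sample inventory (hypothetical hosts and builds).
SAMPLE_INVENTORY = {
    "sql-prod-01": "16.0.4195.2",   # top of the 2022 range: still affected
    "sql-prod-02": "16.0.4200.1",   # above the range: treated as patched
    "sql-rep-01": "15.0.4430.1",    # 2019, affected
    "sql-old-01": "13.0.6300.2",    # 2016, affected
    "sql-legacy": "12.0.6449.1",    # 2014: not in the ranges; out of scope here
}

if __name__ == "__main__":
    for host, version, product in triage(SAMPLE_INVENTORY):
        print(f"{host}: {version} ({product}) needs the CVE-2025-49719 update")
```

Run PRODUCT_VERSION_QUERY against each instance (any SQL client will do) and feed the results in as the inventory. Treat a match as "verify against the KB", not as proof of exposure: because GDR and CU builds interleave numerically, the only authoritative answer is the fixed-build list in Microsoft's KB articles, which is what the fixed_builds override is for.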

Top Critical Remote Code Execution Vulnerabilities

CVE-2025-47981: SPNEGO Extended Negotiation RCE

Severity: Critical (CVSS 9.8)
Type: Heap-based buffer overflow in the NEGOEX security mechanism
Impact: Unauthenticated remote code execution without user interaction
Exposure: Microsoft's advisory ties the vulnerable code path to the policy "Network security: Allow PKU2U authentication requests to this computer to use online identities", which is enabled by default on Windows 10 version 1607 and later; treat every unpatched host with that default as exposed.

CVE-2025-49704: Microsoft SharePoint RCE

Severity: Critical (CVSS 8.8)
Type: Code injection
Impact: Authenticated attackers with Site Owner privileges can execute arbitrary code

Microsoft Office RCE Vulnerabilities

  • CVE-2025-49695, CVE-2025-49696, CVE-2025-49697: Critical (CVSS 8.4)
  • Exploitation: Can be triggered through preview pane without user interaction
  • Risk: High due to preview pane exploitation capability

Vulnerability Distribution

  • Elevation of Privilege: 53 patches (39%)
  • Remote Code Execution: 41 patches (30%)
  • Information Disclosure: 18 patches (13%)
  • Other categories: DoS, Spoofing, Security Feature Bypass

Additional Cybersecurity Events (July 9, 2025)

Strategic Developments

Israeli-U.S. Ransomware Partnership

  • Participants: Israel's National Cyber Directorate (INCD) and U.S. CISA
  • Scope: Real-time IOC sharing, coordinated darknet takedowns
  • Target Threats: Hive v4, BlackCat ransomware strains
  • Significance: National security approach to ransomware threats

Emerging Threat Trends

  • New Ransomware Wave: Targeting South Asian telecommunications
  • Attack Vectors: 5G backhauls, OT networks exploitation
  • Human Factor: 75% of Bangladeshi cyber incidents traced to human error

Other Notable Security Updates

  • Google Chrome: CVE-2025-6554 (actively exploited zero-day patched)
  • Third-party vendors: Cisco, Fortinet, Ivanti, SAP released security updates
  • End of Support: SQL Server 2012 Extended Security Updates (ESU) have ended; mainstream and extended support ended in 2017 and 2022 respectively, so remaining instances will receive no further security fixes

Threat Intelligence Assessment

Current Threat Landscape

  1. Supply Chain Attacks: Continued focus on third-party platform exploitation
  2. Social Engineering: Sophisticated vishing campaigns targeting help desk operations
  3. Ransomware Evolution: New strains with enhanced evasion capabilities
  4. Zero-Day Exploitation: Increased public disclosure before patching

Threat Actor Activity

  • Scattered Spider: Active targeting of aviation/transportation sector
  • Ransomware Groups: Hive v4, BlackCat showing increased sophistication
  • Nation-State Actors: Continued focus on critical infrastructure

Emerging Attack Vectors

  • 5G Infrastructure: New attack surface exploitation
  • OT Networks: Increased targeting of operational technology
  • AI-Powered Attacks: Enhanced social engineering capabilities
  • MFA Bypass: Advanced techniques including MFA fatigue attacks

Recommendations and Mitigations

Immediate Actions (0-30 days)

Patch Management:

  • Deploy the July 2025 Microsoft updates, prioritising CVE-2025-47981 (SPNEGO/NEGOEX, unauthenticated RCE, CVSS 9.8) on every Windows host and the publicly disclosed CVE-2025-49719 on SQL Server instances
  • Deploy the remaining Critical Microsoft patches (SharePoint, Office) immediately
  • Update Google Chrome to address CVE-2025-6554

Third-Party Risk:

  • Audit all vendor access controls
  • Implement additional monitoring for third-party platforms
  • Review and update vendor security requirements

Social Engineering Defense:

  • Enhanced training for call center and help desk staff
  • Implement verification procedures for sensitive requests
  • Deploy phishing-resistant MFA solutions

Strategic Improvements (30-90 days)

Architecture Enhancements:

  • Implement Zero Trust Network Access (ZTNA)
  • Deploy AI-driven deception grids
  • Enhance endpoint detection and response (EDR)

Threat Intelligence:

  • Subscribe to Scattered Spider threat feeds
  • Implement behavioral analytics for anomaly detection
  • Establish threat hunting capabilities

Incident Response:

  • Update playbooks for supply chain incidents
  • Establish communication protocols for data breaches
  • Conduct tabletop exercises for ransomware scenarios

Long-term Strategic Initiatives (90+ days)

Technology Adoption:

  • Evaluate quantum-resistant cryptography
  • Implement homomorphic encryption for sensitive data
  • Deploy blockchain-based identity management

Organizational Resilience:

  • Establish cross-border threat intelligence sharing
  • Implement sustainable security practices
  • Develop comprehensive workforce training programs

Indicators of Compromise (IOCs)

Behavioral Indicators

  • Unusual third-party platform access patterns
  • Repeated MFA authentication requests (MFA bombing)
  • Social engineering attempts targeting help desk
  • Anomalous database queries against customer records
  • Unexpected VM creation in cloud environments
  • Suspicious RMM tool installations
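The MFA-fatigue indicator listed here (and among the Qantas behavioural indicators earlier in this report) is detectable from ordinary identity-provider sign-in logs. The following Python detector is an added example for this report, not code from any of the cited sources or from Qantas: it runs over a constructed set of push-notification events (not real Qantas, vendor or IdP telemetry), raises one alert for every user who receives a burst of pushes inside a short window, and escalates when an approval follows the burst, which is the case where the bypass worked. The log format, window, threshold, user names and IP addresses are all assumptions.

```python
"""Detect MFA push bombing (ATT&CK T1621) in sign-in logs.

Added example for this report; the log format, thresholds and every event
below are constructed for illustration, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

WINDOW = timedelta(minutes=10)  # assumption: roughly one push timeout period
THRESHOLD = 5                   # assumption: pushes inside WINDOW before alerting

# Constructed events: "<ISO-8601 UTC> <user> <action> <source_ip>"
# Actions: push_sent, push_denied, push_timeout, push_approved
SAMPLE_EVENTS = [
    "2025-07-01T02:10:05Z alice push_sent 203.0.113.7",
    "2025-07-01T02:10:20Z alice push_denied 203.0.113.7",
    "2025-07-01T02:10:50Z alice push_sent 203.0.113.7",
    "2025-07-01T02:11:05Z alice push_denied 203.0.113.7",
    "2025-07-01T02:11:30Z alice push_sent 203.0.113.7",
    "2025-07-01T02:11:45Z alice push_denied 203.0.113.7",
    "2025-07-01T02:12:15Z alice push_sent 203.0.113.7",
    "2025-07-01T02:12:30Z alice push_denied 203.0.113.7",
    "2025-07-01T02:13:00Z alice push_sent 203.0.113.7",
    "2025-07-01T02:13:15Z alice push_denied 203.0.113.7",
    "2025-07-01T02:13:40Z alice push_sent 203.0.113.7",
    "2025-07-01T02:14:10Z alice push_approved 203.0.113.7",   # user gave in
    "2025-07-01T09:00:00Z bob push_sent 198.51.100.12",
    "2025-07-01T09:00:20Z bob push_approved 198.51.100.12",   # normal login
    "2025-07-01T17:30:00Z bob push_sent 198.51.100.12",
    "2025-07-01T17:30:15Z bob push_approved 198.51.100.12",
    "2025-07-01T23:01:00Z carol push_sent 203.0.113.9",
    "2025-07-01T23:01:40Z carol push_timeout 203.0.113.9",
    "2025-07-01T23:02:00Z carol push_sent 203.0.113.9",
    "2025-07-01T23:02:40Z carol push_timeout 203.0.113.9",
    "2025-07-01T23:03:00Z carol push_sent 203.0.113.9",
    "2025-07-01T23:03:40Z carol push_denied 203.0.113.9",
    "2025-07-01T23:04:00Z carol push_sent 203.0.113.9",
    "2025-07-01T23:04:40Z carol push_denied 203.0.113.9",
    "2025-07-01T23:05:00Z carol push_sent 203.0.113.9",
    "2025-07-01T23:05:40Z carol push_denied 203.0.113.9",      # held the line
]


def parse_event(line: str) -> Dict[str, object]:
    ts, user, action, ip = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "user": user,
        "action": action,
        "ip": ip,
    }


def find_bursts(times: List[datetime], window: timedelta,
                threshold: int) -> List[Tuple[datetime, datetime, int]]:
    """Greedy scan: from each push, take every later push that still fits in
    `window`; a run of >= threshold pushes is one burst. Returns
    (first_ts, last_ts, count) per burst without double-counting a push."""
    bursts = []
    i, n = 0, len(times)
    while i < n:
        j = i
        while j + 1 < n and times[j + 1] - times[i] <= window:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append((times[i], times[j], j - i + 1))
            i = j + 1
        else:
            i += 1
    return bursts


def detect_mfa_fatigue(lines: List[str], window: timedelta = WINDOW,
                       threshold: int = THRESHOLD) -> List[Dict[str, object]]:
    """One alert per (user, burst). Severity is 'high' when an approval lands
    between the burst's first push and `window` after its last push (the
    bypass-succeeded case); otherwise 'medium' (blocked or abandoned)."""
    by_user: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        by_user[str(ev["user"])].append(ev)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        pushes = [e["ts"] for e in events if e["action"] == "push_sent"]
        approvals = [e["ts"] for e in events if e["action"] == "push_approved"]
        for first, last, count in find_bursts(pushes, window, threshold):
            approved = any(first <= t <= last + window for t in approvals)
            alerts.append({
                "user": user,
                "first_push": first,
                "last_push": last,
                "pushes": count,
                "approved_after_burst": approved,
                "severity": "high" if approved else "medium",
            })
    return sorted(alerts, key=lambda a: (a["first_push"], a["user"]))


if __name__ == "__main__":
    for a in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['user']}: {a['pushes']} pushes "
              f"{a['first_push']:%H:%M:%S}-{a['last_push']:%H:%M:%S}, "
              f"approved={a['approved_after_burst']}")
```

On the sample data alice is reported as high (six pushes in under four minutes, then an approval) and carol as medium (five pushes, none approved), while bob's two ordinary logins produce nothing. A high-severity hit is the one to treat as an incident: the session that followed the approval, not just the account, needs to be revoked, and the source IP compared against the user's normal locations. Tune WINDOW and THRESHOLD to your IdP's push timeout and your own baseline before relying on it.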

Network Indicators

  • Connections to known Scattered Spider infrastructure
  • Unusual data transfer volumes to cloud storage services
  • SSH tunneling activities in targeted environments
  • Reverse proxy tool installations (rsocx)

File System Indicators

  • Deployment of commercial RMM tools (AnyDesk, LogMeIn)
  • Privilege escalation utilities (LinPEAS)
  • Cloud-specific tools (aws_consoler)
  • Port scanning tools (RustScan)

Conclusion

July 9, 2025, represents a critical inflection point in the cybersecurity landscape, highlighting the persistent evolution of threat actors and attack methodologies. The Qantas breach demonstrates the continued effectiveness of supply chain attacks combined with sophisticated social engineering, while Microsoft's extensive patch release underscores the ongoing challenge of vulnerability management in complex enterprise environments.

Organizations must adopt a multi-layered defense strategy that addresses both technical vulnerabilities and human factors, with particular attention to third-party risk management and advanced threat actor TTPs. The emergence of new attack vectors and the increasing sophistication of threat actors necessitate continuous adaptation of security strategies and technologies.

The strategic partnerships between nations and the focus on sustainable security practices indicate a maturing approach to cybersecurity that extends beyond traditional technical controls to encompass broader organizational and societal considerations.


References

  1. Qantas Airways. (2025, July 9). Update on Qantas cyber incident. Retrieved from https://www.qantasnewsroom.com.au/media-releases/update-on-qantas-cyber-incident-wednesday-9-july-2025/

  2. Qualys. (2025, July 9). Microsoft Patch Tuesday, July 2025 Security Update Review. Retrieved from https://threatprotect.qualys.com/2025/07/09/microsoft-patch-tuesday-july-2025-security-update-review/

  3. CrowdStrike. (2025, July 9). July 2025 Patch Tuesday: Updates and Analysis. Retrieved from https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-july-2025/

  4. BleepingComputer. (2025, July 9). Qantas confirms data breach impacts 5.7 million customers. Retrieved from https://www.bleepingcomputer.com/news/security/qantas-confirms-data-breach-impacts-57-million-customers/

  5. Hipther. (2025, July 9). Cybersecurity Roundup: Partnerships, Funding, and Emerging Threats. Retrieved from https://hipther.com/latest-news/2025/07/09/95313/cybersecurity-roundup-partnerships-funding-and-emerging-threats-july-9-2025-cyberark-ai%E2%80%91ops-databahn-ai-zero%E2%80%91day-exploits-ransomware-gangs/0/

 

 


Priyanka, Co-Founder and Editor, CISO Platform Breach Intelligence, leads our threat intelligence and incident analysis efforts, providing actionable insights to the global cybersecurity community. With extensive experience in cybersecurity leadership and breach analysis, she specializes in translating complex technical threats into strategic intelligence for security executives.
