
Weekly Cybersecurity Recap - 24 March 2025
This Week in Cybersecurity: Phishing, Ransomware, and a $32B Acquisition
Major Cyber Breaches, Malware and Industry Updates
Introduction
From urgent warnings about quantum computing threats to active campaigns against the energy sector, the cybersecurity landscape saw significant developments. A new study showed the UAE leading its region in cyber readiness, while critical vulnerabilities were found in widely used systems ranging from Brother printers to Microsoft Entra ID logins. Here’s a full recap of the most important cybersecurity stories.
OneClik Malware Targets Energy Sector Using Microsoft ClickOnce and Golang Backdoors
Cybersecurity researchers have detailed a new phishing campaign aimed at the energy sector that abuses Microsoft’s ClickOnce deployment technology. Attackers use a .NET loader called OneClikNet to deploy a custom Golang backdoor named RunnerBeacon, which communicates with attacker-controlled infrastructure masked by AWS services. This sophisticated approach reflects the increasing targeting of critical infrastructure with stealthy, multi-stage attacks.
Cyber Criminals Exploit Open-Source Tools to Compromise Financial Institutions Across Africa
Security experts have tracked sustained attacks on financial institutions across Africa, dating back to at least July 2023. The threat actors are using a mix of open-source and publicly available tools to maintain persistent access. Dubbed CL-CRI-1014 by Palo Alto Networks Unit 42, these campaigns often aim to sell initial access to other criminals on underground forums, highlighting the growing role of initial access brokers in the cybercrime ecosystem.
New Vulnerabilities Expose Millions of Brother Printers to Hacking
Security researchers from Rapid7 have discovered eight serious vulnerabilities affecting hundreds of Brother printer models. These flaws impact at least 689 models of printers, scanners, and label makers from Brother, and some of the issues also affect Fujifilm, Ricoh, Konica Minolta, and Toshiba devices. As a result, millions of enterprise and consumer printers are at risk of attack if not patched.
Microsoft 365 Direct Send Abused for Phishing
Attackers are exploiting Microsoft 365’s Direct Send feature to distribute convincing phishing emails that appear to come from within the victim’s organization. Because Direct Send relies on a smart host and lacks authentication requirements, it enables spoofed emails to bypass security controls. Varonis researchers warn that this technique doesn’t require compromising any account in the target tenant, making it especially insidious.
'CitrixBleed 2' Shows Signs of Active Exploitation
A new critical vulnerability in NetScaler ADC and Gateway, tracked as CVE-2025-5777 and dubbed "CitrixBleed 2," is showing signs of active exploitation in the wild. Like the original CitrixBleed flaw, this vulnerability allows attackers to steal valid session tokens from the memory of exposed devices. With a critical CVSS score of 9.3, it poses a serious threat to organizations that haven't applied patches.
nOAuth Lives on in Cloud App Logins Using Entra ID
Researchers say the nOAuth vulnerability, initially disclosed in 2023, never fully went away despite Microsoft’s rapid mitigation claims. The flaw allows attackers to take over accounts on SaaS apps that rely on Microsoft Entra ID for SSO by modifying an attacker-controlled Entra ID account to match a victim’s email. This method remains trivial to execute and continues to affect apps that don’t properly validate Entra ID identifiers.
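The identifier validation this item refers to, as an added example that is not from the original recap or the researchers' report: a relying app that looks accounts up by the `email` claim, next to one keyed on issuer plus subject. All tenant IDs, subjects and addresses are constructed placeholders, and the claims are assumed to come from an ID token whose signature, audience and expiry were already verified.

```python
# Added illustration: account lookup keyed on the mutable "email" claim versus
# the immutable issuer + subject pair. Claims are assumed to come from an ID
# token that was already verified (signature, audience, expiry).

# Constructed sample data: tenant IDs, subjects and addresses are placeholders.
VICTIM = {
    "iss": "https://login.microsoftonline.com/tenant-victim/v2.0",
    "tid": "tenant-victim",
    "sub": "sub-victim-0001",
    "email": "alice@example.com",
}
# An account in a different tenant whose email attribute was set to the victim's address.
ATTACKER = {
    "iss": "https://login.microsoftonline.com/tenant-attacker/v2.0",
    "tid": "tenant-attacker",
    "sub": "sub-attacker-9999",
    "email": "alice@example.com",
}


class AccountStore:
    def __init__(self):
        self.by_email = {}    # weak index: email -> account
        self.by_subject = {}  # strong index: (iss, sub) -> account

    def register(self, claims, account_name):
        self.by_email[claims["email"].lower()] = account_name
        self.by_subject[(claims["iss"], claims["sub"])] = account_name

    def login_by_email(self, claims):
        """Vulnerable pattern: trusts a claim the account owner can edit."""
        return self.by_email.get(claims["email"].lower())

    def login_by_subject(self, claims):
        """Hardened pattern: issuer + subject identify the account; email is display data."""
        return self.by_subject.get((claims["iss"], claims["sub"]))


def demo():
    store = AccountStore()
    store.register(VICTIM, "alice-account")
    return {
        "email_lookup_attacker": store.login_by_email(ATTACKER),
        "subject_lookup_attacker": store.login_by_subject(ATTACKER),
        "subject_lookup_victim": store.login_by_subject(VICTIM),
    }


if __name__ == "__main__":
    print(demo())
```

The email-keyed lookup resolves the foreign-tenant token to the victim's account, while the issuer-plus-subject lookup returns nothing for it and still resolves the legitimate user.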
UAE employees outpace EMEA peers in cyber confidence, study reveals
A recent study underscores the UAE workforce’s strong cyber-readiness, showing higher confidence levels than peers in Europe. According to research from Cohesity, 86% of UAE employees believe they can recognize a cyber threat, ahead of the UK (81%), Germany (80%), and France (62%). Almost nine in ten also trust their employer’s ability to prevent and recover from attacks, reflecting the country’s broader commitment to digital resilience and AI-driven defense.
Quantum risk is already changing cybersecurity
A new report from the Cyber Threat Alliance argues that quantum threats aren’t a distant worry but an active security challenge. The "Approaching Quantum Dawn" study urges organizations to prepare now, as future quantum computers could break today’s encryption. It’s not all alarm, though: the report focuses on actionable steps like adopting cryptographic agility to help companies get ahead of the risk.
UAE companies pay $1.33mn median ransom as cybersecurity threats rise
The latest Sophos State of Ransomware report shows nearly half of UAE companies paid ransoms in 2024, with a median payment of $1.33 million. Despite this, UAE organizations also excel in response, with 63% achieving full recovery within a week - well above the global average of 53%. This demonstrates both the intense threat landscape and the region’s growing maturity in cyber defense.