Monthly Threat Report

A quick summary of relevant threats to the SMB environment

July 2025

Critical SharePoint Zero-Day & Ransomware Surge 

This July, attackers began exploiting newly disclosed zero-day vulnerabilities in on-premises Microsoft SharePoint servers (not SharePoint Online) to gain remote code execution. Over 400 systems have already been compromised, with sophisticated ransomware groups—like Warlock—using these vulnerabilities to gain footholds in small- to mid-sized environments.

Why it matters for SMBs: 

  • Many SMBs host SharePoint on-premise without continuous patching routines. 

  • An unpatched server could mean a rapid full-disk encryption attack, potentially locking your entire infrastructure within hours. 

Action Tip: Immediately inventory all on-prem SharePoint servers, apply Microsoft's July patches, and ensure endpoint protection covers these entry points. 

Ransomware Boom Hits SMB Segment 

A recent NordStellar report shows ransomware attacks spiked 49% in H1 2025, totaling over 4,000 cases—with SMBs (51–200 employees & $5M–$25M revenue) among the most targeted groups (IT Pro).

Why SMBs are at risk: 

  • Many rely on third-party IT providers or lack strong vendor oversight. 

  • Attackers exploit ransomware-as-a-service models, using basic vulnerabilities or phished credentials. 

Action Tip: Implement regular backups, multifactor authentication (MFA), and frequent tabletop exercises to strengthen your response readiness. 


Supply Chain & Password Weaknesses 

SMB-targeted breaches often originate from third-party and credential-based vulnerabilities: 

  • 15% of SMB breaches in 2025 trace back to supply chain compromise.

  • 63% of SMB employees reuse passwords, making credential-stuffing attacks more effective.

  • Nearly 47% lack any incident response plan—leaving them exposed to extended downtime.

Why these are critical: 
Unvetted vendors, reused credentials, and a lack of formal IR planning all increase the likelihood and impact of an inevitable breach. 

Action Tip: Adopt a vendor-risk framework, enforce MFA and password hygiene, and formalize an IR plan you can realistically execute during a crisis. 


Putting This Into Practice 

To protect your SMB from the latest cyber threats: 

  • Patch ASAP: Focus on zero-days like SharePoint vulnerabilities. Even a single unpatched server creates a wedge for attack. 

  • Simulate & Prepare: Tabletop exercises reveal gaps before a real crisis—empowering your team to act decisively. 

  • Secure Your Ecosystem: Improve password hygiene, implement MFA for staff and vendors, back up regularly, and automate vulnerability scanning. 


Cyber threats are evolving fast—and attackers see SMBs as high-value targets. But with proactive planning, vigilance, and strategic preparation, even lean teams can stay ahead of the threats. 

If you’d like help with rapid assessments, patch prioritization, tabletop simulations, or vendor-risk programs, we’re here to help. 

June 2025

As summer ramps up, cybercriminals don’t take a break—and SMBs are often the easiest target. Below are June’s most significant threats, real-world breaches, and what your business can do now to stay protected.

Qilin Ransomware Group Surges 212%

The emerging Qilin ransomware gang executed 81 known attacks in June alone, marking a 212% spike over the previous month. Heavily targeted sectors include Professional Services, Healthcare, and IT.¹

Why SMBs Should Care: Even small firms with limited attack surfaces are seeing enterprise-grade tactics. Qilin is using stolen RMM tools and phishing kits to gain footholds.

Ransomware Attacks Nearly Double Year-over-Year

More than 4,100 ransomware incidents were reported in the first half of 2025—up 49% compared to the same period last year. SMBs in the 25–250 employee range were hit hardest, especially in the U.S.²

Why This Matters: Ransomware-as-a-service kits are now accessible to lower-skilled attackers, making SMBs ideal entry points and easy targets.

Microsoft WebDAV Zero-Day (CVE‑2025‑33053)

Microsoft patched a zero-day vulnerability in its WebDAV module for IIS/SharePoint systems. This flaw was actively exploited by espionage groups throughout June.³

SMB Impact: Many small organizations still host legacy or hybrid environments where these services run quietly in the background—unpatched and exposed.

What SMBs Can Do Now

  1. Patch Immediately – Apply Microsoft’s June critical patches, especially CVE‑2025‑33053.

  2. Run a Vulnerability Scan – Focus on public-facing services and exposed endpoints.

  3. Simulate Real Attacks – Use Qilin-style ransomware scenarios in tabletop drills.

  4. Tighten Identity Controls – Enforce MFA, rotate admin credentials, and reduce privilege sprawl.

  5. Verify Offline Backups – Confirm you can recover quickly—even if the network is locked down.

How Tier 5 Can Help

With deep military and DoD cybersecurity experience, Tier 5 offers practical, right-sized protection for SMBs:

  • vCISO Leadership & Fractional Security Team

  • Ransomware Readiness & Tabletop Simulations

  • Patch Prioritization & Vulnerability Management

  • Backup Testing & Incident Workflow Development

Don’t Wait for a Crisis

SMBs are increasingly targeted not because of what they have—but because of what they connect to. Threat actors know your defenses are stretched. Tier 5 can close the gap.

Sources
CYFIRMA Ransomware Report – June 2025: https://www.cyfirma.com/research/tracking-ransomware-june-2025 
Identity Week Report on H1 2025 Ransomware Trends: https://identityweek.net/ransomware-attacks-nearly-double-in-2025 
Help Net Security – Microsoft Zero-Day Exploited in June: https://www.helpnetsecurity.com/2025/06/11/microsoft-fixes-zero-day-exploited 

May 2025

Nation-state cyber operators are increasingly targeting small-to-mid-sized companies—frequently as weak links in larger campaigns. Here are three current examples illustrating the need for robust defensive measures:

APT31 Strikes Czech Foreign Ministry

In late May 2025, the Czech Republic officially blamed China's APT31 (also known as “Zirconium”) for infiltrating its Ministry of Foreign Affairs. The group used stealthy cyber-espionage tools to gather sensitive diplomatic communications and credentials. Although the ministry is not an SMB, the attack reinforces that every organization—even a small third-party vendor—can be leveraged in a larger campaign.

APT Logistics: Supply-Chain Compromise Hits SMBs

A recent analysis confirms that 92% of the cyber incidents analyzed by Verizon involved small firms in supply-chain attacks. APT groups often breach smaller vendors first and then pivot into larger targets.²

Volt Typhoon Escalates Telecom Intrusions

Microsoft warns that Volt Typhoon (UNC3236)—a China-linked APT—continues its intrusions into U.S. telecom infrastructure. Although targeting critical systems, SMBs that support or integrate with telecoms are often part of the collateral damage.³

Why SMBs Should Care

  • You’re the entry point: APTs often target smaller suppliers or partners to reach bigger objectives.

  • Stealth breeds impact: Long-term intrusions can silently siphon data or distribute malware deep into the network.

  • No industry safe zone: Even non-regulated SMBs—like tech resellers, regional consultancies, or manufacturing vendors—can be targeted.

How Tier 5 Helps You Defend

  1. Supply-Chain Security Enhancements
    We help secure your third-party integrations and vet vendor code to block APT pivot paths.

  2. Endpoint Hardening & EDR Monitoring
    We deploy and manage EDR tooling that detects living-off-the-land tactics and suspicious behaviors in real time.

  3. vCISO & Fractional Security Expertise
    Our team—including former national-level cyber operators—guides your security strategy, designs segmentation, and manages incident readiness.

  4. Tabletop Exercises with APT Scenarios
    We simulate real-world persistence and lateral movement to test your defenses proactively.

Sources
CSIS Cyber Incidents Tracker – May 2025
Wikipedia: Supply Chain Attack Overview
Wikipedia: Volt Typhoon Profile
The Australian: ASIO Warns All Organizations Are Vulnerable
ConnectWise: May 2025 Cyber Threat Brief
VMblog: N-Able SMB Threat Report

April 2025

While many small and mid-sized businesses scale into summer, adversaries ramp up their campaigns—targeting overlooked vendors, legacy systems, and third-party tools. April reminded us: threats don’t wait for budgets or attention to catch up. Below are three key events and why they matter.

Abilene Shuts Down IT After Cyberattack

In late April, the City of Abilene, TX suffered a cyberattack that forced them to disconnect critical services, including server access and public systems. While essential services remained operational, the incident forced offline mode due to widespread server issues and loss of administrative access—demonstrating the importance of preparedness even in local public-sector environments.¹

April Threat Trends Show Rising Ransomware & Supply-Chain Tactics

The ConnectWise Cyber Research Unit’s April Threat Brief detailed an uptick in ransomware and supply-chain attacks affecting MSPs and SMBs alike—especially targeting remote-access tools like ScreenConnect and deployment environments. These campaigns highlight that what affects your MSP or vendor can quickly ripple back to your organization.

Outlook on Critical Vulnerabilities

The Trellix April CyberThreat Report underscored that high-severity vulnerabilities—especially in legacy infrastructure and exposed web apps—are being actively exploited. These include on-prem servers and unpatched software scenarios common in SMB environments.³

Why These April Events Matter to SMBs

  • They reveal the weak points where adversaries pivot—your MSP, your legacy server, or your supply chain.

  • They underscore that visibility isn’t optional: awareness and rapid response plans save hours—and thousands.

  • They prove attackers don’t discriminate—they compromise trusted tools, forgotten servers, and third parties, no matter how small.

How Tier 5 Helps You Hold the Line

  1. Proactive Vendor Monitoring
    We help you assess and monitor third-party tools—like ConnectWise or legacy systems—for early warning signs.

  2. Legacy Risk Reduction
    We flag outdated servers, unmonitored terminals, or exposed endpoints, and include them in vulnerability scanning and patch planning.

  3. Incident Response Readiness
    Backed by our vCISO and Fractional Security Team, we help craft and test IR plans so you can act fast—before going offline.

  4. APT & Targeted Scenario Tabletop Exercises
    Simulating realistic attack chains based on April’s threats—supply-chain compromise, municipal outages, and exploitation—ensures your team is ready.

Sources

Black Arrow Cyber Threat Intelligence Briefing – April 25, 2025 (City of Abilene attack)
ConnectWise Cyber Threat Brief – April 2025 Edition (MSP supply chain & ransomware trends)
Trellix April 2025 CyberThreat Report (vulnerability exploitation insights)

March 2025

This March, cyber adversaries intensified their efforts—targeting SMBs directly and using them as strategic footholds. Here are four critical events and their implications for your organization:

Palau Health Ministry Hit by Qilin Ransomware

On March 1, Palau’s Ministry of Health was hit by the Qilin ransomware gang, leading to data theft and public disclosure of patient information.¹

Why this matters for SMBs: Healthcare organizations—even small clinics—can be prime targets for high-impact ransomware groups.

Toronto Zoo Data Exposure: 20 Years of Visitor Records Leaked

A breach disclosed in March 2025 revealed visitor data spanning two decades at the Toronto Zoo—caused by Akira ransomware attackers

Why this matters for SMBs: Even non-traditional targets (like attractions or small cultural institutions) can be breached through third-party or unmanaged vendor exposures.

Leap in Manufacturing Ransomware—RansomHub Tops the Charts

Analysis from Cyfirma reports RansomHub as the top ransomware threat in March, particularly hitting manufacturing, IT firms, and consumer service providers—some of whom are SMB vendors.³

Why this matters for SMBs: Supply-chain exposure often starts with small businesses—attackers pivot to larger networks via trusted vendors.

Multiple Zero-Day Exploits Disclosed in March Patch Tuesday

March saw critical vulnerabilities across VMware ESXi, Windows, Cisco, and Android systems—many actively exploited.¹⁰ CVE‑2025‑22224 impacted over 37,000 exposed VMware servers, while multiple Android zero-days targeted unpatched devices.⁴

Why this matters for SMBs: Even a single unpatched server at a small business can be used to infiltrate broader networks.

Why These March Events Matter

  • Attackers don’t discriminate—they target weaknesses, not size.

  • SMBs often serve as entry points to larger systems or chains.

  • Tools and techniques are weaponized quickly, leaving little time for response.

How Tier 5 Helps You Rally

  1. Proactive Vulnerability Scanning
    We monitor for zero-day and high-risk exploits—patching them before attackers find them.

  2. Supply-Chain Risk Assessment
    We audit vendor exposure and test breakout scenarios—closing potential pivot paths.

  3. Ransomware Preparedness & Response
    With our vCISO and Fractional Security Team, you’ll have playbooks, readiness tests, and live escalation support.

  4. Managed Endpoint Security
    We deploy managed EDR and file integrity tooling to detect stealthy setups and suspicious behaviors on key systems.

Sources
“Palau Health Ministry recovers from Qilin ransomware attack” – March 1, 2025 (cm-alliance.com)
“Toronto Zoo visitor records stolen by Akira ransomware” – March 5, 2025 (cm-alliance.com)
Cyfirma Tracking Ransomware – March 2025 (data on RansomHub targeting SMB sectors)
CM Alliance “CVE‑2025‑22224 VMware ESXi exploited zero‑day alert” – March 2025 patch analysis
VikingCloud SMB threat briefing – “Nearly 1 in 5 SMBs would shut down after $10K attack”

February 2025

Cyber adversaries intensified activity in February—targeting businesses through ransomware, cryptojacking, supply-chain vectors, and espionage. Below are four notable incidents that highlight areas of vulnerability for small and mid-sized organizations.

Lazarus Group Steals $1.5B from Bybit (Feb 21)

North Korea–linked Lazarus Group orchestrated a record-breaking theft of approximately $1.5 billion in Ethereum from the Dubai-based crypto exchange Bybit. Exploiting a third-party wallet vulnerability, the breach underscores how attackers leverage software dependencies to target high-value assets.¹²

Lee Enterprises Disrupted by Qilin Ransomware (Feb 9)

Media conglomerate Lee Enterprises, which runs hundreds of local newspapers, fell victim to a ransomware attack attributed to the Qilin gang. The breach disrupted printing and publishing operations across multiple states and highlighted that legacy or poorly secured publishing platforms remain high-risk.²⁴

Genea (Fertility Clinic) Data Exposed — ~700GB Stolen (Feb 14)

Australian fertility provider Genea was hit by the Termite ransomware group, resulting in 700 GB of personal health data being leaked. Patient records—including Medicare numbers, health histories, and identities—were exposed, causing severe reputational damage and regulatory scrutiny.³⁴

Espionage Campaigns Surge Against SMEs in Asia

Chinese cyber actors launched widespread espionage targeting government bodies, manufacturing firms, telecom vendors, and media organizations across Southeast Asia and Taiwan. These campaigns often leveraged cloud tools like Dropbox for stealth data exfiltration—a tactic increasingly seen in SMB environments.⁶

Why These Events Matter for SMBs

  • SMBs act as indirect targets: Adversaries exploit vendors or cloud-delivered software to bypass defenses.

  • Operational disruption = revenue loss: Even smaller-scale attacks can halt key functions, like newspaper printing or payroll access.

  • Patient data = regulatory and reputational risk: Health, legal, and professional services firms face long-term fallout from privacy breaches.

  • Espionage extends beyond governments: Small suppliers to strategic industries can be exposed via cloud platforms or unmanaged endpoints.

How Tier 5 Protects You

  1. Continuous Vulnerability Monitoring
    Detect and remediate third-party software risks, cloud tool misconfigurations, and unpatched infrastructure.

  2. Ransomware Preparedness & Response Planning
    Including vCISO oversight, playbooks, tabletop exercises, and live crisis support.

  3. Data Protection & Incident Response for Sensitive Networks
    Especially tailored for healthcare, legal, and professional services with compliance-aware protocols.

  4. Threat Intelligence & Enterprise Tools for SMBs
    We deploy behavior monitoring and exfiltration detection strategies—regardless of your team size.

Sources
Lazarus Group’s $1.5B Bybit heist – detected in February 2025
Lee Enterprises attack by Qilin ransomware – disruption of media operations in February
Genea data breach – stolen IVF patient records totaling ~700 GB by Termite gang
Espionage activity across Asian SMBs via cloud tools – Chinese threat actors in February
Reference overview: February 2025 Major Cyber Attacks list

January 2025

Cyberattacks kicked off the year with vendor breaches, AI-enhanced ransomware, and exposed cloud data. For SMBs, January was a reminder that evolving threats still target the basics—and no organization is too small to be hit.

TalkTalk Supplier Breach

A third-party vendor servicing TalkTalk exposed personal data for nearly 19 million individuals, including names and IP addresses—though no payment info was affected.¹

Gravy Analytics & Unacast Data Exposures

Misconfigured AWS storage belonging to Gravy Analytics and its subsidiary Unacast led to the leak of location data, including sensitive individual tracking.²

PowerSchool Breach Impacts 60M Students

PowerSchool’s support platform was compromised, exposing student/staff data like names, SSNs, medical records, and grades across U.S. and Canadian schools.³

Play Ransomware Exploits SimpleHelp RMM

Since January, the Play ransomware group has exploited known flaws in SimpleHelp RMM tools, impacting SMBs and utilities alike.⁴

Rising Ransomware Volume

Q1 logged a staggering 2,314 ransomware victims—a 213% increase over Q1 2024—highlighting how SMBs continue to feed data-leak sites.⁵

New AI‑Enhanced APT Malware Surfaces

Groups like FunkSec and Weyhro deployed AI-driven ransomware with obfuscation and intermittent encryption techniques that outpace legacy defenses.⁶

Why These Matter to SMBs

  • Third-party tools and vendors are direct threat vectors.

  • Cloud misconfiguration and overlooked storage remain top sources for leaks.

  • Flexible, evolving attackers use AI-driven malware that evades outdated tools.

  • SMBs are foundational targets—not just collateral damage in broader campaigns.

How Tier 5 Strengthens Your Defenses

  1. Vendor & RMM Exposure Assessment
    We audit third-party and RMM tools like SimpleHelp for misconfiguration or exploits.

  2. Continuous Vulnerability & Cloud Configuration Monitoring
    Our scanning tools detect leaks, exposed databases, and unpatched servers early.

  3. Advanced Ransomware & APT Preparedness
    Including vCISO guidance, incident response planning, and tabletop scenarios based on Play and FunkSec patterns.

  4. Managed Endpoint Defense & Threat Hunting
    Deploying EDR, behavior analytics, and proactive detection strategies to contain stealthy adversaries.

Sources
Strobes Security “Top Data Breaches of January 2025” (TalkTalk supplier breach)
Pomerium Data Breach List – January 2025 (Gravy Analytics / Unacast)
Strobes Security – PowerSchool breach reported January 2025
CISA Advisory AA25-071A – Play ransomware via SimpleHelp RMM
Optiv “First Quarter 2025 Ransomware Trends” (2,314 victims, +213%)
Dragos Q1 2025 Ransomware Analysis (FunkSec, AI-enhanced threats)