July 27, 2025

Cyber OSINT Overview, Jul 21 - Jul 27, 2025

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Most Discussed Topics

  • Multiple critical vulnerabilities in on-premises Microsoft SharePoint Server, collectively dubbed ‘ToolShell’, are being actively exploited. Chained together, CVE-2025-53770 (RCE) and CVE-2025-53771 (spoofing) let unauthenticated attackers achieve remote code execution, gain full access to server content, and deploy backdoors or ransomware. They are variants of previously patched flaws (CVE-2025-53770 of CVE-2025-49704, CVE-2025-53771 of CVE-2025-49706), indicating the original fixes were incomplete. Microsoft has released emergency out-of-band patches and strongly urges immediate updates, rotation of ASP.NET machine keys (a stolen key lets an attacker keep signing payloads the server will accept even after patching), and enabling AMSI integration.
  • Ransomware continues to be a dominant threat, with multiple advisories and reports detailing new campaigns, tactics, and notable incidents. The Interlock ransomware variant, first seen in late 2024, is actively targeting organizations in North America and Europe using double extortion. Other new groups like Gunra, which uses code similar to the infamous Conti ransomware, have also emerged. Established groups like Medusa are behind significant breaches, such as the one affecting NASCAR, while the Warlock ransomware is being deployed by Chinese threat actors exploiting the recent SharePoint vulnerabilities.
  • Multiple advisories highlighted a wide range of vulnerabilities affecting Industrial Control Systems (ICS) and Operational Technology (OT). CISA released several alerts for products from major vendors like Schneider Electric, Honeywell, Mitsubishi Electric, and Medtronic. The vulnerabilities range from remote code execution and authentication bypass to information disclosure, posing significant risks to critical infrastructure sectors including energy, manufacturing, and healthcare. These frequent alerts emphasize the need for robust security and timely patching in OT environments.
  • A significant number of security advisories from CERT-Bund and other national CERTs focused on vulnerabilities within the Linux Kernel. These flaws could be exploited by local or remote attackers to cause denial-of-service conditions, manipulate data, or achieve other unspecified impacts. The high frequency of these alerts, affecting multiple distributions like Ubuntu and Red Hat Enterprise Linux, indicates a continuous need for diligent kernel patching and system updates to mitigate risks of system compromise or instability.
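Why the machine-key rotation step above matters is easier to see in a small model than in prose. The following example is added here and is not code from the brief or from Microsoft; it is a deliberately simplified stand-in for ASP.NET ViewState (JSON plus HMAC-SHA256 instead of the real binary serializer and key-derivation scheme), with a constructed key. The point it demonstrates is the one the brief makes: a MAC only gates deserialization for someone who lacks the key, so a leaked validation key turns the server into a deserializer of attacker-chosen data until the key is rotated.

```python
import base64
import hashlib
import hmac
import json
import secrets

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes

# Constructed key for the walkthrough only; a real deployment generates its own.
LEAKED_KEY = hashlib.sha512(b"constructed demo key, not a real machine key").digest()


def sign_state(state: dict, validation_key: bytes) -> str:
    """Serialize state and append an HMAC-SHA256 computed under validation_key."""
    payload = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode()


def load_state(token: str, validation_key: bytes):
    """Return the state dict if the MAC verifies under validation_key, else None.

    Only after the MAC check does the server deserialize the payload, so whoever
    can pass the check decides what gets deserialized.
    """
    raw = base64.b64decode(token)
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)


def rotate_key() -> bytes:
    """Generate a fresh validation key; everything signed under the old one dies."""
    return secrets.token_bytes(64)


def walkthrough() -> dict:
    """Legitimate token, blind tampering, forgery with a leaked key, then rotation."""
    server_key = LEAKED_KEY
    legit = sign_state({"page": "home", "role": "user"}, server_key)

    # 1. Flipping one byte without the key breaks the MAC: rejected.
    raw = bytearray(base64.b64decode(legit))
    raw[0] ^= 0x01
    tampered = base64.b64encode(bytes(raw)).decode()

    # 2. With the leaked key the attacker signs whatever payload they want: accepted.
    forged = sign_state({"page": "home", "role": "admin", "gadget": "attacker-chosen"}, LEAKED_KEY)

    # 3. After rotation the same forged token no longer verifies: rejected.
    new_key = rotate_key()

    return {
        "legit_accepted": load_state(legit, server_key) is not None,
        "tampered_rejected": load_state(tampered, server_key) is None,
        "forged_accepted_before_rotation": load_state(forged, server_key) is not None,
        "forged_rejected_after_rotation": load_state(forged, new_key) is None,
    }


if __name__ == "__main__":
    for check, ok in walkthrough().items():
        print(f"{check}: {ok}")
```

The rotation step is the only one that invalidates an already-leaked key; patching alone closes the path by which the key was stolen but not the attacker's ability to use it, which is why Microsoft's guidance lists both.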

Critical Vulnerabilities

  • A critical, actively exploited zero-day vulnerability in Microsoft SharePoint Server (CVE-2025-53770) allows unauthenticated remote code execution. With a CVSS score of 9.8, this flaw enables attackers to gain complete access to SharePoint content, file systems, and internal configurations by exploiting a deserialization of untrusted data issue. It is a variant of the previously patched CVE-2025-49704 (its companion spoofing bug, CVE-2025-53771, is a variant of CVE-2025-49706), highlighting an incomplete fix. Microsoft released an out-of-band emergency patch and CISA has added it to the KEV catalog, mandating immediate action.
  • Multiple maximum-severity (CVSS 10.0) vulnerabilities in Cisco Identity Services Engine (ISE) and ISE-PIC are being actively exploited. The flaws, including CVE-2025-20281 and CVE-2025-20337, permit unauthenticated remote attackers to execute arbitrary commands with root privileges. These vulnerabilities are in the API interface and affect recent versions 3.3 and 3.4. Cisco has released patches and urges administrators to apply them immediately as there are no workarounds.
  • An unprotected alternate channel vulnerability in CrushFTP (CVE-2025-54309) is being actively exploited in the wild, allowing unauthenticated attackers to gain administrative access. The vulnerability affects CrushFTP versions 10 prior to 10.8.5 and versions 11 prior to 11.3.4_23. CISA has added this flaw to its KEV catalog. Administrators are urged to apply the necessary updates immediately to mitigate the risk of system compromise.
  • Multiple critical vulnerabilities have been identified in Sophos Firewall and SonicWall SMA 100 series appliances. Sophos Firewall versions v21.0 and v21.5 are affected by flaws (including CVE-2025-6704, CVE-2025-7624) that could lead to remote code execution. Similarly, SonicWall SMA 100 series devices contain multiple vulnerabilities allowing a remote attacker to execute arbitrary code, cause denial-of-service, or perform XSS attacks. Both vendors have released updates, and administrators should patch these critical network security devices promptly.
  • An actively exploited input validation vulnerability (CVE-2025-6558) was discovered in Google Chrome’s ANGLE and GPU components. This flaw could allow for arbitrary code execution in the context of the logged-on user via a crafted web page. Google has acknowledged the existence of an exploit in the wild and shipped the fix in the Chrome 138 stable channel; any desktop build earlier than the current stable release (138.0.7204.168/.169 at the time of writing) should be updated. CISA has added the vulnerability to its KEV catalog, emphasizing the need for users to update their browsers immediately to mitigate the risk of drive-by compromise.
  • Mitel has disclosed critical vulnerabilities in its MiVoice MX-ONE and MiCollab products. In MiVoice MX-ONE, an authentication bypass flaw in the Provisioning Manager component allows unauthenticated remote access to user or administrator accounts. MiCollab is affected by a SQL injection vulnerability that could allow an authenticated remote attacker to execute arbitrary SQL commands and expose sensitive information. Mitel has released security advisories and patches, and users are strongly advised to update their systems.
  • Multiple vulnerabilities have been discovered across a wide range of Adobe products, with the most severe allowing for arbitrary code execution. Affected products include Adobe Experience Manager, ColdFusion, After Effects, and Illustrator, among others. Successful exploitation could permit an attacker to install programs, view or delete data, or create new accounts with full user rights. Adobe has released security updates to address these flaws, and users should apply them promptly to prevent potential compromise.
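For the SharePoint entry above, the check a SOC wants is whether the exploit chain has already been run against a server. The script below is an added example, not code from the brief or from Microsoft: it parses IIS W3C logs using the `#Fields:` directive (so column order does not matter) and flags the two indicators that public vendor reporting associates with ToolShell, a POST to `ToolPane.aspx` carrying a `/_layouts/SignOut.aspx` referer, and any request for the dropped `spinstall0.aspx` page (the `\d*` allowing the numbered variants also reported). The log excerpt is constructed; the indicator set is an assumption drawn from that reporting, not from this brief, so extend it as your own intelligence dictates.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (default field order); not real telemetry.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 08:12:01 10.0.0.5 GET /sites/team/default.aspx - 443 CORP\\alice 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.test/sites/team 200
2025-07-19 08:13:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 08:13:46 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200
2025-07-19 08:20:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.0.80 Mozilla/5.0 https://sp.example.test/_layouts/15/settings.aspx 200
"""

TOOLPANE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.I)
# spinstall0.aspx is the reported name of the dropped page; \d* covers the numbered
# variants also reported. Assumption: adjust if your own reporting names others.
WEBSHELL = re.compile(r"/_layouts/(?:\d+/)?spinstall\d*\.aspx$", re.I)


def parse_iis_log(text: str):
    """Yield one dict per request, keyed by the column names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")  # IIS encodes embedded spaces as '+', so a plain split is safe
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def detect_toolshell(text: str) -> list:
    """Return a finding dict for each log line matching a ToolShell indicator."""
    findings = []
    for rec in parse_iis_log(text):
        stem = unquote(rec["cs-uri-stem"])
        referer = unquote(rec.get("cs(Referer)", "-")).lower()
        when = f"{rec['date']} {rec['time']}"
        # A ToolPane.aspx POST by an authenticated editor with a normal referer is routine;
        # the SignOut.aspx referer is what distinguishes the exploit request.
        if (rec["cs-method"].upper() == "POST" and TOOLPANE.search(stem)
                and referer.endswith("/_layouts/signout.aspx")):
            findings.append({"time": when, "src": rec["c-ip"], "user": rec["cs-username"],
                             "rule": "ToolPane.aspx POST with SignOut.aspx referer"})
        elif WEBSHELL.search(stem):
            findings.append({"time": when, "src": rec["c-ip"], "user": rec["cs-username"],
                             "rule": f"request for dropped page {stem}"})
    return findings


if __name__ == "__main__":
    for hit in detect_toolshell(SAMPLE_LOG):
        print(hit)
```

Run it over `C:\inetpub\logs\LogFiles\W3SVC*\*.log` on each front-end server; a hit on either rule means the server should be treated as compromised (keys rotated, not just patched), since the page request only succeeds after the chain has already executed.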

Major Incidents

  • The active exploitation of Microsoft SharePoint vulnerabilities has impacted over 400 organizations worldwide, including multiple U.S. federal agencies like the Department of Energy and the National Nuclear Security Administration. The attackers, including Chinese state-sponsored groups, are using the ‘ToolShell’ exploit chain to gain unauthenticated remote access, steal cryptographic keys for persistent access, and deploy ransomware such as Warlock. The scale of this incident highlights the significant risk posed by vulnerabilities in widely used enterprise software and the speed at which threat actors can operationalize them.
  • Allianz Life Insurance confirmed a major data breach impacting the personal information of the ‘majority’ of its 1.4 million customers. The attack, which occurred on July 16, 2025, targeted a third-party CRM system. Attackers used social engineering to gain unauthorized access to personally identifiable information. This incident is part of a broader trend of attacks against the insurance sector, with groups like Scattered Spider (UNC3944) known for targeting such organizations.
  • NASCAR has confirmed it suffered a data breach from a cyberattack in March, which exposed Social Security numbers. The Medusa ransomware gang claimed responsibility for the attack in April, demanding a $4 million ransom. The gang alleged it exfiltrated gigabytes of company data. This incident adds to a series of attacks by Medusa, which has previously targeted critical infrastructure, schools, and government agencies globally.
  • Indian cryptocurrency exchange CoinDCX suffered a cyberattack resulting in the theft of approximately $44 million from an internal operational account. The company stated that no customer funds were compromised as they are held in secure cold wallets. In response, CoinDCX has launched a recovery bounty program, offering up to 25% of any recovered funds (up to $11 million) for information leading to the recovery of assets and prosecution of the attackers.
  • Consumer goods giant Clorox is suing its IT service desk vendor, asserting that a massive 2023 cyberattack, which cost the company $380 million, was facilitated by the vendor’s negligence. The lawsuit claims hackers repeatedly obtained password and MFA resets for employee accounts, including a privileged IT security account, simply by calling the service desk without proper identity verification. This incident highlights the critical security risks associated with third-party service providers and the effectiveness of social engineering attacks targeting human processes.

Emerging Threats

  • The cybercrime group Muddled Libra (also known as Scattered Spider or UNC3944) has evolved its tactics, now operating in specialized teams to conduct large-scale, disruptive attacks. This group, highly skilled in social engineering, targets IT help desks to gain initial access and then pivots to the victim’s virtualization and cloud infrastructure, notably VMware vSphere, for data exfiltration and ransomware deployment at the hypervisor layer. Their focus on the ‘human operating system’ and on management planes that sit beneath endpoint controls bypasses traditional technical defenses, posing a significant threat to enterprises worldwide.
  • The cyber-espionage group Dropping Elephant (also known as Patchwork) is targeting the Turkish defense industry with a new campaign. The attack uses malicious LNK files disguised as conference invitations to initiate a multi-stage execution chain. A notable tactic is the use of legitimate software, such as VLC Media Player, for DLL side-loading to evade defenses, representing an evolution in the group’s capabilities. The campaign appears geopolitically motivated, coinciding with increased defense cooperation between Türkiye and Pakistan.
  • A joint advisory from CISA, FBI, and HHS warns of the Interlock ransomware, which has been active since late 2024. The group targets organizations in North America and Europe, employing a double-extortion model involving data encryption and exfiltration. Unusually, initial access methods include drive-by downloads from compromised legitimate websites and a social engineering technique called ‘ClickFix’. The ransomware encryptors are designed for both Windows and Linux, specifically targeting virtual machines.
  • A new VOIP-based botnet is actively compromising routers and IoT devices globally by exploiting default Telnet credentials. The campaign was discovered after an unusual spike of malicious traffic from a single utility provider in a rural area. The botnet, exhibiting characteristics of Mirai variants, is comprised of approximately 500 devices globally that share similar hardware and network fingerprints. This highlights the persistent risk of unpatched, internet-facing edge devices with weak or default configurations being co-opted for large-scale attacks.
  • The threat actor Mimo, previously known for targeting Craft CMS, has expanded its operations to compromise Magento e-commerce platforms and Docker environments. The group exploits PHP-FPM vulnerabilities for initial access and uses sophisticated persistence techniques, including the legitimate penetration testing tool GSocket, to maintain control. This expansion indicates an evolution in Mimo’s tactics, which primarily focus on financial gain through cryptomining and bandwidth monetization, but now include more advanced tradecraft.
  • Cybercriminals are distributing infostealer malware by compromising legitimate software, highlighting significant supply chain risks. In one case, the official website for Endgame Gear’s gaming mouse was hacked to distribute trojanized drivers containing the Xred malware. In another, a pre-release version of the game ‘Chemia’ on the Steam platform was altered to include a downloader for Fickle Stealer, HijackLoader, and Vidar. These incidents demonstrate how attackers are leveraging trusted distribution channels to infect users and steal sensitive data.
  • Phishing-as-a-Service (PhaaS) platforms like Mamba2FA and Tycoon are enabling sophisticated attacks at scale. Mamba2FA is an advanced toolkit designed to bypass MFA on Microsoft 365 accounts using Adversary-in-The-Middle (AiTM) techniques. The Tycoon PhaaS kit is being used in campaigns that impersonate services like Autodesk Construction Cloud to steal credentials. The availability and low cost of these platforms lower the barrier to entry for cybercriminals, allowing them to conduct complex attacks that can lead to account takeovers and significant data breaches.

Regulatory and Policy Updates

  • The UK government has proposed new measures to combat ransomware, including a legal ban on ransom payments for all public sector organizations and critical infrastructure operators. Additionally, private businesses would be required to notify the government of any intent to pay a ransom. This mandatory reporting aims to provide law enforcement with better intelligence to track and disrupt cybercriminal operations. The policy shift is intended to undermine the financial model of ransomware gangs and reduce their incentive to target UK entities.
  • The U.S. government is intensifying its efforts to disrupt North Korea’s illicit revenue generation schemes, which fund its weapons programs. The State Department has offered rewards up to $15 million for information on seven North Korean nationals involved in cybercrime, IT worker fraud, and smuggling. Concurrently, the Treasury Department sanctioned three senior officials and a front company, Korea Sobaeksu Trading Company, for their roles in these operations. These actions coincide with the sentencing of a U.S. citizen who facilitated a laptop farm for North Korean IT workers, highlighting a multi-faceted approach to countering these state-sponsored threats.
  • The Trump administration released an AI Action Plan that encourages critical infrastructure operators to adopt AI for cyber defense. The plan also emphasizes the need for ‘secure by design’ principles in AI systems to protect against data poisoning and adversarial attacks. It proposes creating a new AI-Information Sharing and Analysis Center (AI-ISAC) led by DHS to share threat intelligence. The plan promotes a deregulatory approach, which has drawn praise from business groups but criticism from privacy advocates concerned about insufficient constraints on AI development.
  • CISA has added multiple actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch them by specified deadlines. Recently added vulnerabilities include those affecting Microsoft SharePoint (CVE-2025-53770, CVE-2025-49704, CVE-2025-49706), CrushFTP (CVE-2025-54309), and Google Chrome (CVE-2025-6558). This action, under Binding Operational Directive (BOD) 22-01, highlights the significant risk these flaws pose and serves as a strong recommendation for all organizations to prioritize their remediation to defend against ongoing threats.
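The practical use of the KEV entry above is to join the catalog against what a scanner says is unpatched and order the work by BOD 22-01 deadline. The script below is an added example, not CISA tooling or code from the brief. The catalog excerpt is constructed in the shape of the public KEV JSON feed (field names as the feed uses them; the dates are illustrative), and the scanner output is likewise constructed; `today` is passed in rather than read from the clock so the result is reproducible.

```python
import json
from datetime import date, datetime

# Constructed excerpt in the shape of CISA's KEV JSON feed; dates are illustrative.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2025-53770", "vendorProject": "Microsoft", "product": "SharePoint",
         "dateAdded": "2025-07-20", "dueDate": "2025-07-21", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2025-54309", "vendorProject": "CrushFTP", "product": "CrushFTP",
         "dateAdded": "2025-07-22", "dueDate": "2025-08-12", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-6558", "vendorProject": "Google", "product": "Chromium ANGLE",
         "dateAdded": "2025-07-22", "dueDate": "2025-08-12", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output: asset name -> CVEs reported unpatched on it.
SCAN_RESULTS = {
    "sp-app-01": ["CVE-2025-53770", "CVE-2025-20281"],  # second one is not in this excerpt, so it is skipped
    "ftp-edge-02": ["CVE-2025-54309"],
    "wks-1337": ["CVE-2025-6558"],
}


def load_kev(text: str) -> dict:
    """Index the catalog by CVE id."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def prioritize(scan: dict, kev: dict, today: date) -> list:
    """Join scanner findings to KEV and order: overdue first, then ransomware-linked, then by deadline."""
    rows = []
    for asset, cves in scan.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # exploited-elsewhere but not in KEV: still patch, just not on this list
            due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
            rows.append({
                "asset": asset,
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": due,
                "overdue": today > due,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    rows.sort(key=lambda r: (not r["overdue"], not r["ransomware"], r["due"]))
    return rows


if __name__ == "__main__":
    for row in prioritize(SCAN_RESULTS, load_kev(KEV_SAMPLE), date(2025, 7, 27)):
        flag = "OVERDUE" if row["overdue"] else "due"
        print(f'{row["asset"]:12} {row["cve"]:16} {row["product"]:20} {flag} {row["due"]}')
```

Against the real feed, replace `KEV_SAMPLE` with the downloaded JSON and `SCAN_RESULTS` with your scanner export; the ordering logic is unchanged.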

Security Operations

  • Several major technology vendors have launched new platforms and initiatives aimed at improving security operations and visibility. Microsoft introduced the Microsoft Sentinel data lake, designed to unify security data from diverse sources at a lower cost, enhancing threat detection and AI-driven analysis. Cisco launched Cisco XDR Connect, a tool to help users browse and discover integrations and automation for its XDR platform. Additionally, Google announced OSS Rebuild, a project to strengthen open-source supply chain security by reproducing upstream package artifacts and generating SLSA Level 3 provenance.
  • 0patch has released micropatches for a local privilege escalation vulnerability in the Windows Disk Cleanup tool (CVE-2025-21420), which was originally addressed in Microsoft’s February 2025 updates. The vulnerability allows a low-privileged user to achieve arbitrary file deletion, potentially leading to code execution as SYSTEM, by exploiting a symbolic link redirection issue. The micropatches provide protection for Windows versions that are no longer receiving official security updates, demonstrating a method of extending security for legacy systems.
  • The MITRE ATT&CK framework remains a critical tool for security teams to develop stronger defenses. Understanding and applying the framework helps organizations move beyond compliance checklists from standards like CIS and NIST CSF. By mapping attacker tactics, techniques, and procedures (TTPs), security professionals can better model threats, prioritize defensive measures, and communicate risks effectively. It serves as a common language for both red and blue teams to analyze threats and validate security controls.
  • A new open-source tool, ficheck.py, has been released for file integrity monitoring (FIM) on Linux systems. Inspired by the older ‘fcheck’ Perl script, this Python-based tool is designed to be fast and efficient, running in under 90 seconds on test systems. It monitors for file creation, deletion, and changes to metadata such as size, ownership, permissions, and hashes. The tool can help defenders detect unauthorized changes to critical system files, a common indicator of compromise.
  • A new penetration testing guide has been released on GitBook, aiming to provide a beginner-friendly yet comprehensive resource for the community. The guide covers various aspects of penetration testing, offering structured methodologies and practical examples. Such community-driven resources are valuable for both new and experienced professionals to standardize processes, share knowledge, and improve the quality of security assessments.
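The ficheck.py entry above describes what a file integrity monitor records; the example below is an added illustration of the same mechanism and is not ficheck.py or code from the brief. It snapshots size, mode, owner and SHA-256 for every file under a root (without following symlinks, so a link to /etc/shadow is recorded as a link rather than hashed through), diffs two snapshots into created, deleted and modified entries, and runs the cycle in a throwaway directory with constructed files that mimic three classic post-compromise changes: a uid-0 user appended to passwd, a setuid bit added to a binary, and a hidden script dropped into a bin directory.

```python
import hashlib
import os
import stat
import tempfile


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Record size, permission bits, owner and content hash for every file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # do not follow symlinks: record the link, not its target
            if stat.S_ISLNK(st.st_mode):
                digest = "symlink:" + os.readlink(path)
            else:
                digest = _sha256(path)
            baseline[os.path.relpath(path, root)] = {
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),  # includes setuid/setgid/sticky bits
                "uid": st.st_uid,
                "gid": st.st_gid,
                "sha256": digest,
            }
    return baseline


def compare(old: dict, new: dict) -> list:
    """Return (kind, path, changed_attributes) tuples for created, deleted and modified files."""
    changes = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            changes.append(("created", path, []))
        elif path not in new:
            changes.append(("deleted", path, []))
        else:
            diff = sorted(k for k in old[path] if old[path][k] != new[path][k])
            if diff:
                changes.append(("modified", path, diff))
    return changes


def demo() -> list:
    """Baseline a constructed tree, apply typical attacker changes, and diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data, mode=0o644):
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
            os.chmod(p, mode)

        write("etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        write("etc/ssh/sshd_config", b"PermitRootLogin no\n")
        write("usr/bin/ps", b"\x7fELF placeholder, not a real binary\n", 0o755)
        before = snapshot(root)

        write("etc/passwd", b"root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n")
        os.chmod(os.path.join(root, "usr/bin/ps"), 0o4755)  # setuid bit added
        os.remove(os.path.join(root, "etc/ssh/sshd_config"))
        write("usr/bin/.hidden", b"#!/bin/sh\n", 0o755)
        after = snapshot(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, path, attrs in demo():
        print(f"{kind:9} {path} {attrs}")
```

Two design points carry over to any real FIM: the baseline must be stored somewhere the monitored host cannot rewrite (otherwise the attacker updates it along with the files), and mode is compared with the special bits included, since a setuid flip changes neither size nor hash.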

Wins

  • An international law enforcement operation has seized the darknet websites of the BlackSuit ransomware gang. The operation, involving agencies from over nine countries including U.S. Homeland Security Investigations, took down the group’s main TOR-based leak site and private negotiation portals. BlackSuit, believed to be a rebrand of the Royal ransomware and linked to the Conti syndicate, was responsible for numerous attacks on critical infrastructure and businesses. This takedown represents a significant disruption to a major cybercrime operation.
  • A four-year international investigation led by French and Ukrainian authorities, coordinated by Europol, has resulted in the arrest of the alleged administrator of the prominent Russian-language cybercrime forum XSS.is. The forum, active since 2013, was a major hub for selling malware, stolen data, and ransomware services, with over 50,000 users. Following the arrest in Ukraine, the forum’s domain was seized, dealing a major blow to a long-standing fixture of the cybercrime ecosystem that had reportedly generated over $8.2 million in illicit profits.
  • Japanese police have released a free decryption tool for victims of the Phobos ransomware and its offshoot, 8Base. This release follows a series of international law enforcement actions against the Phobos ransomware-as-a-service operation, including arrests and server seizures. The decryptor is available via the ‘No More Ransom’ project, providing a way for past victims to recover their encrypted files without paying a ransom and marking a significant success in counter-ransomware efforts.
  • An international law enforcement operation has disrupted the pro-Kremlin hacktivist group NoName057(16), known for its DDoS attacks against government and critical infrastructure targets in Europe and North America. The operation, dubbed ‘Operation Eastwood,’ resulted in the takedown of over 100 servers, two arrests, and seven arrest warrants. Authorities also sent warning messages to over 1,100 individuals who participated in the group’s DDoSia botnet, signaling a crackdown on participants in politically motivated cyberattacks.
  • An Arizona woman involved in a major North Korean IT worker fraud scheme has been sentenced to 8.5 years in prison. Christina Chapman operated a ’laptop farm,’ enabling North Korean IT workers to fraudulently obtain remote jobs at over 300 U.S. companies and generate more than $17 million in revenue for the North Korean regime. This sentencing is a key success for the Department of Justice in its efforts to dismantle the networks that facilitate North Korea’s state-sponsored cyber-enabled revenue generation.

Disclaimer

The summaries in this brief are generated autonomously by an LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

The brief is created in collaboration with BlackStork and is based on a free template.

Reach out if you have questions or suggestions.