SharePoint 0-day, VMware Exploitation, Threats and Cyber Attacks
Welcome to this week’s Cybersecurity Recap. We’re looking at important updates from July 21-27, 2025, in the world of digital threats and defenses.
This week has seen significant developments that highlight the ongoing risks of cyber attacks and the need for constant awareness. There is a serious SharePoint vulnerability that puts organizations at risk.
We’ve also seen advanced attacks targeting VMware infrastructure, along with a rise in new threats and cyber attacks that are changing global security strategies.
This recap provides key insights and practical advice to help you stay informed and secure. Let’s dive into what happened and what it means for you.
Cyber Attacks
Ransomware Destroys 158-Year-Old Logistics Firm via Weak Password
A single compromised password enabled a ransomware gang to devastate KNP Logistics, a historic UK-based company, leading to the loss of 730 jobs and a complete operational shutdown. The attack underscores the severe risks associated with inadequate password hygiene in critical infrastructure.
Read more: https://cybersecuritynews.com/weak-password-destroy-158-year-old-company/
APT41 Targets African Government with Impacket Tools
The China-linked group APT41 launched a targeted espionage campaign against African government IT services, using Impacket’s Atexec and WmiExec modules for lateral movement and malware deployment. They embedded internal network details in payloads and compromised a SharePoint server for command-and-control. This marks increased APT41 activity in the region since late 2022.
Read more: https://cybersecuritynews.com/apt41-hackers-leveraging-atexec/
DeerStealer Malware Spread via Fake Google Authenticator Sites
Threat actors are abusing Windows Run prompts to deliver DeerStealer, an info-stealer that extracts browser credentials, crypto wallets, and app data from over 800 extensions. Distributed through deceptive sites mimicking legitimate tools, it uses Telegram bots for victim tracking and employs obfuscation for evasion. Campaigns often involve GitHub-hosted payloads with XOR encryption.
Read more: https://cybersecuritynews.com/deerstealer-malware-delivered/
US Nuclear Agency Breached in SharePoint Zero-Day Attacks
Unknown hackers exploited a Microsoft SharePoint vulnerability chain to infiltrate the National Nuclear Security Administration, part of the Department of Energy. The breach affected a small number of systems but spared classified data; restoration is underway. This follows a 2019 APT29 intrusion via SolarWinds.
Read more: https://cybersecuritynews.com/us-nuclear-weapons-agency-breached/
UNC3944 Exploits VMware vSphere for Ransomware Deployment
The UNC3944 group (aka Scattered Spider) is social-engineering IT helpdesks to reset passwords, escalate privileges, and access vSphere environments. They modify GRUB bootloaders for root access, install reverse shells, and extract domain data offline before encrypting VMs. Defenses emphasize multi-factor authentication and monitoring.
Read more: https://cybersecuritynews.com/unc3944-attacking-vmware-vsphere/
Gaming Mouse Software Infected with Malware from the Official Site
Endgame Gear’s website was hacked, distributing trojanized drivers for their OP1w 4K V2 mouse between late June and mid-July 2025. The malware enabled remote access, evading some antivirus software like Windows Defender. The company quietly replaced files without full disclosure, prompting users to scan systems.
Read more: https://cybersecuritynews.com/gaming-mouse-software-compromised/
Threats
Interlock Ransomware Targets Critical Infrastructure
Interlock ransomware, active since September 2024, employs a double extortion model by encrypting and exfiltrating data from victims in North America and Europe. It often spreads via drive-by downloads disguised as fake browser updates or security software, using the ClickFix social engineering technique to trick users into executing malicious PowerShell commands. This has impacted businesses and critical sectors, with ransom notes directing victims to a .onion URL for negotiations. Notably, it focuses on virtual machines while sparing physical servers; defenders should deploy robust EDR tools to mitigate risks.
Read more: https://cybersecuritynews.com/interlock-ransomware-attack/
New ClickFake Interview Attack Leveraging ClickFix
The ClickFake Interview campaign, linked to North Korean actors like the Lazarus Group, targets job seekers in cryptocurrency firms by mimicking legitimate interview sites. It uses the ClickFix tactic, presenting fake error messages or CAPTCHAs that prompt users to run malicious commands, leading to backdoor installations on Windows and macOS. This has seen a 517% surge in detections from late 2024 to early 2025, deploying threats like infostealers and ransomware.
Read more: https://cybersecuritynews.com/new-clickfake-interview-attack-using-clickfix-technique/
Threat Actors Targeting Linux SSH Servers
Poorly managed Linux SSH servers are under attack via brute-force and dictionary methods to guess credentials, enabling the installation of DDoS bots, coinminers, and scanning tools. Attackers scan for open port 22, deploy malware like ShellBot or XMRig, and sometimes sell breached access on the dark web. Recommendations include strong, regularly updated passwords and firewall protections to block unauthorized access.
Read more: https://cybersecuritynews.com/threat-actors-attacking-linux-ssh-servers/
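As an added example (not from the article or any vendor), the following Python script shows the defender side of the SSH item above: it parses sshd authentication lines, flags source addresses that cross a failed-login threshold inside a sliding window, and notes when a flagged address then logs in successfully, which is the pattern a credential-guessing campaign leaves behind. The log lines, the threshold and window values, and the 2025 year used for timestamp parsing are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines (not real traffic); syslog lines carry no year, so 2025 is assumed.
SAMPLE_LOG = """\
Jul 22 03:14:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jul 22 03:14:02 host sshd[2101]: Failed password for root from 203.0.113.7 port 51235 ssh2
Jul 22 03:14:03 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Jul 22 03:14:04 host sshd[2104]: Failed password for invalid user oracle from 203.0.113.7 port 51237 ssh2
Jul 22 03:14:05 host sshd[2105]: Failed password for root from 203.0.113.7 port 51238 ssh2
Jul 22 03:14:07 host sshd[2106]: Accepted password for root from 203.0.113.7 port 51239 ssh2
Jul 22 03:20:11 host sshd[2150]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Jul 22 03:20:40 host sshd[2151]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

# Matches both "Failed password for root from ..." and "Failed password for invalid user x from ...".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(line, year=2025):
    """Return a dict for an sshd auth line, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: {"failures": n, "success_after_burst": bool}} for every source
    address that reaches `threshold` failed logins within a sliding window."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            # Keep only failures inside the window ending at this event.
            failures[ip] = [t for t in failures[ip]
                            if (ev["ts"] - t).total_seconds() <= window_seconds] + [ev["ts"]]
            if len(failures[ip]) >= threshold:
                entry = alerts.setdefault(ip, {"failures": 0, "success_after_burst": False})
                entry["failures"] = max(entry["failures"], len(failures[ip]))
        elif ip in alerts:
            # A successful login from an address already flagged is the high-priority case.
            alerts[ip]["success_after_burst"] = True
    return alerts
```

In the sample, 203.0.113.7 is flagged after five failures in six seconds and then succeeds, while alice's single typo followed by a key-based login from 198.51.100.9 produces no alert.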
Lumma Stealer Distributed via Fake Cracked Software
Lumma Stealer, a malware-as-a-service since 2022, spreads through fake cracked software and keygens promoted via malvertising and search engine manipulation. Victims are tricked into downloading password-protected loaders that execute via PowerShell, often bypassing antivirus with open-source evasion techniques. Recent campaigns have targeted global industries, including telecom, using fake CAPTCHAs to initiate infections.
Read more: https://cybersecuritynews.com/lumma-stealer-via-fake-cracked-software/
Stealthy Backdoor Hidden in WordPress Plugins
A new backdoor malware hides in WordPress’s mu-plugins folder, whose contents are loaded automatically and are not listed alongside ordinary plugins in the admin panel. It fetches obfuscated payloads using ROT13 encoding, stores them in the database, and creates hidden admin accounts for persistent access. This allows attackers to install malicious plugins, suppress logs, and maintain control even after removal attempts.
Read more: https://cybersecuritynews.com/stealthy-backdoor-in-wordpress-plugins/
SharePoint Zero-Day Exploited for Ransomware Attacks
A zero-day vulnerability in Microsoft SharePoint (CVE-2025-53770) has been exploited since July 18, 2025, affecting over 400 organizations, including U.S. government entities. Attackers, identified as Storm-2603, deploy ransomware like Warlock, shifting from espionage to data encryption and extortion. Microsoft has issued emergency patches, urging immediate updates to prevent further compromises.
Read more: https://cybersecuritynews.com/sharepoint-0-day-ransomware-attack/
Vulnerabilities
CISA Warns of Microsoft SharePoint Server Zero-Day RCE Exploit
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical zero-day vulnerability in Microsoft SharePoint Server to its Known Exploited Vulnerabilities catalog. Tracked as CVE-2025-12345, this flaw allows remote code execution (RCE) without authentication, potentially enabling attackers to compromise sensitive data or deploy malware on affected servers. Microsoft released a patch in their latest security update, urging immediate application to mitigate risks.
Read more: https://cybersecuritynews.com/cisa-microsoft-sharepoint-server-0-day-rce/
Researchers Uncover SS7 Protocol Bypass Attack Technique
Security experts have detailed a new attack method that bypasses the Signaling System 7 (SS7) protocol, commonly used in mobile networks for call routing and SMS delivery. This exploit allows adversaries to intercept communications, spoof identities, or disrupt services by manipulating network signals. Telecom providers are advised to implement enhanced authentication and monitoring to counter these threats, which have been observed in targeted espionage campaigns.
Read more: https://cybersecuritynews.com/ss7-bypass-attack/
Cisco ISE RCE Vulnerabilities Actively Exploited in the Wild
Cisco has confirmed active exploitation of multiple critical RCE flaws in its Identity Services Engine (ISE), including CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337. These unauthenticated vulnerabilities enable attackers to execute arbitrary code as root, potentially leading to full system compromise. Patches are available for ISE versions 3.3 and 3.4. Admins should upgrade immediately to prevent unauthorized access.
Read more: https://cybersecuritynews.com/cisco-ise-rce-vulnerability-exploited-in-wild/
Google Chrome Hit by Type Confusion Attacks in V8 Engine
A high-severity type confusion vulnerability (CVE-2024-12053) in Chrome’s V8 JavaScript engine has been exploited, allowing remote attackers to execute code via crafted web pages. This could result in data theft or malware installation. Google patched it in version 131.0.6778.108—users should verify their browser is updated to avoid drive-by attacks.
Read more: https://cybersecuritynews.com/chrome-type-confusion-attacks/
Mozilla Releases Firefox 141 with Fixes for Critical Vulnerabilities
Mozilla’s Firefox 141 update addresses 18 vulnerabilities, including high-impact memory safety bugs and flaws in JavaScript handling (e.g., CVE-2025-8027 and CVE-2025-8028). These could enable arbitrary code execution or privilege escalation on 64-bit systems. The release also patches moderate issues like sandbox bypasses—update now to secure your browsing.
Read more: https://cybersecuritynews.com/firefox-141-released-fix-for-vulnerabilities/
SonicWall SMA 100 Series Vulnerable to Critical RCE Flaw
SonicWall has issued patches for a critical authenticated RCE vulnerability (CVE-2025-40599) in SMA 100 appliances, stemming from unrestricted file uploads. Attackers with admin credentials could upload and execute malicious files. While this specific flaw has not yet been exploited, related attacks on SMA devices have been reported. Apply updates to versions 10.2.1.0-17sv or later.
Read more: https://cybersecuritynews.com/sonicwall-sma-100-vulnerabilities/
Other News
Wireshark 4.4.8 Released with Bug Fixes
The latest version of the popular network protocol analyzer, Wireshark 4.4.8, focuses on stability improvements and protocol updates. This release addresses several bugs, including crashes related to Bluetooth process IDs and fuzz testing assertions. It builds on features from 4.4.0 like automatic profile switching and enhanced display filter support. Available for Windows and macOS, and as source code.
Read more: https://cybersecuritynews.com/wireshark-4-4-8-released/
Kali Linux Boosts Raspberry Pi Wi-Fi Capabilities
Kali Linux 2025.1 introduces new packages—brcmfmac-nexmon-dkms and firmware-nexmon—that enable native monitor mode and packet injection on Raspberry Pi’s onboard Wi-Fi. This leverages the Nexmon framework to overcome hardware limitations in Broadcom/Cypress chipsets, simplifying wireless security assessments without external adapters. Installation is now streamlined for models including the Raspberry Pi 5.
Read more: https://cybersecuritynews.com/kali-linux-new-wi-fi-packages/
Arrest of Key Russian Cybercrime Forum Admin
Ukrainian authorities arrested the suspected administrator of XSS.is, a major Russian-language cybercrime forum with over 50,000 users. The platform facilitated stolen data sales, hacking tools, and ransomware services, generating an estimated €7 million for the admin. The arrest follows a four-year investigation involving French police and Europol, with the suspect also linked to a private messaging service for criminals.
Read more: https://cybersecuritynews.com/key-admin-russian-cybercrime-forum/
WhoFi: AI Wi-Fi Tech Tracks Humans Without Cameras
Researchers unveiled WhoFi, an AI system that uses Wi-Fi signals to identify and track individuals with up to 95.5% accuracy. It analyzes channel state information (CSI) distortions caused by human bodies, creating unique biometric signatures similar to fingerprints. The technology works without visual input and can detect gestures, raising privacy concerns for surveillance applications.
Read more: https://cybersecuritynews.com/new-ai-powered-wi-fi-biometrics-whofi-tracks-humans/
BreachForums Resurfaces After FBI Takedown
Notorious hacking site BreachForums is back online, reportedly revived by admin ShinyHunters using the same domains despite an FBI seizure earlier this month. The platform, a hub for malware and stolen data, was briefly defaced by law enforcement, but operators regained control via a domain registrar appeal. This marks another revival for the site, successor to RaidForums.
Read more: https://cybersecuritynews.com/breachforums-back-online/
Bulletproof Hosting Provider Aeza Shifts Infrastructure
Sanctioned bulletproof hosting firm Aeza Group is migrating over 2,100 IPs to a new autonomous system (AS211522) to evade U.S. Treasury penalties. Detected on July 20, 2025, this move follows OFAC actions against Aeza for enabling ransomware and data theft. The shift to Hypercore LTD infrastructure aims to sustain services for cybercriminals.
Read more: https://cybersecuritynews.com/bulletproof-hosting-provider-shifting-infrastructure/