{"id":20112,"date":"2025-07-28T11:49:17","date_gmt":"2025-07-28T09:49:17","guid":{"rendered":"https:\/\/kordon.app\/?p=20112"},"modified":"2025-07-28T11:49:17","modified_gmt":"2025-07-28T09:49:17","slug":"latest-cybersecurity-news-28-july-2025","status":"publish","type":"post","link":"https:\/\/kordon.app\/et\/latest-cybersecurity-news-28-july-2025\/","title":{"rendered":"14 Cybersecurity News Worth Your Attention This Week Summarised &#8211; 28\/07\/2025"},"content":{"rendered":"\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>This week we have cute? panda images delivering rootkits, US-nuclear weapons facility breached by a zero day and yet again a few examples of companies failing at the basics &#8211; handing out passwords over support phone calls and blindly accepting pull requests from unknown parties \u2026<\/p>\n\n\n\n<p><strong>P.S. Scroll to the bottom to subscribe and get these weekly cyber security news summaries to your inbox. <\/strong><\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">1. Microsoft issues emergency patches for SharePoint ToolShell zero-days<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Microsoft has released emergency patches for the exploited <strong>SharePoint zero-days CVE-2025-53770<\/strong> and <strong>CVE-2025-53771<\/strong> known as <strong>ToolShell<\/strong>, <strong>actively exploited<\/strong> by Chinese state-backed groups Linen Typhoon, Violet Typhoon, and Storm-2603. <br><br>These vulnerabilities <strong>enable unauthenticated remote code execution, key theft, and malware installation on on-premises SharePoint servers<\/strong>, impacting over 400 organizations including US government agencies. <br><br><strong>The first patch was incomplete, <\/strong>allowing rapid bypass and exploitation. CISA added the vulnerabilities to its Known Exploited Vulnerabilities catalog, urging immediate remediation. 
<strong>Microsoft recommends AMSI integration and Defender deployment,<\/strong> and highlights the importance of rotating server machine keys and restarting IIS after patching.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The flaws <strong>allow unauthenticated, remote code execution when chained together.<\/strong><\/li>\n\n\n\n<li>Eye Security and Google TAG observed<strong> initial attacks on July 18 <\/strong>planting webshells.<\/li>\n\n\n\n<li>ShadowServer reports <strong>over 9,000 internet-exposed SharePoint instances<\/strong>, mostly in North America and Europe.<\/li>\n\n\n\n<li>Palo Alto Networks saw related exploitation of earlier CVE-2025-49704\/49706 variants.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Install the July 21 SharePoint patches <\/strong>immediately.<\/li>\n\n\n\n<li><strong>Enable<\/strong> SharePoint\u2019s Antimalware Scan Interface (<strong>AMSI<\/strong>) in full mode.<\/li>\n\n\n\n<li>Rotate SharePoint cryptographic keys after patching or mitigation.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.securityweek.com\/microsoft-patches-toolshell-zero-days-exploited-to-hack-sharepoint-servers\/\" target=\"_blank\" rel=\"noopener\" title=\"\">SecurityWeek: Microsoft patches \u2018ToolShell\u2019 zero-days exploited to hack SharePoint servers<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
Amazon AI Coding Agent Compromised with Malicious System Commands in Supply Chain Attack<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>A malicious pull request was injected into version 1.84.0 of Amazon's AI coding assistant<\/strong> extension <strong>'Amazon Q'<\/strong> for Visual Studio Code, <strong>containing destructive system commands to wipe local files and AWS resources.<\/strong> The malicious <strong>code was pushed through an unverified GitHub account and released to users before being mitigated.<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The attacker gained access via an unverified GitHub account and submitted a malicious pull request in late June.<\/li>\n\n\n\n<li>Malicious<strong> code was inserted on July 13 <\/strong>and <strong>released as version 1.84.0 on July 17 before detection.<\/strong><\/li>\n\n\n\n<li>The <strong>code instructed the AI agent to act as a system cleaner, aiming to delete user data and cloud resources.<\/strong><\/li>\n\n\n\n<li>Amazon mitigated the issue quickly; users are advised to update to version 1.85 as a precaution.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Enforce strict code review and least-privilege access in DevSecOps.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.csoonline.com\/article\/4027963\/hacker-inserts-destructive-code-in-amazon-q-as-update-goes-live.html\">CSO Online<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.404media.co\/hacker-plants-computer-wiping-commands-in-amazons-ai-coding-agent\/\">404 Media<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
Arizona Woman Sentenced to 8.5 Years for Facilitating North Korean IT Worker Infiltration<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Christina Chapman was sentenced to 102 months in prison <strong>for running a \"laptop farm\" that enabled North Korean government\u2013linked IT workers to access networks at 309 U.S. companies<\/strong> using stolen identities. Her scheme generated $17 million for North Korea\u2019s Munitions Industry Department and underscores the insider threat posed by fraudulent remote hires. <\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>309 U.S. companies targeted,<\/strong> including a major TV network, automaker, and Silicon Valley tech firm<\/li>\n\n\n\n<li><strong>FBI seized over 90 laptops<\/strong> from Chapman\u2019s home and 49 devices shipped overseas<\/li>\n\n\n\n<li>Chapman <strong>used 68 stolen identities to forge payroll checks<\/strong> and launder $17 million<\/li>\n\n\n\n<li>Operation linked to DPRK\u2019s Munitions Industry Department supporting weapons development<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Monitor remote-access software installations for unauthorized backdoor tools<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/therecord.media\/arizona-woman-sentenced-north-korean-laptop-farm\">The Record<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/therecord.media\/arizona-woman-pleads-guilty-north-korean-laptop-farm\">The Record (Guilty Plea)<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/therecord.media\/north-korea-it-workers-accused-money-laundering-5million-reward\">The Record (Operation Background)<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
International Operation Seizes BlackSuit Ransomware Gang\u2019s Darknet Sites<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Law enforcement from nine countries, led by U.S. Homeland Security Investigations, seized the BlackSuit gang\u2019s darknet extortion sites, halting its ability to post victims and negotiate ransoms. <\/strong><br>Active since mid-2023 as a Royal\/Conti rebrand, BlackSuit had extorted over $500 million globally and forced the temporary closure of nearly 200 blood plasma centers. <br>Following the takedown, core operators are resurfacing under the Chaos ransomware scheme, signaling a continuing threat.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The operation involved 17 law enforcement agencies and Bitdefender alongside HSI.<\/li>\n\n\n\n<li>BlackSuit targeted high-profile victims including Kadokawa and Tampa Bay Zoo.<\/li>\n\n\n\n<li>In April 2024, its attack on Octapharma closed almost 200 plasma collection centers.<\/li>\n\n\n\n<li>Cisco Talos links former BlackSuit members to the emerging Chaos ransomware.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/therecord.media\/blacksuit-ransomware-gang-website-takedown\" target=\"_blank\" rel=\"noopener\" title=\"\">The Record: BlackSuit ransomware gang\u2019s website takedown<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Fire Ant Campaign Abuses VMware Flaws to Infiltrate Segmented Networks<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Suspected China-linked APT <strong>\"Fire Ant\"<\/strong> has exploited unpatched <strong>VMware vCenter and ESXi vulnerabilities<\/strong><br>to gain initial access, forge credentials, and <strong>implant hypervisor-level backdoors that persist across<br>reboots<\/strong>. 
The threat actors then bypassed network segmentation\u2014using F5 load balancer exploits, IPv6<br>bypasses, and tunneled web shells\u2014to reach isolated environments, demonstrating deep knowledge of target infrastructure.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Exploited CVE-2023-34048 and CVE-2023-20867 to compromise vCenter and guest VMs<\/li>\n\n\n\n<li>Used CVE-2022-1388 on F5 load balancers and IPv6 gaps to tunnel into isolated networks<\/li>\n\n\n\n<li><strong>Custom tools disabled SentinelOne EDR<\/strong> and maintained persistence post-reboot<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Apply latest VMware vCenter and ESXi security patches<\/strong> <\/li>\n\n\n\n<li>Enforce PIM, unique complex passwords, and MFA for vCenter\/ESXi accounts<\/li>\n\n\n\n<li><strong>Restrict vCenter administrative access <\/strong>and <strong>enable ESXi Normal Lockdown Mode<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/fire-ant-cyber-spies-siloed-vmware-systems\">Dark Reading<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.sygnia.co\/blog\/fire-ant-a-deep-dive-into-hypervisor-level-espionage\/\">Sygnia Blog<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">6. 
AI-Generated Panda Images Used to Deploy Persistent Linux Cryptominer \u2018Koske\u2019 via JupyterLab<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">A new <strong>Linux malware strain dubbed \"Koske\"<\/strong> <strong>uses AI-assisted code and polyglot JPEGs of panda images to deliver in-memory cryptomining rootkits that evade antivirus detection.<\/strong> Attackers <strong>exploit misconfigured JupyterLab instances<\/strong>\u2014potentially via CVE-2025-30370\u2014and weaponize benign-looking images to establish stealthy, persistent mining operations on compromised servers. <\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Initial access via unauthenticated JupyterLab<\/strong> (Serbian IP 178.220.112.53), possibly exploiting CVE-2025-30370.<\/li>\n\n\n\n<li>Polyglot JPEGs append C code and shell scripts, <strong>executing entirely in memory to bypass disk-based AV.<\/strong><\/li>\n\n\n\n<li>Rootkit hooks readdir() and hijacks Bash configs to hide \u201cKoske\u201d processes and ensure persistence.<\/li>\n\n\n\n<li>AI-assisted logic selects among 18 cryptocurrency miners, checks proxy status, and uses fallback routines.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Audit and patch all internet-exposed JupyterLab instances.<\/li>\n\n\n\n<li>Block execution of polyglot image payloads at ingress points.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.csoonline.com\/article\/4028933\/ai-forged-panda-images-hide-persistent-cryptomining-malware-koske.html\">CSO Online<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.aquasec.com\/blog\/ai-generated-malware-in-panda-image-hides-persistent-linux-threat\/\">Aqua Nautilus blog<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">7. 
Clorox Files $380M Negligence Suit Against Cognizant Over Helpdesk Enabling Social Engineering Attack<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Clorox alleges Cognizant helpdesk agents handed over network credentials and reset MFA without identity verification, enabling a social engineering attack that caused $380 million in damages. <\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>August 2023 <strong>attack<\/strong> by <strong>Scattered Spider<\/strong> group via <strong>simple phone calls.<\/strong><\/li>\n\n\n\n<li><strong>Transcripts show agents provided passwords, MFA resets, and SMS changes with no verification.<\/strong><\/li>\n\n\n\n<li>Clorox incurred $49 million in remediation and &#8220;hundreds of millions&#8221; in business interruption<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enforce zero-trust identity checks for all helpdesk resets.<\/li>\n\n\n\n<li>Require supervisor co-approval on credential and MFA changes.<\/li>\n\n\n\n<li>Audit outsourcing contracts for clear security controls and vendor liability.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.csoonline.com\/article\/4027266\/clorox-sues-cognizant-for-380m-over-alleged-helpdesk-failures-in-cyberattack.html\" target=\"_blank\" rel=\"noopener\" title=\"\">CSO Online<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">8. Allianz Life Breach Exposes Data of 1.4 Million Customers via Third-Party CRM Attack<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Allianz Life<\/strong> <strong>Insurance<\/strong> confirmed that on July 16 <strong>attackers used social engineering<\/strong> to compromise its cloud-based CRM, <strong>exposing personal details for the majority of its 1.4 million U.S. customers and select employees<\/strong>. 
The insurer alerted the FBI, found no evidence of further network intrusion, and will begin state-required notifications around August 1.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Breach disclosed in a mandatory filing with Maine\u2019s attorney general.<\/li>\n\n\n\n<li><strong>Attackers impersonated trusted parties to extract CRM login credentials.<\/strong><\/li>\n\n\n\n<li>No compromise detected on critical policy administration or other systems.<\/li>\n\n\n\n<li>Security firms link a surge in insurance breaches to the \u201cScattered Spider\u201d group.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Run targeted social-engineering simulations on staff.<\/li>\n\n\n\n<li>Audit CRM vendor\u2019s access controls and enforce multi-factor authentication.<\/li>\n\n\n\n<li>Verify breach-notification processes meet all state requirements.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/cybersecuritynews.com\/allianz-life-insurance-data-breach\/\" target=\"_blank\" rel=\"noopener\" title=\"\">Cybersecurity News<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Stealthy Backdoor in WordPress mu-plugins Directory Bypasses Detection and Grants Persistent Access<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">A sophisticated WordPress backdoor named wp-index.php is leveraging the rarely monitored <strong>mu-plugins directory<\/strong> to maintain undeactivatable, stealthy access to compromised sites. 
It uses ROT13 obfuscation, stores and executes payloads from the database under \u201c_hdra_core\u201d, and <strong>creates hidden admin accounts to evade file-based scans and UI detection.<\/strong> <strong>This approach gives attackers persistent remote code execution<\/strong> and <strong>full administrative control,<\/strong> increasing risk of data theft, defacement, or further compromise.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Must-use plugin loader in mu-plugins prevents deactivation via admin panel.<\/li>\n\n\n\n<li>Downloads Base64-encoded payloads from hxxps:\/\/1870y4rr4y3d1k757673q[.]xyz\/cron.php.<\/li>\n\n\n\n<li><strong>Stores payloads in wp_options under key \u201c_hdra_core\u201d and removes temp files.<\/strong><\/li>\n\n\n\n<li>Creates hidden admin user \u201cofficialwp\u201d and conceals it with custom filters.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Audit mu-plugins for unauthorized loader scripts.<\/li>\n\n\n\n<li>Inspect wp_options for suspicious entries like \u201c_hdra_core\u201d.<\/li>\n\n\n\n<li>Review user list for hidden accounts (e.g., \u201cofficialwp\u201d).<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/cybersecuritynews.com\/stealthy-backdoor-in-wordpress-plugins\/\">Cybersecurity News<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">10. 
Supply Chain Attack Inserts Backdoor into Popular npm Packages like the &#8220;is&#8221; package<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Last week, attackers hijacked maintainer accounts for several widely used npm JavaScript utilities via a typosquatted phishing domain, inserting cross-platform backdoor loaders into versions of the \u201cis\u201d package and others.<\/strong> The malicious releases remained <strong>available for up to six hours,<\/strong> putting millions of downstream projects at risk and evading most antivirus detections. <\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Phishing emails originated from typo-squat domain npnjs.org targeting maintainers.<\/li>\n\n\n\n<li>Malicious v3.3.1 of \u201cis\u201d was live for six hours before npm admins rolled back.<\/li>\n\n\n\n<li>\u201cScavenger\u201d malware uses a JavaScript loader and maintains a live C2 on Node.js.<\/li>\n\n\n\n<li>Socket reported 60+ malicious npm packages in May and additional backdoors in June.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enforce MFA on all npm maintainer accounts.<\/li>\n\n\n\n<li>Freeze approved versions using package-lock.json.<\/li>\n\n\n\n<li>Implement pre-install scanning of npm packages.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.csoonline.com\/article\/4028412\/supply-chain-attack-compromises-npm-packages-to-spread-backdoor-malware.html\" target=\"_blank\" rel=\"noopener\" title=\"\">CSO Online<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/socket.dev\/blog\/npm-is-package-hijacked-in-expanding-supply-chain-attack\">Socket<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/malpedia.caad.fkie.fraunhofer.de\/details\/win.scavenger\">Malpedia: Scavenger<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">11. 
Pentagon Audits Microsoft \u2018Digital Escort\u2019 Cloud Support Model<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>ProPublica exposed that Microsoft used China-based engineers to remotely support DoD cloud systems via US-based \u201cdigital escorts,\u201d creating an unvetted foreign-access risk.<\/strong> Following Congressional inquiries, Microsoft has barred China-based support for government cloud services. The Pentagon has ordered a two-week audit of all DoD cloud contracts to identify and remediate similar counterintelligence gaps.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The digital escort model routed firewall updates and bug fixes through US-cleared personnel who executed commands from China-based engineers.<\/li>\n\n\n\n<li>Senator Tom Cotton demanded lists of DoD contractors using foreign support and details on escort training and vetting processes.<\/li>\n\n\n\n<li>Defense Secretary Pete Hegseth condemned the practice and initiated a two-week audit of all Department of Defense cloud agreements.<\/li>\n\n\n\n<li>Experts warn escorts lacked the technical expertise to detect malicious code or espionage-focused instructions.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Inventory vendor support models for foreign-based engineering involvement<\/li>\n\n\n\n<li><strong>Enforce policies prohibiting non-approved subcontractor engineer access <\/strong>to sensitive systems<\/li>\n\n\n\n<li>Provide targeted code-review training for personnel executing third-party commands<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.propublica.org\/article\/microsoft-digital-escorts-pentagon-defense-department-china-hackers\">ProPublica: Microsoft \u2018Digital Escorts\u2019 in DoD Systems<\/a><\/li>\n\n\n\n<li><a 
href=\"https:\/\/www.csoonline.com\/article\/4026022\/microsoft-digital-escorts-reveal-crucial-us-counterintelligence-blind-spot.html\">CSO Online: Microsoft Digital Escorts Reveal Blind Spot<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">12. Attackers Hijack FIDO Cross-Device Sign-In with QR Code Trick<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">PoisonSeed phishing operators are bypassing hardware-based FIDO keys by abusing QR-based cross-device sign-in workflows. <strong>Users unwittingly scan attacker-controlled QR codes that complete legitimate FIDO challenges and hand over active sessions\u2014no physical key theft required.<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Discovered by Expel, the campaign mirrors genuine login flows for providers like Okta.<\/li>\n\n\n\n<li>Victims enter credentials on a fake page, then scan a cloned QR prompt that finalizes the session for attackers.<\/li>\n\n\n\n<li>No flaw in FIDO\u2019s cryptography\u2014the abuse lies in the cross-device feature and social engineering.<\/li>\n\n\n\n<li>Experts advise disabling QR-based sign-ins, monitoring new device registrations and anomalous geolocations.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Disable cross-device QR logins where policies allow.<\/li>\n\n\n\n<li>Alert on registrations from unfamiliar devices or unusual geographies.<\/li>\n\n\n\n<li>Train users to verify QR origins before scanning.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.csoonline.com\/article\/4025710\/poisonseed-outsmarts-fido-keys-without-touching-them.html\">CSO Online: PoisonSeed Outsmarts FIDO Keys Without Touching Them<\/a><\/li>\n\n\n\n<li><a 
href=\"https:\/\/expel.com\/blog\/poisonseed-downgrading-fido-key-authentications-to-fetch-user-accounts\/\">Expel: PoisonSeed Downgrading FIDO Key Authentications<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">13. US Nuclear Security Administration Breached via SharePoint Zero-Day Exploit<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Chinese government-affiliated hackers exploited an unpatched zero-day in on-premises Microsoft SharePoint Server to infiltrate the National Nuclear Security Administration\u2019s network. <strong>No classified data was accessed thanks to the agency\u2019s Microsoft 365 cloud migration,<\/strong> but the breach highlights the critical risk of legacy on-premise software. <\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Attack exploited a deserialization flaw plus authentication bypass (CVSS 9.8).<\/li>\n\n\n\n<li>Vulnerabilities were demonstrated at Pwn2Own Vancouver 2024 in May.<\/li>\n\n\n\n<li>Over 50 organizations\u2014including NNSA\u2014were targeted.<\/li>\n\n\n\n<li><strong>Cloud-based SharePoint Online deployments were unaffected.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Deploy Microsoft\u2019s SharePoint Server emergency security updates.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2025-07-23\/us-nuclear-weapons-agency-breached-in-microsoft-sharepoint-hack?embedded-checkout=true\">Bloomberg<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.theverge.com\/news\/712080\/microsoft-sharepoint-hack-us-nuclear-weapons-agency\">The Verge<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/cybersecuritynews.com\/us-nuclear-weapons-agency-breached\/\">Cybersecurity News<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator 
has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">14. Microsoft confirms Warlock ransomware in SharePoint CVE-2025-49706 attacks<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Microsoft attributes new Warlock ransomware activity to China-based Storm-2603 exploiting on-premises SharePoint servers via CVE-2025-49706.  <br><strong>Over 400 governments and businesses\u2014including U.S. agencies NNSA, NIH and DHS\u2014may be impacted as operators disable Defender and encrypt environments.  <\/strong><br>CISA and MS-ISAC are coordinating notifications and mitigation efforts for state, local and federal partners.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Storm-2603 began deploying Warlock ransomware on July 18 after exploiting CVE-2025-49706.<\/li>\n\n\n\n<li>Warlock emerged in June as a RaaS advertised on Russian forum RAMP; at least 11 victims are confirmed.<\/li>\n\n\n\n<li>Attackers disable Microsoft Defender, then encrypt file shares and servers.<\/li>\n\n\n\n<li>Government bodies notified include the National Nuclear Security Administration, NIH and DHS.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Apply Microsoft\u2019s SharePoint security updates immediately.<\/li>\n\n\n\n<li>Audit logs for CVE-2025-49706 exploitation indicators.<\/li>\n\n\n\n<li>Restrict external SharePoint exposure and enforce zero-trust access.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/therecord.media\/microsoft-says-warlock-ransomware-deployed-in-sharepoint-attacks\">The Record<\/a><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Subscribe?<\/h2>\n\n\n                <div class=\"ml-embedded\" data-form=\"pKq7EM\"><\/div>\n            ","protected":false},"excerpt":{"rendered":"<p>Latest interesting and actionable 
cybersecurity news summarised from the last week of July 2025. <\/p>","protected":false},"author":1,"featured_media":20172,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[],"class_list":["post-20112","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20112","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/comments?post=20112"}],"version-history":[{"count":57,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20112\/revisions"}],"predecessor-version":[{"id":20169,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20112\/revisions\/20169"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media\/20172"}],"wp:attachment":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media?parent=20112"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/categories?post=20112"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/tags?post=20112"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}