Daily Brief
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-07-21 03:36:26 | thehackernews | CYBERCRIME | Microsoft Issues Urgent Patches for Exploited SharePoint Flaws | Microsoft released critical patches for a severe Remote Code Execution (RCE) flaw in SharePoint after identifying active exploitation of the vulnerability. The security flaw, tracked as CVE-2025-53770 with a CVSS score of 9.8, allows attackers to execute arbitrary code by deserializing untrusted data in on-premise SharePoint Servers. An associated spoofing flaw, tracked as CVE-2025-53771 (CVSS score: 6.3), also received protection updates. Both vulnerabilities impact only on-premises versions of SharePoint Server, with no current implications for SharePoint Online in Microsoft 365. A related exploit chain, ToolShell, involving previously addressed vulnerabilities (CVE-2025-49704 and CVE-2025-49706), has been patched as well. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed CVE-2025-53770 in its Known Exploited Vulnerabilities catalog, urging immediate patch application. Reports from Eye Security and Palo Alto Networks indicate that the exploitation has affected sectors including banks, universities, government entities, schools, healthcare, and large enterprises. Recommendations include immediate patch installation, cryptographic key rotation, and continued vigilance for additional incident response and security enhancement. | Details |
| 2025-07-21 00:20:17 | theregister | NATION STATE ACTIVITY | Microsoft SharePoint Flaw Exploited, Ring Reverses Privacy Promise | Microsoft has disclosed ongoing attacks exploiting a zero-day vulnerability in on-prem SharePoint Servers, which was inadequately addressed in earlier patches. The critical flaw, rated 9.8/10 on the CVSS scale, allows unauthorized code execution and is a variant of another less severe bug Microsoft attempted to patch recently. While patches for SharePoint Server Subscription Edition are available, versions 2016 and 2019 remain vulnerable, with recommendations to enable the Windows Antimalware Scan Interface and use antivirus tools effectively. CISA has issued alerts to monitor specific IPs and suspicious activities related to this vulnerability. The Electronic Frontier Foundation criticizes Amazon's Ring for backtracking on its privacy stance by allowing police access to live CCTV feeds from homes without warrants. In China, new surveillance measures enable the government to install tracking malware on smartphones at border entries, risking privacy and data security for international visitors. Microsoft halts the involvement of Chinese engineers in projects for the US Department of Defense following a report highlighting potential security risks. These cybersecurity incidents highlight significant concerns in both corporate settings and international privacy and surveillance practices. | Details |
| 2025-07-20 16:17:01 | thehackernews | MALWARE | EncryptHub Targets Web3 Developers with Fickle Stealer Malware | EncryptHub, also known as LARVA-208 and Water Gamayun, has launched a new malware campaign targeting Web3 developers. Attackers use fake AI platforms offering job opportunities or portfolio reviews to attract victims and deploy Fickle Stealer malware. The focus on Web3 developers, who commonly manage crypto wallets and sensitive project data, allows EncryptHub to monetize via data exfiltration. Initial contact is made through legitimate channels like Google Meet, then victims are directed to malicious platforms like Norlax AI under the pretext of technical issues. Once lured, victims inadvertently download malware disguised as a genuine audio driver, which gathers and transmits data to the attackers' server. The stolen information includes cryptocurrency wallet credentials, development credentials, and sensitive project data suitable for illicit markets. PRODAFT's report hints at a significant shift in EncryptHub's tactics from ransomware to information stealers, emphasizing data theft over system lockdown. | Details |
| 2025-07-20 15:42:43 | bleepingcomputer | MALWARE | Critical Zero-Day Vulnerability Exposes Microsoft SharePoint Servers | A critical zero-day vulnerability in Microsoft SharePoint, identified as CVE-2025-53770, is currently being exploited, with no available patch. Originally demonstrated via the "ToolShell" attack at Pwn2Own 2025, this flaw is a variant of another vulnerability patched in July. Over 85 SharePoint servers globally have been confirmed as compromised due to this exploit. Microsoft advises customers to enable AMSI integration and deploy Defender AV to prevent attacks. The vulnerability specifically affects on-premises SharePoint servers, not impacting Microsoft 365 users. Attackers have utilized stolen cryptographic keys to craft authentic SharePoint tokens for remote code execution. Administrators should check specific system files and logs for indicators of compromise to confirm if their systems are affected. Microsoft is actively working on a security update, while affected systems should be disconnected from the internet until then. | Details |
| 2025-07-20 14:11:36 | bleepingcomputer | MALWARE | Critical Security Flaw in HPE Aruba Access Points Exposed | HPE has identified a critical vulnerability (CVE-2025-37103) in Aruba Instant On Access Points affecting firmware version 3.2.0.1 and below, rated 9.8 on the CVSS v3.1 scale. The vulnerability is due to hardcoded administrative credentials that let attackers bypass authentication and access device controls. Attackers exploiting this flaw can change settings, capture traffic, and potentially enable further network breaches. A second, related high-severity issue (CVE-2025-37102) involves command injection in the device's CLI, reachable only through administrative access enabled by the first flaw. Both vulnerabilities can be mitigated by upgrading to firmware version 3.2.1.0 or newer; HPE has not provided any workarounds. There have been no reported exploits yet, but immediate firmware updates are strongly advised to prevent potential security breaches. The exposure highlights the importance of regular device maintenance and the need for robust cybersecurity practices in network management. | Details |
| 2025-07-20 11:07:47 | theregister | NATION STATE ACTIVITY | UK Accuses Russian GRU of Deploying Malware to Steal Email Credentials | The UK has attributed the novel "Authentic Antics" malware to Russia's GRU, targeting Microsoft Outlook to harvest email credentials. This malware revelation coincided with UK sanctions against three GRU units and various individuals for long-standing cyber espionage. Authentic Antics malware operates by mimicking a login screen within Outlook, stealing user credentials and OAuth tokens when entered. The stolen OAuth tokens allow unauthorized access to multiple Microsoft services such as Exchange Online, SharePoint, and OneDrive. In addition to credential theft, the malware exfiltrates data by sending emails from compromised accounts to a controlled address, without leaving traces in the "sent" folder. This cybersecurity threat is part of a broader spectrum of GRU activities, including espionage and physical attacks linked directly to conflicts like the invasion of Ukraine. Global responses include condemnations and coordinated warnings from entities like the EU, NATO, and US security agencies regarding GRU's malicious cyber operations. | Details |
| 2025-07-20 09:57:10 | thehackernews | DATA BREACH | Critical SharePoint Zero-Day Breaches Top 75 Organizations Globally | A severe zero-day vulnerability in Microsoft SharePoint Server, CVE-2025-53770, is actively exploited and affecting over 75 global organizations. The flaw, with a high severity rating of 9.8, facilitates unauthorized remote code execution by deserializing untrusted data. Microsoft has acknowledged the vulnerability and is working on a security update; in the meantime, SharePoint Online users are not impacted. Interim protective measures recommended by Microsoft include enabling AMSI integration and deploying Defender AV on all SharePoint servers. The exploit, named ToolShell, involves delivering malicious ASPX payloads via PowerShell to steal sensitive server configuration keys for persistent access. The stolen keys allow attackers to convert authenticated SharePoint requests into remote code execution opportunities. Large enterprises and government bodies worldwide have been confirmed as compromised. Microsoft, cybersecurity firms, and researchers continue to monitor and address the escalating impacts of these attacks. | Details |
| 2025-07-20 09:50:42 | thehackernews | MALWARE | Phishing Attack Leads to Malware in Six Popular npm Packages | Cybersecurity researchers have uncovered a supply chain attack on npm packages that used project maintainers' npm tokens stolen in a phishing campaign. Impacted maintainers inadvertently gave up their credentials through a typosquatted website, allowing attackers to publish malicious package updates directly to the npm registry. Malicious code integrated into the rogue npm package versions aims to execute a DLL on Windows machines, potentially leading to remote code execution. The phishing emails used for this campaign impersonated official npm communications, misleading recipients with links to a fraudulent npm login page. Developers using the affected packages are urged to verify their installed versions and revert to secure releases, while maintainers are recommended to enhance security measures using two-factor authentication and scoped tokens. The incident underscores vulnerabilities within digital supply chains, with potential widespread impacts on the broader software ecosystem. The operation is somewhat parallel to protestware-laden packages recently found on npm, designed to disrupt Russian and Belarusian domain visitors, showcasing the range of threats facing package repositories. Separate from the npm issue, the Arch Linux team removed three packages that contained malware, demonstrating a continued trend of repositories being targeted across different platforms. | Details |
| 2025-07-20 07:42:33 | thehackernews | CYBERCRIME | Hackers Target Unpatched Servers Via CrushFTP Vulnerability | A critical vulnerability in CrushFTP, CVE-2025-54309, with a CVSS score of 9.0, is being actively exploited to gain administrative access. The flaw is present in CrushFTP 10 versions prior to 10.8.5 and CrushFTP 11 versions prior to 11.3.4_23, and exploits AS2 validation when the DMZ proxy is not used. CrushFTP, widely used in sectors like government, healthcare, and enterprise, acknowledged the zero-day exploitation discovered on July 18, 2025. Attackers gained access possibly by reverse engineering CrushFTP's recent code changes and exploiting earlier undetected bugs. This administrative access permits potential data exfiltration, backdoor insertion, and internal system compromises. CrushFTP has released indicators of compromise and recommends security measures including checking modification times of user.xml and auditing permission changes. Previously, other high-severity vulnerabilities in CrushFTP have been exploited, suggesting a pattern of targeted attacks against the platform. Immediate patching and compliance with CrushFTP's mitigation recommendations are crucial to prevent further exploits. | Details |
| 2025-07-19 17:48:52 | bleepingcomputer | CYBERCRIME | PoisonSeed Phishing Attacks Bypass FIDO2 Security Key Protections | A recent PoisonSeed phishing campaign exploits WebAuthn's cross-device sign-in feature to circumvent FIDO2 security key protections, targeting corporate login portals like Okta and Microsoft 365. The attackers guide victims to a fake website that mimics legitimate corporate portals, prompting them to enter their credentials. Utilizing an adversary-in-the-middle (AiTM) architecture, the attackers gain real-time access by submitting stolen credentials to the actual login page. The AiTM then tricks the real portal into initiating cross-device authentication, sending a QR code back to the phishing page for the victim to unknowingly authenticate. This method allows the user's multimodal authentication sequence to be manipulated, avoiding direct use of the victim's FIDO2 security key by substituting a QR code scan. The campaigners abuse legitimate features within FIDO2 instead of exploiting direct vulnerabilities, showing advanced techniques in bypassing strong multifactor authentication. Expel's analysis highlights the need for heightened awareness and improved detection techniques to combat such sophisticated phishing approaches effectively. | Details |
| 2025-07-19 12:52:09 | bleepingcomputer | MALWARE | Popular JavaScript Libraries Compromised by Phishing Attacks | Popular npm packages eslint-config-prettier and eslint-plugin-prettier were hijacked to distribute malware, impacting over 30 million weekly downloads. The compromise occurred through a phishing attack that enabled unauthorized access to npm maintainer credentials, which were used to publish infected package versions. Affected versions contain a malicious script designed to execute a DLL trojan on Windows systems, posing significant security risks. Initial detection was prompted by the community after observing discrepancies between published packages on npm and their corresponding GitHub repositories. The package maintainer quickly responded by revoking the compromised npm token and deprecating the malicious versions. Developers are advised to avoid specific versions of the packages, check system logs, and consider security measures like rotating exposed secrets. These incidents highlight ongoing vulnerabilities in the supply chain and the importance of enhancing security practices among open-source maintainers. | Details |
| 2025-07-19 08:09:14 | theregister | NATION STATE ACTIVITY | Ex-IDF Chief Discusses Iranian Cyber Tactics and Social Engineering | Ariel Parnes, former commander in Israel's elite cyber unit, highlights the growing sophistication of social engineering in cyberattacks led by Iran-backed groups and other hackers. Iranian threat actors and the hacker group Scattered Spider do not rely solely on advanced malware but employ effective social engineering to compromise targets. In a notable 2020 incident, Iranian hackers targeted an Israeli insurance company, stealing and leaking sensitive data which had a major psychological impact. Techniques include spear-phishing, the creation of fake professional profiles, and strategic misinformation spread via social media to amplify the effects of the breaches. Parnes emphasizes that the real power of such attacks lies not just in the data theft itself, but in the attackers' ability to manipulate public perception and fear. With advancements in AI, these actors can now expedite their target reconnaissance, generating detailed reports on individuals to craft more believable phishing attempts. The former IDF officer pointed out that even without state-level resources, effective social engineering only requires a deep understanding of the target's operations and culture. Moreover, he indicated potential collaborations between financially motivated groups like Scattered Spider and state-backed entities, illustrating a fusion of tactics that enhance these groups' threat capacity. | Details |
| 2025-07-19 02:54:03 | bleepingcomputer | CYBERCRIME | Zero-Day Vulnerability in CrushFTP Exposes Servers to Hijack | A zero-day vulnerability has been identified in CrushFTP, allowing administrative access via the web interface. CVE-2025-54309 was initially exploited around July 18th and affects versions prior to CrushFTP v10.8.5 and v11.3.4_23. CrushFTP's recent patches, released after July 1, address the vulnerability; unpatched systems remain at risk. Threat actors likely reverse-engineered the software to discover and exploit the new vulnerability. CrushFTP highlights the significance of regular patching to prevent exploitation. Systems using a DMZ configuration and timely patches are reportedly not impacted. CrushFTP advises administrators of compromised systems to restore settings from backups taken prior to July 16th. Rapid7 cautions against using DMZs alone as a mitigation strategy against such exploits. | Details |
| 2025-07-18 22:35:08 | bleepingcomputer | CYBERCRIME | Zero-Day Exploited to Gain Admin Rights on CrushFTP Servers | CrushFTP has identified active exploitation of a zero-day vulnerability, CVE-2025-54309, which allows administrative access via its web interface. This vulnerability impacts versions prior to CrushFTP v10.8.5 and v11.3.4_23, with patched versions available since around July 1st. The flaw was inadvertently blocked by a prior unrelated fix, but has since been specifically addressed in later updates. CrushFTP advises that regularly updated systems are not at risk, and affected systems should restore configurations from backups taken before July 16th as a precaution. Rapid7 has criticized the use of DMZs (demilitarized zones) as an ineffective preventive measure against this type of exploit. The exact motives of the attackers remain unclear, but managed file transfer systems have historically been targeted for data theft and ransomware attacks. Security experts recommend regular system updates and monitoring upload/download logs for anomalies to mitigate such vulnerabilities. | Details |
| 2025-07-18 22:28:39 | bleepingcomputer | CYBERCRIME | CrushFTP Zero-Day Exploitation Grants Unauthorized Admin Access | A zero-day vulnerability in CrushFTP software, tracked as CVE-2025-54309, allows attackers administrative access via the web interface. The vulnerability affects versions prior to CrushFTP v10.8.5 and CrushFTP v11.3.4_23; systems updated after July 1st are patched against this exploit. Threat actors possibly reverse-engineered the software to exploit outdated versions, which had not patched this newly discovered bug. The initial detection of the exploit occurred on July 18th, with potential earlier activity starting the previous day. CrushFTP's previous security updates inadvertently mitigated the issue, though they targeted a different problem related to HTTP(S) AS2. Administrators with compromised systems should restore configurations from backups taken prior to July 16th and review logs for unusual activity. Rapid7 cautions against using DMZ (demilitarized zone) configurations as the sole strategy for defending against such exploits. It is still unclear if this exploit has been used for data theft or to deploy other malicious software. | Details |