New Tooling
New Phobos And 8Base Ransomware Decryptor Lets Victims Recover Files For Free
"The Japanese police have released a Phobos and 8-Base ransomware decryptor that lets victims recover their files for free, with BleepingComputer confirming that it successfully decrypts files. Phobos is a ransomware-as-a-service operation that launched in December 2018, enabling other threat actors to join as affiliates and utilize their encryption tool in attacks. In exchange, any ransom payments were split between the affiliate and the operators. While the ransomware operation did not receive as much media attention as other ransomware operations, Phobos is considered one of the most widely distributed ransomware operations, responsible for many attacks on businesses worldwide."
https://www.bleepingcomputer.com/news/security/new-phobos-ransomware-decryptor-lets-victims-recover-files-for-free/
https://www.npa.go.jp/english/bureau/cyber/ransomdamagerecovery.html
https://therecord.media/decryptor-phobos-8base-ransomware-japan-national-police
https://securityaffairs.com/180108/malware/authorities-released-free-decryptor-for-phobos-and-8base-ransomware.html
Vulnerabilities
Microsoft SharePoint Zero-Day Exploited In RCE Attacks, No Patch Available
"Critical zero-day vulnerabilities in Microsoft SharePoint, tracked as CVE-2025-53770 and CVE-2025-53771, have been actively exploited since at least July 18th, with no patch available and at least 85 servers already compromised worldwide. In May, Viettel Cyber Security researchers chained two Microsoft SharePoint flaws, CVE-2025-49706 and CVE-2025-49704, in a "ToolShell" attack demonstrated at Pwn2Own Berlin to achieve remote code execution. While Microsoft patched both ToolShell flaws as part of the July Patch Tuesday, it is now warning that threat actors were able to bypass the fixes with new exploits."
https://www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available/
https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770
https://thehackernews.com/2025/07/critical-microsoft-sharepoint-flaw.html
https://www.securityweek.com/sharepoint-under-attack-microsoft-warns-of-zero-day-exploited-in-the-wild-no-patch-available/
https://www.helpnetsecurity.com/2025/07/20/microsoft-sharepoint-servers-under-attack-via-zero-day-vulnerability-with-no-patch-cve-2025-53770/
HPE Warns Of Hardcoded Passwords In Aruba Access Points
"Hewlett-Packard Enterprise (HPE) is warning of hardcoded credentials in Aruba Instant On Access Points that allow attackers to bypass normal device authentication and access the web interface. Aruba Instant On Access Points are compact, plug-and-play wireless (Wi-Fi) devices, designed primarily for small to medium-sized businesses, offering enterprise-grade features (guest networks, traffic segmentation) with cloud/mobile app management. The security issue, tracked as CVE-2025-37103 and rated “critical” (CVSS v3.1 score: 9.8), impacts Instant On Access Points running firmware version 3.2.0.1 and below."
https://www.bleepingcomputer.com/news/security/hpe-warns-of-hardcoded-passwords-in-aruba-access-points/
New CrushFTP Zero-Day Exploited In Attacks To Hijack Servers
"CrushFTP is warning that threat actors are actively exploiting a zero-day vulnerability tracked as CVE-2025-54309, which allows attackers to gain administrative access via the web interface on vulnerable servers. CrushFTP is an enterprise file transfer server used by organizations to securely share and manage files over FTP, SFTP, HTTP/S, and other protocols. According to CrushFTP, threat actors were first detected exploiting the vulnerability on July 18th at 9AM CST, though it may have begun in the early hours of the previous day."
https://www.bleepingcomputer.com/news/security/new-crushftp-zero-day-exploited-in-attacks-to-hijack-servers/
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025
https://thehackernews.com/2025/07/hackers-exploit-critical-crushftp-flaw.html
NVIDIAScape - Critical NVIDIA AI Vulnerability: A Three-Line Container Escape In NVIDIA Container Toolkit (CVE-2025-23266)
"Wiz Research discovered a critical container escape vulnerability in the NVIDIA Container Toolkit (NCT), which we've dubbed #NVIDIAScape. This toolkit powers many AI services offered by cloud and SaaS providers, and the vulnerability, now tracked as CVE-2025-23266, has been assigned a CVSS score of 9.0 (Critical). It allows a malicious container to bypass isolation measures and gain full root access to the host machine. This flaw stems from a subtle misconfiguration in how the toolkit handles OCI hooks, and it can be exploited with a stunningly simple three-line Dockerfile. Because the NVIDIA Container Toolkit is the backbone for many managed AI and GPU services across all major cloud providers, this vulnerability represents a systemic risk to the AI ecosystem, potentially allowing attackers to tear down the walls separating different customers, affecting thousands of organizations."
https://www.wiz.io/blog/nvidia-ai-vulnerability-cve-2025-23266-nvidiascape
https://thehackernews.com/2025/07/critical-nvidia-container-toolkit-flaw.html
https://www.securityweek.com/critical-nvidia-toolkit-flaw-exposes-ai-cloud-services-to-hacking/
CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2025-25257 Fortinet FortiWeb SQL Injection Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/07/18/cisa-adds-one-known-exploited-vulnerability-catalog
https://securityaffairs.com/180162/hacking/u-s-cisa-adds-fortinet-fortiweb-flaw-to-its-known-exploited-vulnerabilities-catalog.html
Nearly 2,000 MCP Servers Possess No Security Whatsoever
"Approximately all of the nearly 2,000 Model Context Protocol (MCP) servers exposed to the Web today are totally bereft of authentication or access controls. Every technology experiences awkward growing pains when it's first released, particularly when it comes to cybersecurity. That's especially true of artificial intelligence (AI), and most emblematic of AI's rush to adoption before security is the MCP server. MCP servers conveniently allow users to connect their AI models to data sources. Thousands have been spawned in the nine or so months since Anthropic invented the MCP protocol, including thousands that break best practices and expose themselves to the open Web."
https://www.darkreading.com/vulnerabilities-threats/2000-mcp-servers-security
https://www.knostic.ai/blog/find-mcp-server-shodan
CISA Adds One Known Exploited Vulnerability, CVE-2025-53770 “ToolShell,” To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. See CISA’s Alert Microsoft Releases Guidance on Exploitation of SharePoint Vulnerability (CVE-2025-53770) for more information and to apply the recommended mitigations.
CVE-2025-53770: Microsoft SharePoint Server Remote Code Execution Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/07/20/cisa-adds-one-known-exploited-vulnerability-cve-2025-53770-toolshell-catalog
Malware
UK Calls Out Russian Military Intelligence For Use Of Espionage Tool
"The Government has today (18 July) exposed Russian military intelligence actors for using previously unknown malicious software to enable espionage against victim email accounts, in a move that will keep the UK and its allies safer. The National Cyber Security Centre – a part of GCHQ – has revealed for the first time that the cyber threat group APT 28 has been responsible for deploying a sophisticated malware dubbed AUTHENTIC ANTICS as part of its operations. The UK has previously said APT 28 is part of Russia’s GRU 85th Main Special Service Centre, Military Unit 26165."
https://www.ncsc.gov.uk/news/uk-call-out-russian-military-intelligence-use-espionage-tool
https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/authentic-antics/ncsc-mar-authentic_antics.pdf
https://www.bleepingcomputer.com/news/security/uk-ties-russian-gru-to-authentic-antics-credential-stealing-malware/
https://www.infosecurity-magazine.com/news/new-malware-targeting-email/
https://www.theregister.com/2025/07/20/uk_microsoft_snooping_russia/
Arch Linux Pulls AUR Packages That Installed Chaos RAT Malware
"Arch Linux has pulled three malicious packages uploaded to the Arch User Repository (AUR) that were used to install the CHAOS remote access trojan (RAT) on Linux devices. The packages were named "librewolf-fix-bin", "firefox-patch-bin", and "zen-browser-patched-bin," and were uploaded by the same user, "danikpapas," on July 16. The packages were removed two days later by the Arch Linux team after being flagged as malicious by the community. "On the 16th of July, at around 8pm UTC+2, a malicious AUR package was uploaded to the AUR," warned the AUR maintainers."
https://www.bleepingcomputer.com/news/security/arch-linux-pulls-aur-packages-that-installed-chaos-rat-malware/
https://lists.archlinux.org/archives/list/[email protected]/thread/7EZTJXLIAQLARQNTMEW2HBWZYE626IFJ/
PoisonSeed Downgrading FIDO Key Authentications To ‘fetch’ User Accounts
"Our SOC has recently spotted a novel attack technique that involves socially engineering a target to get around the security protections provided by FIDO keys. The attacker does this by taking advantage of cross-device sign-in features available with FIDO keys. These features are designed to help users sign into their accounts on systems without a passkey by using an additional registered device, like a mobile phone. However, the bad actors in this case are using this feature in adversary-in-the-middle (AitM) attacks. This is a concerning development, given that FIDO keys are often regarded as one of the pinnacles of secure multifactor authentication (MFA). And while we haven’t uncovered a vulnerability in FIDO keys, IT and SecOps folks will want to sit up and take notice—this attack demonstrates how a bad actor could run an end-route around an installed FIDO key."
https://expel.com/blog/poisonseed-downgrading-fido-key-authentications-to-fetch-user-accounts/
https://www.darkreading.com/remote-workforce/poisonseed-attacker-fido-keys
https://www.bleepingcomputer.com/news/security/threat-actors-downgrade-fido2-mfa-auth-in-poisonseed-phishing-attack/
https://hackread.com/poisonseed-trick-users-bypassing-fido-keys-qr-codes/
NailaoLocker Ransomware’s “Cheese”
"FortiGuard Labs recently ran across NailaoLocker, a ransomware variant targeting Microsoft Windows systems. Like many ransomware families, it uses AES-256-CBC to encrypt user files. What sets it apart is the presence of hard-coded SM2 cryptographic keys and a built-in decryption function—an uncommon combination that raises immediate questions about intent."
https://www.fortinet.com/blog/threat-research/nailaolocker-ransomware-cheese
Qilin Ransomware Is Growing, But How Long Will It Last?
"Qilin is a ransomware-as-a-service (RaaS) operation that is thought to be based out of Russia or other former Soviet states. It has affiliates worldwide and has become a significant global threat. A "Qilin" is a mythical creature deeply rooted in Chinese, Korean, Japanese, and Vietnamese cultures, most often associated with peace, prosperity, justice, and protection. This is a great branding choice for a threat group because the visual is a cool dragon-like creature, and ransomware affiliates can consider themselves the embodiment of any of those characteristics. If you’re a ransomware criminal, there’s really no downside to saying you act on behalf of peace and justice, or that you’re a powerful punisher."
https://blog.barracuda.com/2025/07/18/qilin-ransomware-growing
Malware Identified In Attacks Exploiting Ivanti Connect Secure Vulnerabilities
"JPCERT/CC Eyes previously introduced the malware SPAWNCHIMERA and DslogdRAT, which were deployed by exploiting vulnerabilities in Ivanti Connect Secure. At JPCERT/CC, we have continued to observe active exploitation of these vulnerabilities. In this report, we explain the following malware, tools, and penetration tactics used by attackers leveraging CVE-2025-0282 and CVE-2025-22457 in attacks observed from December 2024 to the present, July 2025."
https://blogs.jpcert.or.jp/en/2025/07/ivanti_cs.html
https://thehackernews.com/2025/07/ivanti-zero-days-exploited-to-drop.html
Singapore Accuses Chinese State-Backed Hackers Of Attacking Critical Infrastructure Networks
"Singapore’s critical infrastructure is being targeted by a Chinese espionage hacking group, a senior official said Friday. In a speech, Singapore’s Coordinating Minister for National Security K. Shanmugam highlighted the activity of UNC3886, an espionage group that has previously targeted routers and network security devices to infiltrate critical entities. “The intent of this threat actor in attacking Singapore is quite clear,” Shanmugam said. “It is going after high value strategic threat targets, vital infrastructure that delivers essential services.”"
https://therecord.media/singapore-accuses-chinese-backed-hackers-critical-infrastructure-attacks
https://securityaffairs.com/180179/uncategorized/singapore-warns-china-linked-group-unc3886-targets-its-critical-infrastructure.html
Hackers Scanning For TeleMessage Signal Clone Flaw Exposing Passwords
"Researchers are seeing exploitation attempts for the CVE-2025-48927 vulnerability in the TeleMessage SGNL app, which allows retrieving usernames, passwords, and other sensitive data. TeleMessage SGNL is a Signal clone app now owned by Smarsh, a compliance-focused company that provides cloud-based or on-premises communication solutions to various organizations."
https://www.bleepingcomputer.com/news/security/hackers-scanning-for-telemessage-signal-clone-flaw-exposing-passwords/
https://www.greynoise.io/blog/active-exploit-attempts-signal-based-messaging-app
https://hackread.com/telemessage-sgnl-flaw-actively-exploited-by-attackers/
SnakeKeylogger Phishing Campaign — IOC Analysis And Malware Infrastructure Breakdown
"In today’s evolving cyber threat landscape, phishing continues to be a dominant attack vector — often used to deliver credential-stealing malware like SnakeKeylogger. Recently, I investigated a real-world malware campaign that used phishing emails, deceptive domains, and stealthy payload delivery to compromise user systems. This article presents a deep dive into the infection chain, the infrastructure used, and Indicators of Compromise (IOCs) identified during the investigation. The full IOC list is available on my GitHub repository."
https://kanada12.medium.com/snakekeylogger-phishing-campaign-ioc-analysis-and-malware-infrastructure-breakdown-7013a768dc5d
Active Supply Chain Attack: Npm Phishing Campaign Leads To Prettier Tooling Packages Compromise
"Hours after we reported on the npm phishing campaign using the typosquatted npnjs.com site, we’re now seeing the first major fallout: popular npm packages, including eslint-config-prettier and eslint-plugin-prettier, were compromised when a maintainer’s npm token was stolen via the phishing email. A suspicious activity report in a GitHub issue on the eslint-config-prettier repo revealed that four new versions of eslint-config-prettier were published with no corresponding commits or PRs on GitHub. Maintainers quickly discovered the new versions contained malicious code, including a Windows-specific payload attempting to load node-gyp.dll via rundll32."
https://socket.dev/blog/npm-phishing-campaign-leads-to-prettier-tooling-packages-compromise
https://www.bleepingcomputer.com/news/security/popular-npm-linter-packages-hijacked-via-phishing-to-drop-malware/
https://thehackernews.com/2025/07/malware-injected-into-6-npm-packages.html
Uncovering Chinese Dark Web Syndicates And Money Mule Pipeline To Indian Banks
"This whitepaper exposes how Chinese cyber syndicates have built a shadow banking empire in India—using fake apps, mule accounts, and illegal payment gateways to launder over ₹5,000 crore annually. From Telegram recruitment to crypto cashouts, it reveals the full anatomy of this threat to India’s financial and national security. A must-read for policymakers, banks, and investigators. Download now to uncover the dark web’s financial warfront."
https://www.cloudsek.com/whitepapers-reports/uncovering-chinese-dark-web-syndicates-and-money-mule-pipeline-to-indian-banks
https://hackread.com/chinese-groups-launder-india-fake-apps-mule-accounts/
EncryptHub Targets Web3 Developers Using Fake AI Platforms To Deploy Fickle Stealer Malware
"The financially motivated threat actor known as EncryptHub (aka LARVA-208 and Water Gamayun) has been attributed to a new campaign that's targeting Web3 developers to infect them with information stealer malware. "LARVA-208 has evolved its tactics, using fake AI platforms (e.g., Norlax AI, mimicking Teampilot) to lure victims with job offers or portfolio review requests," Swiss cybersecurity company PRODAFT said in a statement shared with The Hacker News. While the group has a history of deploying ransomware, the latest findings demonstrate an evolution of its tactics and a diversification of its monetization methods by using stealer malware to harvest data from cryptocurrency wallets."
https://thehackernews.com/2025/07/encrypthub-targets-web3-developers.html
https://catalyst.prodaft.com/public/report/larva-208s-new-campaign-targets-web3-developers/overview
Attacks Targeting Linux SSH Servers To Install SVF DDoS Bot
"AhnLab Security intelligence Center (ASEC) is monitoring attacks targeting poorly managed Linux servers by utilizing multiple honeypots. One of the most common honeypots is the SSH service using weak credentials, and a large number of DDoS and CoinMiner threat actors are attacking this service. ASEC has recently identified a case of an attack that installs DDoS Bot malware called SVF Botnet from an external source. SVF Bot is developed in Python and uses Discord as its C&C server. It also utilizes multiple proxy servers during DDoS attacks."
https://asec.ahnlab.com/en/89083/
General News
Why We Must Go Beyond Tooling And CVEs To Illuminate Security Blind Spots
"In April, the cybersecurity community held its breath as the Common Vulnerabilities and Exposures (CVE) program was plunged into a moment of existential crisis. In the end, an eleventh-hour reprieve saved the day. While CVEs do not encompass the full scope of network security issues, they are still a critical component to track as part of a security program. Over the last 25 years, the CVE program has evolved into a critical, shared, and global resource that helps IT defenders keep their constituents safe and secure, and it’s important for this work to continue."
https://www.helpnetsecurity.com/2025/07/18/attack-surface-exposure-management/
Making Security And Development Co-Owners Of DevSecOps
"In this Help Net Security interview, Galal Ibrahim Maghola, former Head of Cybersecurity at G42 Company, discusses strategic approaches to implementing DevSecOps at scale. Drawing on experience in regulated industries such as finance, telecom, and critical infrastructure, he offers tips on ownership models, automation, and compliance. His approach focuses on collaborative practices that balance speed, security, and developer productivity."
https://www.helpnetsecurity.com/2025/07/18/galal-ibrahim-maghola-devsecops-practices-tips/
AI Adoption Is Booming But Secure Scaling Not So Much
"96% of organizations are deploying AI models, and virtually no organization can move into the future without considering how ML and intelligent apps might soon affect its operations, according to F5. Only 2% of global organizations are highly ready to scale AI securely across operations. The report compiles insights from 650 global IT leaders and additional research with 150 AI strategists, representing organizations with at least $200 million in annual revenue."
https://www.helpnetsecurity.com/2025/07/18/ai-readiness-in-organizations/
Buy Now, Pay Later… With Your Data
"Buy Now, Pay Later (BNPL) apps are everywhere these days. Whether you’re buying sneakers or groceries, chances are you’ve seen the option to split your payments over time. It’s quick and easy. But behind the convenience is a growing privacy concern that most users know little about. A new study from Incogni digs into just how much personal information BNPL apps collect and share. The research looked at eight of the most popular BNPL apps in the U.S. Google Play store, including Afterpay, Klarna, Affirm, and others. What it found was a pattern of aggressive data collection and sharing, with limited transparency."
https://www.helpnetsecurity.com/2025/07/18/buy-now-pay-later-bnpl-privacy/
Retail Becomes New Target As Healthcare Ransomware Attacks Slow
"Ransomware attacks targeting the healthcare industry have grown at a far slower rate than most other sectors in the first half of 2025, according to a new analysis by Comparitech. This comes as other sectors like retail are increasingly being viewed as an easier/more lucrative target, resulting in some threat actors shifting focus, according to Rebecca Moody, head of data research at Comparitech. The consumer awareness firm tracked 211 ransomware attacks on healthcare organizations in H1 2025, which is a 4% year-on-year increase when compared to H1 2024. This compares to an average 50% rise in ransomware attacks across all industries over the same period."
https://www.infosecurity-magazine.com/news/retail-target-healthcare/
Fraud: A Growth Industry Powered By Gen-AI
"The rising tide of AI is lifting all fraud – the current situation is bad and getting worse. Proof’s Transaction & Identity Fraud Bulletin (PDF) highlights and explains a surge in cyber-driven fraud. The primary causes are the growth of personal data on the internet (from sources such as social media), the ability of AI to harvest and collate that data, and the emergence of fraud-as-a-service turbo-charged by AI. “Fraud today doesn’t look like it did five years ago. It’s synthetic, it’s autonomous, and it’s scaling,” comments Pat Kinsel, CEO of Proof. “We’re seeing high-risk interactions involving billions in assets… trust must now be engineered in a world where identity can be convincingly faked and monetized at scale.”"
https://www.securityweek.com/fraud-a-growth-industry-powered-by-gen-ai/
https://lp.proof.com/hubfs/The Trust Ledger.pdf
UK Sanctions Russian Spies At The Heart Of Putin’s Malicious Regime
"Russian spies and hackers targeting the UK and others are today exposed and sanctioned in decisive action by the UK Government to deliver security for working people. Today’s measures target three units of the Russian military intelligence agency (GRU) and 18 military intelligence officers who are responsible for conducting a sustained campaign of malicious cyber activity over many years, including in the UK. The GRU routinely uses cyber and information operations to sow chaos, division and disorder in Ukraine and across the world with devastating real-world consequences."
https://www.gov.uk/government/news/uk-sanctions-russian-spies-at-the-heart-of-putins-malicious-regime
https://therecord.media/uk-sanctions-gru-personnel-accused-murder-civilians-ukraine
Ex-IDF Cyber Chief On Iran, Scattered Spider, And Why Social Engineering Worries Him More Than 0-Days
"Scattered Spider and Iranian government-backed cyber units have more in common than a recent uptick in hacking activity, according to Ariel Parnes, a former colonel in the Israeli Defense Forces' cyber unit 8200. Both the financially motivated crew and Tehran's APT groups excel at social engineering attacks, and are proof positive that cybercriminals don't necessarily need to use zero-days to inflict damage. "One of the famous cases in Israel was with an insurance company," Parnes, co-founder and COO at cloud threat detection and response firm Mitiga, told The Register."
https://www.theregister.com/2025/07/19/idf_cyber_chief_iran/
References
Electronic Transactions Development Agency (ETDA)