Cyber Threat Weekly – #87
The week of July 14th through July 20th, about 367 cyber news articles were reviewed. A moderate amount of cyber threat trends and adversarial behavior news to share. Been thinking about small businesses and cybersecurity.
SMBs should not have to choose between affordability and effectiveness. Coveware’s Q1 2025 ransomware report shows organizations with 11 – 100 employees accounted for 35.6% of attacks, the highest of any group. The median size of victim organizations is 228 employees. Small business is disproportionately affected by ransomware. There are affordable enterprise security controls available for small businesses.
Let’s start with on-prem Microsoft SharePoint servers under active exploitation with a zero-day bug. FIDO2 authentication downgrade attack. CrushFTP zero-day bug exploited. Open-source repositories under attack.
LameHug malware uses large language model to create commands. Citrix Bleed 2 exploited before exploits available. Social engineering malware installs via Microsoft Teams. Katz Stealer malware-as-a-service analysis and IoCs.
Disclosed ransomware incidents increase 63% in Q2 2025. Researchers share novel attack method, ‘native phishing’. FileFix abused in Interlock remote access trojan attack campaign. Researchers share initial access techniques.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months. We continue to share n-day vulnerabilities being actively exploited. Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs. If it’s in the catalog, it should be patched.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
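The prioritization above (KEV first, weaponized PoC second, a 24-to-48-hour emergency window, tightened for Internet-exposed hosts) as a small triage script. This is an added example, not code from the newsletter; the KEV sample is constructed in the shape of the CISA KEV JSON feed, the weaponized-PoC set and the scanner findings are constructed, and the 24h/48h/30-day windows are assumed policy values.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the CISA KEV JSON feed (the field names
# cveID/dateAdded/knownRansomwareCampaignUse match the real feed; the entries use
# CVEs named in this issue with made-up dates).
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2025-47812", "dateAdded": "2025-07-14", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2025-25257", "dateAdded": "2025-07-18", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2025-53770", "dateAdded": "2025-07-20", "knownRansomwareCampaignUse": "Unknown"}]}"""

# Constructed: CVEs with public weaponized PoC code, as tracked in an internal
# list (assumption; there is no single authoritative feed for this).
WEAPONIZED_POC = {"CVE-2025-54309", "CVE-2025-53771"}

# Constructed scanner findings; CVE-2025-00000 is a placeholder id, not a real CVE.
FINDINGS = [
    {"host": "sp-app1", "cve": "CVE-2025-53770", "internet_exposed": False},
    {"host": "sp-app1", "cve": "CVE-2025-53771", "internet_exposed": False},
    {"host": "ftp01", "cve": "CVE-2025-47812", "internet_exposed": True},
    {"host": "crush01", "cve": "CVE-2025-54309", "internet_exposed": True},
    {"host": "web02", "cve": "CVE-2025-00000", "internet_exposed": True},
]

def triage(findings, kev_json, weaponized, now):
    """Rank findings KEV > weaponized PoC > routine. Emergency items get 48 hours,
    24 hours when the host is Internet-exposed; routine items get 30 days."""
    kev = {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}
    ranked = []
    for f in findings:
        if f["cve"] in kev:
            priority, reason = 1, "CISA KEV"
        elif f["cve"] in weaponized:
            priority, reason = 2, "weaponized PoC"
        else:
            priority, reason = 3, "routine"
        if priority == 3:
            hours = 30 * 24
        else:
            hours = 24 if f["internet_exposed"] else 48
        ranked.append({**f, "priority": priority, "reason": reason,
                       "deadline": (now + timedelta(hours=hours)).isoformat()})
    # Within a priority, Internet-exposed hosts come first.
    return sorted(ranked, key=lambda r: (r["priority"], not r["internet_exposed"]))

def run_example():
    """Triage the constructed findings as of a fixed 'now' so results are reproducible."""
    return triage(FINDINGS, KEV_JSON, WEAPONIZED_POC, datetime(2025, 7, 21, tzinfo=timezone.utc))
```

Swap `KEV_JSON` for the downloaded catalog file and `FINDINGS` for your scanner export to get a ranked patch list with deadlines.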
CISA Known Exploited Vulnerabilities – July 14th to July 20th:
CVE-2025-47812 – Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability:
Can allow injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default).
CVE-2025-25257 – Fortinet FortiWeb SQL Injection Vulnerability:
May allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.
CVE-2025-53770 – Microsoft SharePoint Deserialization of Untrusted Data Vulnerability:
Affects Microsoft SharePoint Server on-premises - could allow an unauthorized attacker to execute code over a network.
Critical Zero-Day SharePoint Bug Actively Exploited
These new bugs affect on-prem SharePoint only. These are remote code execution (RCE) bugs that appear to be a bypass for the ToolShell bugs fixed in the July Patch Tuesday. New patches have been released for CVE-2025-53770 and CVE-2025-53771. No mitigations are available; patching is the fix. Detection can be performed with Defender AV.
https://isc.sans.edu/diary/rss/32122
https://research.eye.security/sharepoint-under-siege/
Using Adversary-in-the-Middle to Downgrade FIDO2 Authentication
There has been an update: it turns out the evidence did not support the original findings.
https://www.darkreading.com/remote-workforce/poisonseed-attacker-fido-keys
https://expel.com/blog/an-important-update-and-apology-on-our-poisonseed-blog/
Another Zero-Day Exploited, CrushFTP
The flaw appears to have been reverse engineered from an earlier fix to AS2 over HTTP(S); that prior fix turned off a rarely used feature, which blocked this flaw as well. Tracked as CVE-2025-54309, it allows administrative access via the web interface.
https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025
Open-Source Repositories Continue to be Targeted
Every week there are multiple stories of open-source repositories being attacked. Here are several from this week, rolled into a single thread.
https://thehackernews.com/2025/07/hackers-use-github-repositories-to-host.html
Large Language Model Used by LameHug Malware to Create Commands
This is more for tracking purposes, but is interesting. Leave it to nation state threat actors to come up with novel approaches to using AI. The LameHug malware uses the Hugging Face API to interact with the open-source Qwen2.5-Coder-32B-Instruct model. The malware generates execution commands, allowing the threat actors to change tactics and stay stealthy.
https://www.infosecurity-magazine.com/news/new-lamehug-malware-deploys/
https://exchange.xforce.ibmcloud.com/osint/guid:a7ac52655f8248d6a48c41258c8b771e
Exploitation of Citrix Bleed 2 Started Before Exploit Availability
Lack of visibility or lack of transparency from the vendor; neither is good for the industry. This one is mainly for tracking purposes. We are seeing a lot of zero-day bugs coming out, several in this issue alone. Citrix shares indicators of attempted exploitation.
Social Engineering Through Teams for Initial Access
The malware is Matanbuchus 3.0, a loader that has been around since 2021 as a Malware-as-a-Service (MaaS). Researchers analyze an updated version. The delivery is the interesting part: a Teams call from someone pretending to be the IT help desk, followed by an install of Quick Assist.
https://engage.morphisec.com/hubfs/Matanbuchus%20Threat%20Analysis.pdf
Newer Malware-as-a-Service (MaaS) Katz Stealer Analyzed
A newer stealer, available since early 2025, Katz includes all the features you would expect from a modern stealer malware. It has robust data discovery and credential theft features as well as current anti-analysis and evasion features.
A 63% Increase in Disclosed Ransomware Attacks in Q2 2025
A whopping 276 confirmed attacks in Q2 2025, a 63% increase compared to the same period in 2024. Even worse are undisclosed attacks, at 1446 in Q2 2025. Clearly ransomware is here for the long haul. Data exfiltration transpired 95% of the time.
https://www.infosecurity-magazine.com/news/retail-ransomware-jump-globally-q2/
Social Engineering is all About Trust – Native Phishing
One compromised internal user account shares a malicious OneNote containing the lure URL, stored on OneDrive. Hundreds of users received a legitimate Microsoft email notification from a trusted colleague; it feels natural and normal. Researchers observed a high success rate.
https://www.varonis.com/blog/onenote-phishing
Interlock Remote Access Trojan Delivered via FileFix
A new PHP-based variant is making the rounds. Researcher mrd0x shared FileFix as a proof-of-concept last month. It’s a variation of the popular ClickFix technique. It was conceptual; now it’s in the wild. Hopefully it doesn’t get adopted en masse.
https://thehackernews.com/2025/07/new-php-based-interlock-rat-variant.html
https://thedfirreport.com/2025/07/14/kongtuke-filefix-leads-to-new-interlock-rat-variant/
https://thehackernews.com/2025/06/new-filefix-method-emerges-as-threat.html
Researchers Share Initial Access Techniques
Experts from Red Canary, MITRE ATT&CK, and Proofpoint share the ways adversaries are breaking into victim environments. They cover trends over the last two decades, ClickFix, email bombing, identity theft, and more.
https://redcanary.com/blog/threat-detection/initial-access-techniques/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter