Cyber Threat Weekly – #88
The week of July 21st through July 27th, roughly 355 cyber news articles were reviewed. A moderate amount of cyber threat trends and adversarial behavior news to share. Been thinking about principal-based security.
Zero trust, which is essentially principal-based security, keeps coming up. The realization of GenAI and Agentic AI is forcing us to look at data governance, identity governance, privacy governance, and principal-based security in interesting ways. It’s always been needed to defend against an aggressive adversary, but now we need to control the access AI technologies can have.
Let’s start with an aggressive Scattered Spider VMware attack campaign. Multiple vendors are sharing on-prem SharePoint threat briefs. Open-source repositories continue to be targeted by malicious actors. A possible AI-generated Linux miner.
The FBI releases an alert on ‘The Com’. Researchers share details on the new-ish Chaos ransomware gang. Lumma Stealer appears to be back. Coveware Q2 2025 Ransomware Report. Joint advisory released on Interlock ransomware.
Cisco ISE bugs now actively exploited.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months. We continue to share n-day vulnerabilities being actively exploited. Priority #1: start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs. If it’s in the catalog, it should be patched.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
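The prioritization described above (KEV first, weaponized PoC second, Internet exposure as a tie-breaker), as an added example that is not part of the original newsletter. It assumes a KEV-style JSON feed (field names mirror CISA's published catalog layout) and a simple asset inventory with an `internet_exposed` flag; every record is a constructed sample, and the `CVE-PLACEHOLDER-*` IDs stand in for vulnerabilities not in the catalog.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the CISA KEV JSON layout; only the CVE IDs come from the newsletter.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-53770", "vendorProject": "Microsoft", "product": "SharePoint",
     "dateAdded": "2025-07-20", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-54309", "vendorProject": "CrushFTP", "product": "CrushFTP",
     "dateAdded": "2025-07-22", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory: CVEs that apply to each host and whether it faces the Internet.
INVENTORY = [
    {"host": "build-07", "cves": ["CVE-PLACEHOLDER-1"], "internet_exposed": False},
    {"host": "sp-web-01", "cves": ["CVE-2025-53770"], "internet_exposed": False},
    {"host": "ftp-dmz-02", "cves": ["CVE-2025-54309"], "internet_exposed": True},
    {"host": "lab-03", "cves": ["CVE-PLACEHOLDER-2"], "internet_exposed": True},
]

# Constructed stand-in for a "weaponized PoC available" intel source (priority #2).
WEAPONIZED_POC = {"CVE-PLACEHOLDER-1"}

# Fixed assessment time so the output is reproducible (constructed).
ASSESSMENT_TIME = datetime(2025, 7, 28, 9, 0)

def triage(kev_json, inventory, weaponized, now):
    """Return one row per (host, CVE) with a priority tier and patch deadline, most urgent first."""
    kev = {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}
    rows = []
    for asset in inventory:
        for cve in asset["cves"]:
            if cve in kev:                      # Priority #1: in KEV -> 24h emergency window
                prio, deadline = 1, now + timedelta(hours=24)
            elif cve in weaponized:             # Priority #2: weaponized PoC -> 48h window
                prio, deadline = 2, now + timedelta(hours=48)
            else:                               # Everything else: normal patch cycle
                prio, deadline = 3, None
            rows.append({"host": asset["host"], "cve": cve, "priority": prio,
                         "internet_exposed": asset["internet_exposed"], "deadline": deadline})
    # Within a priority tier, Internet-exposed assets come first (smaller exposed surface sooner).
    rows.sort(key=lambda r: (r["priority"], not r["internet_exposed"], r["host"]))
    return rows

if __name__ == "__main__":
    for r in triage(KEV_FEED, INVENTORY, WEAPONIZED_POC, ASSESSMENT_TIME):
        due = r["deadline"].isoformat(timespec="minutes") if r["deadline"] else "regular cycle"
        print(f'P{r["priority"]} {r["host"]:<10} {r["cve"]:<18} exposed={r["internet_exposed"]} due={due}')
```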
CISA Known Exploited Vulnerabilities – July 21st to July 27th:
CVE-2025-2775 – SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability:
Allows for administrator account takeover and file read primitives.
CVE-2025-2776 – SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability:
Allows for administrator account takeover and file read primitives.
CVE-2025-6558 – Google Chromium ANGLE and GPU Improper Input Validation Vulnerability:
Could allow a remote attacker to potentially perform a sandbox escape via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
CVE-2025-54309 – CrushFTP Unprotected Alternate Channel Vulnerability:
When the DMZ proxy feature is not used, CrushFTP mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS.
CVE-2025-49704 – Microsoft SharePoint Code Injection Vulnerability:
Could allow an authorized attacker to execute code over a network. This vulnerability could be chained with CVE-2025-49706. The update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704.
CVE-2025-49706 – Microsoft SharePoint Improper Authentication Vulnerability:
Could allow an attacker to view sensitive information and make some changes to disclosed information. This vulnerability could be chained with CVE-2025-49704. The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706.
VMware ESXi Scattered Spider Attack Operations
Researchers observe the threat actors and provide a walk-through of their operations. Typical Scattered Spider: starting with social engineering, then using living-off-the-land techniques to move laterally into ESXi environments. Researchers also share detection opportunities and a hardening guide. Worth the read.
https://cloud.google.com/blog/topics/threat-intelligence/defending-vsphere-from-unc3944
On-Prem SharePoint Exploitation Threat Briefs
Multiple vendors share updates on SharePoint active exploitation. Unit42 shares three variants, Fortinet a high-level walk-through, and ESET a quick overview, IoCs, and TTPs. SANS decodes an exploit and notes that the machine key is compromised: rotate keys.
https://www.fortinet.com/blog/threat-research/inside-the-toolshell-campaign
https://isc.sans.edu/diary/rss/32138
Open-Source Repository Attack Stories
There continue to be multiple attacks on open-source repositories; we’re rolling several stories under this thread.
Researchers Snag AI Generated Linux Miner Malware
Being skeptical, wanted to share for tracking purposes. We may be seeing AI-generated malware more often than we like. Researchers caught a new malware sample in a honeypot and ran it through an AI detection tool, which indicated it is AI-generated and sophisticated.
https://www.darkreading.com/threat-intelligence/ai-generated-linux-miner-koske
https://www.aquasec.com/blog/ai-generated-malware-in-panda-image-hides-persistent-linux-threat/
The FBI Releases an Alert on ‘The Com’
This isn’t the first time ‘The Com’, a loosely organized cybercriminal group, has been detailed. The group targets younger individuals 11 to 25 years old and is composed mostly of native English speakers. Scattered Spider is a subgroup of ‘The Com’.
https://therecord.media/fbi-the-com-ransomware-swatting-alert
https://www.ic3.gov/PSA/2025/PSA250723-3
Chaos Ransomware Group Operations
Researchers dive into the Chaos ransomware threat actor’s operations. They are a ransomware-as-a-service operator, use double extortion, and threaten to DDoS victims and call their competitors and clients if not paid. TTPs and more are shared.
https://blog.talosintelligence.com/new-chaos-ransomware/
It’s Back and Highly Evasive – Lumma Stealer
The FBI takedown was short-lived. It looks like the malware-as-a-service is ramping back up. Lumma is using ClickFix and other techniques for distribution. The group is resilient and looking to stay in the game.
https://www.darkreading.com/endpoint-security/lumma-stealer-stealthier-than-ever
https://www.trendmicro.com/en_us/research/25/g/lumma-stealer-returns.html
Coveware Q2 2025 Ransomware Report
Targeted social engineering seems to be a go-to tactic for several ransomware gangs. The average ransom payment rose to $1,130,070, its highest level since Coveware started tracking. Many threat actors are moving to the extortion-only model, with 40% of victims paying.
Interlock Ransomware Joint Advisory Released
FBI, HHS, CISA, and MS-ISAC release a joint advisory on Interlock ransomware. The encryptor targets Windows, Linux, and virtual machines. They utilize double extortion to pressure victims. Healthcare as well as other verticals have been hit.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a
Cisco ISE Bugs Actively Exploited
The bugs are remote code execution (RCE) flaws in Cisco’s Identity Services Engine (ISE). They are tracked as CVE-2025-20281, CVE-2025-20282, and CVE-2025-20283, and all three are rated the maximum CVSS score of 10.0.
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter