
BagheeraAltered's CyberSecurity Newsletter

July 21, 2025

CyberSecurity Newsletter July 21st 2025

In this week’s news: a malware family named LameHug that uses a large language model (LLM) to generate the commands it runs on compromised Windows systems; a critical container escape vulnerability in the NVIDIA Container Toolkit that could pose a severe threat to managed AI cloud services; emergency SharePoint security updates for two zero-day vulnerabilities, CVE-2025-53770 and CVE-2025-53771, exploited worldwide in the "ToolShell" attacks; Microsoft mistakenly tagging an ongoing Windows Firewall error message bug as fixed; a Phobos and 8-Base ransomware decryptor released by Japanese police that lets victims recover their files for free; a critical vulnerability in Cisco’s Identity Services Engine (ISE) that received the highest possible CVSS severity score; a PoisonSeed phishing campaign that bypasses FIDO2 security key protections by abusing the cross-device sign-in feature; a proof of concept (PoC) for CVE-2025-24813 in Apache Tomcat; and a PoC for the Ivanti Connect Secure remote command execution flaw.





A novel malware family named LameHug uses a large language model (LLM) to generate the commands it executes on compromised Windows systems. LameHug was discovered by Ukraine’s national cyber incident response team (CERT-UA), which attributed the attacks to the Russian state-backed threat group APT28 (a.k.a. Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Forest Blizzard).

https://www.bleepingcomputer.com/news/security/lamehug-malware-uses-ai-llm-to-craft-windows-data-theft-commands-in-real-time/

Cybersecurity researchers have disclosed a critical container escape vulnerability in the NVIDIA Container Toolkit that could pose a severe threat to managed AI cloud services. The vulnerability, tracked as CVE-2025-23266, carries a CVSS score of 9.0 out of 10.0. It has been codenamed NVIDIAScape by Google-owned cloud security company Wiz.
https://thehackernews.com/2025/07/critical-nvidia-container-toolkit-flaw.html

Microsoft has released emergency SharePoint security updates for two zero-day vulnerabilities tracked as CVE-2025-53770 and CVE-2025-53771 that have been used to compromise servers worldwide in the "ToolShell" attacks. In May, during the Berlin Pwn2Own hacking contest, researchers exploited a zero-day vulnerability chain called "ToolShell" to achieve remote code execution in Microsoft SharePoint. Those flaws were fixed as part of the July Patch Tuesday updates. However, threat actors then found two new zero-day vulnerabilities that bypass Microsoft's patches for the earlier flaws.
https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergency-patches-for-sharepoint-rce-flaws-exploited-in-attacks/

Microsoft has mistakenly tagged an ongoing Windows Firewall error message bug as fixed in recent updates and has since stated that it is still working on a resolution. Earlier this month, Microsoft warned that, starting with the June 2025 Windows 11 preview update, users would see Windows Firewall errors in the Event Viewer.
https://www.bleepingcomputer.com/news/microsoft/microsoft-mistakenly-tags-windows-firewall-error-log-bug-as-fixed/

The Japanese police have released a Phobos and 8-Base ransomware decryptor that lets victims recover their files for free, with BleepingComputer confirming that it successfully decrypts files. Phobos is a ransomware-as-a-service operation that launched in December 2018, enabling other threat actors to join as affiliates and utilize their encryption tool in attacks. In exchange, any ransom payments were split between the affiliate and the operators.
https://www.bleepingcomputer.com/news/security/new-phobos-ransomware-decryptor-lets-victims-recover-files-for-free/

Researchers are seeing exploitation attempts for the CVE-2025-48927 vulnerability in the TeleMessage SGNL app, which allows retrieving usernames, passwords, and other sensitive data. TeleMessage SGNL is a Signal clone app now owned by Smarsh, a compliance-focused company that provides cloud-based or on-premises communication solutions to various organizations.
https://www.bleepingcomputer.com/news/security/hackers-scanning-for-telemessage-signal-clone-flaw-exposing-passwords/

A new attack campaign has compromised more than 3,500 websites worldwide with JavaScript cryptocurrency miners, marking the return of browser-based cryptojacking attacks once popularized by the likes of CoinHive. Although that service shut down after browser makers moved to ban miner-related apps and add-ons, researchers from c/side said they found evidence of a stealthy miner packed within obfuscated JavaScript that assesses the computational power of a device and spawns background Web Workers to execute mining tasks in parallel without raising any alarm.
https://thehackernews.com/2025/07/3500-websites-hijacked-to-secretly-mine.html
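The structure described above (obfuscated script, a check of how many cores the device has, several Web Workers spawned to work in parallel) is something you can look for statically in the scripts a page loads. The following is an added example, not code from c/side or from the article: a small scoring heuristic that first undoes two common obfuscation tricks and then matches the indicators. The indicator list, weights, threshold and the two sample scripts are this example's own assumptions and constructed inputs, not a published signature or captured miner.

```javascript
// Added example (not code from c/side or the original article): a static
// scoring heuristic for the pattern the article describes, a script that
// sizes the device's CPU and spawns Web Workers to run a loop in parallel.
// The indicator list, weights and threshold are this example's own
// assumptions, not a published detection signature.

// Undo two cheap obfuscation tricks before matching: "\x68"/"\u0068" string
// escapes and split literals such as 'hard' + 'wareConcurrency'.
function normalize(src) {
  let s = src
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
  let prev;
  do {                                  // repeat until no 'a' + 'b' pair is left
    prev = s;
    s = s.replace(/(['"])([^'"\\]*)\1\s*\+\s*(['"])([^'"\\]*)\3/g,
                  (_, q, a, __, b) => `${q}${a}${b}${q}`);
  } while (s !== prev);
  return s;
}

// [name, pattern, weight]. hardwareConcurrency is the obvious way to "assess
// the computational power of a device"; Worker/Blob-URL spawning is how the
// parallel background threads get created. WebAssembly and visibility
// throttling are added as assumptions about how such miners usually look.
const INDICATORS = [
  ['core_count',    /hardwareConcurrency/,                                  3],
  ['worker_spawn',  /new\s+Worker\s*\(/,                                    2],
  ['inline_worker', /createObjectURL\s*\(\s*new\s+Blob/,                    2],
  ['wasm',          /WebAssembly\.(instantiate|compile)/,                   2],
  ['throttle',      /requestIdleCallback|document\.hidden|visibilityState/, 1],
];
const THRESHOLD = 5;

function scoreMinerIndicators(src) {
  const s = normalize(src);
  const hits = [];
  let score = 0;
  for (const [name, re, weight] of INDICATORS) {
    if (re.test(s)) { hits.push(name); score += weight; }
  }
  return { score, hits, suspicious: score >= THRESHOLD };
}

// Constructed samples (not captured from any real site). The first mimics the
// described structure without doing any work in the worker; the second is an
// ordinary page script.
const SAMPLE_SUSPECT = String.raw`(function(){
  var n = navigator["\x68ard" + "wareConcurrency"] || 2;
  var body = "self.onmessage = function (e) { for (;;) { /* hash loop */ } }";
  var url = URL.createObjectURL(new Blob([body]));
  for (var i = 0; i < n; i++) { new Worker(url).postMessage(i); }
})();`;
const SAMPLE_BENIGN = `document.querySelector("#go").addEventListener("click", function () {
  fetch("/api/items").then(function (r) { return r.json(); });
});`;

console.log(scoreMinerIndicators(SAMPLE_SUSPECT));
console.log(scoreMinerIndicators(SAMPLE_BENIGN));
```

The de-obfuscation step matters more than the indicator list: the same miner written as `navigator["\x68ard" + "wareConcurrency"]` scores zero against a naive string match. Treat a hit as a reason to pull the script and look at it, not as a verdict; legitimate video or image processing also uses `hardwareConcurrency` and workers.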

Direwolf ransomware group has claimed responsibility for coordinated cyberattacks on four major institutions across Asia and Latin America. These include Akribis Systems, Pergamon Status, Anadolu Hastaneleri, and Universidad Mayor, all of which have reportedly suffered data breaches and operational disruptions.
https://undercodenews.com/cyber-chaos-unleashed-direwolf-ransomware-strikes-four-major-organizations-worldwide/

A newly disclosed critical vulnerability in Cisco’s Identity Services Engine (ISE) has received the highest possible CVSS severity score—10 out of 10—raising urgent concerns for enterprise security teams. The flaw, tracked as CVE-2025-20337, allows unauthenticated attackers to exploit ISE by submitting specially crafted API requests, enabling them to upload malicious files, execute arbitrary code, and even gain root-level privileges.
https://dailysecurityreview.com/security-spotlight/cisco-ise-vulnerability-exposes-critical-remote-code-execution-risk-across-enterprise-networks/

A PoisonSeed phishing campaign is bypassing FIDO2 security key protections by abusing the cross-device sign-in feature in WebAuthn to trick users into approving login authentication requests shown on fake company portals. The PoisonSeed threat actors are known for large-volume phishing attacks aimed at financial fraud; in the past they distributed emails containing crypto seed phrases that were used to drain cryptocurrency wallets.
https://www.bleepingcomputer.com/news/security/threat-actors-downgrade-fido2-mfa-auth-in-poisonseed-phishing-attack/
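Cross-device sign-in is abused by relaying a genuine QR code, so the ceremony the victim's phone completes is against the real relying party and an origin check on clientDataJSON passes on its own. A relying party that wants to close the path has to decide on transport. The block below is an added example, not code from the article or from any WebAuthn library: it keeps the "hybrid" transport out of the assertion request, refuses credentials that were registered over it, and still does the clientDataJSON checks that every login needs. The RP ID, origin, credential records, challenge and the policy itself are assumptions made for the example; the signature check over authenticatorData is left out.

```javascript
// Added example, not code from the article or from any WebAuthn library: the
// relying-party (server) side of a FIDO2 login policy that (1) leaves the
// cross-device "hybrid" transport out of the assertion request and refuses
// credentials registered over it, and (2) checks clientDataJSON before any
// signature is verified. RP ID, origin, credential records and policy are
// assumptions for the example; authenticatorData signature verification is
// deliberately out of scope.

function b64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}
function b64urlEncode(buf) {
  return Buffer.from(buf).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

const RP_ID = 'login.example.com';                   // assumed
const EXPECTED_ORIGIN = 'https://login.example.com'; // assumed
// Transports the policy accepts. 'hybrid' (phone via QR code and BLE) is the
// cross-device path the campaign abuses, so it is not in the list.
const ALLOWED_TRANSPORTS = ['usb', 'nfc', 'internal'];

// A credential whose registration reported 'hybrid' among its transports is
// reachable from a phone through the cross-device flow.
function usesCrossDevice(cred) {
  return cred.transports.includes('hybrid');
}

// Options handed to navigator.credentials.get() on the client. The transports
// array is a hint to the browser; the hard enforcement is in assessAssertion.
function buildAssertionOptions(storedCredentials, challengeBytes) {
  return {
    challenge: b64urlEncode(challengeBytes),
    rpId: RP_ID,
    userVerification: 'required',
    allowCredentials: storedCredentials
      .filter(c => !usesCrossDevice(c))
      .map(c => ({
        type: 'public-key',
        id: c.id,
        transports: c.transports.filter(t => ALLOWED_TRANSPORTS.includes(t)),
      })),
  };
}

// clientDataJSON comes back base64url-encoded with the assertion.
function verifyClientData(clientDataB64url, expectedChallengeB64url) {
  const cd = JSON.parse(b64urlDecode(clientDataB64url).toString('utf8'));
  const problems = [];
  if (cd.type !== 'webauthn.get') problems.push(`unexpected type ${cd.type}`);
  if (cd.challenge !== expectedChallengeB64url) problems.push('challenge mismatch');
  if (cd.origin !== EXPECTED_ORIGIN) problems.push(`unexpected origin ${cd.origin}`);
  if (cd.crossOrigin === true) problems.push('cross-origin request');
  return { ok: problems.length === 0, problems };
}

// Final decision for one assertion response against the credential store.
function assessAssertion(assertion, storedCredentials, expectedChallengeB64url) {
  const cred = storedCredentials.find(c => c.id === assertion.id);
  if (!cred) return { decision: 'deny', reason: 'unknown credential id' };
  if (usesCrossDevice(cred)) {
    return { decision: 'deny', reason: 'credential registered over hybrid transport' };
  }
  const cd = verifyClientData(assertion.clientDataJSON, expectedChallengeB64url);
  if (!cd.ok) return { decision: 'deny', reason: cd.problems.join('; ') };
  // Signature check over authenticatorData || SHA-256(clientDataJSON) with the
  // stored public key would follow here.
  return { decision: 'allow', reason: 'policy checks passed' };
}

// ---- Constructed fixtures (not real credentials or browser output) ----
const STORED = [
  { id: 'key-usb-01', transports: ['usb', 'nfc'] },         // roaming security key
  { id: 'phone-01',   transports: ['hybrid', 'internal'] }, // phone passkey
];
// In production the challenge is crypto.randomBytes(32), stored per session.
const CHALLENGE_BYTES = Buffer.from('constructed-32-byte-challenge!!!');
const CHALLENGE = b64urlEncode(CHALLENGE_BYTES);
function makeClientData(origin, challenge) {
  return b64urlEncode(Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge, origin, crossOrigin: false })));
}
const GOOD = { id: 'key-usb-01', clientDataJSON: makeClientData(EXPECTED_ORIGIN, CHALLENGE) };
const PHONE = { id: 'phone-01', clientDataJSON: makeClientData(EXPECTED_ORIGIN, CHALLENGE) };
const WRONG_ORIGIN = { id: 'key-usb-01',
  clientDataJSON: makeClientData('https://login.example.com.evil.test', CHALLENGE) };

console.log(buildAssertionOptions(STORED, CHALLENGE_BYTES).allowCredentials);
console.log(assessAssertion(GOOD, STORED, CHALLENGE));
console.log(assessAssertion(PHONE, STORED, CHALLENGE));
console.log(assessAssertion(WRONG_ORIGIN, STORED, CHALLENGE));
```

The trade-off is explicit: a user whose only credential is a phone passkey cannot log in under this policy, which is why it fits high-value accounts that were issued hardware keys rather than a general consumer login. Browsers treat the transports hint as advisory, so do not rely on the filtered allowCredentials alone; the deny in assessAssertion is what actually holds.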

The UK government is warning that Russia's APT28 (also known as Fancy Bear or Forest Blizzard) has been deploying previously unknown malware to harvest Microsoft email credentials and steal access to compromised accounts.
https://www.theregister.com/2025/07/20/uk_microsoft_snooping_russia/

Cybersecurity researchers have disclosed details of a new malware called MDifyLoader that has been observed in conjunction with cyber attacks exploiting security flaws in Ivanti Connect Secure (ICS) appliances. According to a report published by JPCERT/CC today, the threat actors behind the exploitation of CVE-2025-0282 and CVE-2025-22457 in intrusions observed between December 2024 and July 2025 have weaponized the vulnerabilities to drop MDifyLoader, which is then used to launch Cobalt Strike in memory.
https://thehackernews.com/2025/07/ivanti-zero-days-exploited-to-drop.html

Cybersecurity researchers have shed light on a mobile forensics tool called Massistant that's used by law enforcement authorities in China to gather information from seized mobile devices. The hacking tool, believed to be a successor of MFSocket, is developed by a Chinese company named SDIC Intelligence Xiamen Information Co., Ltd., which was formerly known as Meiya Pico. It specializes in the research, development, and sale of electronic data forensics and network information security technology products.
https://thehackernews.com/2025/07/chinas-massistant-tool-secretly.html

Aircraft systems are getting more connected and ground operations increasingly integrated, and attackers are taking notice. They’re shifting from minor disruptions to targeting critical systems with serious intent. Any time an aircraft transmits data, whether it’s flight position updates or maintenance alerts, it is vulnerable to interception by third parties.
https://www.helpnetsecurity.com/2025/07/21/aviation-industry-cybersecurity-crisis/

One password is believed to have been all it took for a ransomware gang to destroy a 158-year-old company and put 700 people out of work. In 2023, KNP was running 500 lorries – most under the brand name Knights of Old. The company said its IT complied with industry standards and it had taken out insurance against cyber-attack. But a gang of hackers, known as Akira, got into the system leaving staff unable to access any of the data needed to run the business. The only way to get the data back, said the hackers, was to pay.
https://www.bbc.com/news/articles/cx2gx28815wo

A proof of concept (PoC) exploit for CVE-2025-24813, a remote code execution (RCE) vulnerability in Apache Tomcat. The vulnerability allows an attacker to upload a malicious serialized payload to the server, leading to arbitrary code execution via deserialization when specific conditions are met. Per Apache's advisory those conditions include the DefaultServlet being configured writable (readonly=false, which is not the default), partial PUT support (enabled by default), file-based session persistence in the default location, and a deserialization-gadget library on the classpath.
https://github.com/absholi7ly/POC-CVE-2025-24813

CVE-2025-0282 is a critical vulnerability in Ivanti Connect Secure that allows remote command execution (RCE) through a stack-based buffer overflow. The vulnerability enables attackers to upload malicious files (e.g., web shells) and execute commands on the target system with elevated privileges. Updating affected systems to the latest version is strongly recommended to mitigate the risk of exploitation.
https://github.com/absholi7ly/CVE-2025-0282-Ivanti-exploit

Hewlett-Packard Enterprise (HPE) has released security updates to address a critical security flaw affecting Instant On Access Points that could allow an attacker to bypass authentication and gain administrative access to susceptible systems. The vulnerability, tracked as CVE-2025-37103, stems from hard-coded login credentials and carries a CVSS score of 9.8 out of a maximum of 10.0.
https://thehackernews.com/2025/07/hard-coded-credentials-found-in-hpe.html

Singapore accused China-linked APT group UNC3886 of targeting its critical infrastructure. UNC3886 is a sophisticated China-linked cyber espionage group that targets network devices and virtualization technologies using zero-day exploits. Its primary focus is on defense, technology, and telecommunications sectors in the US and Asia.
https://securityaffairs.com/180179/uncategorized/singapore-warns-china-linked-group-unc3886-targets-its-critical-infrastructure.html

The financially motivated threat actor known as EncryptHub (aka LARVA-208 and Water Gamayun) has been attributed to a new campaign that's targeting Web3 developers to infect them with information stealer malware.
https://thehackernews.com/2025/07/encrypthub-targets-web3-developers.html

Trellix Advanced Research Center has exposed a new wave of highly sophisticated SquidLoader malware actively targeting financial services institutions in Hong Kong. This discovery, detailed in Trellix’s technical analysis, shared with Hackread.com, highlights a significant threat due to the malware’s near-zero detection rates on VirusTotal at the time of analysis. Evidence also points to a broader campaign, with similar samples observed targeting entities in Singapore and Australia.
https://hackread.com/squidloader-malware-hits-hong-kong-financial-firms/

CloudSEK has exposed a large-scale illegal financial operation in India, allegedly run by Chinese cyber syndicates, that’s laundering over $580 million (₹5,000 crores) annually. This shadow banking empire uses illegal payment gateways, fake mobile apps, and a network of mule accounts to move dirty money, posing a significant threat to India’s financial and national security.
https://hackread.com/chinese-groups-launder-india-fake-apps-mule-accounts/

Radiology Associates of Richmond has disclosed a data breach that impacted personal and health information of over 1.4 million individuals. Radiology Associates of Richmond (RAR) is a private radiology practice founded in 1905 and based in central Virginia. With over 100 years of continuous operation, RAR provides comprehensive diagnostic and interventional imaging services, including X‑rays, CT scans, MRI, ultrasound, mammography, nuclear medicine, and advanced vascular and neuro‑interventional procedures, across several hospital and outpatient facilities in the Richmond area.
https://securityaffairs.com/180128/data-breach/radiology-associates-of-richmond-data-breach-impacts-1-4-million-people.html

Hackers began exploiting a critical Fortinet FortiWeb flaw, tracked as CVE-2025-25257 (CVSS score of 9.6), on July 11, the same day a proof-of-concept (PoC) exploit was published, leading to dozens of compromised systems.
https://securityaffairs.com/180118/hacking/fortinet-fortiweb-flaw-cve-2025-25257-exploited-hours-after-poc-release.html

CrushFTP is warning that threat actors are actively exploiting a zero-day vulnerability tracked as CVE-2025-54309, which allows attackers to gain administrative access via the web interface on vulnerable servers. CrushFTP is an enterprise file transfer server used by organizations to securely share and manage files over FTP, SFTP, HTTP/S, and other protocols.
https://www.bleepingcomputer.com/news/security/new-crushftp-zero-day-exploited-in-attacks-to-hijack-servers/

Arch Linux has pulled three malicious packages from the Arch User Repository (AUR) that were used to install the CHAOS remote access trojan (RAT) on Linux devices. The packages were named "librewolf-fix-bin", "firefox-patch-bin", and "zen-browser-patched-bin," and were uploaded by the same user, "danikpapas," on July 16.
https://www.bleepingcomputer.com/news/security/arch-linux-pulls-aur-packages-that-installed-chaos-rat-malware/

WineLab, the retail store of the largest alcohol company in Russia, has closed its stores following a cyberattack that is impacting its operations and causing purchase problems to its customers. Its parent company, Novabev Group, informed earlier this week that hackers had breached its IT systems. “On July 14, the group was subjected to an unprecedented cyberattack—a large-scale and coordinated operation carried out by hackers,” the company said.
https://www.bleepingcomputer.com/news/security/russian-alcohol-retailer-winelab-closes-stores-after-ransomware-attack/

Multiple sectors in China, Hong Kong, and Pakistan have become the target of a threat activity cluster tracked as UNG0002 (aka Unknown Group 0002) as part of a broader cyber espionage campaign. "This threat entity demonstrates a strong preference for using shortcut files (LNK), VBScript, and post-exploitation tools such as Cobalt Strike and Metasploit, while consistently deploying CV-themed decoy documents to lure victims," Seqrite Labs researcher Subhajeet Singha said in a report published this week.
https://thehackernews.com/2025/07/ung0002-group-hits-china-hong-kong.html

Cryptocurrency exchange BigONE confirmed a major security breach on July 16, during which threat actors stole $27 million worth of digital assets from the platform’s hot wallet. The breach was detected in the early hours, when abnormal asset movements triggered internal alarms.
https://dailysecurityreview.com/security-spotlight/bigone-crypto-exchange-hacked-27-million-stolen-in-hot-wallet-attack/

Louis Vuitton has confirmed that multiple regional data breaches affecting customers in the UK, South Korea, Turkey, Italy, and Sweden are all tied to the same cybersecurity incident. The announcement comes amid a series of customer notifications issued over the past week, as the company works to contain the breach and investigate its origins.
https://dailysecurityreview.com/security-spotlight/louis-vuitton-confirms-multi-country-data-breaches-linked-to-single-cyberattack/

The UK National Cyber Security Centre (NCSC) has formally attributed ‘Authentic Antics’ espionage malware attacks to APT28 (Fancy Bear), a threat actor already linked to Russia’s military intelligence service (GRU). The NCSC revealed in a detailed technical analysis of the Authentic Antics malware dated May 6th that it is stealing credentials and OAuth 2.0 tokens that allow access to a target's email account.
https://www.bleepingcomputer.com/news/security/uk-ties-russian-gru-to-authentic-antics-credential-stealing-malware/

Russian military intelligence (GRU)-linked threat actors have been using previously unknown malicious software to enable espionage against victim email accounts, the UK’s National Cyber Security Centre (NCSC) has reported. The new sophisticated malware has been dubbed “Authentic Antics,” and the NCSC has said threat group APT28, which itself is linked to the GRU, has been responsible for deploying the malicious software.
https://www.infosecurity-magazine.com/news/new-malware-targeting-email/
