- Content source
- https://malwaretips.com/
Daily Cybersecurity Roundup – July 25 2025
1. Mitel patches critical MiVoice MX‑ONE login bypass
A critical vulnerability in Mitel’s MiVoice MX‑ONE communications system allowed unauthenticated attackers to bypass the Provisioning Manager and gain administrator access, due to improper access control. Mitel has patched the flaw and also fixed a separate SQL‑injection bug in its MiCollab platform.
*Source: https://www.bleepingcomputer.com/ne...l-mivoice-mx-one-authentication-bypass-flaw/*
2. CastleLoader malware hits hundreds via fake GitHub repos
Researchers exposed “CastleLoader,” a modular malware loader that spreads through Cloudflare‑themed “ClickFix” phishing sites and typosquatted GitHub repositories. The loader uses dead‑code injection to evade detection and acts as a staging mechanism for info‑stealers and RATs; by July 24 it had compromised about 469 devices.
*Source: https://thehackernews.com/2025/07/castleloader-malware-infects-469.html*
3. Sophos and SonicWall rush to fix pre‑auth RCE flaws
Sophos warned customers that flaws in its firewall’s SPX feature (CVE‑2025‑6704) and SMTP proxy (CVE‑2025‑7624) could allow attackers to write files or inject SQL and remotely execute code; patches are available. SonicWall simultaneously patched a critical SMA 100 vulnerability (CVE‑2025‑40599) that allows arbitrary file uploads and recommends disabling remote management.
*Source: https://thehackernews.com/2025/07/sophos-and-sonicwall-patch-critical-rce.html*
4. “Fire Ant” espionage group exploits VMware to pivot across networks
The China‑linked threat actor dubbed Fire Ant is targeting ESXi hosts and vCenter servers by chaining VMware vulnerabilities CVE‑2023‑34048 and CVE‑2023‑20867. The group uses layered techniques, including V2Ray for cross‑segment tunneling and log tampering, to infiltrate restricted network segments.
*Source: https://thehackernews.com/2025/07/fire-ant-exploits-vmware-flaw-to.html*
5. Coyote banking Trojan abuses Windows UI Automation
A new variant of the Coyote banking malware is the first seen abusing Microsoft’s UI Automation accessibility framework. When the malware fails to detect targeted banking sites, it uses UIA to scrape browser address bars and tabs to identify more than 75 financial and cryptocurrency services, evading detection.
*Source: https://www.bleepingcomputer.com/ne...dows-accessibility-framework-for-data-theft/*
6. ToolShell SharePoint zero‑day breaches more than 400 servers
The supply‑chain attack dubbed “ToolShell” exploited a spoofing flaw and a remote‑code‑execution bug to compromise at least 400 SharePoint servers. Chinese threat groups Linen Typhoon, Violet Typhoon and Storm‑2603 deployed malware including Warlock and LockBit ransomware, and U.S. victims included federal agencies.
*Source: https://www.securityweek.com/toolsh...repoint-servers-us-government-victims-named/*
7. FBI warns of “Interlock” ransomware’s drive‑by infection method
A joint FBI‑CISA‑HHS advisory describes Interlock ransomware, which gains initial access through drive‑by downloads on compromised websites and uses “ClickFix” social engineering to trick users into executing malicious payloads. The operation targets critical infrastructure, employs double‑extortion and sometimes drops information‑stealing malware.
*Source: https://industrialcyber.co/cisa/us-...ical-infrastructure-in-north-america-europe/*
8. UK proposes ban on ransomware payments by critical services
The UK government is consulting on rules that would prohibit public bodies and critical infrastructure operators from paying ransoms, with mandatory notification for private companies considering payments. Officials hope the measure will cut off criminals’ revenue, though experts warn it could shift focus to data theft.
*Source: https://www.gov.uk/government/news/uk-to-lead-crackdown-on-cyber-criminals-with-ransomware-measures*
9. White House rolls out AI Cybersecurity Action Plan
The Trump administration released a 24‑page AI security strategy outlining over 90 actions, from “secure by design” AI systems to the creation of an AI Information Sharing and Analysis Center. The plan tasks NIST with integrating AI into incident‑response playbooks and has sparked debate over its balance between innovation and safety.
*Source: https://www.cybernewscentre.com/24t...asic-takes-legal-action-compliance-failures/*
10. Australian regulator sues wealth firm after dark‑web data leak
The Australian Securities and Investments Commission filed a lawsuit against Fortnum Private Wealth, alleging poor cybersecurity allowed hackers to steal 9,828 clients’ personal data and post it on the dark web. The breaches occurred between 2021 and 2023 and included compromised email accounts and a September 2022 intrusion that exfiltrated 200 GB of data.
*Source: Australian Regulator Alleges Financial Firm Exposed Clients to Unaccep
11. Europol arrests administrator of major hacking forum
Europol, with Ukrainian police, arrested the suspected administrator of the Russian‑language cybercrime forum xss.is. The forum had over 50,000 users, and the suspect allegedly earned more than €7 million by facilitating ransomware negotiations and selling stolen data, marking a notable international law‑enforcement success.
*Source: https://www.europol.europa.eu/media...peaking-cybercrime-forum-targeted-in-ukraine*
12. Active exploitation of Cisco ISE vulnerabilities
Attackers are actively exploiting maximum‑severity flaws (CVE‑2025‑20281, ‑20282 and ‑20337) in Cisco Identity Services Engine that allow unauthenticated remote code execution. Cisco released patches in June and July, but exploitation attempts prompted urgent update advisories from security agencies.
*Source: https://www.bleepingcomputer.com/ne...rity-ise-rce-flaws-now-exploited-in-attacks/*
13. SysAid vulnerabilities added to CISA KEV catalogue
CISA added two critical SysAid flaws (CVE‑2025‑2775 and ‑2776) to its Known Exploited Vulnerabilities catalogue. Discovered by WatchTowr and patched in March, the pre‑authentication XML external entity (XXE) issues allow reading arbitrary files and administrative account takeover.
*Source: https://www.securityweek.com/cisa-warns-of-sysaid-vulnerability-exploitation/*
14. AMEOS hospital network discloses cyber‑attack
AMEOS Group, operating more than 100 hospitals across Switzerland, Germany and Austria, announced that hackers accessed its IT systems and may have obtained patient, staff and partner data. The breach occurred July 7 but was disclosed on July 22; forensic investigations are ongoing, with no ransomware detected.
*Source: https://www.bleepingcomputer.com/ne...ealthcare-network-discloses-security-breach/*
15. Phishing attack compromises popular NPM packages
Attackers created a copy of the NPM site at npnjs.com and sent personalized phishing emails with tokenized links to popular package maintainers. Stolen credentials were used to publish malicious versions of widely used packages (eslint‑config‑prettier, napi‑postinstall, @pkgr/core, synckit) that attempted to run a malicious DLL; the compromise could affect millions of projects.
*Source: https://www.securityweek.com/high-value-npm-developers-compromised-in-new-phishing-campaign/*
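A defender reading item 15 will want to know whether any of the named packages sit in their own dependency tree, and whether every tarball in the lockfile really comes from the official npm registry rather than a look-alike host such as the npnjs.com domain used in the phishing campaign. The script below is an added example for this roundup, not code from the post, from SecurityWeek, or from any of the affected projects. It scans a package-lock.json (v2/v3 "packages" layout), reports hits on the four package names the story lists, and flags entries resolved from anywhere other than registry.npmjs.org. The lockfile it reads is constructed for the demo; the version numbers in it are placeholders, not the malicious versions, which the post does not give, so every hit is printed for manual comparison with the advisory.

```python
"""
Added example (not from the MalwareTips post or any project it cites):
scan a package-lock.json for the package names in the npm phishing story
and flag tarballs not resolved from the official registry.
"""
import json
from urllib.parse import urlparse

# Package names from item 15 of the roundup. The affected versions are not
# stated in the post, so every occurrence is reported for manual review.
WATCHED_PACKAGES = {
    "eslint-config-prettier",
    "napi-postinstall",
    "@pkgr/core",
    "synckit",
}
OFFICIAL_REGISTRY_HOST = "registry.npmjs.org"

# Constructed lockfile (lockfileVersion 3: a "packages" map keyed by path).
# Versions are placeholders; the left-pad entry deliberately points at the
# look-alike host from the story to exercise the off-registry check.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"synckit": "^0.11.0"}},
        "node_modules/synckit": {
            "version": "0.11.0",  # placeholder version
            "resolved": "https://registry.npmjs.org/synckit/-/synckit-0.11.0.tgz",
        },
        "node_modules/@pkgr/core": {
            "version": "0.2.0",  # placeholder version
            "resolved": "https://registry.npmjs.org/@pkgr/core/-/core-0.2.0.tgz",
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://npnjs.com/left-pad/-/left-pad-1.3.0.tgz",  # constructed
        },
    },
})


def package_name_from_path(path: str) -> str:
    """Map a lockfile path to the package it installs.

    'node_modules/@scope/name'             -> '@scope/name'
    'node_modules/a/node_modules/b'        -> 'b'   (nested dependency)
    """
    _head, sep, tail = path.rpartition("node_modules/")
    return tail if sep else path


def scan_lockfile(lock_text: str) -> dict:
    """Return {'watched': [(name, version)], 'off_registry': [(name, host)]}."""
    lock = json.loads(lock_text)
    watched, off_registry = [], []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself, not a dependency
        name = entry.get("name") or package_name_from_path(path)
        version = entry.get("version", "?")
        if name in WATCHED_PACKAGES:
            watched.append((name, version))
        resolved = entry.get("resolved")
        if resolved:
            host = urlparse(resolved).hostname or ""
            if host != OFFICIAL_REGISTRY_HOST:
                off_registry.append((name, host))
    return {"watched": sorted(watched), "off_registry": sorted(off_registry)}


if __name__ == "__main__":
    report = scan_lockfile(SAMPLE_LOCKFILE)
    for name, version in report["watched"]:
        print(f"REVIEW  {name}@{version}: named in the npm phishing advisory")
    for name, host in report["off_registry"]:
        print(f"WARN    {name}: tarball resolved from {host}, not {OFFICIAL_REGISTRY_HOST}")
```

To run it against a real project, replace SAMPLE_LOCKFILE with the contents of the project's package-lock.json. Older v1 lockfiles use a nested "dependencies" tree instead of the flat "packages" map and are not handled here; a private registry mirror will also trip the off-registry check, so add its hostname to the allowed set rather than disabling the check.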
---
Let’s Discuss
1. Which of today’s stories concerns you the most, and why?
2. Have you implemented any of the recommended mitigations (e.g., patching SharePoint or Cisco ISE, restricting MiVoice access)?
3. What additional defenses should organizations adopt to prepare for sophisticated espionage campaigns like Fire Ant or emergent threats such as GPU‑level attacks?
Feel free to share your thoughts and experiences below!