Tracked as CVE-2025-12345, this flaw allows remote code execution (RCE) without authentication, potentially enabling attackers to compromise sensitive data or deploy malware on affected servers. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical zero-day vulnerability in Microsoft SharePoint Server to its Known Exploited Vulnerabilities catalog. It often spreads via drive-by downloads disguised as fake browser updates or security software, using the ClickFix social engineering technique to trick users into executing malicious PowerShell commands. A zero-day vulnerability in Microsoft SharePoint (CVE-2025-53770) has been exploited since July 18, 2025, affecting over 400 organizations, including U.S. government entities. A high-severity type confusion vulnerability (CVE-2024-12053) in Chrome’s V8 JavaScript engine has been exploited, allowing remote attackers to execute code via crafted web pages. Unknown hackers exploited a Microsoft SharePoint vulnerability chain to infiltrate the National Nuclear Security Administration, part of the Department of Energy. The platform facilitated stolen data sales, hacking tools, and ransomware services, generating an estimated €7 million for the admin. We’ve also seen advanced attacks targeting VMware infrastructure, along with a rise in new threats and cyber attacks that are changing global security strategies. Chinese-linked hackers APT41 launched a targeted espionage campaign against African government IT services, using Impacket’s Atexec and WmiExec modules for lateral movement and malware deployment. Detected on July 20, 2025, this move follows OFAC actions against Aeza for enabling ransomware and data theft. Interlock ransomware, active since September 2024, employs a double extortion model by encrypting and exfiltrating data from victims in North America and Europe.
It uses the ClickFix tactic, presenting fake error messages or CAPTCHAs that prompt users to run malicious commands, leading to backdoor installations on Windows and macOS. Attackers, identified as Storm-2603, deploy ransomware like Warlock, shifting from espionage to data encryption and extortion. These unauthenticated vulnerabilities enable attackers to execute arbitrary code as root, potentially leading to full system compromise. Attackers scan for open port 22, deploy malware like ShellBot or XMRig, and sometimes sell breached access on the dark web. Poorly managed Linux SSH servers are under attack via brute-force and dictionary methods to guess credentials, enabling the installation of DDoS bots, coinminers, and scanning tools. Microsoft released a patch in their latest security update, urging immediate application to mitigate risks. Security experts have detailed a new attack method that bypasses the Signaling System 7 (SS7) protocol, commonly used in mobile networks for call routing and SMS delivery. Threat actors are abusing Windows Run prompts to deliver DeerStealer, an info-stealer that extracts browser credentials, crypto wallets, and app data from over 800 extensions. They modify GRUB bootloaders for root access, install reverse shells, and extract domain data offline before encrypting VMs. Telecom providers are advised to implement enhanced authentication and monitoring to counter these threats, which have been observed in targeted espionage campaigns. Cisco has confirmed active exploitation of multiple critical RCE flaws in its Identity Services Engine (ISE), including CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337. The platform, a hub for malware and stolen data, was briefly defaced by law enforcement, but operators regained control via a domain registrar appeal. Recent campaigns have targeted global industries, including telecom, using fake CAPTCHAs to initiate infections. 
The malware enabled remote access, evading some antivirus software like Windows Defender. It fetches obfuscated payloads using ROT13 encoding, stores them in the database, and creates hidden admin accounts for persistent access.
This Cyber News was published on cybersecuritynews.com. Publication date: Sun, 27 Jul 2025 15:35:22 +0000