Weekly Threat Landscape Digest – Week 28

1. Microsoft July 2025 Patch Tuesday – Security Updates

Microsoft has released its July 2025 Patch Tuesday updates, addressing 137 security vulnerabilities, including 14 critical issues and one publicly disclosed zero-day in Microsoft SQL Server. These flaws affect key Microsoft products such as SQL Server, Microsoft Office, SharePoint, Windows OS, and Hyper-V, posing significant risks to enterprise environments.

The most severe among them is CVE-2025-49719, an information disclosure vulnerability in SQL Server that allows remote, unauthenticated attackers to access uninitialized memory. Additionally, multiple Remote Code Execution (RCE) vulnerabilities have been patched, especially within Office and SharePoint, which are commonly targeted in real-world attacks.

Key Vulnerabilities:

• CVE-2025-49719 (Zero-Day in SQL Server)
  • Type: Information Disclosure
  • Attack Vector: Remote, unauthenticated
  • Fix: Apply the latest SQL Server update and Microsoft OLE DB Driver 18 or 19
• CVE-2025-47981 (SPNEGO NEGOEX RCE) – CVSS 9.8
• CVE-2025-49704 (SharePoint RCE) – CVSS 8.8
• CVE-2025-49695, 49696, 49697 (Office RCE) – CVSS 8.4
• CVE-2025-49698, 49702, 49703 (Word RCE) – CVSS 7.8
• CVE-2025-48822, 29828 (Hyper-V RCE) – CVSS 8.6 / 8.1
• CVE-2025-49717 (SQL Server RCE) – CVSS 8.5
• CVE-2025-49735 (Kerberos KDC Proxy RCE) – CVSS 8.1

Other Issues:

• CVE-2025-47980 – Microsoft Imaging Component Info Disclosure
• CVE-2025-36350 / 36357 – AMD CPU Side-Channel Vulnerabilities

Recommendations:

• Apply all July 2025 patches immediately, prioritizing SQL Server, Office, SharePoint, and Hyper-V.
• Address the zero-day by updating SQL Server and installing Microsoft OLE DB Driver 18 or 19.
• Monitor systems using Microsoft Office LTSC for Mac, as security updates are still pending.
• Review exposure to AMD side-channel issues in virtualized environments.
• Conduct regular patch audits and vulnerability assessments.

Reference:
https://msrc.microsoft.com/update-guide/releaseNote/2025-Jul

2. Zoom Client Vulnerabilities – July 2025 Security Update

Zoom Video Communications, Inc. has released a security advisory addressing six new vulnerabilities affecting Zoom Clients and the Zoom Workplace application across Windows, macOS, iOS, and Linux platforms. These flaws include buffer overflows, improper authentication, certificate validation issues, and cross-site scripting vulnerabilities.

The most critical of these is CVE-2025-46788, a high-severity certificate validation flaw in Zoom Workplace for Linux. If exploited, it may allow attackers to perform man-in-the-middle (MITM) attacks or impersonate trusted services.

Two classic buffer overflow vulnerabilities in Zoom Clients for Windows (ZSB-25024 and ZSB-25028) can lead to Denial-of-Service (DoS) by crashing the client or freezing video services. These flaws are exploitable by network-accessible attackers without the need for elevated privileges.

Key Vulnerabilities:

• CVE-2025-46788 – High – Improper Certificate Validation (Linux)
• CVE-2025-46789 – Medium – Buffer Overflow (Windows)
• CVE-2025-49465 – Medium – Buffer Overflow (Windows)
• CVE-2025-49464 – Medium – Improper Authentication (macOS)
• CVE-2025-49463 – Medium – Insufficient Control Flow (iOS)
• CVE-2025-49462 – Low – Cross-site Scripting

Recommendations:

• Immediately update Zoom Clients on all platforms to the latest patched versions.
• Enforce organization-wide auto-update policies for third-party software like Zoom.
• Monitor endpoints for unusual Zoom behavior and verify certificate trust chains.

Reference:
https://www.zoom.com/en/trust/security-bulletin/

3. Ivanti Security Updates 

Ivanti has released security updates addressing multiple medium-severity vulnerabilities affecting Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products. These issues affect versions prior to ICS 22.7R2.8 and IPS 22.7R1.5, and although exploitation requires authenticated access, attackers could potentially make unauthorized configuration changes, trigger denial of service (DoS), access sensitive logs, or reach internal network services.

No active exploitation has been reported as of the disclosure date. However, given the range of impacts, organizations are strongly advised to review access controls and apply updates immediately.

Key Vulnerabilities:

• CVE-2025-5450 – Improper certificate access control (CVSS 6.3)
• CVE-2025-5451 – Stack-based buffer overflow (CVSS 4.9)
• CVE-2025-5463 – Log file info disclosure (CVSS 5.5)
• CVE-2025-5464 – Similar log file info exposure (CVSS 6.5)
• CVE-2025-0293 – CRLF injection (CVSS 6.6)
• CVE-2025-0292 – SSRF to internal network access (CVSS 5.5)

Affected Versions:

• Ivanti Connect Secure (ICS) ≤ 22.7R2.7 → Fixed in 22.7R2.8
• Ivanti Policy Secure (IPS) ≤ 22.7R1.4 → Fixed in 22.7R1.5

Recommendations:

• Immediately upgrade to the latest versions of ICS and IPS.
• Review and restrict administrative privileges to minimize access-related risks.
• Monitor systems for unusual activity related to configuration or internal resource access.

Reference:
https://forums.ivanti.com/s/article/July-Security-Advisory-Ivanti-Connect-Secure-and-IvantiPolicy-Secure-MultipleCVEs?language=en_US

4. SAP Security Updates 

SAP has released its July 2025 Patch Day bulletin, addressing 27 vulnerabilities across its enterprise suite. Among these, seven are rated critical, with the most severe—CVE-2025-30012—scoring a perfect CVSS 10.0. This vulnerability affects SAP Supplier Relationship Management (SRM) Live Auction Cockpit and results from a combination of multiple flaws, potentially allowing unauthenticated attackers to execute arbitrary code and gain full system control.

Highlighted Critical Vulnerabilities:

• CVE-2025-30012 – Composite flaw in SAP SRM Live Auction Cockpit
  • CVSS: 10.0 (Critical)
  • Version: SRM_SERVER 7.14
  • Impact: Remote code execution, privilege escalation
• CVE-2025-42967 – Code injection in SAP S/4HANA & SAP SCM
  • CVSS: 9.9
  • Versions: SCMAPO 713/714, S4CORE 102–108, SCM 700–712
• CVE-2025-42980 – Insecure deserialization in SAP NetWeaver EP Federated Portal
  • CVSS: 9.1
  • Version: EP-RUNTIME 7.50
• CVE-2025-42964 – Insecure deserialization in SAP NetWeaver EP Administration
  • CVSS: 9.1
  • Version: EP-RUNTIME 7.50

These vulnerabilities pose significant risks to the confidentiality, integrity, and availability of SAP systems. Given the potential for remote exploitation without authentication, organizations using affected modules should apply the patches immediately.

Recommendations:

• Apply SAP’s July 2025 security patches without delay.
• Prioritize systems running SRM, S/4HANA, SCM, and NetWeaver EP.
• Perform vulnerability scans to ensure compliance and identify unpatched systems.

Reference:
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/july-2025.html 

5. Dell Enterprise SONiC Security Update 

Dell Technologies has released a critical security update for Dell Enterprise SONiC Distribution, addressing several high-severity vulnerabilities in third-party components. These flaws could enable attackers to execute arbitrary code, cause Denial-of-Service (DoS), or leak sensitive data.

Impacted Components & CVEs:

• libtasn1-6 – CVE-2024-12133
• gnutls28 – CVE-2024-12243
• libxml2 – CVE-2022-49043, CVE-2023-39615, CVE-2023-45322, CVE-2024-25062, CVE-2024-56171, CVE-2025-24928, CVE-2025-27113
• krb5 (Kerberos) – CVE-2025-24528
• radius – CVE-2024-3596

Affected Versions:

• Dell Enterprise SONiC Distribution – Versions prior to 4.5.0

Fixed Version:

• Version 4.5.0 or later

These vulnerabilities affect the underlying infrastructure of Dell’s network operating system and can be exploited in enterprise environments where SONiC is widely deployed.

Recommendations:

• Upgrade to Dell Enterprise SONiC Distribution v4.5.0 or later immediately.
• Audit systems for use of affected third-party components.
• Monitor network activity for post-update anomalies.

Reference:
🔗 https://www.dell.com/support/kbdoc/en-us/000340083/dsa-2025-275-securityupdate-for-dell-enterprise-sonic-distribution-vulnerabilities

6. Fortinet FortiWeb Critical SQL Injection Vulnerability (CVE-2025-25257)

Fortinet has released a patch for a critical SQL injection vulnerability in FortiWeb, identified as CVE-2025-25257, with a CVSS score of 9.6. The flaw allows unauthenticated attackers to execute unauthorized SQL commands by sending specially crafted HTTP or HTTPS requests.

The vulnerability exists in the get_fabric_user_by_token function, part of the Fabric Connector component, which interacts with other Fortinet products. This function is indirectly exposed through APIs like:

• /api/fabric/device/status
• /api/v[0-9]/fabric/widget/[a-z]+
• /api/v[0-9]/fabric/widget

The issue stems from improper input sanitization, where attacker-controlled data is passed into an SQL query without validation. This can allow SQL injection and potentially write files to the underlying system using SQL features such as SELECT … INTO OUTFILE.

Affected Versions:

• FortiWeb 7.6.0 – 7.6.3 → Upgrade to 7.6.4 or above
• FortiWeb 7.4.0 – 7.4.7 → Upgrade to 7.4.8 or above
• FortiWeb 7.2.0 – 7.2.10 → Upgrade to 7.2.11 or above
• FortiWeb 7.0.0 – 7.0.10 → Upgrade to 7.0.11 or above

Recommendations:

• Upgrade FortiWeb to the fixed version immediately.
• As a temporary workaround, disable the HTTP/HTTPS administrative interface.
• Monitor for abnormal SQL activity and apply firewall rules if needed.

Reference:
🔗 https://thehackernews.com/2025/07/fortinet-releases-patch-for-critical.html?m=1

7. Mozilla Thunderbird Security Update

Mozilla has released security updates for Thunderbird addressing multiple high and moderate severity vulnerabilities that could lead to application crashes or privacy issues through user tracking.

Key Vulnerabilities:

• CVE-2025-6424 – Use-after-free in FontFaceSet
  Severity: High
  Impact: May lead to a potentially exploitable crash due to memory mismanagement.
• CVE-2025-6425 – Persistent UUID exposure via WebCompat extension
  Severity: Moderate
  Impact: Exposes a persistent UUID that could allow user tracking across browsing modes (excluding profiles).
• CVE-2025-6426 – No warning for executable terminal files on macOS
  Severity: Moderate
  Impact: Fails to warn users when opening potentially dangerous terminal files. Affects macOS only.

Affected and Fixed Versions:

• Thunderbird 140
• Thunderbird 128.12

Recommendations:

• Update to the latest Thunderbird versions to mitigate these issues.
• Inform users, especially on macOS, of the importance of prompt patching.

References:

• https://www.mozilla.org/en-US/security/advisories/mfsa2025-54/
• https://www.mozilla.org/en-US/security/advisories/mfsa2025-55/

8. PHP Security Update

Vulnerabilities in PHP expose applications to SQL injection and denial-of-service (DoS) risks. These issues, tracked as CVE-2025-1735 and CVE-2025-6491, pose significant threats to systems using PostgreSQL and SOAP services.

Key Vulnerabilities:

• CVE-2025-1735 – SQL Injection & Crashes via PostgreSQL Extension
  Affects PHP’s pgsql extension due to improper error handling in PQescapeStringConn() and PQescapeIdentifier() functions.
  • Risk of SQL injection if input is not escaped properly
  • May cause application crashes due to NULL pointer dereference
  • Rooted in PHP’s failure to detect encoding errors returned by PostgreSQL
• CVE-2025-6491 – DoS via Oversized XML Namespace in SOAP
  Affects PHP’s SOAP extension using libxml2.
  • Triggered by creating a SoapVar with a very large XML name
  • Causes segmentation fault due to invalid node state after failed name assignment
  • Easily exploitable with oversized input like str_repeat(“A”, 0x7fffffff)

Affected Versions:

• PHP 8.1.x before 8.1.33
• PHP 8.2.x before 8.2.29
• PHP 8.3.x before 8.3.23
• PHP 8.4.x before 8.4.10

Fixed Versions:

• PHP 8.1.33
• PHP 8.2.29
• PHP 8.3.23
• PHP 8.4.10

Recommendations:

• Upgrade to the fixed versions immediately.
• Review applications relying on pgsql and SOAP modules for potential impact.

References:

• https://github.com/php/php-src/security/advisories/GHSA-hrwm-9436-5mv3

9. Next.js Vulnerability Enables DoS via Cache Poisoning

A high-severity vulnerability in the Next.js framework (CVE-2025-49826) allows attackers to poison the cache with empty HTTP 204 responses, leading to a denial-of-service (DoS) condition.

Key Details:

• CVE: CVE-2025-49826
• Type: Cache Poisoning / Denial of Service
• CVSS Score: 7.5 (High)
• Affected Versions: Next.js 15.1.0 to 15.1.7
• Fixed Version: 15.1.8
• Attack Vector: Remote

Exploitation Requirements:

• Application must use Incremental Static Regeneration (ISR) or Server-Side Rendering (SSR)
• Running in next start or standalone mode
• CDN configured to cache HTTP 204 responses

Recommendation:

• Upgrade Next.js to version 15.1.8 or newer immediately to mitigate the risk.

Reference:

• https://vercel.com/changelog/cve-2025-49826

10. Critical Privilege Escalation Vulnerability in Linux (CVE-2025-6019)

A critical local privilege escalation vulnerability has been identified in Linux systems using udisksd and libblockdev. Tracked as CVE-2025-6019, this flaw allows users in the allow_active group to gain root access. Exploitation is trivial in misconfigured systems, with proof-of-concept (PoC) publicly available.

Key Details:

• CVE: CVE-2025-6019
• CVSS Score: 7.0 (High)
• Affected Components: udisksd, libblockdev, D-Bus, Polkit
• Affected Systems: Fedora 40+, SUSE Linux, and others using allow_active group

Exploitation Conditions:

• udisksd is running
• User is in the allow_active group
• Polkit rules are default or misconfigured
• PoC uses D-Bus or Python to perform root-level actions

Root Cause:

• Over-trusting group-based permissions for privileged disk operations
• Weak Polkit/D-Bus policy validation

Mitigation:

• Update: Apply latest patches to udisks2 and libblockdev
• Audit: Restrict allow_active group memberships
• Harden: Enforce stricter Polkit rules
• Limit Exposure: Avoid using udisksd on shared systems

Reference:

• https://nvd.nist.gov/vuln/detail/CVE-2025-6019

11. Critical Vulnerabilities in Nimesa Backup and Recovery

Multiple high-impact vulnerabilities have been found in Nimesa Backup and Recovery, a widely used data protection and disaster recovery solution. These flaws may allow unauthenticated attackers to execute arbitrary commands or make unauthorized internal network requests.

Key Vulnerabilities:

1. CVE-2025-48501 – OS Command Injection
   • Type: Command Injection (CWE-78)
   • Affected Versions: v2.3, v2.4
   • CVSS v4.0 Score: 9.3 (Critical)
   • CVSS v3.0 Score: 9.8 (Critical)
   • Impact: Enables execution of arbitrary OS commands on the host system.
2. CVE-2025-53473 – Server-Side Request Forgery (SSRF)
   • Type: SSRF (CWE-918)
   • Affected Versions: v2.3, v2.4, and all versions prior to v3.0.2025062305
   • CVSS v4.0 Score: 6.9 (High)
   • CVSS v3.0 Score: 7.3 (High)
   • Impact: Allows attackers to make unauthorized requests within the internal network.

Mitigation:

• Upgrade Now: Apply version 3.0.2025062305 or later to address both vulnerabilities.

References:

• CVE-2025-48501 – OS Command Injection: https://nvd.nist.gov/vuln/detail/CVE-2025-48501
• CVE-2025-53473 – SSRF: https://nvd.nist.gov/vuln/detail/CVE-2025-53473

12. Samsung Security Updates – Android and Galaxy Devices

Samsung has released a security bulletin addressing multiple vulnerabilities in its mobile devices, including 1 critical and 21 high-severity issues as part of Android’s July security update, along with 17 additional vulnerabilities in Samsung’s own chipsets and services.

Key Highlights:

Android Vulnerabilities:

• Critical: CVE-2025-21450
• High Severity: Includes CVE-2024-53010, CVE-2025-0819, CVE-2025-26433, CVE-2025-27052, CVE-2025-27061, and others — impacting system, framework, kernel, and vendor components.

Samsung-Specific Vulnerabilities:

• KnoxVault Trustlet (SVE-2024-2304) – High severity (CVE-2025-20983, CVE-2025-20982)
  • Affects Android 14, 15
  • Issue: Out-of-bounds write
  • Fix: Proper input validation added
• SystemUI for Galaxy Watch (SVE-2024-2335) – Moderate severity (CVE-2025-21004)
  • Affects Android Watch 14
  • Issue: Improper intent verification could allow device shutdown
  • Fix: Access control implemented
• Framework Permissions (SVE-2025-0047) – Moderate severity (CVE-2025-20997)
  • Affects Android Watch 14
  • Issue: Incorrect default permission may allow reset of settings
  • Fix: Removal of unused code
• SamsungAccount App (SVE-2025-0123) – Moderate severity (CVE-2025-20998)
  • Affects Android Watch 14
  • Issue: Improper access control could expose phone numbers
  • Fix: Enhanced access control

Recommendation:

Samsung users should immediately apply the July 2025 SMR (Security Maintenance Release) patches. Organizations should ensure all devices, including Galaxy Watches, are updated to the latest firmware.

Reference:

• Samsung Official Advisory: https://security.samsungmobile.com/securityUpdate.smsb

13. Nessus Windows Hosts – Security Update Advisory

Tenable has released updates for Nessus on Windows platforms to patch multiple critical vulnerabilities affecting both its core functionality and bundled third-party libraries. These include a high-risk local privilege escalation and issues within libxml2 and libxslt that could lead to denial of service or code execution.

Key Vulnerabilities:

• CVE-2025-36630 – Local Privilege Escalation
  • Impact: Allows non-admin users to overwrite system files using SYSTEM-level privileges via Nessus logs.
  • CVSS v3.1: 8.4 (High)
  • Affected: Nessus 10.8.4 and earlier
  • Fix: Nessus 10.8.5 or 10.9.0
• CVE-2025-6021 – libxml2 Denial of Service
  • Impact: Malformed XML input can crash the parser.
  • Fixed in: libxml2 v2.13.8 (bundled in Nessus 10.8.5)
  • CVSS v3.1: 6.5 (Medium)
• CVE-2025-24855 – libxslt Code Execution Risk
  • Impact: Improper XSLT handling may lead to code execution or privilege escalation.
  • Fixed in: libxslt v1.1.43
  • CVSS v3.1: 7.8 (High)

Recommendations:

• Immediately upgrade Nessus to version 10.8.5 or 10.9.0 to mitigate these risks.
• Monitor systems for unusual privilege escalation behavior or crashes related to XML processing.

Reference:

• Tenable Security Advisory TNS-2025-13

14. Redis – High-Severity Denial-of-Service (DoS) Vulnerability

A high-severity DoS flaw (CVE-2025-48367) was discovered in Redis, impacting all versions prior to the recently released patches. Exploitation requires no authentication and no user interaction: malformed or unauthenticated client connections trigger IP protocol errors, overconsume server resources, and result in client starvation and service disruption.

Details

• CVE: CVE-2025-48367
• Component: redis-server
• CVSS Score: 7.5 (High)
• Weakness: CWE-770 – Allocating Resources Without Limits
• Affected Versions: All Redis versions prior to patched releases in the 6.2.x, 7.2.x, 7.4.x, and 8.0.x branches
• Impact: Unauthenticated DoS via malformed connections, resulting in resource exhaustion

Mitigation

• Upgrade to Redis 6.2.x, 7.2.x, 7.4.x, or 8.0.x (latest patched release)
• Avoid exposing Redis directly to untrusted or public networks
• Implement authentication (e.g., ACLs, password protection)
• Apply Redis security best practices

Reference
https://github.com/redis/redis/security/advisories/GHSA-4q32-c38c-pwgq

15. HPE – Critical Security Updates for Networking and Storage Products

Multiple critical vulnerabilities have been disclosed across HPE Networking Instant On Access Points and Brocade SAN systems. These flaws, including hard-coded credentials and component vulnerabilities (OpenSSL, Docker, glibc), can lead to unauthorized access or service disruption.

Key CVEs and Impact

• CVE-2025-37103: Hard-coded credentials in HPE Instant On Access Points – CVSS 9.8 (Critical)
• CVE-2025-4662: OpenSSL RCE flaw in SANnav 2.4.0a – CVSS 8.1
• CVE-2025-6392: Docker-related privilege escalation – CVSS 7.8
• CVE-2025-0395: Glibc memory corruption in Fabric OS – CVSS 7.5

Affected Products

• Brocade SAN switches (SN3600B to SN8700B) running v9.1.0 to v9.2.2
• HPE SANnav base OS deployments prior to v2.4.0a
• HPE Instant On Access Points with firmware 3.2.0.1 and below

Fixed Versions

• SANnav: 2.4.0a or later
• Fabric OS: 9.2.2a or later
• Instant On: 3.2.1.0 and above

Recommendations

• Upgrade affected systems to the latest patched versions immediately
• Review official advisories for version-specific patching steps

References

• https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04894en_us&docLocale=en_US 
• https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04890en_us&docLocale=en_US  

16. High Severity Data Inference Vulnerability in ServiceNow Now Platform

A high-severity vulnerability, CVE-2025-3648 (dubbed Count(er) Strike), has been identified in the ServiceNow Now Platform. The flaw allows low-privileged or self-registered users to infer and exfiltrate sensitive information, such as PII, credentials, and business data, by exploiting misconfigured Access Control Lists (ACLs) and abusing record count features and query filters.

Key Details

• CVE ID: CVE-2025-3648
• Severity: CVSS-B 8.2 (High)
• Discovered by: Varonis Threat Labs
• Attack Vector: Abuse of ACL logic and query operators (e.g., STARTSWITH, CONTAINS)
• Impact: Unauthorized data enumeration and exposure
• Affected Users: Any user with minimal or default access

Mitigation Steps

• Apply latest security updates (May 2025 patch and ServiceNow versions Xanadu or Yokohama and later)
• Review and harden ACLs to restrict overly permissive access
• Monitor for abnormal query activity, especially repeated range-based record access

References

• https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2139567
• https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2256712
• https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2046494

17. BERT Ransomware Campaign

A new ransomware group called BERT (tracked by Trend Micro as Water Pombero) has launched cross-platform attacks targeting global healthcare and IT services sectors. The group employs simple yet effective techniques, including PowerShell-based payloads, privilege escalation, and high-speed encryption, impacting both Windows and Linux systems, including VMware ESXi hosts.

Key Observations

• Tactics: Defense evasion, privilege escalation, and impact operations.
• Windows Variant: Uses start.ps1 PowerShell loader, disables Defender and firewalls, elevates privileges, and encrypts data.
• Linux Variant: Leverages esxcli to enumerate VMs and targets VM snapshots.
• Infrastructure: Uses Russian-registered servers; shares code similarities with REvil and Babuk ransomware.

MITRE Techniques Observed

• Execution: PowerShell (T1059.001)
• Defense Evasion: Disable Tools (T1562.001), Disable Firewall (T1562.004)
• Privilege Escalation: Bypass UAC (T1548.002)
• Discovery: File & Process Discovery (T1083, T1057), VM Discovery (T1673)
• Impact: Data Encryption (T1486), Data Destruction (T1485), Inhibit System Recovery (T1490)

Sample IOCs

• 1ef6c1a4dfdc39b63bfe650ca81ab895… – DefenderControl tool
• 8478d5f5a33850457abc89a99718fc87… – BERT ransomware (older Windows variant)
• c7efe9b84b8f48b71248d40143e759e6… – Linux variant
• hxxp://185[.]100[.]157[.]74/payload[.]exe – Payload download site

Recommended Actions

• Conduct IOC sweeps and threat hunts
• Restrict PowerShell to admin users and enable full logging
• Enforce strict UAC and minimize local admin privileges
• Isolate and secure ESXi interfaces; restrict management protocol access
• Maintain secure, offline, and tested backups
• Block unauthorized admin tools
• Train staff on phishing and malicious download detection

Reference:
https://www.trendmicro.com/en_se/research/25/g/bert-ransomware-group-targetsasia-and-europe-on-multiple-platforms.html

18. NightEagle Exploits Microsoft Exchange Zero-Day to Target China’s Strategic Sectors

A previously unknown APT group dubbed NightEagle, attributed by QiAnXin’s RedDrip unit to a North America-based actor, has been exploiting a zero-day vulnerability in Microsoft Exchange to conduct espionage on China’s AI, semiconductor, military, and quantum sectors since 2023.

Key Highlights:

• Targeted Sectors: AI, LLMs, semiconductors, quantum tech, and defense.
• TTPs:
  • Zero-day in Microsoft Exchange → used to harvest machineKey.
  • Attackers achieve unauthorized deserialization, allowing .NET loader implantation in IIS.
  • Leads to remote mailbox access and data exfiltration.
• Persistence & Stealth: Named NightEagle for operating primarily at night and using VPS assets and custom payloads.
• Attribution: No definitive actor confirmed, but North American origin suspected.

Exploit Flow:

1. Obtain machineKey via unknown method.
2. Deserialization attack enables remote code execution.
3. Deploy .NET loader via IIS.
4. Access and steal Exchange mailbox data.

Microsoft is still investigating and has not acknowledged any actionable vulnerabilities yet.

https://www.csoonline.com/article/4018080/nighteagle-hackers-exploit-microsoft-exchange-flaw-to-spy-on-chinas-strategic-sectors.html 

19. LogoKit Phishing Kit Used in Global Attacks on Government, Banking & Logistics Sectors

Cyble Research has uncovered a widespread phishing campaign leveraging the LogoKit phishing kit, targeting government, banking, and logistics organizations globally, including the Hungarian government (HunCERT), banks in Papua New Guinea, and logistics firms in Saudi Arabia.

Key Highlights:

• Phishing Kit: LogoKit – enables dynamic generation of fake login pages by embedding the victim’s email in the URL.
• Infrastructure:
  • Hosted on Amazon S3 for evasion.
  • Uses Cloudflare Turnstile for deceptive legitimacy.
  • Real-time branding fetched via Clearbit Logo API and Google S2 Favicon API.
• Campaign Details:
  • Phishing Pages: Prefill user email (e.g., [email protected]) to boost success.
  • Credential Harvesting: Data sent to mettcoint[.]com/js/error-200.php
  • Other Targets: Kina Bank (PNG), US Catholic Church, WeTransfer impersonation, etc.
• Domain Intelligence:
  • mettcoint[.]com active since Oct 2024, still live, 0 detections on VirusTotal.
  • Campaign ongoing with stealth infrastructure and global scope.

Indicators of Compromise (IOCs):

• flyplabtk[.]s3.us-east-2.amazonaws.com/…
• mettcoint[.]com/js/error-200.php

Mitigation & Recommendations:

• Block listed domains and monitor for similar phishing infrastructure.
• Educate users to avoid clicking on unexpected login links, especially with prefilled credentials.
• Implement secure email gateways, MFA, and behavior-based monitoring.
• Conduct internal phishing simulations and awareness training.

https://thecyberexpress.com/logokit-phishing-kit-attacks/ 

20. Iranian APT Surge Targeting U.S. Industrial Sectors

New telemetry from Nozomi Networks indicates a 133% increase in cyberattacks attributed to Iranian APT groups targeting U.S. industries in May and June 2025, up from 12 to 28 confirmed attacks compared to the previous two-month period.

Key Observations:

• Targeted Sectors: Transportation and manufacturing industries.
• Most Active Groups:
  • MuddyWater – Responsible for attacks on at least 5 U.S. firms.
  • APT33 – Targeted 3 or more companies.
  • Other groups involved: OilRig, CyberAv3ngers, FoxKitten, Homeland Justice.
• Attack Nature: Based on anonymized telemetry; specific technical details not disclosed.

Strategic Context:

• Escalation follows tensions between Iran and Israel and alleged U.S. cyber operations targeting Iranian nuclear facilities.
• MuddyWater (active since 2017) and APT33 (since 2013) have historically focused on cyber-espionage in energy, aerospace, and petrochemical domains.
• FoxKitten is now actively recruiting ransomware affiliates, offering 80% profit share, a shift from its traditional espionage role.

National Security Concerns:

• U.S. agencies had previously warned critical infrastructure and defense entities of retaliatory cyber threats from Iran.
• Increasing collaboration between state-backed actors and criminal ransomware groups—notably FoxKitten—highlights Tehran’s hybrid cyber strategy.

Reference:

https://therecord.media/iran-state-backed-hackers-industrial-attacks-spring-2025