Daily Brief
Total articles found: 11801
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-07-24 15:22:51 | bleepingcomputer | CYBERCRIME | Mitel Releases Updates for Critical Authentication Bypass Flaw | Mitel Networks issued patches for a critical authentication bypass vulnerability in its MiVoice MX-ONE platform. The vulnerability exists within the Provisioning Manager component of MX-ONE, impacting SIP-based communication systems. The flaw allows unauthenticated attackers to gain administrator access through a low-complexity attack. Affected versions range from 7.3 (7.3.0.0.50) to 7.8 SP1 (7.8.1.0.14), with patches available for versions 7.8 and 7.8 SP1. Mitel advises against exposing MX-ONE services directly to the public internet and recommends deploying systems within trusted networks. Additionally, Mitel disclosed a high-severity SQL injection vulnerability in its MiCollab platform. Despite the severity of these issues, there are no reports of these vulnerabilities being exploited in the wild. Mitel's clientele spans over 60,000 customers across various sectors, including government, healthcare, and financial services. |
| 2025-07-24 15:15:16 | thehackernews | MALWARE | CastleLoader Malware Targets Devices with GitHub and Phishing Scams | Cybersecurity firm PRODAFT reports the emergence of CastleLoader, a malware loader distributing various malicious payloads such as information stealers and RATs. It uses techniques such as dead code injection to complicate analysis and connects to a C2 server after unpacking for further malicious activity. Attacks involve Cloudflare-themed ClickFix phishing schemes and malicious GitHub repositories impersonating legitimate applications. Victims are lured to fake error pages via manipulated Google search results, which prompt them to execute PowerShell commands that initiate the infection. Over 1,634 infection attempts were observed since May 2025, with a success rate of approximately 28.7%, affecting 469 devices. CastleLoader's network infrastructure and web-based control panel indicate that it operates as malware-as-a-service (MaaS), hinting at experienced operators behind its deployment. The overlapping nature of the campaigns, with tools like DeerStealer also delivering other loaders, illustrates the interconnectedness of modern cybercriminal activity. |
| 2025-07-24 14:29:52 | theregister | CYBERCRIME | Malicious Code in Amazon Extension Aimed to Expose AWS Flaws | The official Amazon Q extension for Visual Studio Code was compromised with a script designed to delete user files and AWS resources. The compromised extension was available on the marketplace for two days before being detected and reverted. The actor behind the attack claimed the script was intended as a defective wiper to highlight AWS security shortcomings, not to cause harm. This incident followed a security breach wherein an unrelated account gained admin credentials to AWS's repository and submitted the malicious code. AWS acknowledged the security lapse, updated the extension to remove the unauthorized code, and revoked outdated credentials. AWS's response focused on addressing the code modification but did not elaborate on preventing future incidents. The situation raises concerns about AWS's reliance on automated AI security checks over thorough human oversight. Post-incident discussions suggest corporate pressures on developers could compromise security measures at AWS. |
| 2025-07-24 14:16:41 | thehackernews | CYBERCRIME | Critical RCE Vulnerabilities Patched in Sophos and SonicWall Devices | Sophos and SonicWall disclosed critical security vulnerabilities in their firewall and SMA 100 Series devices that could lead to remote code execution. Both companies have released patches for these vulnerabilities, which affect a limited share of devices: approximately 0.05% to 0.73% of Sophos Firewalls. The exposure includes a high-severity command injection flaw within the WebAdmin component of Sophos Firewall, which could permit pre-authentication code execution. SonicWall identified a critical flaw in the SMA 100 Series' web management interface that allows file uploads by attackers with admin rights. The UK's National Cyber Security Centre discovered and reported additional flaws in SonicWall products, leading to prompt remediation by the company. SonicWall emphasizes reviewing appliance logs and connection history and recommends extensive protective measures for users of SMA 500v, including backing up and reinstalling critical files. No evidence of active exploitation of these vulnerabilities was stated in the public disclosures, though potential risks remain in light of recent findings by Google Threat Intelligence Group about similar devices being used for harmful purposes. |
| 2025-07-24 13:34:43 | bleepingcomputer | MALWARE | Toptal's GitHub Account Breached, Malicious NPM Packages Released | Hackers compromised Toptal's GitHub account and published ten malicious npm packages. The malicious code in the npm packages targeted GitHub authentication tokens and then wiped victims' systems. Toptal, a marketplace for freelance talent such as software developers, uses GitHub and npm to distribute internal tools and systems. The attack occurred on July 20, when 73 Toptal repositories were immediately made public, exposing private code and projects. Reported downloads of the malicious packages reached approximately 5,000 before detection. The attack strategy included inserting data-stealing and system-wiping scripts into the npm 'package.json' files. Toptal retracted the harmful packages by July 23, reverting to previous safe versions, though it initially did not issue a public warning. The breach's exact entry point remains uncertain, with theories suggesting insider threats or phishing scams targeting Toptal developers. |
| 2025-07-24 11:37:01 | thehackernews | MISCELLANEOUS | Enhance Your Customer Identity Strategy with AI Webinar Insights | The "Navigating Customer Identity in the AI Era" webinar, scheduled for July 28, 2025, will explore the Auth0 2025 Customer Identity Trends Report. The event targets IT and security leaders, along with professionals in product development, marketing, and customer experience. Focus areas include improving customer experiences, enhancing security, and driving digital innovation through AI. Attendees will receive practical solutions for current problems in managing logins, data privacy, user onboarding, and digital trust. The webinar aims to provide strategies to align AI technologies with customer expectations, ensuring better identity management and compliance. Auth0 by Okta, a recognized leader in secure identity solutions, will provide expert insights during the session. Registration is free but spaces are limited; the session aims to help organizations future-proof their identity management strategies. |
| 2025-07-24 11:23:37 | bleepingcomputer | CYBERCRIME | Urgent Patch Advisory for SonicWall SMA 100 Due to Critical Flaw | SonicWall has issued a critical patch for the SMA 100 series appliances due to a severe authenticated arbitrary file upload vulnerability, tracked as CVE-2025-40599. The vulnerability stems from an unrestricted file upload flaw in the web management interface, potentially allowing remote attackers with administrative access to execute arbitrary code on the system. Affected SMA 100 series models include SMA 210, 410, and 500v; SMA1000 series products are not impacted. SonicWall warns that although there is no current active exploitation, SMA 100 appliances have been targeted using compromised credentials in separate incidents. A threat group tracked as UNC6148 has been actively deploying OVERSTEP rootkit malware on fully patched SMA 100 units, leading to possible data theft and extortion, including the deployment of Abyss ransomware. SonicWall recommends that administrators urgently upgrade their appliances to the latest secure version, check for signs of compromise, and implement security best practices such as limiting remote access, enforcing MFA, and enabling the Web Application Firewall (WAF). Administrators are advised to reset all passwords, reinitialize OTP bindings, and contact SonicWall Support immediately if evidence of compromise is detected. |
| 2025-07-24 11:08:14 | theregister | DATA BREACH | Dior Issues Alert as Customer Data Stolen in Cyberattack | Dior has started issuing data breach notices after hackers accessed its customer database. The luxury brand confirmed that US client data had been compromised during a cyberattack identified on May 7, with the intrusion tracing back to January 26. Exposed customer information includes names, addresses, contact details, dates of birth, and passport or government ID numbers for some, excluding bank or payment details. Incident filings with state attorneys in Texas and Washington indicate at least 20,594 US customers are affected, hinting at a potentially larger global impact. The data breach has been linked to the criminal group ShinyHunters, known for high-profile digital thefts, including a recent breach at Louis Vuitton, another LVMH entity. Dior claims the breach has been contained with no evidence of ongoing unauthorized access, though the entry method used by the attackers remains unknown. Enhanced security measures were implemented post-breach, and law enforcement has been notified; Dior advises customers to monitor for suspicious activity in their communications. |
| 2025-07-24 11:08:13 | thehackernews | NATION STATE ACTIVITY | China-Linked APTs Exploit Dalai Lama's Birthday to Target Tibetans | China-nexus cyber espionage groups targeted the Tibetan community through malware campaigns named Operation GhostChat and Operation PhantomPrayers. Attackers used a compromised legitimate website to redirect users and install Gh0st RAT or PhantomNet backdoors on their systems. The campaigns involved watering hole attacks aimed at gathering sensitive information from the Tibetan diaspora. Malicious software disguised as a secure chat application and a global check-in app was used to exfiltrate data and spy on users. These malicious apps collected a range of data including IP addresses and user-agent details, and could perform actions such as screen capture and audio recording. The malware leveraged techniques including DLL side-loading and AES-encrypted communications with C2 servers, showing sophisticated operational capabilities. This espionage effort intensified around the Dalai Lama's 90th birthday, exploiting a significant cultural event for strategic advantage. |
| 2025-07-24 11:08:13 | thehackernews | MISCELLANEOUS | Why Continuous Security Validation Beats Annual Pentests | Annual penetration testing falls short in rapidly evolving tech environments, offering only a snapshot of security. Building an Offensive Security Operations Center (SOC) elevates penetration testing by enabling continuous validation. Continuous validation allows organizations to mimic and counteract ongoing adversarial tactics and evolve beyond static defenses. Offensive SOCs focus on persistent discovery, real-world attack simulation, exploit chain testing, and security drift detection. Tools like Breach and Attack Simulation (BAS) and Automated Pentesting are critical to simulate and understand real-world threats safely. This approach identifies weaknesses before they can be exploited, transforming theoretical defenses into tested, active safeguards. Picus provides a platform that helps security teams operationalize continuous validation, tangibly boosting security posture. Continuous validation is a practice, not a one-off report, urging a shift from reactive to proactive security measures. |
| 2025-07-24 10:40:10 | thehackernews | MALWARE | Microsoft Identifies Warlock Ransomware Attack via SharePoint Flaws | Microsoft has detected Storm-2603 exploiting SharePoint vulnerabilities to deploy Warlock ransomware. Two critical flaws, CVE-2025-49706 and CVE-2025-49704, enable spoofing and remote code execution on unpatched SharePoint servers. The attackers use techniques such as dropping web shells, disabling Microsoft Defender, and harvesting credentials with Mimikatz. Persistent access is maintained by modifying Internet Information Services and setting up .NET assemblies and scheduled tasks. The attackers also move laterally using tools like PsExec and the Impacket toolkit, then distribute the ransomware through modified GPOs. Microsoft urged users to patch the exploited vulnerabilities, as the attacks have already impacted at least 400 systems. The attacks have been attributed to a China-based, financially motivated threat group suspected of previous ransomware attacks. China's Foreign Ministry denies state involvement, stressing cooperation in addressing global cybersecurity challenges. |
| 2025-07-24 10:02:50 | theregister | MALWARE | Npm Phishing Attack Infects Packages with Cross-Platform Malware | A phishing scam led to popular npm packages being infected with malware targeting both Windows and cross-platform environments. The npm package "is", which sees roughly 2.7 million downloads weekly, was compromised with malware that captures environment variables and gives the attacker a remote shell. Infected packages include a malware loader in version 3.3.1 of "is" and a Windows DLL in packages associated with the prettier code formatter. The issue was triggered by maintainers being deceived by emails from typosquatted domains, leading to account hijackings and unauthorized malicious releases. The malware persisted by modifying index.js files, complicating removal. Its targets included credential theft, browser configuration attacks, and potentially a broader compromise of developer environments. Google's OSS Rebuild initiative is highlighted as a proactive measure against such vulnerabilities, automatically verifying package integrity. This event underscores the ongoing risk of malware in software dependencies, especially in widely trusted repositories like npm. |
| 2025-07-24 09:55:43 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Group Exploits SharePoint in Global Ransomware Campaign | Microsoft has identified that Storm-2603, a Chinese hacking group, is targeting Microsoft SharePoint servers using the ToolShell zero-day exploit chain to deploy Warlock ransomware. The attacks exploit recently patched vulnerabilities in SharePoint, and the threat actor uses tools like Mimikatz, PsExec, and Impacket to move laterally and escalate privileges. Since July 18, 2025, Storm-2603 has been exploiting these vulnerabilities to breach networks and distribute ransomware across compromised systems. The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53770, part of the ToolShell exploit chain, to its catalog of actively exploited vulnerabilities. Notable breaches have occurred within US federal agencies and governments in Europe and the Middle East, although no evidence was found of sensitive information being compromised. Microsoft advises immediate application of security updates for on-premises SharePoint servers and offers detailed mitigation guidance. Researchers have linked other Chinese state-backed hacking groups, including Linen Typhoon and Violet Typhoon, with similar cyberattacks exploiting SharePoint vulnerabilities. |
| 2025-07-24 06:54:36 | thehackernews | CYBERCRIME | Europol Takes Down XSS Cybercrime Forum, Arrests Admin | Europol, with aid from French Police, Ukrainian authorities, and the Paris Prosecutor's Office, has arrested the administrator of XSS.is, a major Russian-speaking cybercrime forum. The arrest occurred in Kyiv on July 22, 2025, following an extensive investigation initiated by French Police in July 2021. XSS.is has operated since 2013 as a central point for cybercriminal activity, providing tools for data theft, hacking, and ransomware services. The platform facilitated secure communication among cybercriminals through an encrypted Jabber server and incorporated an escrow system to secure transactions. The seizure of XSS.is also included taking over its clearnet domain, which now displays a law enforcement seizure notice. Prior to this arrest, Europol had disrupted the operations of a pro-Russian hacktivist group, showing a concentrated effort to curtail cybercrime affecting European countries. The forum's admin, who also ran a private messaging service for criminals, generated an estimated €7 million in profits through advertising and facilitation fees. The forum boasted over 50,000 members and was a key marketplace for illicit cyber services, especially those targeting non-Russian-speaking countries. |
| 2025-07-24 05:16:51 | thehackernews | MALWARE | Stealth Malware Targets WordPress Sites via Must-Use Plugins | Cybersecurity experts have discovered a hidden backdoor in WordPress mu-plugins that enables ongoing unauthorized admin access. Mu-plugins are automatically activated across WordPress sites and are hidden from the default plugin list, making them an ideal hiding place for attackers. The discovered malware, a "wp-index.php" file in the mu-plugins directory, fetches and executes additional malicious payloads from an obfuscated remote URL. The malware installs a concealed file manager, installs a malicious plugin, and changes the passwords of common administrator accounts. It also creates a new administrator account named "officialwp" to maintain control and ensure re-infection if the initial components are purged. Threat actors leveraging this backdoor can execute PHP code, steal data, inject malicious content, and redirect visitors to harmful sites. Recommended mitigation includes regularly updating WordPress, themes, and plugins, employing two-factor authentication, and comprehensive audits of site components. |