Daily Brief
Total articles found: 11804
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-07-22 08:05:15 | thehackernews | NATION STATE ACTIVITY | SharePoint Zero-Day Attacks Target Governments, Telecoms Globally | Critical Microsoft SharePoint vulnerabilities were exploited as of July 7, 2025, targeting sectors including government and telecom across North America and Western Europe. Attackers used sophisticated techniques to leverage newly discovered SharePoint Server vulnerabilities for initial access and privilege escalation. The exploited flaws allowed unauthenticated remote code execution and theft of sensitive cryptographic keys, establishing persistent unauthorized access. Detected exploitation efforts originated from three distinct IP addresses, one of which was tied to earlier weaponization of security flaws. Analysis found extensive yet selective targeting of organizations with strategic value, involving early reconnaissance and exploitation. Security firms including Check Point, Bitdefender, Palo Alto Networks, and SentinelOne have published detailed analyses, underscoring the urgency and complexity of the campaign. The activity is tentatively attributed to a China-aligned hacking group, pointing to a significant nation-state threat with global security impact. Recommended immediate remediation includes applying SharePoint patches, rotating keys, and watching for signs of exploitation even after patching. |
| 2025-07-21 22:52:57 | theregister | DATA BREACH | Dell Downplays Data Theft Incident with WorldLeaks Extortion Attempt | Dell confirmed a breach in its IT environment where data was stolen, but asserts the stolen content was predominantly synthetic or "fake" data. WorldLeaks, the successor to the Hunters International group, claimed to have stolen 1.3 TB of data from Dell in order to extort a payment. According to Dell, the compromised data comprised 416,103 files, primarily used within a controlled environment for product demonstration and testing. The targeted environment was Dell's Solution Center, intentionally isolated from critical customer, partner, and operational systems. Dell did not disclose the quantity of stolen data or the ransom amount demanded by the criminals. Dell stated that no sensitive, customer, or partner data was affected and emphasized its commitment to combating online criminal threats. The incident is contrasted with a serious breach last year in which 49 million customer records were compromised. |
| 2025-07-21 21:31:48 | bleepingcomputer | MISCELLANEOUS | Intel Shuts Down Clear Linux OS After a Decade | Intel has announced the termination of its Clear Linux OS project, ending its 10-year run in the open-source ecosystem. Clear Linux, known for its optimizations for Intel hardware and fast performance, will no longer receive updates or maintenance. Users of Clear Linux OS are urged to migrate to other actively maintained distributions to ensure ongoing security and system stability. The closure is attributed to possible low adoption rates and the high resource demand of maintaining a unique distribution not forked from others. Intel will continue to support the Linux community and provide optimizations for other distributions despite the shutdown of Clear Linux OS. The end of this project is part of Intel's broader strategy to streamline operations and cut down on niche projects with limited strategic value. The Clear Linux OS GitHub repository will be archived in read-only mode, halting any further contributions or updates to the codebase. |
| 2025-07-21 20:00:09 | theregister | NATION STATE ACTIVITY | Major Nation-State Hack Exploits Microsoft SharePoint Vulnerability | Government-backed hackers have exploited a critical zero-day vulnerability in Microsoft SharePoint Server, tracked as CVE-2025-53770, following Microsoft's partial resolution attempt in a prior security update. The vulnerability allows attackers to seize control of SharePoint Servers to steal sensitive data, deploy backdoors, and exfiltrate cryptographic keys. The US Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre have reported that attacks are underway, affecting sectors such as government, telecommunications, and education globally. Over 205,000 potentially vulnerable instances have been identified, with initial attacks targeting a "major Western government." Despite patches and security advisories, attacks continue, highlighting the strategic value of compromising widely used platforms like Microsoft's products. Security professionals advocate rapid implementation of mitigations and thorough investigations even after patches are applied, emphasizing that patching alone is insufficient because systems may have been compromised before the patch. Experts stress that this series of breaches likely represents a sophisticated espionage effort by nation-state actors, with widespread implications for global security architecture. |
| 2025-07-21 19:37:28 | bleepingcomputer | DATA BREACH | Ring Denies Data Breach Amid Users' Reports of Suspicious Logins | On May 28th, many Ring users observed unauthorized devices logging into their accounts from various global locations. Ring attributed the suspicious activity to a backend update bug, stating it caused inaccurate display of logins dated May 28, 2025. Customers expressed skepticism about Ring's explanation, citing specific instances of devices and locations they had never used or visited. User complaints included seeing devices named after unknown persons and logins from foreign countries inconsistent with their own travel history. Some users also reported live view activity during periods when they had not accessed their accounts, and a lack of security alerts or multi-factor authentication prompts for new devices. Despite Ring's reassurance that there was no unauthorized access, users are advised to review their account's authorized devices and update security settings, including passwords and two-factor authentication. BleepingComputer has reached out to Ring for further clarification in response to persistent user concerns and anomalies. |
| 2025-07-21 17:28:31 | thehackernews | NATION STATE ACTIVITY | Iran-Linked Spyware DCHSpy Targets Dissidents Via Fake VPN Apps | Lookout security researchers uncovered Android spyware linked to the Iranian Ministry of Intelligence and Security (MOIS), disguised as VPN apps. The malware, named DCHSpy, was first seen in July 2024 and is attributed to the Iranian nation-state group MuddyWater. DCHSpy can collect extensive user data including WhatsApp conversations, SMS, call logs, and location, and can record audio and take photos. The spyware targets dissidents, activists, and journalists, particularly those opposing the Iranian regime, by mimicking apps like Earth VPN, Comodo VPN, and Hide VPN. Its distribution has been strategically timed to align with recent Middle-Eastern conflicts, suggesting an ongoing cyber-espionage campaign. DCHSpy uses tactics and infrastructure similar to another Android malware, SandStrike, which is also known for targeting Persian speakers via deceptive VPN apps. The discovery highlights an increase in cyber threats in the Middle East, with various malware families, including AridSpy and SpyNote, focusing on mobile surveillance. The spyware's use of lures linked to Starlink, following its recent activation and subsequent ban in Iran, underscores the geopolitical aspect of this cyber threat. |
| 2025-07-21 16:30:51 | thehackernews | NATION STATE ACTIVITY | Chinese Hackers Target African Government IT Services | APT41, a Chinese cyber espionage group, has launched a new espionage campaign against government IT infrastructure in Africa. Researchers uncovered the campaign after detecting suspicious activity on multiple workstations of an affected IT infrastructure. The attackers used techniques such as hardcoded service names, IP addresses, and proxies within the malware to maintain communication with their control servers. Key tools used in the campaign include Cobalt Strike and custom C# trojans, revealing a sophisticated level of attack execution tailored to non-East Asian systems. The campaign employed hacked SharePoint servers for control commands and Cobalt Strike, loaded via DLL side-loading, for command-and-control communication. APT41 used credential harvesting and lateral movement within the networks to gain higher privileges and access sensitive areas. Impersonation of legitimate domains, such as a GitHub-like URL, aided in avoiding detection while facilitating the deployment of additional payloads. This shift marks the first significant targeting of African nations by this group, suggesting a strategic expansion of its operations. |
| 2025-07-21 16:09:52 | bleepingcomputer | MISCELLANEOUS | ExpressVPN Fixes Bug Exposing User IPs in RDP Sessions | ExpressVPN has resolved a flaw in its Windows client where Remote Desktop Protocol (RDP) traffic leaked users' real IP addresses by bypassing the VPN tunnel. The issue, identified by a security researcher on April 25, 2025, was attributed to debug code accidentally left in production builds from version 12.97 to 12.101.0.2-beta. The vulnerability did not affect the encryption of the tunnels but could reveal that a user was connected to specific remote servers via RDP. The problem was patched in ExpressVPN version 12.101.0.45, released on June 18, 2025; ExpressVPN advises users to update to this version for optimal security. ExpressVPN noted that the bug generally affected a smaller segment of its user base, since RDP is less frequently used by individual consumers. The issue reflects the ongoing challenges even top-rated privacy firms face in ensuring total security and anonymity online. ExpressVPN plans to enhance its internal build checks to prevent similar errors in future releases, including automated improvements to development testing. |
| 2025-07-21 14:34:31 | bleepingcomputer | DATA BREACH | Dior Notifies U.S. Customers of Data Breach Incident | Dior has begun issuing data breach notifications to its U.S. customers following a cybersecurity incident that occurred on January 26, 2025. Personal information stored in a Dior database was accessed by an unauthorized party, but no payment details were compromised. The breach was detected on May 7, 2025, prompting internal investigations and immediate containment measures. Dior, a major French luxury fashion brand within the LVMH conglomerate, confirmed the breach after similar incidents affected other LVMH brands. Affected customers are being offered 24 months of free credit monitoring and identity theft protection. Customers are advised to stay vigilant for potential scams and phishing attempts following the breach. This data breach is linked to other LVMH brand breaches, potentially orchestrated by the ShinyHunters group via a third-party vendor. |
| 2025-07-21 12:04:24 | theregister | NATION STATE ACTIVITY | Iran's MOIS Linked to Advanced Android Spyware Post-Conflict | The Iranian Ministry of Intelligence and Security (MOIS) is allegedly behind four new Android spyware samples found by Lookout security researchers. The malware is disguised as VPN apps called Earth VPN and Comodo VPN, and targets WhatsApp data as well as audio and video recordings. It was discovered shortly after Israel launched missiles at Iranian nuclear sites, with one sample including "Starlink" in its name, potentially as a lure. Lookout attributes the malware to MuddyWater, an espionage group sanctioned by the US in 2022 for cyber activities against the US and its allies. The campaign likely targets Iranian dissidents, activists, and journalists both within and outside Iran. New DCHSpy capabilities include enhanced data collection from WhatsApp, sensitive file searches, and exfiltration. Information collected by the spyware is encrypted and uploaded to an attacker-controlled SFTP server. |
| 2025-07-21 11:46:27 | thehackernews | DATA BREACH | Microsoft SharePoint Server Zero-Day Exploited in Global Attacks | Microsoft has patched two critical vulnerabilities (CVE-2025-53770, CVE-2025-53771) in SharePoint Server that were previously exploited in the wild. The vulnerabilities are linked to earlier flaws (CVE-2025-49704, CVE-2025-49706) and are instrumental in a remote code execution exploit chain named ToolShell. Numerous organizations worldwide reported breaches, prompting a swift security advisory and patch release by Microsoft. The threat landscape includes several high-risk vulnerabilities across different platforms, including HPE, Cisco, Google Chrome, and NVIDIA. LLMs (Large Language Models) are increasingly present in corporate environments, raising new security risk concerns not fully addressed by existing security protocols. Unknown attackers are using obscure techniques and monitoring gaps to infiltrate systems, often leveraging legitimate yet vulnerable system tools. Recommended essential practices include reviewing CVE updates promptly and deploying patches to protect against potential exploitation. Continuous surveillance and advanced registry check techniques are advised to detect and mitigate hidden malicious tasks within system infrastructures. |
| 2025-07-21 11:37:37 | bleepingcomputer | CYBERCRIME | Over 1,000 CrushFTP Servers Vulnerable to Critical Hijack Attacks | Over 1,000 online CrushFTP instances are susceptible to hijack attacks exploiting a critical security flaw identified as CVE-2025-54309. The vulnerability allows unauthorized admin access via mishandled AS2 validation, affecting all CrushFTP versions prior to 10.8.5 and 11.3.4_23. The issue, marked as actively exploited since July 19th, affects unpatched servers, although some started noticing it as early as July 18th. CrushFTP recommends regular patching, monitoring logs for unusual activity, enabling automatic updates, and IP whitelisting to mitigate the risk. According to Shadowserver scans, around 1,040 CrushFTP servers remain unpatched and exposed to potential data theft. The nature of the ongoing attacks remains unclear; however, high-value targets like CrushFTP have previously been targeted by ransomware and data theft groups. CrushFTP's history includes patching a similar zero-day vulnerability used for espionage against U.S. organizations in April 2024. |
| 2025-07-21 11:28:52 | thehackernews | MISCELLANEOUS | Advanced AI's Role in Enhancing Zero Trust Security Architecture | By 2025, Zero Trust has transitioned from theory to a fundamental security requirement for organizations. AI greatly enhances Zero Trust by automating adaptive trust and continuous risk evaluation, and by managing the large data volumes generated. Predictive AI models, such as machine learning and deep learning, help detect threats early by analyzing historical data for patterns and anomalies. Generative AI and agentic AI assist in streamlining security operations, offering query generation, scripting, and automation of complex tasks. Human-machine teaming remains crucial; AI supports but does not replace human decision-making in Zero Trust environments. AI risks, including model poisoning and inference tampering, highlight the necessity of human oversight. The SANS SEC530 course emphasizes human-machine collaboration in implementing Zero Trust to secure hybrid enterprises effectively. A SANS live training event in Fall 2025 will explore practical applications of AI in Zero Trust, enhancing hands-on security skills. |
| 2025-07-21 11:11:15 | bleepingcomputer | MISCELLANEOUS | Exclusive StackSocial Deal Offers Lifetime Babbel Subscription | StackSocial presents an exclusive deal on Babbel, offering a lifetime subscription for $159, reduced from $599. Babbel provides access to language learning in 14 different languages, with practical learning focused on conversational skills. The program structures its lessons around real-world situations such as navigating cities, ordering food, and other social interactions. Each lesson is designed to be short and flexible, approximately 10 to 15 minutes long, to fit easily into daily routines. Babbel enhances learning with an AI conversation partner and speech recognition for real-time practice and feedback. Additional personalized review sessions help reinforce learning and support continuous language skill improvement. The deal is available through a partnership between StackCommerce and BleepingComputer.com and requires account registration at StackCommerce's store. The promotional code "LEARN" must be used by July 24 to take advantage of the offer. |
| 2025-07-21 11:01:34 | bleepingcomputer | CYBERCRIME | Dell's Test Lab Breached by World Leaks in Extortion Attempt | Dell confirmed that the World Leaks extortion group breached its Customer Solution Centers platform, which hosts product demos. The breach involved mainly synthetic or publicly available data used for product demonstrations, including fabricated sample medical and financial records. World Leaks, formerly known as Hunters International, shifted from ransomware to data extortion, focusing on stealing rather than encrypting data. The only legitimate data extracted was an old contact list; the platform is isolated from Dell's main customer and partner systems. Dell has not disclosed details on how the breach occurred and remained tight-lipped about the ransom demands due to ongoing investigations. The World Leaks group claims to have attacked over 280 organizations globally since its inception; however, Dell's data has not been publicly disclosed by the group. The breach reflects an ongoing trend in which cybercriminals move away from ransomware toward direct data extortion. |