Daily Brief
Find articles below, see 'DETAILS' for generated summaries
| Published | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-07-21 11:11:15 | bleepingcomputer | MISCELLANEOUS | Exclusive StackSocial Deal Offers Lifetime Babbel Subscription | StackSocial presents an exclusive deal on Babbel, offering a lifetime subscription for $159, reduced from $599.
Babbel provides access to language learning in 14 different languages, facilitating practical learning focused on conversational skills.
The program structures its lessons around real-world applications such as navigating cities, ordering food, and other social interactions.
Each lesson is designed to be short and flexible, approximately 10 to 15 minutes long, easily fitting into daily routines.
Babbel enhances learning with an AI conversation partner and speech recognition for real-time practice and feedback.
Additional personalized review sessions help reinforce learning and assist in continuous language skill improvement.
The deal is available through a partnership between StackCommerce and BleepingComputer.com, requiring account registration at StackCommerce’s store.
Special promotional code "LEARN" must be used by July 24 to take advantage of the offer. | Details |
| 2025-07-21 11:01:34 | bleepingcomputer | CYBERCRIME | Dell's Test Lab Breached by World Leaks in Extortion Attempt | Dell confirmed that the World Leaks extortion group breached its Customer Solution Centers platform, which shows product demos.
This breach involved mainly synthetic or publicly available data used for product demonstrations — including fabricated sample medical and financial records.
World Leaks, formerly known as Hunters International, shifted from ransomware to data extortion, focusing on stealing rather than encrypting data.
The only legitimate data extracted was an old contact list; the platform is isolated from Dell’s main customer and partner systems.
Dell has not disclosed details on how the breach occurred and remained tight-lipped about the ransom demands due to ongoing investigations.
The World Leaks group claims to have attacked over 280 organizations globally since its inception; however, Dell’s data has not been publicly disclosed by the group.
The breach reflects an ongoing trend where cybercriminals move away from ransomware toward direct data extortion. | Details |
| 2025-07-21 06:36:08 | theregister | CYBERCRIME | Alaska Airlines Grounds Fleet Due to IT Outage Amid Cyber Concerns | Alaska Airlines has temporarily grounded its entire fleet due to an IT outage.
The airline has not specified the cause, raising suspicions of potential cybercrime involvement.
A notable ransomware gang, known for recent attacks on airlines, may be implicated.
Only 11 of Alaska's 325 aircraft were operational, primarily due to the timing of the incident late at night.
The airline is actively working to resolve the IT system issues and has advised passengers to check flight statuses.
Recent similar incidents at other airlines have heightened cybersecurity concerns in the aviation sector.
This ongoing situation continues to evolve with developments expected. | Details |
| 2025-07-21 06:21:10 | thehackernews | CYBERCRIME | PoisonSeed Hackers Exploit QR Codes to Bypass FIDO Key Security | Threat actors named PoisonSeed have devised a method to bypass FIDO key security using QR phishing and cross-device sign-in abuse.
A phishing campaign targets users by mimicking company login portals, specifically exploiting the cross-device sign-in feature available with FIDO keys.
The attack involves luring victims to a fake Okta portal through a phishing email, where credentials entered are used to facilitate unauthorized access.
The phishing site prompts the legitimate login page to generate a QR code, which is then captured and relayed to the victim to scan, granting attackers access.
This method does not exploit FIDO keys directly; instead, it abuses legitimate features to downgrade the authentication process, effectively breaking the security link.
The attackers also demonstrated the ability to enroll their own FIDO key after compromising an account, highlighting the need for phishing-resistant authentication methods across all account activities.
Researchers emphasize the ongoing battle between cybersecurity defenders and attackers in securing user accounts against sophisticated phishing tactics. | Details |
| 2025-07-21 06:01:50 | theregister | MISCELLANEOUS | Discovery Beyond Pluto Challenges Planet 9 Theory | Japan's National Astronomical Observatory discovered a new celestial body, 2023 KQ14, with an orbit beyond Pluto using the Subaru Telescope.
The object's unique orbit offers new insights and challenges the existing "Planet 9" theory, suggesting a potential reshaping of our understanding of the solar system's structure.
Scientists now consider the possibility that an ancient planet may have been ejected from the solar system, giving rise to the observed unusual orbits of certain celestial bodies.
Further observations and data analysis will be required to fully understand the implications of this discovery on the broader theories of planetary and solar system formation.
The Australian political party Trumpet of Patriots suffered a significant data breach but chose not to notify affected individuals, raising concerns about data security and privacy.
Indian mobile carrier Bharti Airtel's partnership with Perplexity AI grants 360 million customers access to advanced AI research tools, marking a significant expansion in user access to AI technology.
NEC announced construction of a new subsea cable linking Japan and Singapore to enhance connectivity and support high-bandwidth applications. | Details |
| 2025-07-21 04:43:06 | bleepingcomputer | CYBERCRIME | Microsoft Issues Urgent Fixes for SharePoint Security Flaws | Microsoft released emergency patches for two zero-day vulnerabilities in SharePoint, identified as CVE-2025-53770 and CVE-2025-53771.
These security flaws were exploited in the global "ToolShell" attacks, impacting at least 54 organizations.
The vulnerabilities allowed attackers to bypass earlier patches released by Microsoft, posing serious threats to affected systems.
Emergency security updates have been issued for Microsoft SharePoint Subscription Edition and SharePoint 2019.
Microsoft is also working on patches for SharePoint 2016, which are currently not available.
SharePoint administrators are advised to immediately install the updates and rotate the machine keys to mitigate any potential risks.
Microsoft has provided a specific Microsoft 365 Defender query to help administrators check for signs of the exploit on their servers. | Details |
| 2025-07-21 04:11:20 | thehackernews | CYBERCRIME | Widespread Cryptojacking Campaign Targets Over 3,500 Websites | Researchers have identified a sophisticated cryptojacking campaign affecting more than 3,500 websites globally, using stealth JavaScript.
The deployed stealth miners assess a device's computational power and use Web Workers to mine cryptocurrency covertly and remain undetected.
The cryptojacking script leverages WebSockets to dynamically receive mining tasks adjusted to device capabilities, optimizing stealth.
Users of affected websites inadvertently mine cryptocurrency due to covert mining scripts, without their consent or awareness.
The domains hosting these JavaScript miners have previously been associated with Magecart credit card skimming operations.
This diversification of attack vectors includes both cryptocurrency mining and financial theft from unsuspecting website visitors.
The tactics focus on staying hidden and slowly draining resources, described as a "digital vampire" approach by researchers.
Coinciding Magecart campaigns have targeted East Asian e-commerce platforms to steal bank details using fake payment forms. | Details |
| 2025-07-21 03:55:14 | thehackernews | CYBERCRIME | HPE Fixes Critical Flaws in Instant On Access Points | Hewlett-Packard Enterprise (HPE) has issued security updates for critical vulnerabilities in their Instant On Access Points.
The main vulnerability, identified as CVE-2025-37103 with a CVSS score of 9.8, involved hard-coded credentials that could allow unauthorized administrative access.
Another issue, CVE-2025-37102, is a command injection flaw rated with a CVSS score of 7.2, permitting command execution with elevated privileges.
The two vulnerabilities could potentially be chained to exploit the system’s administration controls and execute arbitrary commands.
These security flaws were discovered and reported by the Ubisectech Sirius Team.
The vulnerabilities have been addressed in the latest software update, version 3.2.1.0, for HPE Networking Instant On Access Points.
HPE confirms that other devices, including Instant On Switches, are not impacted by these vulnerabilities.
Users are urged to update their systems promptly to prevent possible exploitations, though there has been no active exploitation reported so far. | Details |
| 2025-07-21 03:36:26 | thehackernews | CYBERCRIME | Microsoft Issues Urgent Patches for Exploited SharePoint Flaws | Microsoft released critical patches for a severe Remote Code Execution (RCE) flaw in SharePoint after identifying active exploitation of the vulnerability.
The security flaw, tracked as CVE-2025-53770 with a CVSS score of 9.8, allows attackers to execute arbitrary code by deserializing untrusted data in on-premise SharePoint Servers.
An associated spoofing flaw, tracked as CVE-2025-53771 (CVSS score: 6.3), also received robust protection updates.
Both vulnerabilities impact only on-premises versions of SharePoint Server, with no current implications for SharePoint Online in Microsoft 365.
A related exploit chain, ToolShell, identified in previously addressed vulnerabilities (CVE-2025-49704 and CVE-2025-49706), has been patched as well.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed CVE-2025-53770 in its Known Exploited Vulnerabilities catalog, urging immediate patch application.
Reports from Eye Security and Palo Alto Networks indicate that the exploitation has affected sectors including banks, universities, government entities, schools, healthcare, and large enterprises.
Recommendations include immediate patch installation, cryptographic key rotation, and continued vigilance for additional incident response and security enhancement. | Details |
| 2025-07-21 00:20:17 | theregister | NATION STATE ACTIVITY | Microsoft SharePoint Flaw Exploited, Ring Reverses Privacy Promise | Microsoft has disclosed ongoing attacks exploiting a zero-day vulnerability in on-prem SharePoint Servers, which was inadequately addressed in earlier patches.
The critical flaw, rated 9.8/10 on the CVSS scale, allows unauthorized code execution and is a variant of another less severe bug Microsoft attempted to patch recently.
While patches for SharePoint Server Subscription Edition are available, versions 2016 and 2019 remain vulnerable, with recommendations to enable the Windows Antimalware Scan Interface and use antivirus tools effectively.
CISA has issued alerts to monitor specific IPs and suspicious activities related to this vulnerability.
The Electronic Frontier Foundation criticizes Amazon’s Ring for backtracking on its privacy stance by allowing police access to live CCTV feeds from homes without warrants.
In China, new surveillance measures enable the government to install tracking malware on smartphones at border entries, risking privacy and data security for international visitors.
Microsoft halts the involvement of Chinese engineers in projects for the US Department of Defense following a report highlighting potential security risks.
These cybersecurity incidents highlight significant concerns in both corporate settings and international privacy and surveillance practices. | Details |
| 2025-07-20 16:17:01 | thehackernews | MALWARE | EncryptHub Targets Web3 Developers with Fickle Stealer Malware | EncryptHub, formerly known as LARVA-208 and Water Gamayun, launches a new malware campaign targeting Web3 developers.
Attackers use fake AI platforms offering job opportunities or portfolio reviews to attract victims and deploy Fickle Stealer malware.
The focus on Web3 developers, commonly managing crypto wallets and sensitive project data, allows EncryptHub to monetize via data exfiltration.
Initial contact is made through legitimate channels like Google Meet, then victims are directed to malicious platforms like Norlax AI under the pretext of technical issues.
Once lured, victims inadvertently download malware disguised as a genuine audio driver, which gathers and transmits data to the attackers' server.
The stolen information includes cryptocurrency wallet credentials, development credentials, and sensitive project data suitable for illicit markets.
PRODAFT’s report hints at a significant shift in EncryptHub’s tactics from ransomware to information stealers, emphasizing data theft over system lockdown. | Details |
| 2025-07-20 15:42:43 | bleepingcomputer | MALWARE | Critical Zero-Day Vulnerability Exposes Microsoft SharePoint Servers | A critical zero-day vulnerability in Microsoft SharePoint, identified as CVE-2025-53770, is currently being exploited, with no available patch.
Originally demonstrated via the "ToolShell" attack at Pwn2Own 2025, this flaw is a variant of another vulnerability patched in July.
Over 85 SharePoint servers globally have been confirmed as compromised due to this exploit.
Microsoft advises customers to enable AMSI integration and deploy Defender AV to prevent attacks.
The vulnerability specifically affects on-premises SharePoint servers, not impacting Microsoft 365 users.
Attackers have utilized stolen cryptographic keys to craft authentic SharePoint tokens for remote code execution.
Administrators should check specific system files and logs for indicators of compromise to confirm if their systems are affected.
Microsoft is actively working on a security update, while affected systems should be disconnected from the internet until then. | Details |
| 2025-07-20 14:11:36 | bleepingcomputer | MALWARE | Critical Security Flaw in HPE Aruba Access Points Exposed | HPE has identified a critical vulnerability (CVE-2025-37103) in Aruba Instant On Access Points affecting firmware version 3.2.0.1 and below, rated 9.8 on the CVSS v3.1 scale.
The vulnerability is due to hardcoded administrative credentials that let attackers bypass authentication and access device controls.
Attackers exploiting this flaw can change settings, capture traffic, and potentially enable further network breaches.
A second, related high-severity issue (CVE-2025-37102) involves command injection in the device's CLI, reachable only through administrative access enabled by the first flaw.
Both vulnerabilities can be mitigated by upgrading to firmware version 3.2.1.0 or newer; HPE has not provided any workarounds.
There have been no reported exploits yet, but immediate firmware updates are strongly advised to prevent potential security breaches.
The exposure highlights the importance of regular device maintenance and the need for robust cybersecurity practices in network management. | Details |
| 2025-07-20 11:07:47 | theregister | NATION STATE ACTIVITY | UK Accuses Russian GRU of Deploying Malware to Steal Email Credentials | The UK has attributed the novel "Authentic Antics" malware to Russia's GRU, targeting Microsoft Outlook to harvest email credentials.
This malware revelation coincided with UK sanctions against three GRU units and various individuals for long-standing cyber espionage.
Authentic Antics malware operates by mimicking a login screen within Outlook, stealing user credentials and OAuth tokens when entered.
The stolen OAuth tokens allow unauthorized access to multiple Microsoft services such as Exchange Online, SharePoint, and OneDrive.
In addition to credential theft, the malware exfiltrates data by sending emails from compromised accounts to a controlled address, without leaving traces in the "sent" folder.
This cybersecurity threat is part of a broader spectrum of GRU activities, including espionage and physical attacks linked directly to conflicts like the invasion of Ukraine.
Global responses include condemnations and coordinated warnings from entities like the EU, NATO, and US security agencies regarding GRU's malicious cyber operations. | Details |
| 2025-07-20 09:57:10 | thehackernews | DATA BREACH | Critical SharePoint Zero-Day Breaches Globally Tops 75 Organizations | A severe zero-day vulnerability in Microsoft SharePoint Server, CVE-2025-53770, is being actively exploited, affecting over 75 organizations globally.
The flaw, with a high severity rating of 9.8, facilitates unauthorized remote code execution by deserializing untrusted data.
Microsoft has acknowledged the vulnerability and is working on a security update; in the meantime, SharePoint Online users are not impacted.
Interim protective measures recommended by Microsoft include enabling AMSI integration and deploying Defender AV on all SharePoint servers.
The exploit, named ToolShell, involves delivering malicious ASPX payloads via PowerShell to steal sensitive server configuration keys for persistent access.
The stolen keys allow attackers to convert authenticated SharePoint requests into remote code execution opportunities.
Large enterprises and government bodies worldwide have been confirmed as compromised.
Microsoft, cybersecurity firms, and researchers continue to monitor and address the escalating impacts of these attacks. | Details |