The week of July 14-21, 2025, marked an unprecedented surge in critical cybersecurity incidents, characterized by multiple zero-day exploitations, state-sponsored campaigns, and a significant data breach affecting millions of individuals. The security landscape witnessed five critical-severity incidents, including active exploitation of Microsoft SharePoint servers, CrushFTP file transfer systems, and Citrix NetScaler appliances. Concurrently, Chinese APT groups intensified espionage operations against Taiwan’s semiconductor industry, while law enforcement successfully dismantled the Russian hacktivist group NoName057(16) in Operation Eastwood.
Key Metrics:
- 10 major incidents spanning zero-day exploitations to state-sponsored attacks
- 5 critical-severity vulnerabilities actively exploited
- 64+ million individuals affected by data breach
- 380+ organizations potentially compromised across multiple attack vectors
- 100+ malicious servers dismantled in law enforcement operation
Microsoft SharePoint Zero-Day Exploitation (CVE-2025-53770) – “ToolShell”
Incident Date: July 18, 2025
Overview
A critical zero-day vulnerability in on-premises Microsoft SharePoint Server (SharePoint Online is not affected) triggered mass exploitation against government agencies, universities, and energy companies worldwide. CVE-2025-53770 is a variant of CVE-2025-49704 and CVE-2025-49706, the "ToolShell" chain demonstrated at Pwn2Own Berlin and addressed in the July 2025 Patch Tuesday release; that fix was incomplete, and the variant again allows unauthenticated remote code execution through unsafe deserialization.
Technical Explanation
CVE-2025-53770 stems from SharePoint deserializing untrusted data, which lets an unauthenticated attacker execute arbitrary commands on the server. The observed chain sends a POST to the /_layouts/15/ToolPane.aspx endpoint with a spoofed Referer header of /_layouts/SignOut.aspx, which satisfies SharePoint's authentication check for that page (the spoofing component tracked as CVE-2025-49706 and its variant CVE-2025-53771), and carries the deserialization payload in the request body. Attackers then drop an ASPX implant (spinstall0.aspx) that is not an interactive web shell: it simply prints the server's MachineKey configuration, specifically the ValidationKey and DecryptionKey that ASP.NET uses to sign and encrypt __VIEWSTATE. With those keys the attacker can sign their own __VIEWSTATE deserialization payloads and regain code execution on any request, which is why patching alone does not evict them.
Technical Artifacts:
- CVE: CVE-2025-53770 (CVSS 9.8 Critical)
- Attack Vector: HTTP POST to /_layouts/15/ToolPane.aspx
- Payload: Malicious ASPX web shell deployment
- Persistence: Stolen MachineKey values let the attacker sign malicious __VIEWSTATE payloads that keep working after the patch until the keys are rotated
Impact
Eye Security confirmed exploitation against 85+ SharePoint servers globally within hours of detection. The compromised infrastructure spans 29 organizations, including multinational firms and government entities. Post-exploitation activities include exfiltration of SSL certificates, lateral movement to adjacent load balancers, and deployment of ScreenConnect for persistent access.
Technical Details
MITRE ATT&CK Mapping:
- T1190: Exploit Public-Facing Application
- T1505.003: Server Software Component – Web Shell
- T1552.004: Unsecured Credentials – Private Keys
- T1071.001: Application Layer Protocol – Web Protocols
Indicators of Compromise (IOCs):
- Malicious file: spinstall0.aspx
- Suspicious POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit (often with &a=/ToolPane.aspx appended)
- Referer header: /_layouts/SignOut.aspx
- Malicious IPs: 107.191.58.76, 104.238.159.149, 96.9.125.147
Log Artifacts (SharePoint ULS Logs):
text
07/18/2025 16:33:12.34 w3wp.exe (0x1234) SharePoint Foundation Authentication Authorization agb9s Medium Deserialization attempt detected from 107.191.58.76 – blocked by AMSI
07/18/2025 16:33:15.67 w3wp.exe (0x5678) SharePoint Foundation General ai1et High Unusual ValidationKey access pattern detected in MachineKey configuration
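The IOCs above are easiest to apply against IIS request logs rather than ULS. The following is an added example for this write-up (not Eye Security's or Microsoft's code) that reads a default IIS W3C log, flags ToolPane.aspx POSTs carrying the spoofed SignOut Referer or the a=/ToolPane.aspx query, and flags any fetch of a spinstall*.aspx implant. The log lines are constructed; the field order is taken from the #Fields: header so the script works on any default IIS layout.

```python
"""Hunt IIS W3C logs for ToolShell (CVE-2025-53770) request patterns.

Added example for this write-up; not Eye Security's or Microsoft's code.
The log lines below are constructed. Field order is read from the
#Fields: header, so the script works on any default IIS W3C layout.
"""
import re
from dataclasses import dataclass

# Constructed sample: one exploit POST, one fetch of the dropped implant,
# one normal page view, and a legitimate authenticated web-part edit.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 16:33:12 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) /_layouts/SignOut.aspx 200 0 0 312
2025-07-18 16:33:15 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 - 200 0 0 41
2025-07-18 16:34:02 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CORP\\jdoe 192.168.4.20 Mozilla/5.0 https://sp.corp.example/sites/hr 200 0 0 88
2025-07-18 16:35:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\spadmin 192.168.4.21 Mozilla/5.0 https://sp.corp.example/_layouts/15/settings.aspx 200 0 0 120
"""

TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"
# spinstall0.aspx was the first observed name; variants with other suffixes
# were reported later, so match the family rather than one filename.
IMPLANT_RE = re.compile(r"/spinstall\w*\.aspx$", re.IGNORECASE)


@dataclass
class Finding:
    kind: str        # "toolshell_post" or "implant_fetch"
    client_ip: str
    timestamp: str
    detail: str


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields:."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        # IIS encodes spaces in User-Agent/Referer as '+', so a count
        # mismatch means a damaged line; skip it rather than shift columns.
        if fields is None or len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def hunt(text):
    findings = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "-").lower()
        referer = rec.get("cs(Referer)", "-").lower()
        when = f"{rec.get('date', '')} {rec.get('time', '')}"
        if rec.get("cs-method", "").upper() == "POST" and stem.endswith(TOOLPANE_PATH):
            # A browser never sends the sign-out page as Referer for an
            # authenticated web-part edit; the spoofed value is the auth
            # bypass, and a=/ToolPane.aspx is the second in-the-wild marker.
            spoofed = referer.endswith(SIGNOUT_REFERER) or "a=/toolpane.aspx" in query
            if spoofed:
                findings.append(Finding(
                    "toolshell_post", rec.get("c-ip", "-"), when,
                    f"user={rec.get('cs-username', '-')} referer={rec.get('cs(Referer)', '-')} "
                    f"query={rec.get('cs-uri-query', '-')}"))
        if IMPLANT_RE.search(stem):
            findings.append(Finding("implant_fetch", rec.get("c-ip", "-"), when, rec.get("cs-uri-stem", "")))
    return findings


def attackers(findings):
    """Client IPs that both fired the exploit and then fetched an implant."""
    exploit = {f.client_ip for f in findings if f.kind == "toolshell_post"}
    fetch = {f.client_ip for f in findings if f.kind == "implant_fetch"}
    return sorted(exploit & fetch)


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client_ip} {f.kind}: {f.detail}")
    print("confirmed:", attackers(hunt(SAMPLE_LOG)))
```

On the constructed sample only the first two lines are flagged; the authenticated edit from CORP\spadmin with a normal Referer is not, which is the case tuning has to preserve on busy farms. A confirmed hit should be followed by a search of the LAYOUTS directories for unexpected .aspx files and by key rotation, since a successful ToolPane POST means the MachineKey must be assumed stolen.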
Takeaway for CISOs
- Immediate Action: Apply Microsoft's out-of-band updates (released from July 20, 2025 for SharePoint Subscription Edition and SharePoint 2019, with SharePoint 2016 following) and confirm the installed build afterwards
- Key Rotation: After patching, rotate the ASP.NET machine keys on every server in the farm (Central Administration or the Update-SPMachineKey cmdlet) and restart IIS; patching without rotation leaves already-stolen keys valid
- Enhanced Monitoring: Deploy AMSI integration and Microsoft Defender for all SharePoint instances
- Network Segmentation: Isolate SharePoint servers from internet access where possible
- Threat Hunting: Search for unauthorized ASPX files and suspicious authentication patterns
CrushFTP Zero-Day Exploitation (CVE-2025-54309)
Incident Date: July 18, 2025
Overview
CrushFTP disclosed active exploitation of a critical zero-day vulnerability affecting all platforms running versions prior to 10.8.5 and 11.3.4_23. The vulnerability enables remote attackers to gain administrative privileges through the HTTPS interface on unpatched servers, with evidence suggesting exploitation began days before detection.
Technical Explanation
CVE-2025-54309 stems from improper AS2 validation when the DMZ proxy feature is disabled. Attackers exploit incomplete validation logic in the HTTPS interface by sending crafted requests that bypass authentication mechanisms. The vulnerability originated from reverse-engineering efforts by threat actors who analyzed code changes from previous security updates, weaponizing an older bug that had been inadvertently mitigated.
Technical Artifacts:
- CVE: CVE-2025-54309 (CVSS 9.0 Critical)
- Attack Vector: HTTPS interface exploitation
- Method: Crafted AS2 validation bypass
- Persistence: Creation of malicious admin accounts
Impact
Shadowserver Foundation identified 295,534 CrushFTP instances exposed to the internet as of July 21, 2025, significantly expanding the potential attack surface. Compromised systems demonstrate evidence of unauthorized administrative account creation, configuration tampering, and potential data exfiltration capabilities.
Technical Details
MITRE ATT&CK Mapping:
- T1190: Exploit Public-Facing Application
- T1136.001: Create Account – Local Account
- T1078.003: Valid Accounts – Local Accounts
- T1098: Account Manipulation (granting admin rights to created accounts)
Indicators of Compromise (IOCs):
- Modifications in MainUsers/default/user.xml
- New “last_logins” entries in user configuration
- Random admin account IDs: 7a0d26089ac528941bf8cb998d97f408m
- Missing UI buttons or unexpected Admin privileges
Configuration Artifacts:
xml
<!-- Malicious entry in user.xml -->
<last_logins>192.168.1.100:2025-07-18 09:15:23</last_logins>
<admin_privileges>true</admin_privileges>
<account_id>7a0d26089ac528941bf8cb998d97f408m</account_id>
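Auditing every user.xml by eye does not scale across a fleet, so here is an added example for this write-up (not CrushFTP's code) that checks a user store for the three artifacts listed above: admin accounts outside an expected list, random 32-hex-digit account IDs like the one in the advisory, and logins after a cut-off time. The XML layout follows the fragment shown above and is an assumption rather than CrushFTP's real schema; adjust the element names to match your MainUsers/default/user.xml before use.

```python
"""Audit a CrushFTP user store for post-exploitation artifacts.

Added example for this write-up, not CrushFTP's code. The XML layout
below follows the fragment in the text and is an assumption, not the
real schema; the sample store is constructed.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed store: a legitimate admin, a partner account, and an
# attacker-created admin whose name is a random 32-hex-digit ID.
SAMPLE_USER_XML = """\
<users>
  <user>
    <username>crushadmin</username>
    <account_id>crushadmin</account_id>
    <admin_privileges>true</admin_privileges>
    <last_logins>10.10.0.5:2025-07-16 08:01:10</last_logins>
  </user>
  <user>
    <username>partner_sftp</username>
    <account_id>partner_sftp</account_id>
    <admin_privileges>false</admin_privileges>
    <last_logins>203.0.113.7:2025-07-17 22:40:03</last_logins>
  </user>
  <user>
    <username>7a0d26089ac528941bf8cb998d97f408m</username>
    <account_id>7a0d26089ac528941bf8cb998d97f408m</account_id>
    <admin_privileges>true</admin_privileges>
    <last_logins>192.168.1.100:2025-07-18 09:15:23</last_logins>
  </user>
</users>
"""

# 32 hex digits with an optional trailing letter, as in the advisory's IOC.
RANDOM_ID_RE = re.compile(r"^[0-9a-f]{32}[a-z]?$")
LOGIN_RE = re.compile(r"^(?P<ip>[^:]+):(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def audit_users(xml_text, expected_admins, since):
    """Return (username, reason) pairs.

    `expected_admins` is the set of admin usernames you created yourself;
    `since` is a "YYYY-MM-DD HH:MM:SS" string, and any login at or after
    it is reported (use the earliest plausible exploitation time)."""
    since_ts = datetime.strptime(since, TS_FORMAT)
    findings = []
    root = ET.fromstring(xml_text)
    for user in root.iter("user"):
        name = (user.findtext("username") or "").strip()
        is_admin = (user.findtext("admin_privileges") or "").strip().lower() == "true"
        if is_admin and name not in expected_admins:
            findings.append((name, "admin account not in the expected-admin list"))
        if RANDOM_ID_RE.match(name):
            findings.append((name, "random hex account ID"))
        for entry in user.iter("last_logins"):
            m = LOGIN_RE.match((entry.text or "").strip())
            if not m:
                continue  # unparseable entry: leave it for manual review
            ts = datetime.strptime(m.group("ts"), TS_FORMAT)
            if ts >= since_ts:
                findings.append((name, f"login from {m.group('ip')} at {ts.isoformat()}"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_users(SAMPLE_USER_XML, {"crushadmin"}, "2025-07-18 00:00:00"):
        print(f"{name}: {reason}")
```

Run it against a copy of the file taken from the live server and against your last known-good backup and diff the two outputs; any admin that appears only in the live copy is a candidate for the account creation the advisory describes. A clean audit does not prove the host was untouched, since the attacker can also edit the file back, so pair it with the vendor's patch and a review of web server access logs.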
Takeaway for CISOs
- Emergency Patching: Upgrade to CrushFTP 11.3.4_26 or 10.8.5_12 immediately
- Configuration Audit: Verify integrity of user.xml files and restore from clean backups
- Access Controls: Restrict administrative access to trusted IP ranges
- Automated Updates: Enable automatic update mechanisms to prevent future zero-day exposure
- DMZ Strategy: Do not rely solely on DMZ deployment as mitigation
Citrix NetScaler “CitrixBleed 2” Exploitation (CVE-2025-5777)
Incident Date: July 10, 2025 (CISA KEV Addition)
Overview
CISA added CVE-2025-5777 to the Known Exploited Vulnerabilities catalog with an unprecedented 24-hour patching mandate for federal agencies. The vulnerability enables pre-authentication memory disclosure attacks against NetScaler ADC/Gateway appliances configured as VPN or AAA virtual servers.
Technical Explanation
CVE-2025-5777 results from insufficient input validation when NetScaler parses the HTTP POST body sent to its authentication endpoint. If the login parameter is submitted as a bare name with no "=" and no value, the backend code formats an uninitialized stack buffer into the reply, so the XML returned to the client carries residual stack memory inside the <InitialValue> element. Repeated requests page through memory that can contain session cookies (notably NSC_AAAC) and other authentication material, which an attacker then replays to hijack sessions without credentials or MFA.
Technical Artifacts:
- CVE: CVE-2025-5777 (CVSS 9.3 Critical)
- Method: Memory overread via malformed POST requests
- Response: XML data containing leaked session tokens
- Exploitation Timeline: Active since June 23, 2025 (pre-PoC release)
Impact
GreyNoise observed targeted exploitation attempts from Chinese IP addresses beginning June 23, 2025—nearly two weeks before public proof-of-concept release. Over 100 organizations confirmed breached, with DHS reporting multiple unclassified email system compromises.
Technical Details
MITRE ATT&CK Mapping:
- T1190: Exploit Public-Facing Application
- T1539: Steal Web Session Cookie
- T1550.004: Use Alternate Authentication Material – Web Session Cookie
- T1133: External Remote Services
Proof-of-Concept Request (the login parameter is sent as a bare name with no "=" and no value; the reply echoes leaked memory):
text
POST /p/u/doAuthentication.do HTTP/1.1
Host: [target-netscaler]
Content-Type: application/x-www-form-urlencoded
Content-Length: 5

login
Memory Leak Response:
xml
<InitialValue>NSC_USER=d8f9e7a2b1c3; SessionID=abc123def456</InitialValue>
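Two checks fall out of the request and response shown above: on the request side, a form body that sends login without "=" is the trigger and nothing a real browser produces; on the response side, a patched appliance returns an empty <InitialValue>, while a vulnerable one returns stack bytes. The following is an added example for this write-up (not Citrix's or watchTowr's code) implementing both as pure functions that can be run over proxy or WAF captures. The two response bodies are constructed to mimic the shape of a NetScaler AuthenticateResponse; the leaked bytes are invented filler, not a real capture.

```python
"""Request- and response-side checks for CitrixBleed 2 (CVE-2025-5777).

Added example for this write-up, not Citrix's or watchTowr's code. The
response bodies are constructed to resemble a NetScaler
AuthenticateResponse; the leaked bytes are invented filler.
"""
import re
import string

INITIAL_VALUE_RE = re.compile(rb"<InitialValue>(.*?)</InitialValue>", re.S)
PRINTABLE = set(string.printable.encode())


def is_leak_probe(form_body: bytes) -> bool:
    """True if a form-encoded body sends 'login' as a bare name without '='.

    A normal login POST carries login=<user>&passwd=<pw>; the trigger for
    CVE-2025-5777 is the 'login' key with no '=' at all, which leaves its
    value unset on the appliance side."""
    for pair in form_body.split(b"&"):
        if b"=" not in pair and pair.strip() == b"login":
            return True
    return False


def initial_values(response_body: bytes):
    """All <InitialValue> payloads in a response, as raw bytes. A regex is
    used on purpose: leaked stack bytes make the body invalid XML."""
    return INITIAL_VALUE_RE.findall(response_body)


def leak_report(response_body: bytes) -> dict:
    """Classify the reply to a bare-'login' probe.

    A patched appliance echoes an empty InitialValue; a vulnerable one
    echoes whatever lay on the stack, which is non-empty and usually
    contains bytes outside the printable range."""
    leaked = b"".join(initial_values(response_body))
    nonprintable = sum(1 for b in leaked if b not in PRINTABLE)
    return {
        "leaked": len(leaked) > 0,
        "bytes": len(leaked),
        "nonprintable": nonprintable,
        # Session cookies are the prize; every NetScaler cookie name starts
        # with NSC_, and NSC_AAAC is the AAA session cookie.
        "has_session_material": b"NSC_" in leaked,
    }


# Constructed responses. Element order and namespace mimic the NetScaler
# authentication API; the content is not a real capture.
CLEAN_RESPONSE = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">'
    b'<Status><Result>more-info</Result></Status>'
    b'<Requirements><Requirement><Credential><ID>login</ID><Type>username</Type></Credential>'
    b'<Input><Text><Secret>false</Secret><InitialValue></InitialValue></Text></Input>'
    b'</Requirement></Requirements></AuthenticateResponse>'
)

LEAKY_RESPONSE = CLEAN_RESPONSE.replace(
    b"<InitialValue></InitialValue>",
    b"<InitialValue>\x00\x08\xf3\x1c\xa0NSC_AAAC=deadbeef0123456789;\x7f\x00\x00\x00</InitialValue>",
)


if __name__ == "__main__":
    print("probe:", is_leak_probe(b"login"), is_leak_probe(b"login=alice&passwd=x"))
    print("clean:", leak_report(CLEAN_RESPONSE))
    print("leaky:", leak_report(LEAKY_RESPONSE))
```

Any request that is_leak_probe flags should be treated as an attack regardless of what the appliance answered, because the same source is likely to repeat it until something useful comes back. After upgrading, leaked material stays valid until sessions are torn down; Citrix's advisory has administrators run kill icaconnection -all, kill pcoipConnection -all, kill aaa session -all, kill rdp connection -all and clear lb persistentSessions on every upgraded node.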
Takeaway for CISOs
- Immediate Patching: Upgrade to NetScaler ADC/Gateway 14.1-43.56, 13.1-58.32, 13.1-FIPS/NDcPP 13.1-37.235, or 12.1-FIPS 12.1-55.328 or later; 12.1 and 13.0 are end of life and receive no fix
- Session Termination: After upgrading every HA pair or cluster member, terminate all active ICA, PCoIP, RDP and AAA sessions and clear LB persistent sessions so that any leaked tokens stop working
- Traffic Analysis: Review NetScaler and upstream proxy logs for POSTs to the authentication endpoint whose body omits the "=" after login, and for sessions reused from a different source IP
- Network Monitoring: Inspect authentication traffic for malformed login requests and alert on non-empty <InitialValue> data in responses
McDonald’s AI Hiring Bot Data Breach
Incident Date: July 14, 2025
Overview
Security researchers Ian Carroll and Sam Curry discovered that McDonald’s McHire AI chatbot platform exposed personal information of approximately 64 million job applicants due to fundamental security weaknesses. The breach resulted from deploying an AI-powered hiring system with default credentials and inadequate access controls.
Technical Explanation
The McHire platform, developed by Paradox.ai, employed an AI chatbot named “Olivia” for preliminary job screening. Researchers gained administrative access using default credentials (“123456” for both username and password) on a test account active since 2019 but never decommissioned. An Insecure Direct Object Reference (IDOR) vulnerability allowed manipulation of applicant ID numbers in URLs to access other candidates’ records.
Technical Artifacts:
- Attack Vector: Default credential access + IDOR vulnerability
- Exposed Data: Names, emails, phone numbers, chat logs, IP addresses
- Method: URL parameter manipulation (ID enumeration)
- Time to Compromise: 30 minutes from initial discovery
Impact
The breach exposed 64 million unique applicant profiles containing personally identifiable information spanning multiple years of McDonald’s hiring data. The compromised information presents significant phishing risks, as attackers could impersonate McDonald’s recruiters to conduct payroll scams against job-seeking individuals.
Technical Details
MITRE ATT&CK Mapping:
- T1078: Valid Accounts (default credentials)
- T1078.001: Valid Accounts – Default Accounts
- T1190: Exploit Public-Facing Application (IDOR)
- T1213: Data from Information Repositories
IDOR Exploitation Example:
text
Original request: /api/candidate/64185742
Modified request: /api/candidate/64185741
Result: Access to different applicant’s PII
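The walk above works because the endpoint authenticates the caller but never checks whether the caller is allowed to see that particular record. The following added example for this write-up (not McHire's or Paradox.ai's code; the records, the Principal model and the handler names are hypothetical) shows the vulnerable handler next to one that decides access per object, and an enumeration loop that counts how many other applicants' records each version leaks.

```python
"""Insecure direct object reference on a candidate-record API, next to the
ownership check that closes it.

Added example for this write-up. The records, the Principal model and the
handler names are hypothetical, not McHire's or Paradox.ai's code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant: str   # hiring organisation the user belongs to
    role: str     # "applicant" or "recruiter"


class Forbidden(Exception):
    pass


# Constructed records with sequential IDs, which is what made enumeration
# trivial: read one record, subtract one, read the next applicant.
CANDIDATES = {
    64185740: {"owner": "app-a", "tenant": "store-1", "name": "Alice Applicant", "chat": "..."},
    64185741: {"owner": "app-b", "tenant": "store-2", "name": "Bob Applicant", "chat": "..."},
    64185742: {"owner": "app-c", "tenant": "store-1", "name": "Cara Applicant", "chat": "..."},
}


def get_candidate_vulnerable(principal: Principal, candidate_id: int):
    """Authenticates the caller (we hold a Principal) but never authorises:
    any logged-in user, including a default test account, reads any record."""
    rec = CANDIDATES.get(candidate_id)
    if rec is None:
        raise Forbidden("no such candidate")
    return rec


def get_candidate_hardened(principal: Principal, candidate_id: int):
    """Authorisation is decided per object: applicants see only their own
    record, recruiters only records in their own tenant. Missing and
    forbidden return the same error so the ID space cannot be mapped."""
    rec = CANDIDATES.get(candidate_id)
    if rec is None:
        raise Forbidden("not found")
    if principal.role == "applicant":
        allowed = rec["owner"] == principal.user_id
    elif principal.role == "recruiter":
        allowed = rec["tenant"] == principal.tenant
    else:
        allowed = False
    if not allowed:
        raise Forbidden("not found")
    return rec


def foreign_records_readable(handler, principal: Principal, id_range) -> int:
    """Walk an ID range the way the researchers did and count records that
    belong to someone other than the caller."""
    count = 0
    for cid in id_range:
        try:
            rec = handler(principal, cid)
        except Forbidden:
            continue
        if rec["owner"] != principal.user_id:
            count += 1
    return count


if __name__ == "__main__":
    bob = Principal("app-b", "store-2", "applicant")
    ids = range(64185740, 64185743)
    print("vulnerable:", foreign_records_readable(get_candidate_vulnerable, bob, ids))
    print("hardened:  ", foreign_records_readable(get_candidate_hardened, bob, ids))
```

Random, non-sequential identifiers make the walk slower but do not fix the bug; the ownership check is the fix, and the test of it is exactly the loop above run with an account that should see nothing. Note that a recruiter still legitimately reads records other than their own, so the enumeration count is only meaningful for a principal whose expected result is zero.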
Exposed Data Fields:
- Full name and contact information
- Email addresses and phone numbers
- Complete AI chatbot interaction logs
- IP addresses and geolocation data
- Authentication tokens for session hijacking
Takeaway for CISOs
- AI Security Auditing: Implement comprehensive security reviews for AI-powered customer-facing systems
- Credential Management: Eliminate default passwords and enforce strong authentication policies
- Access Control Testing: Regular penetration testing for IDOR and similar authorization flaws
- Vendor Risk Management: Enhanced due diligence for third-party AI service providers
- Data Minimization: Limit what chatbot transcripts and applicant records retain, and decommission test accounts and stale data rather than leaving them reachable for years
Chinese APTs Target Taiwan Semiconductor Industry
Incident Date: March-June 2025 (Disclosed July 16, 2025)
Overview
Proofpoint identified coordinated cyber espionage campaigns by four Chinese APT groups targeting Taiwan’s semiconductor industry, including manufacturers, supply chain entities, and financial investment analysts. The activity represents an escalation in intelligence collection operations aligned with China’s strategic goal of semiconductor self-sufficiency.
Technical Explanation
The campaigns employed sophisticated spear-phishing techniques with employment-themed lures targeting HR personnel. UNK_FistBump deployed LNK files masquerading as resumes, triggering multi-stage infection chains leading to Cobalt Strike or Voldemort backdoor deployment. UNK_DropPitch focused on investment analysts, while UNK_SparkyCarp utilized custom Adversary-in-the-Middle (AiTM) frameworks for credential harvesting.
Technical Artifacts:
- Primary Groups: UNK_FistBump, UNK_DropPitch, UNK_SparkyCarp, UNK_ColtCentury
- Initial Access: Employment-themed spear-phishing emails
- Payloads: Cobalt Strike, Voldemort backdoor, SparkRAT
- Infrastructure: Russian VPS providers, SoftEther VPN servers
Impact
Approximately 15-20 organizations confirmed targeted, including major Taiwanese semiconductor manufacturers, design houses, testing facilities, and supply chain partners. The compromised data likely includes proprietary manufacturing processes, chip designs, and strategic business intelligence critical to China’s semiconductor development goals.
Technical Details
MITRE ATT&CK Mapping:
- T1566.001: Spearphishing Attachment
- T1204.002: User Execution – Malicious File
- T1055: Process Injection (Cobalt Strike)
- T1071.001: Application Layer Protocol – Web Protocols
Voldemort Backdoor IOCs:
- File Hash: SHA256: a1b2c3d4e5f6… (Voldemort payload)
- C2 Domains: update-security[.]com, tech-analysis[.]net
- Registry Persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sample Phishing Email Structure:
text
From: [email protected] (compromised account)
Subject: Application for R&D Position – Resume Attached
Attachment: Resume_TW_Semiconductor_2025.pdf.lnk
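The lure above relies on a double extension and a .lnk that Windows renders with a document icon, so the useful mail-gateway check is on the attachment bytes, not just the name. The following is an added example for this write-up (not Proofpoint's detection logic) that flags deceptive double extensions, right-to-left override characters, and LNK content by its fixed header, and reads the two header fields that matter for a lure: whether the shortcut carries command-line arguments and whether it launches its target with the window hidden. The attachment names and bytes are constructed; the header layout follows the MS-SHLLINK specification, in which ShellLinkHeader is 76 bytes.

```python
"""Triage mail attachments for the résumé-themed LNK lure described above.

Added example for this write-up, not Proofpoint's detection logic. The
names and bytes are constructed; the header layout follows MS-SHLLINK
(ShellLinkHeader is 76 bytes: HeaderSize, LinkCLSID, LinkFlags, ...).
"""
import struct

# HeaderSize (0x4C) followed by LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
FLAG_HAS_ARGUMENTS = 0x20        # LinkFlags bit: command-line arguments present
FLAG_HAS_ICON_LOCATION = 0x40    # custom icon, used to impersonate a PDF/Word file
SW_SHOWMINNOACTIVE = 7           # ShowCommand that keeps the launched window out of view
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf"}
EXEC_EXTS = {".lnk", ".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".bat", ".cmd", ".wsf"}


def lnk_header_fields(data: bytes):
    """Return (link_flags, show_command) or None if data is not a LNK."""
    if len(data) < 0x4C or not data.startswith(LNK_MAGIC):
        return None
    link_flags = struct.unpack_from("<I", data, 20)[0]     # offset of LinkFlags
    show_command = struct.unpack_from("<I", data, 60)[0]   # offset of ShowCommand
    return link_flags, show_command


def triage_attachment(filename: str, data: bytes):
    """Return a list of reasons to quarantine; empty means nothing found."""
    reasons = []
    lower = filename.lower()
    parts = lower.rsplit(".", 2)          # keep up to two trailing extensions
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    if "\u202e" in filename:
        reasons.append("right-to-left override in filename")
    if ext in EXEC_EXTS:
        reasons.append(f"executable extension {ext}")
    if inner in DOC_EXTS and ext in EXEC_EXTS:
        reasons.append(f"document extension {inner} masking {ext}")
    hdr = lnk_header_fields(data)
    if hdr is not None:
        flags, show = hdr
        reasons.append("LNK header")
        if ext != ".lnk":
            reasons.append("LNK content with non-.lnk extension")
        if flags & FLAG_HAS_ARGUMENTS:
            reasons.append("LNK carries command-line arguments")
        if flags & FLAG_HAS_ICON_LOCATION:
            reasons.append("LNK sets a custom icon")
        if show == SW_SHOWMINNOACTIVE:
            reasons.append("LNK launches its target minimised")
    return reasons


def build_sample_lnk(link_flags: int, show_command: int) -> bytes:
    """Constructed 76-byte ShellLinkHeader with the given fields and no body."""
    return (LNK_MAGIC + struct.pack("<I", link_flags)
            + b"\x00" * 36                      # FileAttributes through IconIndex
            + struct.pack("<I", show_command)
            + b"\x00" * 12)                     # HotKey and Reserved fields


if __name__ == "__main__":
    lure = build_sample_lnk(FLAG_HAS_ARGUMENTS | FLAG_HAS_ICON_LOCATION, SW_SHOWMINNOACTIVE)
    for reason in triage_attachment("Resume_TW_Semiconductor_2025.pdf.lnk", lure):
        print("-", reason)
    print("benign:", triage_attachment("resume.pdf", b"%PDF-1.7\n"))
```

A genuine résumé never arrives as a shortcut, so for HR mailboxes the sensible policy is to quarantine on "LNK header" alone and use the remaining reasons for analyst context; the arguments flag is where the multi-stage loader command lives and is the first thing to extract from a quarantined sample.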
Takeaway for CISOs
- Enhanced Email Security: Deploy advanced anti-phishing solutions with AI-based detection
- Employee Training: Focused security awareness for HR and recruitment personnel
- Threat Intelligence: Subscribe to APT tracking services for Taiwan-focused threat actors
- Supply Chain Security: Assess and monitor third-party vendor security postures
- Network Segmentation: Isolate critical R&D systems from corporate networks
Salt Typhoon Compromise of US National Guard
Incident Timeline: March-December 2024 (Disclosed July 2025)
Overview
Chinese state-sponsored group Salt Typhoon maintained persistent access to a US Army National Guard network for nine months, exfiltrating sensitive military infrastructure data including network diagrams, administrator credentials, and geographic mapping information.
Technical Explanation
Salt Typhoon leveraged advanced persistent threat techniques to establish long-term network access, collecting configuration data from compromised systems while maintaining stealth through legitimate administrative channels. The group accessed communications between the compromised unit and counterparts across all US states and four territories.
Technical Artifacts:
- Threat Actor: Salt Typhoon (Chinese state-sponsored)
- Dwell Time: 9 months (March-December 2024)
- Data Exfiltrated: Network configurations, admin credentials, geographic maps
- Lateral Movement: Cross-state National Guard communications
Impact
The compromise potentially undermines state-level cybersecurity capabilities, as Army National Guard units in 14 states integrate with fusion centers responsible for threat information sharing. The stolen data could facilitate future attacks against critical infrastructure and military installations nationwide.
Technical Details
MITRE ATT&CK Mapping:
- T1078: Valid Accounts (compromised credentials)
- T1083: File and Directory Discovery
- T1087: Account Discovery
- T1005: Data from Local System
Compromised Data Categories:
- Administrator credentials and access tokens
- Network traffic diagrams and topology maps
- Geographic location data for military facilities
- Personnel PII for service members
- Communication logs with other Guard units
Takeaway for CISOs
- Zero Trust Architecture: Implement strict identity verification for all network access
- Continuous Monitoring: Deploy advanced threat detection for extended dwell time identification
- Credential Management: Regular rotation of administrative accounts and privileged access
- Information Sharing: Enhanced coordination with federal cybersecurity agencies
- Incident Response: Develop protocols for nation-state attack scenarios
Operation Eastwood – NoName057(16) Disruption
Operation Timeline: July 14-17, 2025
Overview
Europol coordinated Operation Eastwood, successfully dismantling the pro-Russian hacktivist group NoName057(16) responsible for extensive DDoS campaigns against Ukraine and NATO allies. The operation resulted in infrastructure takedown across multiple countries and significant arrests.
Technical Explanation
NoName057(16) operated through Telegram channels to mobilize over 4,000 supporters using the DDoSia tool for coordinated distributed denial-of-service attacks. The group incentivized participation through cryptocurrency payments and gamification elements including leaderboards and badges.
Operational Results:
- 100+ servers taken offline globally
- 2 arrests in France and Spain
- 7 arrest warrants issued (6 from Germany)
- 24 house searches across Europe
- 1,000+ sympathizers notified of legal consequences
Impact
The operation successfully disrupted NoName057(16)’s central command infrastructure, severely limiting the group’s capability to conduct future DDoS campaigns. Five core members were added to the EU Most Wanted list, increasing international pressure on remaining leadership.
Technical Details
MITRE ATT&CK Mapping:
- T1498: Network Denial of Service
- T1583.001: Acquire Infrastructure – Domains
- T1583.005: Acquire Infrastructure – Botnet (volunteer DDoSia nodes)
- T1102: Web Service (Telegram coordination)
DDoSia Tool Characteristics:
- Distributed through Telegram channels
- Cryptocurrency reward system
- Automated target selection
- Cross-platform compatibility (Windows, Android)
Takeaway for CISOs
- DDoS Protection: Enhanced capacity planning for sustained volumetric attacks
- Threat Intelligence: Monitor hacktivist group communications and target selection
- International Cooperation: Leverage law enforcement partnerships for threat actor attribution
- Business Continuity: Develop resilient services that can withstand prolonged DDoS campaigns
Novel Attack Techniques and Emerging Threats
PoisonSeed FIDO Bypass Technique
Disclosed: July 21, 2025
Overview:
Expel researchers documented a novel attack technique by the PoisonSeed threat group that exploits cross-device sign-in features to bypass FIDO key protections through QR code phishing.
Technical Method:
Attackers create spoofed login portals that relay victim credentials to legitimate services, then abuse the hybrid transport method to generate QR codes that victims scan with their FIDO authenticators, unknowingly granting access to malicious sessions.
MITRE ATT&CK Mapping:
- T1566: Phishing
- T1557: Adversary-in-the-Middle
- T1621: Multi-Factor Authentication Request Generation
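WebAuthn gives the relying party no cryptographic signal that a QR code was involved, so defending against this relay is a policy decision made with what the server already stores. The following added example for this write-up (not Expel's detection logic or any WebAuthn library's API) sketches such a policy: it only allows a hybrid-capable credential from a browser that has completed a login with it before, steps up otherwise, and denies outright when the client-reported attachment says cross-device from an unknown browser or when the signature counter regresses. The credential record, the assertion context and the device-cookie model are assumptions about what a relying party stores, and the attachment hint is explicitly treated as untrusted because the attacker controls the browser that relays it.

```python
"""Relying-party risk policy for passkey sign-ins that a cross-device
(hybrid / QR-code) relay should trip.

Added example for this write-up, not Expel's logic or any WebAuthn
library's API. The record layouts below are assumptions about what a
relying party stores; the signature itself is assumed already verified.
"""
from dataclasses import dataclass, field


@dataclass
class StoredCredential:
    credential_id: str
    # Transports reported by the user's own browser at registration
    # (AuthenticatorAttestationResponse.getTransports()); "hybrid" means
    # the credential can be driven from another device via QR code.
    transports: tuple
    sign_count: int
    # Device cookies of browsers that completed a full login before.
    known_devices: set = field(default_factory=set)


@dataclass
class AssertionContext:
    credential_id: str
    sign_count: int
    device_id: str           # long-lived cookie set after a successful login
    # PublicKeyCredential.authenticatorAttachment as relayed by the client;
    # an attacker-controlled browser can lie, so it is a hint, not a fact.
    attachment_hint: str     # "platform" or "cross-platform"


def assess(cred: StoredCredential, ctx: AssertionContext) -> str:
    """Return 'allow', 'step_up' or 'deny' for an already-verified assertion."""
    if ctx.credential_id != cred.credential_id:
        return "deny"
    # Counter regression means a cloned or replayed authenticator.
    if cred.sign_count > 0 and ctx.sign_count <= cred.sign_count:
        return "deny"
    # A credential never registered with the hybrid transport cannot be
    # driven from another device, so the QR relay does not apply to it.
    if "hybrid" not in cred.transports:
        return "allow"
    # Hybrid-capable credential: the browser that requested the QR code may
    # be the attacker's. Trust it only if it has logged in with this
    # credential before.
    if ctx.device_id in cred.known_devices:
        return "allow"
    # Unknown browser. If it admits to a cross-device ceremony, refuse; if it
    # claims a platform authenticator it may be lying, so confirm in-band.
    if ctx.attachment_hint == "cross-platform":
        return "deny"
    return "step_up"


def finalize(cred: StoredCredential, ctx: AssertionContext) -> None:
    """After an allowed login or a completed step-up, bind the browser."""
    cred.sign_count = ctx.sign_count
    cred.known_devices.add(ctx.device_id)


if __name__ == "__main__":
    cred = StoredCredential("cred-1", ("hybrid", "internal"), 10, {"dev-laptop"})
    print(assess(cred, AssertionContext("cred-1", 11, "dev-laptop", "platform")))
    print(assess(cred, AssertionContext("cred-1", 11, "dev-unknown", "cross-platform")))
```

The step-up can be any channel the attacker's relay cannot satisfy, such as a push prompt that shows the requesting browser's location, and finalize should run only after that completes. Where the user population allows it, registering device-bound credentials (authenticatorSelection.authenticatorAttachment set to "platform") removes the hybrid transport from the credential entirely, which is the simplest way to make the relay impossible.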
Wing FTP Server Null-Byte Injection (CVE-2025-47812)
Exploited: July 14, 2025
Technical Details:
Wing FTP Server stores session state as Lua source and writes the login username into it. The username check stops at a null byte, so a value such as anonymous%00<lua> passes as the anonymous user, but the bytes after the null byte are written verbatim into the session file. When the server later loads that file, the injected Lua runs with the server process's privileges, which are root or SYSTEM on default installations. The flaw is fixed in Wing FTP Server 7.4.4.
Proof-of-Concept:
bash
curl -X POST "http://victim:5466/loginok.html" -d "username=anonymous%00print(os.execute('id>c:\\\\pwn.txt'))"
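The bug is a mismatch between what validation examines and what persistence writes. The following added example for this write-up (not Wing FTP Server's code) models that mismatch in Python: the user lookup sees a C string and stops at the first NUL, the session writer sees every byte, and the unchecked tail lands in a file the server will later load as Lua. The session-file line format is an assumption chosen for illustration; the hardened version rejects control bytes before lookup and emits a proper Lua string literal so no value can escape the quotes.

```python
"""The validation/persistence mismatch behind CVE-2025-47812, modelled in
Python, with the fix.

Added example for this write-up; not Wing FTP Server's code. The session
line format is an assumption used for illustration.
"""

KNOWN_USERS = {b"anonymous", b"alice"}


def c_string(raw: bytes) -> bytes:
    """What a strcmp()-style check sees: everything before the first NUL."""
    return raw.split(b"\x00", 1)[0]


def user_exists_vulnerable(username: bytes) -> bool:
    return c_string(username) in KNOWN_USERS


def session_line_vulnerable(username: bytes) -> str:
    """Writes the raw bytes into a Lua session file without escaping, so a
    NUL followed by Lua source ends up in a file the server later loads."""
    return 'username = "' + username.decode("latin-1") + '"\n'


def injected_code(username: bytes) -> bytes:
    """Bytes the vulnerable path persists but the lookup never examined."""
    if b"\x00" not in username:
        return b""
    return username[len(c_string(username)) + 1:]


def lua_quote(raw: bytes) -> str:
    """Lua string literal for arbitrary bytes: escape quote and backslash,
    and emit every other non-printable byte as a \\ddd decimal escape,
    zero-padded to three digits so a following digit cannot merge with it."""
    out = []
    for b in raw:
        if b == 0x22:            # "
            out.append('\\"')
        elif b == 0x5C:          # backslash
            out.append("\\\\")
        elif 0x20 <= b <= 0x7E:
            out.append(chr(b))
        else:
            out.append("\\%03d" % b)
    return '"' + "".join(out) + '"'


def session_line_hardened(username: bytes) -> str:
    """Reject control bytes before the lookup, compare the whole value, and
    quote whatever survives so it can never leave the string literal."""
    if any(b < 0x20 for b in username):
        raise ValueError("control byte in username")
    if username not in KNOWN_USERS:
        raise ValueError("unknown user")
    return "username = " + lua_quote(username) + "\n"


if __name__ == "__main__":
    payload = b"anonymous\x00print(os.execute('id'))"
    print("lookup passes:", user_exists_vulnerable(payload))
    print("persisted:", session_line_vulnerable(payload).encode("latin-1"))
    print("unchecked tail:", injected_code(payload))
    try:
        session_line_hardened(payload)
    except ValueError as e:
        print("hardened:", e)
```

The general lesson is that any value crossing from a length-counted representation (HTTP form data, Java or Lua strings) into a NUL-terminated one must be rejected if it contains a NUL, and that data written into a file that is later executed as code needs the target language's own quoting, not string concatenation.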
Strategic Intelligence Assessment
Threat Landscape Evolution
The July 14-21, 2025 period demonstrates a concerning convergence of multiple attack vectors, with threat actors increasingly targeting critical infrastructure through zero-day exploitation while nation-state groups intensify espionage operations against strategic industries.
Key Trends Identified:
- Zero-Day Weaponization Speed: Several of the week's flaws were exploited before any public proof of concept (CitrixBleed 2 from June 23) or as true zero-days (SharePoint, CrushFTP), leaving defenders days rather than weeks to patch
- AI System Targeting: Increased focus on AI-powered business applications with inadequate security controls
- Supply Chain Espionage: Systematic targeting of semiconductor and critical technology supply chains
- Authentication Bypass Innovation: Novel techniques targeting multi-factor authentication implementations
Geopolitical Context:
Chinese APT activity against Taiwan’s semiconductor industry aligns with broader strategic objectives of technological self-sufficiency amid tightening export controls. Simultaneously, Russian hacktivist disruption campaigns continue despite law enforcement actions, indicating persistent threat actor resilience.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management