Weekly Report: New Hacking Techniques and Critical CVEs July 14-21, 2025

The week of July 14-21, 2025, witnessed an unprecedented escalation in cybersecurity threats with multiple critical zero-day vulnerabilities under active exploitation, sophisticated state-sponsored attacks, and a major international law enforcement operation against Russian cybercriminals. The period was characterized by maximum-severity vulnerabilities achieving immediate weaponization, advanced persistent threat campaigns deploying next-generation malware, and coordinated international cybercrime disruption efforts.

Critical developments include three actively exploited zero-day vulnerabilities with CVSS scores ranging from 9.0-10.0, the deployment of AI-enhanced ransomware operations, and the successful dismantling of a pro-Russian cybercrime network responsible for thousands of attacks across NATO countries. Organizations faced an accelerated threat landscape requiring immediate emergency response protocols and comprehensive security posture reassessment.

>>Outpace Attackers With AI-Based Automated Penetration Testing

New Hacking Techniques Identified

1. ToolShell – SharePoint Cryptographic Key Harvesting

Date First Observed: July 18, 2025

Technical Innovation: The ToolShell attack represents a paradigm shift in SharePoint exploitation, combining deserialization vulnerabilities with cryptographic key harvesting for persistent access.

Attack Vector: Attackers exploit CVE-2025-53770 to extract SharePoint ASP.NET machine keys, enabling the creation of forged ViewState payloads that maintain access even after patching. This technique bypasses traditional authentication mechanisms including multi-factor authentication.

Advanced Persistent Mechanism: Once machine keys are harvested, attackers can craft valid ViewState parameters indefinitely, providing stealth persistence that survives system reboots, patches, and authentication changes.

2. AI-Enhanced Ransomware Negotiation Panels

Date First Observed: July 15, 2025

Technical Innovation: Multiple ransomware groups including GLOBAL GROUP RaaS have implemented artificial intelligence-driven negotiation systems that automatically adjust ransom demands based on victim analysis.

Behavioral Analysis: The AI systems analyze victim financial capacity, business criticality, and historical payment patterns to optimize ransom amounts, achieving higher success rates than traditional static demands.

3. Lua Code Injection via Null-Byte Exploitation

Date First Observed: July 1, 2025 (Wing FTP Server)

Technical Innovation: CVE-2025-47812 demonstrates advanced null-byte injection leading to arbitrary Lua code execution. Attackers manipulate username parameters with null bytes to disrupt session file processing, enabling root-level code execution.

Exploitation Chain: The attack leverages improper null-byte handling in authentication processes, allowing injection of malicious Lua scripts into session files that execute with elevated privileges.

Critical Attack Techniques and CVEs

CVE-2025-53770 – Microsoft SharePoint ToolShell (CVSS 9.8)

Discovery Date: July 18, 2025
Exploitation Status: Actively exploited in the wild

Overview

CVE-2025-53770 represents a critical deserialization vulnerability in on-premises Microsoft SharePoint Server that enables unauthenticated remote code execution. The vulnerability is a variant of previously patched CVE-2025-49706, demonstrating sophisticated attacker adaptation to security mitigations.

Deep Technical Analysis

The vulnerability stems from improper deserialization of untrusted data in SharePoint’s request processing mechanism. Attackers craft malicious serialized objects that, when processed by vulnerable SharePoint servers, execute arbitrary code with SYSTEM privileges.

Attack Methodology:

1. Initial Exploitation: Unauthenticated HTTP requests containing malicious serialized payloads
2. Code Execution: Deserialization triggers arbitrary code execution in SharePoint context
3. Key Harvesting: Attackers extract ASP.NET machine keys from SharePoint configuration
4. Persistence: Forged ViewState payloads enable ongoing access independent of initial vulnerability

Impact Assessment

• Scope: Global exploitation affecting dozens of organizations across government, education, and enterprise sectors
• Sectors Affected: U.S. federal agencies, state governments, universities, and energy companies
• Geographic Distribution: United States, Australia, Canada with expanding global reach
• Timeline: Large-scale exploitation observed July 18-19, 2025

Takeaway for CISO

Immediate Actions Required: Deploy emergency patches for SharePoint Subscription Edition and 2019. Enable AMSI integration and deploy Defender AV on all SharePoint servers. Critical: Rotate ASP.NET machine keys and restart IIS services – patching alone is insufficient due to key harvesting.

CVE-2025-54309 – CrushFTP Authentication Bypass (CVSS 9.0)

Discovery Date: July 18, 2025
Exploitation Status: Zero-day actively exploited

Overview

CrushFTP versions 10 before 10.8.5 and 11 before 11.3.4_23 contain a critical authentication bypass vulnerability that allows remote attackers to gain administrative access via HTTPS when DMZ proxy features are disabled.

Technical Analysis

The vulnerability originates from improper AS2 validation handling, enabling attackers to bypass authentication mechanisms through specially crafted HTTPS requests. Exploitation grants full administrative control over CrushFTP servers.

Exploitation Indicators:

• MainUsers/default/user.XML contains “last_logins” entries (abnormal behavior)
• Recent modification timestamps on default user.XML files
• Default user accounts granted administrative privileges
• Creation of long random user IDs (e.g., 7a0d26089ac528941bf8cb998d97f408m)

Impact Analysis

• Affected Installations: Over 250,000 CrushFTP instances identified on Shodan
• Attack Vector: HTTP/HTTPS exploitation targeting AS2 validation flaws
• Business Impact: Complete file transfer system compromise, data exfiltration capabilities
• Persistent Access: Attackers create administrative accounts for ongoing access

Takeaway for CISO

Emergency Response: Immediately upgrade to CrushFTP 11.3.4_26 or 10.8.5_12. Implement IP whitelisting for administrative access. Deploy DMZ proxy configurations for enhanced security. Monitor for compromise indicators including suspicious user account creation and modified XML configurations.

CVE-2025-47812 – Wing FTP Server RCE (CVSS 10.0)

Discovery Date: June 30, 2025
Active Exploitation: July 1, 2025

Overview

Wing FTP Server versions prior to 7.4.4 contain a maximum-severity remote code execution vulnerability enabling unauthenticated attackers to execute arbitrary system commands with root/SYSTEM privileges through null-byte and Lua injection.

Technical Deep Dive

The vulnerability exploits improper null-byte handling in the loginok.html authentication endpoint. Attackers inject null bytes into username parameters, disrupting expected Lua file processing and enabling arbitrary Lua code injection into session files.

Exploitation Chain:

1. Initial Access: Anonymous FTP or web interface access
2. Null-Byte Injection: Malformed username parameters with embedded null bytes
3. Lua Code Execution: Injected Lua scripts execute with service privileges
4. System Compromise: Root/SYSTEM level command execution and persistence

Observed Attack Activity:

• Timeline: First exploitation July 1, 2025, escalating through July 14, 2025
• Attack Infrastructure: Multiple threat actor groups conducting reconnaissance and persistence
• Payload Delivery: ScreenConnect remote access tool deployment attempts
• Persistence Mechanisms: New user account creation and malicious file deployment

Impact Assessment

• Global Exposure: 8,103 Wing FTP Server instances publicly accessible, 5,004 exposing web interfaces
• CISA Response: Added to Known Exploited Vulnerabilities catalog with August 4, 2025 remediation deadline
• Threat Actor Activity: Multiple groups conducting active exploitation including reconnaissance and RAT deployment

Takeaway for CISO

Critical Actions: Immediately upgrade to Wing FTP Server 7.4.4. Disable internet-facing HTTP/HTTPS access until patching completed. Monitor session directories for suspicious .lua files. Implement network segmentation to limit FTP server exposure. Conduct forensic analysis for indicators of compromise including unauthorized user accounts and system modifications.

Intelligence Analysis: Underground Forums and Dark Web Activity

Ransomware-as-a-Service Evolution

Intelligence Period: July 14-21, 2025

The dark web ecosystem demonstrated significant evolution during the reporting period, with ransomware groups implementing AI-enhanced operations and adapting to law enforcement pressures through strategic rebranding and infrastructure modifications.

Key Developments:

1. AI-Powered Ransomware Operations

• GLOBAL GROUP RaaS emerged as a BlackLock rebrand featuring AI-driven negotiation panels that automatically adjust ransom demands based on victim analysis
• 85% affiliate revenue sharing model attracting high-skilled operators from disbanded groups
• Seventeen victims claimed across four continents within first operational month

2. Group Consolidation and Rebranding

• Hunters International announced shutdown and rebranding to “World Leaks” following operational pressures
• Black Basta internal communications leaked by insider “ExploitWhispers,” forcing group underground and affiliate migration to Cactus ransomware
• Multiple new groups emerged: Sinobi (suspected Lynx rebrand), Payouts King, D4rk4rmy, and Warlock (Chaos framework-based)

Underground Forum Activity Analysis

Forum Fragmentation Trends:

• Continued displacement from BreachForums shutdown driving users to XSS, LeakBase, and DarkForums platforms
• 9 of top 15 most active threat actors in 2024-2025 were BreachForums-associated, indicating lasting ecosystem impact
• Law enforcement pressure on Cracked.io and Nulled.to through Operation Talent causing domain migrations

Notable Intelligence Indicators:

• Dark web leak sites recorded 93 new claims on July 14 alone, led by NoName057(16) and INC Ransom
• Qilin ransomware group dominated June 2025 with 86 victims, suggesting exploitation of RansomHub infrastructure disruption
• Enhanced anonymity adoption through I2P network usage and encryption-less extortion models

Threat Actor Behavioral Patterns

Advanced Social Engineering:

• Former Black Basta affiliates pivoting to Microsoft Teams phishing with Python-based payloads and cloud platform abuse
• Deepfake technology integration for enhanced social engineering campaigns
• Multi-platform targeting with Go-based RATs and cross-platform capabilities

Outpace Attackers With AI-Based Automate Penetration Testing With FireCompass:

FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management 

>>FireCompass Free Trial