Tag: Cyber Security

Jul 21, 2025Ravie LakshmananThreat Intelligence / Authentication

Cybersecurity researchers have disclosed a novel attack technique that allows threat actors to bypass Fast IDentity Online (FIDO) key protections by deceiving users into approving authentication requests from spoofed company login portals.

The activity, observed by Expel as part of a phishing campaign in the wild, has been attributed to a threat actor named PoisonSeed, which was recently flagged as leveraging compromised credentials associated with customer relationship management (CRM) tools and bulk email providers to send spam messages containing cryptocurrency seed phrases and drain victims’ digital wallets.

“The attacker does this by taking advantage of cross-device sign-in features available with FIDO keys,” researchers Ben Nahorney and Brandon Overstreet said. “However, the bad actors in this case are using this feature in adversary-in-the-middle (AitM) attacks.”

Cross-device sign-in allows users to sign-in on a device that does not have a passkey using a second device that does hold the cryptographic key, such as a mobile phone.

The attack chain documented by Expel commences with a phishing email that lures recipients to log into a fake sign-in page mimicking the enterprise’s Okta portal. Once the victims enter their credentials, the sign-in information is stealthily relayed by the bogus site to the real login page.

The phishing site then instructs the legitimate login page to use the hybrid transport method for authentication, which causes the page to serve a QR code that’s subsequently sent back to the phishing site and presented to the victim.

Should the user scan the QR code with the authenticator app on their mobile device, it allows the attackers to gain unauthorized access to the victim’s account.

“In the case of this attack, the bad actors have entered the correct username and password and requested cross-device sign-in,” Expel said.

“The login portal displays a QR code, which the phishing site immediately captures and relays back to the user on the fake site. The user scans it with their MFA authenticator, the login portal and the MFA authenticator communicate, and the attackers are in.”

What makes the attack noteworthy is that it bypasses protections offered by FIDO keys and enables threat actors to obtain access to users’ accounts. The compromise method does not exploit any flaw in the FIDO implementation. Rather, it abuses a legitimate feature to downgrade the authentication process.

While FIDO2 is designed to resist phishing, its cross-device login flow—known as hybrid transport—can be misused if proximity verification like Bluetooth is not enforced. In this flow, users can log in on a desktop by scanning a QR code with a mobile device that holds their passkey.

However, attackers can intercept and relay that QR code in real time via a phishing site, tricking users into approving the authentication on a spoofed domain. This turns a secure feature into a phishing loophole—not due to a protocol flaw, but due to its flexible implementation.

Expel also said it observed a separate incident where a threat actor enrolled their own FIDO key after compromising an account through a phishing email and resetting the user’s password.

If anything, the findings underscore the need for adopting phishing-resistant authentication at all steps in an account lifecycle, including during recovery phases, as using an authentication method that’s susceptible to phishing can undermine the entire identity infrastructure.

“AitM attacks against FIDO keys and attacker-controlled FIDO keys are just the latest in a long line of examples where bad actors and defenders up the ante in the fight to compromise/protect user accounts,” the researchers added.

Jul 21, 2025Ravie LakshmananWeb Security / Cryptocurrency

A new attack campaign has compromised more than 3,500 websites worldwide with JavaScript cryptocurrency miners, marking the return of browser-based cryptojacking attacks once popularized by the likes of CoinHive.

Although the service has since shuttered after browser makers took steps to ban miner-related apps and add-ons, researchers from the c/side said they found evidence of a stealthy miner packed within obfuscated JavaScript that assesses the computational power of a device and spawns background Web Workers to execute mining tasks in parallel without raising any alarm.

More importantly, the activity has been found to leverage WebSockets to fetch mining tasks from an external server, so as to dynamically adjust the mining intensity based on the device capabilities and accordingly throttle resource consumption to maintain stealth.

“This was a stealth miner, designed to avoid detection by staying below the radar of both users and security tools,” security researcher Himanshu Anand said.

The net result of this approach is that users would unknowingly mine cryptocurrency while browsing the compromised website, turning their computers into covert crypto generation machines without their knowledge or consent. Exactly how the websites are breached to facilitate in-browser mining is currently not known.

Further dissection has determined that over 3,500 websites have been ensnared in the sprawling illicit crypto mining effort, with the domain hosting the JavaScript miner also linked to Magecart credit card skimmers in the past, indicating attempts on the part of the attackers to diversify their payloads and revenue streams.

The use of the same domains to deliver both miner and credit/debit card exfiltration scripts indicates the ability of the threat actors to weaponize JavaScript and stage opportunistic attacks aimed at unsuspecting site visitors.

“Attackers now prioritize stealth over brute-force resource theft, using obfuscation, WebSockets, and infrastructure reuse to stay hidden,” c/side said. “The goal isn’t to drain devices instantly, it is to persistently siphon resources over time, like a digital vampire.”

The findings coincide with a Magecart skimming campaign targeting East Asian e-commerce websites using the OpenCart content management system (CMS) to inject a fake payment form during checkout and collect financial information, including bank details, from victims. The captured information is then exfiltrated to the attacker’s server.

In recent weeks, client-side and website-oriented attacks have been found to take different forms –

• Utilizing JavaScript embeds that abuse the callback parameter associated with a legitimate Google OAuth endpoint (“accounts.google[.]com/o/oauth2/revoke”) to redirect to an obfuscated JavaScript payload that creates a malicious WebSocket connection to an attacker-controlled domain
• Using Google Tag Manager (GTM) script directly injected into the WordPress database (i.e., wp_options and wp_posts tables) in order to load remote JavaScript that redirects visitors to over 200 sites to spam domains
• Compromising a WordPress site’s wp-settings.php file to include a malicious PHP script directly from a ZIP archive that connects to a command-and-control (C2) server and ultimately leverages the site’s search engine rankings to inject spammy content and boost their sketchy sites in search results
• Injecting malicious code into a WordPress site theme’s footer PHP script to server browser redirects
• Using a fake WordPress plugin named after the infected domain to evade detection and spring into action only when search engine crawlers are detected in order to serve spam content designed to manipulate search engine results
• Distributing backdoored versions of the WordPress plugin Gravity Forms (affecting only versions 2.9.11.1 and 2.9.12) through the official download page in a supply chain attack that contacts an external server to fetch additional payloads and adds an admin account that gives the attacker complete control of the website

“If installed, the malicious code modifications will block attempts to update the package and attempt to reach an external server to download additional payload,” RocketGenius, the team behind Gravity Forms, said.

“If it succeeds in executing this payload, it will then attempt to add an administrative account. That opens a back door to a range of other possible malicious actions, such as expanding remote access, additional unauthorized arbitrary code injections, manipulation of existing admin accounts, and access to stored WordPress data.”

Microsoft on Sunday released security patches for an actively exploited security flaw in SharePoint and also released details of another vulnerability that it said has been addressed with “more robust protections.”

The tech giant acknowledged it’s “aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.”

CVE-2025-53770 (CVSS score: 9.8), as the exploited Vulnerability is tracked, concerns a case of remote code execution that arises due to the deserialization of untrusted data in on-premise versions of Microsoft SharePoint Server.

The newly disclosed shortcoming is a spoofing flaw in SharePoint (CVE-2025-53771, CVSS score: 6.3). An anonymous researcher has been credited with discovering and reporting the bug.

“Improper limitation of a pathname to a restricted directory (‘path traversal’) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network,” Microsoft said in an advisory released on July 20, 2025.

Microsoft also noted that CVE-2025-53770 and CVE-2025-53771 are related to two other SharePoint vulnerabilities documented by CVE-2025-49704 and CVE-2025-49706, which could be chained to achieve remote code execution. The exploit chain, referred to as ToolShell, was patched as part of the company’s July 2025 Patch Tuesday update.

“The update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704,” the Windows maker said. “The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706.”

It’s worth noting that Microsoft previously characterized CVE-2025-53770 as a variant of CVE-2025-49706. When reached for comment about this discrepancy, a Microsoft spokesperson told The Hacker News that “it is prioritizing getting updates out to customers while also correcting any content inaccuracies as necessary.”

The company also said that the current published content is correct and that the previous inconsistency does not impact the company’s guidance for customers.

Both the identified flaws apply to on-premises SharePoint Servers only, and do not impact SharePoint Online in Microsoft 365. The issues have been addressed in the versions below (for now) –

To mitigate potential attacks, customers are recommended to –

• Use supported versions of on-premises SharePoint Server (SharePoint Server 2016, 2019, and SharePoint Subscription Edition)
• Apply the latest security updates
• Ensure the Antimalware Scan Interface (AMSI) is turned on and enable Full Mode for optimal protection, along with an appropriate antivirus solution such as Defender Antivirus
• Deploy Microsoft Defender for Endpoint protection, or equivalent threat solutions
• Rotate SharePoint Server ASP.NET machine keys

“After applying the latest security updates above or enabling AMSI, it is critical that customers rotate SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers,” Microsoft said. “If you cannot enable AMSI, you will need to rotate your keys after you install the new security update.”

The development comes as Eye Security told The Hacker News that at least 54 organizations have been compromised, including banks, universities, and government entities. Active exploitation is said to have commenced around July 18, according to the company.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), for its part, added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by July 21, 2025.

Palo Alto Networks Unit 42, which is also tracking what it described as a “high-impact, ongoing threat campaign,” said government, schools, healthcare, including hospitals, and large enterprise companies—are at immediate risk.

“Attackers are bypassing identity controls, including MFA and SSO, to gain privileged access,” Michael Sikorski, CTO and Head of Threat Intelligence for Unit 42 at Palo Alto Networks, told The Hacker News. “Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys. The attackers have leveraged this vulnerability to get into systems and are already establishing their foothold.

“If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point. Patching alone is insufficient to fully evict the threat. What makes this especially concerning is SharePoint’s deep integration with Microsoft’s platform, including their services like Office, Teams, OneDrive and Outlook, which have all the information valuable to an attacker. A compromise doesn’t stay contained—it opens the door to the entire network.”

The cybersecurity vendor has also classified it as a high-severity, high-urgency threat, urging organizations running on-premises Microsoft SharePoint servers to apply the necessary patches with immediate effect, rotate all cryptographic material, and engage in incident response efforts.

“An immediate, band-aid fix would be to unplug your Microsoft SharePoint from the internet until a patch is available,” Sikorski added. “A false sense of security could result in prolonged exposure and widespread compromise.”

(This is a developing story. Please check back for more details.)

Jul 21, 2025Ravie LakshmananNetwork Security / Vulnerability

Hewlett-Packard Enterprise (HPE) has released security updates to address a critical security flaw affecting Instant On Access Points that could allow an attacker to bypass authentication and gain administrative access to susceptible systems.

The vulnerability, tracked as CVE-2025-37103, carries a CVSS score of 9.8 out of a maximum of 10.0.

“Hard-coded login credentials were found in HPE Networking Instant On Access Points, allowing anyone with knowledge of it to bypass normal device authentication,” the company said in an advisory.

“Successful exploitation could allow a remote attacker to gain administrative access to the system.”

Also patched by HPE is an authenticated command injection flaw in the command-line interface of the HPE Networking Instant On Access Points (CVE-2025-37102, CVSS score: 7.2) that a remote attacker could exploit with elevated permissions to run arbitrary commands on the underlying operating system as a privileged user.

This also means that an attacker could fashion CVE-2025-37103 and CVE-2025-37102 into an exploit chain, allowing them to obtain administrative access and inject malicious commands into the command-line interface for follow-on activity.

The company credited ZZ from Ubisectech Sirius Team for discovering and reporting the two issues. Both vulnerabilities have been resolved in HPE Networking Instant On software version 3.2.1.0 and above.

HPE also noted in its advisory that other devices, such as HPE Networking Instant On Switches, are not affected.

While there is no evidence that either of the flaws has come under active exploitation, users are advised to apply the updates as soon as possible to mitigate potential threats.

Jul 20, 2025Ravie LakshmananAI Security / Infostealers

The financially motivated threat actor known as EncryptHub (aka LARVA-208 and Water Gamayun) has been attributed to a new campaign that’s targeting Web3 developers to infect them with information stealer malware.

“LARVA-208 has evolved its tactics, using fake AI platforms (e.g., Norlax AI, mimicking Teampilot) to lure victims with job offers or portfolio review requests,” Swiss cybersecurity company PRODAFT said in a statement shared with The Hacker News.

While the group has a history of deploying ransomware, the latest findings demonstrate an evolution of its tactics and a diversification of its monetization methods by using stealer malware to harvest data from cryptocurrency wallets.

EncryptHub’s focus on Web3 developers isn’t random—these individuals often manage crypto wallets, access to smart contract repositories, or sensitive test environments. Many operate as freelancers or work across multiple decentralized projects, making them harder to protect with traditional enterprise security controls. This decentralized, high-value developer community presents an ideal target for attackers looking to monetize quickly without triggering centralized defenses.

The attack chains entail directing prospective targets to deceptive artificial intelligence (AI) platforms and tricking them into clicking on purported meeting links within these sites.

Meeting links to these sites are sent to developers who follow Web3 and Blockchain-related content via platforms like X and Telegram under the pretext of a job interview or portfolio discussion. The threat actors have also been found sending the meeting links to people who applied for positions posted by them on a Web3 job board called Remote3.

What’s interesting is the approach used by the attackers to sidestep security warnings issued by Remote3 on their site. Given that the service explicitly warns job seekers against downloading unfamiliar video conferencing software, the attackers conduct an initial conversation via Google Meet, during which they instruct the applicant to resume the interview on Norlax AI.

Regardless of the method used, once the victim clicks on the meeting link, they are asked to enter their email address and invitation code, following which they are served a fake error message about outdated or missing audio drivers.

Clicking the message leads to the download of malicious software disguised as a genuine Realtek HD Audio Driver, which executes PowerShell commands to retrieve and deploy the Fickle Stealer. The information gathered by the stealer malware is transmitted to an external server codenamed SilentPrism.

“The threat actors distribute infostealers like Fickle through fake AI applications, successfully harvesting cryptocurrency wallets, development credentials, and sensitive project data,” PRODAFT said.

“This latest operation suggests a shift toward alternative monetization strategies, including the exfiltration of valuable data and credentials for potential resale or exploitation in illicit markets.”

The development comes as Trustwave SpiderLabs detailed a new ransomware called KAWA4096 that “follows the style of the Akira ransomware group, and a ransom note format similar to Qilin’s, likely an attempt to further enrich their visibility and credibility.”

KAWA4096, which first emerged in June 2025, is said to have targeted 11 companies, with the most number of targets located in the United States and Japan. The initial access vector used in the attacks is not known.

A notable feature of KAWA4096 is its ability to encrypt files on shared network drives and the use of multithreading to increase operational efficiency and speed up the scanning and encryption process.

“After identifying valid files, the ransomware adds them to a shared queue,” security researchers Nathaniel Morales and John Basmayor said. “This queue is processed by a pool of worker threads, each responsible for retrieving file paths and passing it on to the encryption routine. A semaphore is used for synchronization among threads, ensuring efficient processing of the file queue.”

Another new entrant to the ransomware landscape is Crux, which claims to be part of the BlackByte group and has been deployed in the wild in three incidents detected on July 4 and 13, 2025, per Huntress.

In one of the incidents, the threat actors have been found to leverage valid credentials via RDP to obtain a foothold in the target network. Common to all the attacks is the use of legitimate Windows tools like svchost.exe and bcdedit.exe to conceal malicious commands and modify boot configuration so as to inhibit system recovery.

“The threat actor also clearly has a preference for legitimate processes like bcdedit.exe and svchost.exe, so continual monitoring for suspicious behavior using these processes via endpoint detection and response (EDR) can help suss out threat actors in your environment,” Huntress said.

Jul 20, 2025Ravie LakshmananDevOps / Threat Intelligence

Cybersecurity researchers have alerted to a supply chain attack that has targeted popular npm packages via a phishing campaign designed to steal the project maintainers’ npm tokens.

The captured tokens were then used to publish malicious versions of the packages directly to the registry without any source code commits or pull requests on their respective GitHub repositories.

The list of affected packages and their rogue versions, according to Socket, is listed below –

• eslint-config-prettier (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7)
• eslint-plugin-prettier (versions 4.2.2 and 4.2.3)
• synckit (version 0.11.9)
• @pkgr/core (version 0.2.8)
• napi-postinstall (version 0.3.1)

“The injected code attempted to execute a DLL on Windows machines, potentially allowing remote code execution,” the software supply chain security firm said.

The development comes in the aftermath of a phishing campaign that has been found to send email messages impersonating npm in order to trick project maintainers into clicking on a typosquatted link (“npnjs[.]com,” as opposed to “npmjs[.]com”) that harvested their credentials.

The digital missives, with the subject line “Please verify your email address,” spoofed a legitimate email address associated with npm (“support@npmjs[.]org”), urging recipients to validate their email address by clicking on the embedded link.

The bogus landing page to which the victims are redirected to, per Socket, is a clone of the legitimate npm login page that’s designed to capture their login information.

Developers who use the affected packages are advised to cross-check the versions installed and rollback to a safe version. Project maintainers are recommended to turn on two-factor authentication to secure their accounts, and use scoped tokens instead of passwords for publishing packages.

“This incident shows how quickly phishing attacks on maintainers can escalate into ecosystem-wide threats,” Socket said.

The findings coincide with an unrelated campaign that has flooded npm with 28 packages containing protestware functionality that can disable mouse-based interaction on websites with a Russian or Belarusian domain. They are also engineered to play the Ukrainian national anthem on a loop.

However, the attack only works when the site visitor has their browser language settings set to Russian and, in some cases, the same website is visited a second time, thereby ensuring that only repeat visitors are targeted. The activity marks an expansion of a campaign that was first flagged last month.

“This protestware underscores that actions taken by developers can propagate unnoticed in nested dependencies and may take days or weeks to manifest,” security researcher Olivia Brown said.

Arch Linux Removes 3 AUR Packages that Installed Chaos RAT Malware

It also comes as the Arch Linux team said it has pulled three malicious AUR packages that were uploaded to the Arch User Repository (AUR) and harbored hidden functionality to install a remote access trojan called Chaos RAT from a now-removed GitHub repository.

The affected packages are: “librewolf-fix-bin,” “firefox-patch-bin,” and “zen-browser-patched-bin.” They were published by a user named “danikpapas” on July 16, 2025.

“These packages were installing a script coming from the same GitHub repository that was identified as a Remote Access Trojan (RAT),” the maintainers said. “We strongly encourage users that may have installed one of these packages to remove them from their system and to take the necessary measures in order to ensure they were not compromised.”

Jul 20, 2025Ravie LakshmananZero-Day / Vulnerability

A critical security vulnerability in Microsoft SharePoint Server has been weaponized as part of an “active, large-scale” exploitation campaign.

The zero-day flaw, tracked as CVE-2025-53770 (CVSS score: 9.8), has been described as a variant of CVE-2025-49706 (CVSS score: 6.3), a spoofing bug in Microsoft SharePoint Server that was addressed by the tech giant as part of its July 2025 Patch Tuesday updates.

“Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network,” Microsoft said in an advisory released on July 19, 2025.

The Windows maker further noted that it’s preparing and fully testing a comprehensive update to resolve the issue. It credited Viettel Cyber Security for discovering and reporting the flaw through Trend Micro’s Zero Day Initiative (ZDI).

In a separate alert issued Saturday, Redmond said it’s aware of active attacks targeting on-premises SharePoint Server customers, but emphasized that SharePoint Online in Microsoft 365 is not impacted.

In the absence of an official patch, Microsoft is urging customers to configure Antimalware Scan Interface (AMSI) integration in SharePoint and deploy Defender AV on all SharePoint servers.

It’s worth noting that AMSI integration is enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.

For those who cannot enable AMSI, it’s advised that the SharePoint Server is disconnected from the internet until a security update is available. For added protection, users are recommended to deploy Defender for Endpoint to detect and block post-exploit activity.

The disclosure comes as Eye Security and Palo Alto Networks Unit 42 warned of attacks chaining CVE-2025-49706 and CVE-2025-49704 (CVSS score: 8.8), a code injection flaw in SharePoint, to facilitate arbitrary command execution on susceptible instances. The exploit chain has been codenamed ToolShell.

But given that CVE-2025-53770 is a “variant” of CVE-2025-49706, it’s suspected that these attacks are related.

Eye Security said the wide-scale attacks it identified leverage CVE-2025-49706 to POST a remote code execution payload exploiting CVE-2025-49704. “We believe that the finding that adding “_layouts/SignOut.aspx” as HTTP referer, makes CVE-2025-49706 into CVE-2025-53770,” it said.

It’s worth mentioning here that the ZDI has characterized CVE-2025-49706 as an authentication bypass vulnerability that stems from how the application handles HTTP Referer header provided to the ToolPane endpoint (“/_layouts/15/ToolPane.aspx”).

The malicious activity essentially involves delivering ASPX payloads via PowerShell, which is then used to steal the SharePoint server’s MachineKey configuration, including the ValidationKey and DecryptionKey, to maintain persistent access.

The Dutch cybersecurity company said these keys are crucial for generating valid __VIEWSTATE payloads, and that gaining access to them effectively turns any authenticated SharePoint request into a remote code execution opportunity.

“We are still identifying mass exploit waves,” Eye Security CTO Piet Kerkhofs told The Hacker News in a statement. “This will have a huge impact as adversaries are laterally moving using this remote code execution with speed.”

More than 85 SharePoint servers globally have been identified as compromised with the malicious web shell as of writing. These hacked servers belong to 29 organizations, including multinational firms and government entities.

It’s worth noting that Microsoft has yet to update its advisories for CVE-2025-49706 and CVE-2025-49704 to reflect active exploitation. We have also reached out to the company for further clarification, and we will update the story if we hear back.

(The story is developing. Please check back for more details.)

Jul 20, 2025Ravie LakshmananDevOps / Threat Intelligence

Cybersecurity researchers have alerted to a supply chain attack that has targeted popular npm packages via a phishing campaign designed to steal the project maintainers’ npm tokens.

The captured tokens were then used to publish malicious versions of the packages directly to the registry without any source code commits or pull requests on their respective GitHub repositories.

The list of affected packages and their rogue versions, according to Socket, is listed below –

• eslint-config-prettier (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7)
• eslint-plugin-prettier (versions 4.2.2 and 4.2.3)
• synckit (version 0.11.9)
• @pkgr/core (version 0.2.8)
• napi-postinstall (version 0.3.1)

“The injected code attempted to execute a DLL on Windows machines, potentially allowing remote code execution,” the software supply chain security firm said.

The development comes in the aftermath of a phishing campaign that has been found to send email messages impersonating npm in order to trick project maintainers into clicking on a typosquatted link (“npnjs[.]com,” as opposed to “npmjs[.]com”) that harvested their credentials.

The digital missives, with the subject line “Please verify your email address,” spoofed a legitimate email address associated with npm (“support@npmjs[.]org”), urging recipients to validate their email address by clicking on the embedded link.

The bogus landing page to which the victims are redirected to, per Socket, is a clone of the legitimate npm login page that’s designed to capture their login information.

Developers who use the affected packages are advised to cross-check the versions installed and rollback to a safe version. Project maintainers are recommended to turn on two-factor authentication to secure their accounts, and use scoped tokens instead of passwords for publishing packages.

“This incident shows how quickly phishing attacks on maintainers can escalate into ecosystem-wide threats,” Socket said.

The findings coincide with an unrelated campaign that has flooded npm with 28 packages containing protestware functionality that can disable mouse-based interaction on websites with a Russian or Belarusian domain. They are also engineered to play the Ukrainian national anthem on a loop.

However, the attack only works when the site visitor has their browser language settings set to Russian and, in some cases, the same website is visited a second time, thereby ensuring that only repeat visitors are targeted. The activity marks an expansion of a campaign that was first flagged last month.

“This protestware underscores that actions taken by developers can propagate unnoticed in nested dependencies and may take days or weeks to manifest,” security researcher Olivia Brown said.

Arch Linux Removes 3 AUR Packages that Installed Chaos RAT Malware

It also comes as the Arch Linux team said it has pulled three malicious AUR packages that were uploaded to the Arch User Repository (AUR) and harbored hidden functionality to install a remote access trojan called Chaos RAT from a now-removed GitHub repository.

The affected packages are: “librewolf-fix-bin,” “firefox-patch-bin,” and “zen-browser-patched-bin.” They were published by a user named “danikpapas” on July 16, 2025.

“These packages were installing a script coming from the same GitHub repository that was identified as a Remote Access Trojan (RAT),” the maintainers said. “We strongly encourage users that may have installed one of these packages to remove them from their system and to take the necessary measures in order to ensure they were not compromised.”

Jul 20, 2025Ravie LakshmananZero-Day / Vulnerability

A critical security vulnerability in Microsoft SharePoint Server has been weaponized as part of an “active, large-scale” exploitation campaign.

The zero-day flaw, tracked as CVE-2025-53770 (CVSS score: 9.8), has been described as a variant of CVE-2025-49706 (CVSS score: 6.3), a spoofing bug in Microsoft SharePoint Server that was addressed by the tech giant as part of its July 2025 Patch Tuesday updates.

“Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network,” Microsoft said in an advisory released on July 19, 2025.

The Windows maker further noted that it’s preparing and fully testing a comprehensive update to resolve the issue. It credited Viettel Cyber Security for discovering and reporting the flaw through Trend Micro’s Zero Day Initiative (ZDI).

In a separate alert issued Saturday, Redmond said it’s aware of active attacks targeting on-premises SharePoint Server customers, but emphasized that SharePoint Online in Microsoft 365 is not impacted.

In the absence of an official patch, Microsoft is urging customers to configure Antimalware Scan Interface (AMSI) integration in SharePoint and deploy Defender AV on all SharePoint servers.

It’s worth noting that AMSI integration is enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.

For those who cannot enable AMSI, it’s advised that the SharePoint Server is disconnected from the internet until a security update is available. For added protection, users are recommended to deploy Defender for Endpoint to detect and block post-exploit activity.

The disclosure comes as Eye Security and Palo Alto Networks Unit 42 warned of attacks chaining CVE-2025-49706 and CVE-2025-49704 (CVSS score: 8.8), a code injection flaw in SharePoint, to facilitate arbitrary command execution on susceptible instances. The exploit chain has been codenamed ToolShell.

But given that CVE-2025-53770 is a “variant” of CVE-2025-49706, it’s suspected that these attacks are related.

The malicious activity essentially involves delivering ASPX payloads via PowerShell, which is then used to steal the SharePoint server’s MachineKey configuration, including the ValidationKey and DecryptionKey, to maintain persistent access.

The Dutch cybersecurity company said these keys are crucial for generating valid __VIEWSTATE payloads, and that gaining access to them effectively turns any authenticated SharePoint request into a remote code execution opportunity.

“We are still identifying mass exploit waves,” Eye Security CTO Piet Kerkhofs told The Hacker News in a statement. “This will have a huge impact as adversaries are laterally moving using this remote code execution with speed.”

“We notified almost 75 organisations that got breached, as we identified the malicious web shell on their SharePoint servers. In this group are big companies and large government bodies across the world.”

It’s worth noting that Microsoft has yet to update its advisories for CVE-2025-49706 and CVE-2025-49704 to reflect active exploitation. We have also reached out to the company for further clarification, and we will update the story if we hear back.

(The story is developing. Please check back for more details.)

Jul 20, 2025Ravie LakshmananVulnerability / Threat Intelligence

A newly disclosed critical security flaw in CrushFTP has come under active exploitation in the wild. Assigned the CVE identifier CVE-2025-54309, the vulnerability carries a CVSS score of 9.0.

“CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS,” according to a description of the vulnerability in the NIST’s National Vulnerability Database (NVD).

CrushFTP, in an advisory, said it first detected the zero-day exploitation of the vulnerability in the wild on July 18, 2025, 9 a.m. CST, although it acknowledged that it may have been weaponized much earlier.

“The attack vector was HTTP(S) for how they could exploit the server,” the company said. “We had fixed a different issue related to AS2 in HTTP(S) not realizing that a prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured out a way to exploit the prior bug.”

CrushFTP is widely used in government, healthcare, and enterprise environments to manage sensitive file transfers—making administrative access especially dangerous. A compromised instance can allow attackers to exfiltrate data, inject backdoors, or pivot into internal systems that rely on the server for trusted exchange. Without DMZ isolation, the exposed instance becomes a single point of failure.

The company said the unknown threat actors behind the malicious activity managed to reverse engineer its source code and discovered the new flaw to target devices that are yet to be updated to the latest versions. It’s believed that CVE-2025-54309 was present in CrushFTP builds prior to July 1.

CrushFTP has also released the following indicators of compromise (IoCs) –

• Default user has admin access
• Long random user IDs created (e.g., 7a0d26089ac528941bf8cb998d97f408m)
• Other new usernames created with admin access
• The file “MainUsers/default/user.xml” was recently modified and has a “last_logins” value in it
• Buttons from the end user web interface disappeared, and users previously identified as regular users now have an Admin button

Security teams investigating possible compromise should review user.xml modification times, correlate admin login events with public IPs, and audit permission changes on high-value folders. Look for suspicious patterns in access logs tied to newly created users or unexplained admin role escalations—typical signs of post-exploitation behavior in real-world breach scenarios.

As mitigations, the company recommends that users restore a prior default user from the backup folder, as well as review upload/download reports for any signs of suspicious transfers. Other steps include –

• Limit the IP addresses used for administrative actions
• Allowlist IPs that can connect to the CrushFTP server
• Switch to DMZ CrushFTP instance for enterprise use
• Ensure automatic updates are enabled

At this stage, the exact nature of the attacks exploiting the flaw is not known. Earlier this April, another security defect in the same solution (CVE-2025-31161, CVSS score: 9.8) was weaponized to deliver the MeshCentral agent and other malware.

Last year, it also emerged that a second critical vulnerability impacting CrushFTP (CVE-2024-4040, CVSS score: 9.8) was leveraged by threat actors to target multiple U.S. entities.

With multiple high-severity CVEs exploited over the past year, CrushFTP has emerged as a recurring target in advanced threat campaigns. Organizations should consider this pattern as part of broader threat exposure assessments, alongside patch cadence, third-party file transfer risks, and zero-day detection workflows involving remote access tools and credential compromise.