Highlights from the cybersecurity world
1. Critical SharePoint 0-day vulnerability actively exploited. Emergency security updates: Act immediately!
**The major news this month!**
An active worldwide 0-day campaign targeting on-premises Microsoft SharePoint servers has hit over 8,000 servers across more than 400 organisations, including government agencies and private corporations. Threat actors range from opportunistic criminals to professional nation-state groups.
The attackers exploit the “ToolShell” chain, two critical vulnerabilities, CVE-2025-53770 and CVE-2025-53771, to run code on the server without any authentication. Once in, they read the server's ASP.NET machine keys; with those keys they can forge signed ViewState requests and keep a backdoor that survives patching, which is why the key rotation step below is not optional.
SharePoint Server 2016, 2019 and Subscription Edition are affected; SharePoint Online in Microsoft 365 is not. Microsoft has released emergency security updates for all affected versions and urges customers to apply them immediately.
Key takeaways:
Eye Security identified the campaign on July 18, 2025; the attack moved swiftly from proof-of-concept to mass exploitation after public disclosure on July 15. Eye Security reported ongoing attacks across more than 8,000 servers worldwide, in multiple waves, indicating a well-coordinated international campaign. Exploitation attempts probably started as early as July 7, 2025.
CVE-2025-53770 combines authentication bypass and remote code execution and is a variant of the RCE flaw CVE-2025-49704, while CVE-2025-53771 bypasses the fix for the authentication-bypass flaw CVE-2025-49706. Both original bugs were demonstrated as the ToolShell chain at Pwn2Own Berlin in May 2025 and patched in the July Patch Tuesday release; the new CVEs are bypasses of those patches.
By July 22, Microsoft had released emergency security patches for all affected SharePoint versions: KB5002768 for SharePoint Server Subscription Edition, KB5002754 and KB5002753 for SharePoint 2019, and KB5002760 and KB5002759 for SharePoint 2016.
Microsoft is also investigating a possible leak from its Microsoft Active Protections Program (MAPP), which shares vulnerability details with security vendors ahead of patch release, that may have allowed Chinese state-sponsored actors to exploit the flaws before patches were fully deployed.
Those operating on-premises SharePoint servers are strongly urged to assume they may have been compromised and to implement the recommended incident response procedures.
Key Mitigation Steps:
- Run a supported SharePoint version (2016, 2019 or Subscription Edition); older releases receive no fix.
- Apply the latest security updates listed above.
- Enable the Antimalware Scan Interface (AMSI) integration in Full Mode and run an antivirus engine such as Microsoft Defender Antivirus on every SharePoint server.
- Rotate the ASP.NET machine keys after the update is installed; keys stolen before the patch remain valid until they are rotated.
- Restart Internet Information Services (IIS) on every server in the farm so the new keys take effect.
- Deploy Microsoft Defender for Endpoint or an equivalent EDR product.
- Disconnect servers that cannot be patched from the internet until they are.
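Why the order "patch, then rotate keys, then restart IIS" matters is easy to miss, so here is an added illustration; it is not code from SharePoint, ASP.NET or the advisory. ASP.NET authenticates ViewState with an HMAC keyed by the machine key. The model below stands in for that with plain HMAC-SHA256 (the real ViewState encoding and key derivation are more involved, and the payload is a constructed marker rather than a gadget chain); the farm key, the "stolen" key and the rotated key are all generated locally. It shows that a token forged with the stolen key still verifies on a fully patched server and only stops verifying once the key is rotated.

```python
"""Constructed model of ASP.NET ViewState MAC checking, added for illustration.

Not SharePoint or ASP.NET code: HMAC-SHA256 over an opaque payload stands in for
the real ViewState format. The point is the security argument, not the encoding.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_viewstate(validation_key: bytes, payload: bytes) -> str:
    """Server side: base64(payload || HMAC-SHA256(key, payload)), like __VIEWSTATE."""
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode()


def verify_viewstate(validation_key: bytes, token: str) -> Optional[bytes]:
    """Return the payload if its MAC verifies under this key, otherwise None."""
    raw = base64.b64decode(token)
    if len(raw) < MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    # Constant-time compare: a byte-by-byte comparison would leak timing an
    # attacker without the key could use to forge MACs incrementally.
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


def simulate_toolshell_aftermath() -> Dict[str, bool]:
    """Walk compromise -> patch -> key rotation and report what still verifies."""
    original_key = os.urandom(64)   # the farm's validation key before the intrusion
    stolen_key = original_key       # constructed scenario: exfiltrated by the attacker

    # Attacker forges a token offline. A marker string replaces a real gadget chain.
    forged = sign_viewstate(stolen_key, b"<attacker-controlled serialized object>")

    results: Dict[str, bool] = {}
    # Server after installing the KB but before rotating keys: forgery still verifies.
    results["after_patch_only"] = verify_viewstate(original_key, forged) is not None

    # Key rotation (step 4 in the list above) loads a fresh random key.
    rotated_key = os.urandom(64)
    results["after_rotation"] = verify_viewstate(rotated_key, forged) is not None

    # Legitimate pages issued under the new key keep working.
    fresh = sign_viewstate(rotated_key, b"<legitimate page state>")
    results["fresh_token_ok"] = verify_viewstate(rotated_key, fresh) is not None

    # Flipping one bit of the forged payload is rejected even under the old key:
    # the MAC binds the payload, so without the key nothing can be altered.
    raw = bytearray(base64.b64decode(forged))
    raw[0] ^= 1
    tampered = base64.b64encode(bytes(raw)).decode()
    results["tampered_rejected"] = verify_viewstate(original_key, tampered) is None
    return results


if __name__ == "__main__":
    for check, value in simulate_toolshell_aftermath().items():
        print(f"{check}: {value}")
```

The `after_patch_only` result is the practical lesson: installing the update closes the entry point but does nothing to a key the attacker already holds, so a server that was exposed before patching should be treated as compromised until its keys have been rotated and IIS restarted.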
The progression from proof-of-concept demonstration to mass exploitation within roughly 72 hours shows how little time defenders now have between disclosure and attack. With over 10,000 vulnerable servers exposed globally, organisations must treat this attack as an emergency-priority incident and act urgently to prevent further compromise.
2. New Black Screen of Death and Quick Machine Recovery for Windows 11
We have already informed you about the new Windows 11 black screen of death. Along with this change, Microsoft has introduced Quick Machine Recovery (QMR). It runs from the Windows Recovery Environment (Windows RE): a device that cannot boot enters Windows RE, connects to the network, and receives targeted remediations from Windows Update, so Microsoft can deploy fixes directly to stuck devices without manual intervention.
QMR will become generally available later this summer for all Windows 11 24H2 users. It is enabled by default on Windows 11 Home devices, while IT administrators can manage it on Pro and Enterprise systems. Additional customisation options for IT teams are planned for release later this year.
The improvements are part of the Windows Resiliency Initiative (WRI), aiming to reduce downtime and improve recovery processes during system failures.
3. Chrome urgent security update fixes critical vulnerabilities
Google has rolled out an urgent security update for its Chrome browser that carries three security fixes. The update brings version 138.0.7204.168/.169 for Windows and Mac, and 138.0.7204.168 for Linux. The major concerns are two high-severity type confusion vulnerabilities in the V8 JavaScript engine, tracked as CVE-2025-8010 and CVE-2025-8011; type confusion in V8 is the usual starting point for browser exploitation chains. Users are encouraged to patch immediately.
4. Ransomware payments by the public sector banned in the UK
The UK government has announced a ban on ransom payments by public sector organisations and operators of critical national infrastructure. Private sector businesses will have to notify the government before making a ransomware payment, under strict reporting requirements, and organisations are expected to maintain robust backup and disaster recovery arrangements. The mandatory reporting regime is intended to give investigators the threat intelligence they need to strengthen cyber defences across sectors.
5. Android malware combines click fraud ads and credential theft
A new wave of malicious Android APK files combines click-fraud advertising with credential theft, primarily affecting users in Southeast Asia, Latin America, and parts of Europe. The apps, disguised as casual games or legitimate applications, are delivered as sideloaded APKs and therefore never pass through Google Play's review. Distribution often occurs through social media messages or QR codes.
Once installed, the apps request excessive permissions and work in two ways: inflating ad impressions through simulated interactions and harvesting credentials through fake login forms. This dual function lets operators monetise the device immediately while collecting data for later use. Victims typically remain unaware of the theft until they notice unusual battery or data usage.
6. A 158-year-old company destroyed because of a single hacked password
A single password led to the downfall of KNP Logistics, a 158-year-old British transport company, in June 2024. The Akira ransomware group gained access to KNP's systems by guessing an employee’s password, encrypting essential data and demanding a £5 million ransom. The attack halted operations and forced the company into administration, affecting 730 employees.
This incident reflects a trend of ransomware attacks on UK businesses, including major retailers like Marks & Spencer and Harrods. The event emphasises the necessity of basic password hygiene and shows that no company is immune to such attacks.
7. QR code phishing campaign evades security and can lead to account takeover
A phishing campaign known as "Scanception" poses a serious threat to enterprise security by utilising QR codes in PDF attachments to evade traditional email security measures and steal user credentials.
The attack starts with phishing emails carrying PDF attachments that mimic legitimate HR documents. The malicious QR codes sit on the last pages, which evades automated scanners that usually analyse only the first few pages. When victims scan the codes on their phones, they are redirected through trusted services that mask the final destination. The most concerning aspect is that the phishing page relays the victim's credentials and one-time codes in real time, so multi-factor authentication does not stop the account takeover: attackers capture 2FA tokens and keep access to compromised Microsoft 365 environments.
8. OpenAI is planning its own AI browser
OpenAI has plans to launch a Chromium-based web browser that incorporates AI agent capabilities for task automation, such as bookings and form-filling. The browser will have native ChatGPT integration, enhancing its functionality beyond traditional browsing. This move aims to challenge Chrome's market dominance amid potential antitrust actions against Google. OpenAI is entering a competitive landscape alongside other companies such as Perplexity to create integrated AI ecosystems.
9. Major ransomware attack on leading company Ingram Micro
Ingram Micro Holding Corporation faced a significant ransomware attack beginning on July 5, 2025, which disrupted its internal systems for four days. The attack hit the systems used for order processing, inventory management, and customer relationship management, all business-critical infrastructure.
The malware encrypted files across key operational systems, prompting immediate containment to limit further damage. Ingram Micro took affected systems offline and analysed the ransomware's behaviour, noting its use of evasion techniques. Recovery involved reimaging systems, restoring data from backup, and adding monitoring to detect any recurrence.
10. Microsoft July 2025 Patch Tuesday
Microsoft's July 2025 Patch Tuesday addresses 130 Microsoft vulnerabilities (CVEs) and 10 non-Microsoft CVEs. Unusually, none of them were reported as exploited in the wild at release. The update covers Windows, Microsoft Office, SQL Server, Chromium-based Microsoft Edge, and Visual Studio, among others. Users are urged to update their software promptly.
11. Malicious Chrome extensions affect 1.7 million users in one of the largest browser hijacking operations
A major malware campaign, called "Malicious11," has infected over 1.7 million Chrome users through eleven deceptive browser extensions that appeared legitimate. The attackers effectively exploited all trust signals that consumers rely on, including Google's verification badges, install numbers, highlighted placement in the Chrome Web Store, years of legitimate operation, and positive reviews.
These extensions, which included productivity and entertainment tools (emoji keyboards, weather forecasts, video controllers, VPN proxies, dark themes, and YouTube unblockers), maintained a clean codebase for years before being automatically updated with malicious features. Users are advised to remove the affected extensions, clear browser data, run malware scans, and monitor accounts for unusual activity.
Stay tuned and keep your system safe! If you need help, contact us for expert advice!