mastodon.world is one of the many independent Mastodon servers you can use to participate in the fediverse.
Generic Mastodon server for anyone to use.

Server stats:

8.2K
active users

#cyberattack

71 posts37 participants0 posts today

Hey everyone! It's been a pretty packed 24 hours in the cyber world, with critical zero-day exploits, major breaches, new malware tactics, and some significant policy shifts from the UK government. Let's dive in:

SharePoint Zero-Days Under Active Exploitation by China-Linked APTs ⚠️
- Microsoft SharePoint on-premise servers are under active attack via a chain of zero-day vulnerabilities (CVE-2025-53770, CVE-2025-53771), allowing unauthenticated Remote Code Execution (RCE) and spoofing.
- Microsoft attributes exploitation to China-linked nation-state groups Linen Typhoon (APT27), Violet Typhoon (APT31), and Storm-2603, who are deploying web shells and stealing MachineKeys for persistence.
- Emergency patches have been released for SharePoint Server Subscription Edition, 2019, and 2016, but organisations with internet-exposed on-premise servers should assume compromise and rotate ASP.NET machine keys and restart IIS.

🤖 Bleeping Computer | bleepingcomputer.com/news/micr
🤖 Bleeping Computer | bleepingcomputer.com/news/micr
🤫 CyberScoop | cyberscoop.com/microsoft-share
🕵🏼 The Register | go.theregister.com/feed/www.th

Cisco ISE RCE Flaws Actively Exploited 🛡️
- Cisco warns of active exploitation of three maximum-severity (CVSS 10.0) unauthenticated Remote Code Execution (RCE) vulnerabilities in Cisco Identity Services Engine (ISE): CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337.
- These flaws allow attackers to execute arbitrary commands as root or upload and execute malicious files without authentication.
- Immediate patching to ISE 3.3 Patch 7 or ISE 3.4 Patch 2 is critical, as there are no workarounds.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Recent Cyber Attacks and Breaches 🚨
- Dell confirmed a breach of its "Solution Center" demo environment, stating that the exfiltrated 1.3 TB of data by WorldLeaks (Hunters International rebrand) was "primarily synthetic (fake) data" or non-sensitive.
- Hungarian police arrested a 23-year-old suspect, "Hano," for a prolonged series of DDoS attacks against independent media outlets in Hungary and the Vienna-based International Press Institute (IPI) since April 2023.
- AMEOS Group, a major Central European healthcare network, disclosed a security breach where external actors gained unauthorised access to IT systems, potentially exposing patient, employee, and partner data, leading to a full IT system shutdown.
- A Silicon Valley engineer, Chenguang Gong, pleaded guilty to stealing thousands of trade secrets, including sensitive US missile technology and radiation-hardened camera designs, from his employers, with links to Chinese "talent programs."

🕵🏼 The Register | go.theregister.com/feed/www.th
🗞️ The Record | therecord.media/hungary-arrest
🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

New Malware and Ransomware Tactics 👾
- CISA and FBI issued a joint warning about escalating Interlock ransomware activity, which targets businesses and critical infrastructure, particularly healthcare, using unusual initial access methods like drive-by downloads from compromised sites and fake browser updates.
- Russian cybersecurity researchers disrupted NyashTeam, a Russian-speaking group operating a malware-as-a-service scheme (DCRat, WebRat) since 2022, by dismantling over 110 domains and removing associated Telegram channels and instructional videos.
- A new variant of the Coyote banking trojan is abusing Microsoft's UI Automation (UIA) framework to identify banking and cryptocurrency exchange sites, a technique that evades Endpoint Detection and Response (EDR) and marks the first real-world case of UIA abuse for data theft.
- Arch Linux removed three malicious packages ("librewolf-fix-bin", "firefox-patch-bin", "zen-browser-patched-bin") from its Arch User Repository (AUR) that were installing the CHAOS Remote Access Trojan (RAT), highlighting the risks of community-maintained repositories.

🗞️ The Record | therecord.media/russia-hacker-
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/fbi-vigilance-

UK Government's Ransomware Policy Shift 🇬🇧
- The UK government is proposing a ban on ransomware payments by public sector organisations and critical national infrastructure (CNI) to disrupt the criminal business model and make these entities less attractive targets.
- New measures, part of the Cyber Resilience Bill, will also mandate reporting of all ransomware incidents to law enforcement and require private businesses to notify the government before making any ransom payments.
- While aiming to improve visibility and resilience, concerns remain about the effectiveness of a payment ban on opportunistic attackers and whether law enforcement will have sufficient resources to utilise the increased intelligence.

🕵🏼 The Register | go.theregister.com/feed/www.th
🗞️ The Record | therecord.media/mandatory-repo
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤫 CyberScoop | cyberscoop.com/uk-ransomware-p

New Wi-Fi Tracking Raises Privacy Concerns 🔒
- Researchers in Italy have developed "WhoFi," a technique that creates a unique biometric identifier for individuals based on how their bodies interfere with Wi-Fi signals (Channel State Information - CSI).
- This method allows for re-identification and tracking of people across different Wi-Fi networks with high accuracy (up to 95.5%), even if they are not carrying a device.
- The research raises significant privacy concerns, as it enables pervasive surveillance without traditional visual or device-based tracking.

🕵🏼 The Register | go.theregister.com/feed/www.th

CISA CyberSentry Program Funding Lapses 📉
- Funding for CISA's CyberSentry Program, a critical public-private partnership that monitors US critical infrastructure (IT/OT) for nation-state threats, expired on Sunday.
- This lapse has forced Lawrence Livermore National Laboratory to stop monitoring networks, creating a significant gap in visibility into potential cyberattacks on essential services.
- The incident highlights ongoing instability and funding challenges within CISA and the broader federal government, impacting vital cybersecurity initiatives.

🕵🏼 The Register | go.theregister.com/feed/www.th

Open Source Security: Eyeballs and Trust 👀
- An opinion piece highlights that while open source software benefits from "many eyes" for security, this doesn't come for free; trust is built through clear communication and defensive coding.
- Automated scanners can misidentify benign, low-level system utilities as malware, as demonstrated by John Hammond's analysis of the "Talon" Windows de-bloater.
- Developers of open source tools that perform system-wide modifications should provide thorough documentation and and comments to clarify their intent and avoid triggering suspicion.

🕵🏼 The Register | go.theregister.com/feed/www.th

Windows Server Update Issues ⚙️
- Microsoft has acknowledged a known issue where the July 8th Windows Server 2019 security update (KB5062557) causes the Cluster service to repeatedly stop and restart.
- This bug can prevent nodes from rejoining clusters, lead to virtual machine restarts, and trigger Event ID 7031 errors, especially on systems with BitLocker enabled on Cluster Shared Volumes (CSV) drives.
- While a mitigation is available, Microsoft has not yet rolled it out publicly and is advising affected organisations to contact business support for assistance.

🤖 Bleeping Computer | bleepingcomputer.com/news/micr

DATE: July 22, 2025 at 05:36PM
SOURCE: HEALTHCARE INFO SECURITY

Direct article link at end of text block below.

Another Medical Practice Closes Its Doors After #Cyberattack t.co/APEpf1Tde4 #Ascension #AlphaMedical #AlphaWellness #RansomHub

Here are any URLs found in the article text:

t.co/APEpf1Tde4

Articles can be found by scrolling down the page at healthcareinfosecurity.com/ under the title "Latest"

-------------------------------------------------

Private, vetted email list for mental health professionals: clinicians-exchange.org

Healthcare security & privacy posts not related to IT or infosec are at @HIPAABot . Even so, they mix in some infosec with the legal & regulatory information.

-------------------------------------------------

#security #healthcare #doctors #itsecurity #hacking #doxxing #psychotherapy #securitynews #psychotherapist #mentalhealth #psychiatry #hospital #socialwork #datasecurity #webbeacons #cookies #HIPAA #privacy #datanalytics #healthcaresecurity #healthitsecurity #patientrecords @infosec #telehealth #netneutrality #socialengineering

Alright team, it's been a pretty eventful 24 hours in the cyber world! We've got critical zero-days under active exploitation, several significant breaches, new spyware, and a big debate on national cyber strategy. Let's dive in:

Microsoft SharePoint Zero-Day Under Active Exploitation ⚠️
- A critical remote code execution (RCE) zero-day, CVE-2025-53770 (CVSS 9.8), is being actively exploited in on-premises Microsoft SharePoint servers globally. This flaw is a bypass of a patch for a previous vulnerability (CVE-2025-49706) released in July's Patch Tuesday.
- Attackers, suspected to be nation-state actors, are using an exploit dubbed "ToolShell" to gain unauthenticated access, exfiltrate sensitive data, deploy backdoors, and steal cryptographic machine keys, allowing persistent access even after patching.
- Microsoft has released emergency patches for SharePoint Server 2019 and Subscription Edition, but SharePoint Server 2016 remains unpatched. Organisations with public-facing on-prem SharePoint should assume compromise, investigate for malicious files (e.g., spinstall0.aspx), rotate machine keys, and consider disconnecting servers if immediate patching isn't possible.
🗞️ The Record | therecord.media/microsoft-shar
🤖 Bleeping Computer | bleepingcomputer.com/news/micr
🕵🏼 The Register | go.theregister.com/feed/www.th
🤫 CyberScoop | cyberscoop.com/microsoft-share
🕵🏼 The Register | go.theregister.com/feed/www.th

CrushFTP Zero-Day Under Active Exploitation 🛡️
- CrushFTP is warning customers about CVE-2025-54309, a critical zero-day actively exploited since at least July 18th, allowing attackers to gain administrative access to the web interface due to mishandled AS2 validation.
- The vulnerability affects all CrushFTP versions below 10.8.5 and 11.3.4_23. Over 1,000 unpatched instances are exposed online, with some attackers manipulating exploited versions to appear up-to-date.
- Admins should immediately update to the latest versions, review upload/download logs for unusual activity, enable automatic updates, and consider IP whitelisting or using a DMZ instance to mitigate exploitation.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/file-transfer-

Poland Investigates Air Traffic Control Disruption 🚨
- Poland's internal security agency is investigating a temporary outage in the country's air traffic control system that caused widespread flight delays on Saturday, with potential sabotage being scrutinised.
- The outage was attributed to an unspecified technical malfunction, not a cyberattack, but national security services are looking for signs of sabotage given Poland's heightened alert over suspected Russian-linked acts.
- This incident follows previous accusations by Poland against Moscow for "air terror" operations and involvement in a 2023 shopping centre fire, highlighting ongoing hybrid threats in the region.
🗞️ The Record | therecord.media/poland-investi

Alaska Airlines Grounds Fleet Due to IT Issue ✈️
- Alaska Airlines temporarily grounded its fleet due to an unspecified IT issue, causing significant operational disruption.
- While the nature of the incident is unconfirmed, the Scattered Spider ransomware gang, known for targeting airlines, is an obvious suspect, especially given recent incidents affecting Hawaiian Airlines (owned by Alaska), Qantas, and Air Serbia.
- The airline has apologised for the inconvenience and is working to resolve the issues, advising customers to check flight status before heading to the airport.
🕵🏼 The Register | go.theregister.com/feed/www.th

Indian Crypto Exchange CoinDCX Suffers $44M Theft 💰
- Indian cryptocurrency exchange CoinDCX confirmed a theft of over $44 million worth of USDC and USDT from one of its internal operational accounts over the weekend.
- User funds were not impacted as operational accounts are segregated from customer wallets, and CoinDCX is absorbing the losses from its own treasury reserves.
- The company is investigating, patching vulnerabilities, and tracing the stolen funds, offering a bug bounty program and up to 25% of recovered funds for assistance.
🗞️ The Record | therecord.media/indian-crypto-

Dell Product Demo Platform Breached 💻
- Dell confirmed a breach of its "Solution Center" product demonstration platform by a threat actor, but stated that no sensitive customer or partner information was involved.
- The platform is intentionally separated from Dell's main networks and customer systems, and the data contained is primarily synthetic or publicly available test data.
- The WorldLeaks ransomware gang (a revamp of Hunters International) has claimed responsibility for the incident, which Dell says had limited impact.
🗞️ The Record | therecord.media/hackers-hit-de

Dior Notifies US Customers of Data Breach 🛍️
- The luxury fashion house Dior is sending data breach notifications to US customers following a cybersecurity incident on January 26, 2025, discovered on May 7, 2025.
- Exposed information includes full names, contact details, physical addresses, dates of birth, and in some cases, passport/government ID numbers and Social Security Numbers. No payment details were compromised.
- This incident is believed to be linked to the ShinyHunters extortion group, which previously breached a third-party vendor affecting other LVMH brands like Louis Vuitton.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Ring Denies Breach Amid Suspicious Login Reports 🏠
- Ring is attributing a surge in suspicious login reports from May 28th to a "backend update bug" that incorrectly displays prior login dates and devices.
- However, many customers are disputing Ring's explanation, reporting unknown devices, strange IP addresses, and countries they've never visited, along with unreceived MFA prompts and live view activity when no one accessed the app.
- Users are advised to review authorized devices in the Control Center, remove unrecognized entries, change passwords, and enable two-factor authentication.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Arizona Election Website Defaced, CISA Criticised 🗳️
- Arizona election officials reported a hack on a statewide online portal for political candidates, resulting in the defacement of candidate photos with images of the late Iranian Ayatollah Ruhollah Khomeini.
- The attack, which occurred after US bombings of Iranian nuclear sites, involved uploading an image file containing a Base64-encoded PowerShell script to take over the server. Officials believe it was pro-Iranian interests.
- Arizona's Secretary of State criticised CISA, claiming the agency has been "weakened and politicized" under the current administration, leading to a loss of confidence in federal election security support.
🤫 CyberScoop | cyberscoop.com/arizona-secreta

New Iranian Android Spyware Discovered 📱
- Lookout security researchers have discovered four new samples of DCHSpy Android spyware, linked to the Iranian Ministry of Intelligence and Security (MOIS), surfacing shortly after the Iran-Israel conflict began.
- Disguised as VPN apps (Earth VPN, Comodo VPN), the malware collects WhatsApp data, records audio/video, and exfiltrates sensitive files, indicating continued development and usage by the MuddyWater espionage group.
- The distribution via Telegram channels, sometimes using "Starlink" lures, suggests targeting Iranian dissidents, activists, and journalists, highlighting the MOIS's efforts to surveil citizens.
🕵🏼 The Register | go.theregister.com/feed/www.th

ExpressVPN Fixes RDP IP Leak Bug 🔒
- ExpressVPN has patched a flaw in its Windows client (versions 12.97 to 12.101.0.2-beta) that caused Remote Desktop Protocol (RDP) traffic to bypass the VPN tunnel, exposing users' real IP addresses.
- The issue stemmed from debug code mistakenly included in production builds. While encryption wasn't compromised, RDP traffic was visible to observers like ISPs.
- Users are advised to upgrade to version 12.101.0.45 immediately. ExpressVPN states the risk was low for typical consumers as RDP is primarily used by IT admins and enterprises.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

US Cyber Posture Shift: From Defense to Offense 🇺🇸
- The US is reportedly shifting its cyber posture towards more robust offensive operations, backed by a proposed $1 billion cyber initiative under the 2026 National Defense Authorization Act (NDAA).
- This pivot is driven by a changing threat landscape where adversaries like China's Volt Typhoon and Russia's campaigns are actively preparing for conflict and disruption, not just espionage.
- The argument is that a defensive-only approach has emboldened adversaries, and a more muscular cyber posture, integrating offensive capabilities with military and intelligence operations, is necessary for deterrence and to impose costs.
🤫 CyberScoop | cyberscoop.com/us-offensive-cy

therecord.mediaWarnings issued as hackers actively exploit critical zero-day in Microsoft SharePointMicrosoft has issued an urgent patch for most SharePoint servers after cybersecurity researchers found threat actors globally exploiting a zero-day vulnerability in the products.