SparTech Software – Cybersecurity News Bytes (July 21, 2025 1:22 PM)

Cybersecurity News – July 21, 2025

Table of Contents

  • Microsoft SharePoint Servers Under Active Attack: Critical Vulnerability Exploited Worldwide
  • China-Linked Hackers Conduct Espionage Campaign Across Africa’s IT Infrastructure
  • AI-Powered LameHug Malware Targets Ukraine’s Defense Sector: APT28 Implicated
  • Major Ransomware Attack Shuts Down Over 2,000 Russian WineLab Locations
  • Co-op Data Breach Exposes 6.5 Million UK Members’ Information
  • British MOD Afghan Data Leak Surfaces: Thousands at Risk

Microsoft SharePoint Servers Under Active Attack: Critical Vulnerability Exploited Worldwide

Discovery of the Flaw and Attack Timeline

A rapidly escalating wave of attacks has been hitting on-premises Microsoft SharePoint servers (SharePoint Online is not affected) since at least July 16, 2025. The intrusions use the exploit chain nicknamed ToolShell, which pairs CVE-2025-49706, an authentication bypass, with CVE-2025-49704, a remote code execution bug. The chain was first demonstrated at Pwn2Own Berlin in May 2025 and publicly reproduced by Code White GmbH researchers earlier this month; Microsoft fixed both CVEs in the July 2025 security updates, and the in-the-wild activity uses a bypass of that fix that Microsoft now tracks as CVE-2025-53770.

Scope and Impact of the Intrusions

Over 1,100 vulnerable servers have been identified, spanning U.S. federal and state agencies, European governmental bodies, a major U.S. energy company, and numerous educational institutions. Shadowserver has detected at least 9,300 exposed SharePoint IPs, many of which have been actively targeted by threat actors.

Attack Techniques and Objectives

The adversaries use the chain to drop ASP.NET web shells, and Google's Threat Intelligence Group has observed those shells being used to read the server's ASP.NET machine keys, the ValidationKey and DecryptionKey that sign and encrypt ViewState. With those keys an attacker can forge valid ViewState payloads and regain code execution on a patched server, so patching alone does not evict them; the stolen material also underpins credential theft and lateral movement. Attackers have adapted their tooling to different SharePoint versions and configurations and to evade signature-based defenses.

Response and Mitigation Efforts

The Multi-State Information Sharing and Analysis Center has alerted over 150 government and educational organizations. Incident response teams are prioritizing rapid deployment of Microsoft's fixes, network segmentation, and credential resets for exposed systems. Because the web shells harvest the ASP.NET machine keys, remediation must also rotate those keys (through Central Administration or the Update-SPMachineKey cmdlet) and restart IIS after patching, then review IIS logs and the LAYOUTS directory for web shells planted before the fix was applied. Microsoft additionally recommends enabling SharePoint's AMSI integration with Defender Antivirus, and disconnecting from the internet any server that cannot be patched immediately.

Technical Implications for Organizations

The breadth of the attack underscores the need for proper segmentation of on-premises servers (a SharePoint farm should not be directly reachable from the internet), strict access controls, prompt patching, and continuous monitoring of IIS logs for exploit attempts against SharePoint installations.
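The IIS log review described above, as an added example that is not part of the original article or of any vendor tooling: a Python triage script that reads a SharePoint server's IIS W3C log and flags the publicly reported exploitation pattern, namely a POST to /_layouts/15/ToolPane.aspx with DisplayMode=Edit whose Referer claims to come from /_layouts/SignOut.aspx (the authentication-bypass signature), unauthenticated edit-mode POSTs to the same page, and any request for the reported web-shell filename spinstall0.aspx or a numbered variant. The indicator patterns are assumptions frozen at the time of writing and should be replaced with the current vendor IoC list; the log lines are constructed, not real traffic.

```python
"""Triage an IIS W3C log from an on-premises SharePoint server for the
ToolShell exploitation pattern (added example; indicators are assumptions
taken from public reporting and should be replaced by the current IoC list)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicator patterns (assumptions based on public reporting, not the article's data).
EXPLOIT_STEM = "/_layouts/15/toolpane.aspx"
EDIT_MODE = re.compile(r"(^|&)displaymode=edit(&|$)", re.I)
SPOOFED_REFERER = re.compile(r"/_layouts/(15/)?signout\.aspx", re.I)
WEBSHELL_STEM = re.compile(r"/spinstall\d*\.aspx$", re.I)


@dataclass
class Hit:
    line_no: int
    client_ip: str
    severity: str
    reason: str
    request: str


def parse_w3c(text: str):
    """Yield (line_no, record) for each data line, keyed by the #Fields header."""
    fields = None
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; a production tool would report it
        yield line_no, dict(zip(fields, values))


def triage(text: str) -> list[Hit]:
    hits: list[Hit] = []
    for line_no, rec in parse_w3c(text):
        method = rec.get("cs-method", "").upper()
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        referer = rec.get("cs(Referer)", "-")
        user = rec.get("cs-username", "-")
        ip = rec.get("c-ip", "?")
        request = f"{method} {stem}" + ("" if query == "-" else f"?{query}")

        if method == "POST" and stem.lower() == EXPLOIT_STEM and EDIT_MODE.search(query):
            if SPOOFED_REFERER.search(referer):
                hits.append(Hit(line_no, ip, "high",
                                "ToolPane.aspx edit-mode POST with SignOut referer (exploit signature)", request))
            elif user == "-":
                hits.append(Hit(line_no, ip, "medium",
                                "unauthenticated ToolPane.aspx edit-mode POST", request))
            # authenticated edit-mode POSTs with a normal referer are routine page editing
        if WEBSHELL_STEM.search(stem):
            hits.append(Hit(line_no, ip, "high", "request for reported web-shell filename", request))
    return hits


def suspect_ips(text: str) -> set[str]:
    """Client IPs with at least one high-severity hit, for blocking and pivoting."""
    return {h.client_ip for h in triage(text) if h.severity == "high"}


# Constructed sample log (not real traffic). IIS replaces spaces in the
# user agent with '+', which is why a plain split on spaces works.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 14:02:11 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\jdoe 10.0.4.17 Mozilla/5.0+(Windows+NT+10.0) https://sp.corp.example/sites/hr 200 0 0 120
2025-07-18 14:02:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.44 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) /_layouts/SignOut.aspx 200 0 0 350
2025-07-18 14:02:41 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.44 python-requests/2.32.3 - 200 0 0 18
2025-07-18 14:05:03 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&PageView=Shared 443 CORP\\wpadmin 10.0.4.20 Mozilla/5.0+(Windows+NT+10.0) https://sp.corp.example/sites/hr/default.aspx 200 0 0 90
"""

if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(f"line {h.line_no} [{h.severity}] {h.client_ip}: {h.reason} <- {h.request}")
    print("suspect IPs:", sorted(suspect_ips(SAMPLE_LOG)))
```

The last sample line is a legitimate administrator editing a page through the same ToolPane.aspx endpoint and is deliberately not flagged: the exploit signature is the combination of edit mode, a spoofed SignOut referer and no authenticated user, not the page itself. Any IP returned by suspect_ips should be treated as a pivot point for the machine-key rotation and web-shell hunt described above.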

China-Linked Hackers Conduct Espionage Campaign Across Africa’s IT Infrastructure

Campaign Origins and Attribution

Security researchers have identified a cyber espionage campaign, attributed to China-linked advanced persistent threat actors, targeting IT infrastructure in Africa. The intrusions show a broad array of persistence, defense evasion, and exfiltration techniques.

Attack Toolset and Methodology

Both purpose-built implants and widely available red-teaming frameworks are central to the operation. The attackers use Cobalt Strike for post-exploitation, Mimikatz to harvest credentials from LSASS memory, and Impacket's SMB- and WMI-based remote execution tooling for lateral movement, alongside custom implants tailored to each victim environment. Payloads are re-packaged quickly enough to defeat signature-based detection, which makes the tools' behavioral artifacts (command output redirected to the loopback admin share, LSASS memory access) the more durable detection points.

Challenges for Defenders

The deliberate use of public offensive-security frameworks blurs the line between red-team simulation and genuine adversary activity, complicating triage for detection and response teams. Routing command-and-control through the victim's own internal servers keeps beacon traffic inside the perimeter, where it blends with legitimate traffic and evades egress monitoring, and gives the attackers robust exfiltration routes.

Potential Implications

Organizations operating in Africa’s public and private IT sectors, particularly those handling sensitive strategic or economic data, face heightened risk. The campaign exemplifies the increasing technical prowess and adaptability attributed to state-sponsored cyber espionage actors operating against global targets.

AI-Powered LameHug Malware Targets Ukraine’s Defense Sector: APT28 Implicated

Campaign Attribution and Discovery

CERT-UA has detected a new series of attacks on Ukraine's defense sector and links the activity to the Russian state-backed group APT28. The notable technical development is LameHug, malware that queries a remotely hosted large language model at run time to generate the commands it executes, rather than carrying a fixed command set in the binary.

Malware Delivery and Infection Vector

Initial infection is by phishing email carrying a ZIP archive with a disguised payload. Inside is a .pif file, a Python program packaged with PyInstaller; Windows treats .pif as an executable and never shows the extension in Explorer, so the file passes as a document. Running it deploys LameHug.

Technical Features of LameHug

LameHug sends the attacker's natural-language task description to the model and executes the commands it returns. In the observed samples those commands performed host reconnaissance: hardware details, running processes, service states and network connections, collected into a local file for exfiltration. Because the command strings are generated per run and never appear in the binary, static signatures on the payload are weak; the stable signals are behavioral, namely a burst of reconnaissance utilities spawned by an unexpected parent process and outbound connections to an LLM API from something that is neither a browser nor a sanctioned tool. The design also lets the operator react to unusual systems or countermeasures without rebuilding the malware.

Implications for Cyber Defense

The case marks a clear step in the weaponization of AI for cyber operations. As adversaries fold such automation into their toolkits, behavioral analytics and AI-assisted defensive tooling become more pressing, and egress policy for AI inference endpoints becomes a control worth having.
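The durable artifacts behind both the Impacket-based lateral movement in the Africa campaign above and the LameHug reconnaissance chain are visible in process-creation telemetry. The following Python script is an added example, not code from the article, from CERT-UA or from any vendor, that runs two checks over Sysmon Event ID 1 style records: the well-known Impacket wmiexec/smbexec command-line signatures (output redirected to the loopback admin share with a double-underscore file prefix, and the %TEMP%\execute.bat staging file), and a burst of distinct host-recon utilities spawned by one parent process within a short window. The event records, hostnames, process names and the thresholds (four tools within sixty seconds) are constructed assumptions to be tuned against real telemetry.

```python
"""Triage process-creation events (Sysmon Event ID 1 / Windows 4688 style)
for Impacket-style remote execution and single-parent host-recon bursts
(added example; records and thresholds are constructed assumptions)."""
from __future__ import annotations

import json
import re
from collections import defaultdict
from datetime import datetime

# Impacket command-line artifacts. Order matters: the smbexec check is more
# specific, so it runs first.
IMPACKET_PATTERNS = {
    # smbexec stages the command in %TEMP%\execute.bat and runs it via a service
    "impacket-smbexec-execute-bat": re.compile(r"%TEMP%\\execute\.bat", re.I),
    # wmiexec/smbexec redirect output to the loopback admin share, '__'-prefixed file
    "impacket-loopback-share-redirect": re.compile(r"\\\\127\.0\.0\.1\\(ADMIN|C)\$\\__", re.I),
}

# Built-in utilities that LameHug-style recon chains call (assumption: extend as needed).
RECON_TOOLS = {
    "systeminfo.exe", "wmic.exe", "tasklist.exe", "netstat.exe", "ipconfig.exe",
    "whoami.exe", "net.exe", "net1.exe", "nltest.exe", "dsquery.exe", "sc.exe",
    "arp.exe", "route.exe", "qwinsta.exe", "quser.exe", "hostname.exe",
}


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines process-creation records and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        ev["image_name"] = ev["image"].rsplit("\\", 1)[-1].lower()
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_impacket(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (host, pattern_name, command_line) for Impacket-like executions."""
    hits = []
    for ev in events:
        for name, rx in IMPACKET_PATTERNS.items():
            if rx.search(ev["cmd"]):
                hits.append((ev["host"], name, ev["cmd"]))
                break
    return hits


def find_recon_bursts(events: list[dict], min_tools: int = 4, window_s: int = 60) -> list[dict]:
    """Flag a parent that spawns >= min_tools distinct recon utilities within window_s seconds."""
    by_parent: dict[tuple, list[dict]] = defaultdict(list)
    for ev in events:
        if ev["image_name"] in RECON_TOOLS:
            by_parent[(ev["host"], ev["ppid"], ev["parent"])].append(ev)
    bursts = []
    for (host, ppid, parent), spawns in by_parent.items():
        for i, first in enumerate(spawns):  # sliding window anchored at each spawn
            window = [e for e in spawns[i:] if (e["ts"] - first["ts"]).total_seconds() <= window_s]
            tools = sorted({e["image_name"] for e in window})
            if len(tools) >= min_tools:
                bursts.append({"host": host, "ppid": ppid, "parent": parent,
                               "start": first["ts"].isoformat(), "tools": tools})
                break  # one alert per parent is enough
    return bursts


# Constructed sample telemetry (not real events). Backslashes are JSON-escaped.
SAMPLE_EVENTS = r"""
{"ts": "2025-07-18T09:14:02Z", "host": "FS01", "ppid": 1540, "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1752830042.17 2>&1"}
{"ts": "2025-07-18T09:14:05Z", "host": "FS01", "ppid": 708, "parent": "C:\\Windows\\System32\\services.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "C:\\Windows\\system32\\cmd.exe /Q /c echo tasklist ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat & C:\\Windows\\system32\\cmd.exe /Q /c %TEMP%\\execute.bat & del %TEMP%\\execute.bat"}
{"ts": "2025-07-18T09:16:30Z", "host": "WS17", "ppid": 2200, "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\whoami.exe", "cmd": "whoami /groups"}
{"ts": "2025-07-18T09:20:00Z", "host": "WS17", "ppid": 4120, "parent": "C:\\Users\\Public\\Attachment.pif", "image": "C:\\Windows\\System32\\systeminfo.exe", "cmd": "systeminfo"}
{"ts": "2025-07-18T09:20:03Z", "host": "WS17", "ppid": 4120, "parent": "C:\\Users\\Public\\Attachment.pif", "image": "C:\\Windows\\System32\\wbem\\wmic.exe", "cmd": "wmic computersystem get manufacturer,model"}
{"ts": "2025-07-18T09:20:05Z", "host": "WS17", "ppid": 4120, "parent": "C:\\Users\\Public\\Attachment.pif", "image": "C:\\Windows\\System32\\tasklist.exe", "cmd": "tasklist /svc"}
{"ts": "2025-07-18T09:20:09Z", "host": "WS17", "ppid": 4120, "parent": "C:\\Users\\Public\\Attachment.pif", "image": "C:\\Windows\\System32\\NETSTAT.EXE", "cmd": "netstat -ano"}
{"ts": "2025-07-18T09:20:12Z", "host": "WS17", "ppid": 4120, "parent": "C:\\Users\\Public\\Attachment.pif", "image": "C:\\Windows\\System32\\ipconfig.exe", "cmd": "ipconfig /all"}
{"ts": "2025-07-18T09:21:00Z", "host": "WS17", "ppid": 2200, "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "cmd": "notepad.exe report.txt"}
"""

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for host, name, cmd in find_impacket(evs):
        print(f"[{host}] {name}: {cmd[:70]}")
    for b in find_recon_bursts(evs):
        print(f"[{b['host']}] recon burst from {b['parent']} (pid {b['ppid']}) at {b['start']}: {', '.join(b['tools'])}")
```

The single whoami spawned by explorer.exe on WS17 is not flagged; the burst rule keys on the number of distinct recon tools from one parent inside the window, which is what separates an LLM-driven or scripted collection chain from an administrator running one command. The Impacket matches, by contrast, are high-confidence on their own: there is no legitimate reason for a process to redirect output into \\127.0.0.1\ADMIN$ with a double-underscore filename.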

Major Ransomware Attack Shuts Down Over 2,000 Russian WineLab Locations

Attack Overview

On July 14, 2025, the Russian alcohol retailer WineLab, a component of Novabev Group, suffered a devastating ransomware attack that forced the closure of over 2,000 stores across Russia. The attack crippled IT infrastructure, including in-store POS systems, mobile applications, and online shopping platforms.

Operational and Financial Impact

The ransomware event caused immediate, large-scale service outages, with estimated revenue losses of $2.6 to $3.8 million per day. The attackers, whose identity remains unconfirmed, demanded a ransom; Novabev refused to negotiate.

Unusual Aspects of the Attack

This incident is notable because most Russia-based ransomware groups typically avoid targeting domestic organizations, raising questions about the motivation or origin of the actors involved. There is, so far, no evidence that customer data was accessed or leaked. However, the investigation and forensic analysis are ongoing.

Remediation and Recovery Efforts

Novabev’s in-house IT teams, supplemented by external cybersecurity experts, are working continuously to restore affected systems and reinforce perimeter and endpoint security mechanisms in the wake of the attack.

Co-op Data Breach Exposes 6.5 Million UK Members’ Information

Attack Details and Scale of Exposure

In April 2025, UK retailer Co-op suffered a significant cyberattack in which attackers stole the personal data of all 6.5 million of its members. The breach has raised broad concern about personal data security for millions of UK residents.

Nature of Stolen Data

Co-op has said the stolen data comprises members' names and contact details, including addresses, and that passwords, bank and card details, and transaction records were not taken. Investigators are still confirming the full scope of the dataset.

Immediate Response and Investigation

Co-op responded by notifying affected members, involving data privacy regulators, and launching a comprehensive internal inquiry. The breach underscores the perennial risks facing organizations managing vast repositories of consumer information.

Ongoing Risks and Guidance

Because attackers can use stolen names and contact details for convincing social engineering, phishing and fraud, affected members are advised to treat unsolicited messages that cite their Co-op membership with suspicion and to follow the guidance Co-op has issued.

British MOD Afghan Data Leak Surfaces: Thousands at Risk

Nature and Timeline of the Breach

A data leak involving the British Ministry of Defence has come to light, exposing the personal information of nearly 19,000 Afghan nationals who had applied to the UK's Afghan Relocations and Assistance Policy (ARAP) scheme. The leak dates to February 2022, when an MOD official emailed a spreadsheet containing the applicants' details outside government; it was discovered in August 2023 after excerpts surfaced on Facebook, and a superinjunction obtained the following month kept it from public knowledge until July 2025.

Details of Exposed Information

The leak included applicants’ names, contact details, and family data. This exposure has placed thousands at risk, particularly given the sensitive nature of the population involved post-Taliban takeover.

Government Response and Remediation

The UK's response was to set up a covert resettlement scheme, the Afghanistan Response Route, which has so far relocated about 4,500 people, with further arrivals expected. The Ministry of Defence has apologised, and no criminal investigation is being pursued.

Ongoing Concerns

The situation has raised ongoing debates regarding data stewardship, government transparency, the safety of affected individuals, and whether affected Afghans will receive compensation or further assistance.
