Latest Cybersecurity News: July 2025
Active Exploitation of Microsoft SharePoint Zero-Day Vulnerabilities
Overview of the Threat
On-premises Microsoft SharePoint servers have come under active attack through a pair of zero-day vulnerabilities: CVE-2025-49706, a network spoofing flaw that lets an unauthenticated attacker bypass authentication, and CVE-2025-49704, a code-injection bug that yields remote code execution (RCE) once that bypass succeeds. The chain has been exploited in the wild since at least July 7, 2025. Security researchers have attributed the earliest exploitation activity to state-sponsored groups, most notably the Chinese threat actors Microsoft tracks as Linen Typhoon and Violet Typhoon. SharePoint Online (Microsoft 365) is not affected.
Technical Details
The two vulnerabilities, the spoofing flaw that defeats authentication and the code-injection flaw that executes a specially crafted payload on the server, are used together in a chained attack the security community calls "ToolShell". By chaining them, an attacker with nothing more than network access to the server gains unauthenticated code execution on on-premises SharePoint, which is enough to drop web shells, steal the server's ASP.NET machine keys (which sign and encrypt ViewState, so a stolen key lets the attacker forge authenticated requests even after the original bug is patched), escalate privileges, and persist in the environment undetected.
Forensic analysis revealed multiple attack attempts targeting a diverse range of sectors, including government, telecommunications, and enterprise software across North America and Western Europe. IP addresses involved in these campaigns have previously been linked to advanced persistent threats exploiting Ivanti EPMM appliances, suggesting coordinated efforts and tool reuse among threat groups.
Incident Response and Mitigation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added both CVEs to its Known Exploited Vulnerabilities catalog on July 22, 2025, which under Binding Operational Directive 22-01 requires all Federal Civilian Executive Branch agencies to remediate them by July 23, 2025. Microsoft's guidance for on-premises deployments is to apply the latest security updates, enable the AMSI integration and an antimalware engine on SharePoint servers, rotate the ASP.NET machine keys after patching, and increase monitoring and network segmentation around those servers. One caveat matters here: the July Patch Tuesday fixes for the original pair were bypassed in the wild, so the out-of-band updates Microsoft shipped afterwards (tracked as CVE-2025-53770 and CVE-2025-53771) are the ones to verify, and any server that was Internet-facing before they were applied should be treated as potentially compromised rather than merely patched.
The active exploitation of these vulnerabilities highlights the dangers posed by delayed or insufficient patching in critical infrastructure and government environments. Security teams are strongly advised to follow the vendor advisories, conduct compromise assessments rather than assuming patching was in time, and review Internet-facing SharePoint instances for unauthorized code (unexpected .aspx files under the server's LAYOUTS directory) and suspicious request activity in the IIS logs.
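The compromise-assessment step above is worth making concrete. The following Python script is an added example, not code from the article or from Microsoft: it parses the standard IIS W3C log format a SharePoint server writes and flags the request pattern Microsoft published as the ToolShell hunting indicator (a POST to /_layouts/15/ToolPane.aspx with a Referer of /_layouts/SignOut.aspx), plus any successful POST to ToolPane.aspx with no authenticated user, which is what an unauthenticated exploit leaves behind. The log lines, IP addresses and the hostname sp.contoso.example are constructed for the example.

```python
"""Hunt IIS W3C logs from an on-prem SharePoint server for ToolShell-style requests.

Two checks are applied to every POST whose URI stem is ToolPane.aspx:
  1. Referer ends in SignOut.aspx (the indicator Microsoft published), and
  2. the request succeeded (2xx) with cs-username "-", i.e. no authenticated
     user, which a pre-auth exploit chain produces and a real editor does not.
"""
import re
from dataclasses import dataclass


@dataclass
class Hit:
    line_no: int
    client_ip: str
    reason: str
    raw: str


TOOLPANE_RE = re.compile(r"^/_layouts/1[56]/toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_RE = re.compile(r"/_layouts/(1[56]/)?signout\.aspx", re.IGNORECASE)


def parse_w3c(lines):
    """Yield (line_no, record) using the #Fields header to name each column."""
    fields = None
    for n, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("log data appears before a #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed entry; skip rather than misalign columns
        yield n, dict(zip(fields, parts))


def hunt(lines):
    """Return a list of Hit objects for log entries matching either check."""
    hits = []
    for n, rec in parse_w3c(lines):
        if rec.get("cs-method", "").upper() != "POST":
            continue
        if not TOOLPANE_RE.match(rec.get("cs-uri-stem", "")):
            continue
        ip = rec.get("c-ip", "?")
        referer = rec.get("cs(Referer)", "-")
        user = rec.get("cs-username", "-")
        status = rec.get("sc-status", "")
        raw = " ".join(rec.values())
        if SIGNOUT_RE.search(referer):
            hits.append(Hit(n, ip, "POST ToolPane.aspx with SignOut.aspx Referer (ToolShell pattern)", raw))
        elif user == "-" and status.startswith("2"):
            hits.append(Hit(n, ip, "successful unauthenticated POST to ToolPane.aspx", raw))
    return hits


# Constructed sample log: one normal GET, two exploit-style POSTs from an
# external address, and one legitimate authenticated edit from an admin.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 09:14:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\jdoe 10.0.0.23 Mozilla/5.0 - 200 0 0 120
2025-07-18 09:15:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.77 Mozilla/5.0 https://sp.contoso.example/_layouts/SignOut.aspx 200 0 0 87
2025-07-18 09:16:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.77 python-requests/2.31 - 200 0 0 45
2025-07-18 09:20:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\admin 10.0.0.23 Mozilla/5.0 https://sp.contoso.example/SitePages/Home.aspx 200 0 0 60
"""


def demo():
    """Run the hunt over the constructed sample and return the hits."""
    return hunt(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for h in demo():
        print(f"line {h.line_no} from {h.client_ip}: {h.reason}")
```

Run it against the real u_ex*.log files from C:\inetpub\logs\LogFiles on the SharePoint web front ends; any hit from an address outside your own ranges, especially from before the out-of-band patch was applied, is grounds for a full incident response rather than a patch-and-forget.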
Arrests in Retail Cyberattack Spree Linked to Scattered Spider Group
Breakthrough in Cross-Agency Investigation
British authorities have arrested four individuals in connection with a string of cyberattacks targeting major retail organizations. This represents a significant development in the ongoing investigation into the Scattered Spider cybercrime group, a highly disruptive collective known for social engineering and ransomware operations.
Tactics, Techniques, and Procedures (TTPs)
The Scattered Spider group is notorious for blended attacks that combine phishing, vishing (voice phishing), SIM swapping, impersonation of employees to IT help desks to obtain password and MFA resets, and direct exploitation of supply chain partners. Recent incidents attributed to the group include credential harvesting through fraudulent mobile authentication prompts (MFA push-bombing, where the victim is flooded with prompts until one is approved), privileged access abuse using hijacked accounts, and deployment of ransomware.
The latest crime wave demonstrates an evolution in attack sophistication, with explicit targeting of retail supply chains and executive impersonation to facilitate payment fraud and data exfiltration. Investigators have collaborated with multiple international agencies to trace financial flows and infrastructure used by the perpetrators.
Industry Impact and Legal Response
The breakthrough underscores growing law enforcement capabilities to respond to coordinated cybercrime. Retail firms are urged to enhance employee cybersecurity awareness, strictly enforce multi-factor authentication, and remain vigilant for social engineering attempts that bypass technical defenses. Because this group's playbook is built around talking its way past MFA rather than breaking it, the practical measures are phishing-resistant factors (FIDO2 security keys or passkeys) for privileged accounts and a help-desk process that verifies identity out of band before any password or MFA reset.
Ransomware Disrupts Ingram Micro’s Global Operations
Incident Summary
Ingram Micro, a global leader in IT distribution and supply chain services, experienced a significant network disruption following a ransomware attack orchestrated by the SafePay hacker group. The incident caused widespread operational delays, affecting logistics, procurement, and client-facing services.
Technical Aspects of the Attack
The attackers reportedly gained initial access through phishing, then moved laterally and deployed ransomware payloads that encrypted systems across multiple sites. Early forensic reporting indicates the group used tooling modified to evade signature-based security products, and delayed detonation so the encryptors fired together once the attackers had positioned them, maximizing the impact window before detection.
While Ingram Micro has now largely restored global operations, forensic teams are still evaluating the scope of data compromise, with particular concern regarding potential exposure of customer and partner information.
Ongoing Targeted Cyberattacks by Iran-Linked Threat Actors
Targeted Sectors and Attack Motives
State-aligned Iranian threat groups have recently intensified cyber-espionage and disruption campaigns targeting U.S. transportation and manufacturing firms. The attacks are believed to be a response to recent geopolitical escalations, utilizing both custom malware and living-off-the-land techniques.
Technical Profile of Threats
These campaigns typically involve spear-phishing, credential theft, and lateral exploitation of compromised accounts. Notable TTPs include the use of post-exploitation tooling for data exfiltration and the strategic deployment of wipers to degrade operational capabilities or punish targeted sectors.
U.S. federal agencies continue to issue advisories warning of heightened risk, urging critical infrastructure firms to upgrade detection systems, review incident response plans, and bolster multi-layered perimeter defenses.
Citrix NetScaler Flaw: Repeat of CitrixBleed Crisis Looms
Vulnerability Details
A new critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances has surfaced that unauthenticated attackers can reach over the network. Researchers have already dubbed it "CitrixBleed 2" because, like the 2023 CitrixBleed flaw, it leaks appliance memory that contains valid session tokens, letting an attacker hijack authenticated sessions and bypass MFA without ever logging in. Security researchers and government agencies have sounded alarms about the potential for mass exploitation, drawing parallels to the 2023 crisis, in which stolen sessions were used for widespread data theft and ransomware intrusions.
Mitigation and Guidance
Experts have criticized Citrix for delays in updating public guidance as exploitation attempts increase. Administrators are strongly advised to update appliances to the fixed builds immediately and, because sessions stolen before the patch remain valid afterwards, to terminate all active ICA and PCoIP sessions once the upgrade is complete (kill icaconnection -all and kill pcoipConnection -all from the NetScaler CLI). They should also monitor closely for indicators of compromise such as unexpected web shell deployment, reuse of a session token from a different source IP, or unrecognized network traffic from the appliance.
Mobile Phishing Scams Surge Amid Executive Impersonation
Trends and Findings
The latest industry survey reports that nearly 60% of organizations have suffered incidents resulting from voice or text-based phishing (vishing and smishing), particularly those involving executive impersonation. Attackers have increasingly circumvented email-based security controls by targeting employees directly on mobile devices, often using believable pretexts and real-time social engineering.
Industry Recommendations
Security experts urge companies to enhance mobile threat defense, conduct regular training to help staff recognize phishing, and implement robust verification processes for financial or sensitive requests purportedly from executives.
M&S Chairman Advocates for Mandatory Cyberattack Disclosure
Background and Testimony
Following a major social-engineering attack on the UK retailer Marks & Spencer (M&S), the company's chairman testified before UK lawmakers in favor of legislation mandating disclosure of all material cyber incidents. The call reflects a shift towards transparency as organizations grapple with reputational and legal risks from underreported breaches.
Potential Implications
Such legislative changes would drive greater accountability among companies and foster faster, industry-wide response to emerging cyber threats, but could also expose firms to increased regulatory scrutiny and financial liabilities.