Cybersecurity News: July 18-25, 2025
Key Highlights
- A critical vulnerability in Mitel MiVoice MX-ONE systems allows authentication bypass, with patches available for versions 7.3–7.8 SP1.
- Threat actors like Fire Ant and Storm-2603 exploited VMware and SharePoint vulnerabilities, impacting virtual environments and government systems.
- Europol arrested the administrator of the XSS.is cybercrime forum, disrupting a platform with over 50,000 users.
- Malware was injected into popular NPM packages via compromised developer accounts, highlighting supply chain risks.
- United Natural Foods reported up to $400 million in lost sales due to a cyberattack, demonstrating the financial impact on businesses.
- Concerns are growing about AI-generated voice clones and the trustworthiness of AI systems in cybersecurity, with experts calling for new verification methods.
Introduction
This post provides an overview of cybersecurity news from July 18 to 25, 2025. We will cover key incidents, law enforcement actions, supply chain risks, financial impacts, and trends related to AI. The information is structured for easy understanding, with links to sources for further exploration.
Key Incidents
Over the past week, several significant incidents were reported. For example, a vulnerability in Mitel MiVoice MX-ONE systems (CVE-2025-6704) allows authentication bypass, and patches are available (Source: The Hacker News). Additionally, threat actors such as Fire Ant exploited VMware vulnerabilities, while Storm-2603 targeted SharePoint to deploy ransomware, affecting over 400 servers, including government systems (Source: The Hacker News).
Law Enforcement Actions
Europol arrested the administrator of the XSS.is cybercrime forum on July 22, 2025, disrupting a platform with over 50,000 users used for trading cybercrime tools (Source: The Hacker News).
Financial Impact
A cyberattack on United Natural Foods resulted in up to $400 million in lost sales, highlighting the economic risks to businesses (Source: CyberScoop).
Detailed Overview
This section provides a detailed analysis of cybersecurity news from July 18 to 25, 2025, based on information from trusted sources such as The Hacker News, SecurityWeek, and CyberScoop. The report covers incidents, law enforcement actions, supply chain risks, financial impacts, and AI-related trends, offering a comprehensive view of the current landscape.
Methodology and Scope
The analysis period is July 18–25, 2025. Sources were selected for their timeliness and expertise in cybersecurity, including real-time updates, threat intelligence, and expert analysis. The report aims to cover a broad range of topics, from technical vulnerabilities to broader industry trends, for a holistic overview.
Detailed Incident Analysis
Critical Vulnerability in Mitel Systems
One of the most significant disclosures this week was a critical vulnerability in Mitel MiVoice MX-ONE systems, identified as CVE-2025-6704, with a CVSS score of 9.4. This flaw allows authentication bypass, potentially granting full access to affected systems. It impacts versions 7.3–7.8 SP1, and Mitel has released patches in updates MXO-15711_78SP0 and MXO-15711_78SP1. Organizations are urged to apply these patches promptly due to the severity and potential for exploitation (Source: The Hacker News).
Threat Actor Activities: Fire Ant and VMware Exploits
The threat actor Fire Ant has been actively targeting VMware environments, exploiting vulnerabilities in ESXi hosts and vCenter systems. This campaign, linked to the UNC3886 group, involves sophisticated multilayered attack chains, posing significant risks to virtualized infrastructure. The attacks highlight the ongoing challenge of securing virtual environments critical to many organizations (Source: The Hacker News).
Storm-2603 and SharePoint Exploits
Another major incident involved the China-based threat actor Storm-2603 exploiting SharePoint vulnerabilities, specifically CVE-2025-49706 and CVE-2025-49704, to deploy Warlock ransomware. This campaign affected over 400 servers, including US government entities. The attacks involved deploying a web shell, spinstall0.aspx, and are linked to other ransomware groups like LockBit, underscoring the sophistication and state-sponsored nature of these threats (Source: The Hacker News).
Law Enforcement Actions
Arrest of XSS.is Forum Administrator
On July 22, 2025, Europol, in collaboration with French authorities and the SBU Cyber Department in Ukraine, arrested the alleged administrator of the XSS.is cybercrime forum. This forum, operational for 12 years, had over 50,000 users and served as a marketplace for cybercrime tools and services. The arrest and seizure of the forum represent a significant law enforcement success, disrupting a key hub for cybercriminals (Source: The Hacker News).
Supply Chain and Software Security Risks
Malware in NPM Packages
A concerning development this week was the compromise of developer accounts, leading to the injection of malware into popular NPM packages. The malware, including DeerStealer, RedLine, StealC, NetSupport RAT, SectopRAT, and Hijack Loader, was distributed via fake GitHub repositories and ClickFix phishing campaigns. This incident, affecting 469 devices, highlights vulnerabilities in software supply chains and the need for enhanced security measures, such as multi-factor authentication and monitoring for compromised accounts (Source: The Hacker News).
Additional Software Exploits
Other threats included the threat actor Mimo targeting Magento and Docker to deploy crypto miners and proxyware, exploiting vulnerabilities like CVE-2025-32432 in Craft CMS. Additionally, hackers deployed stealth backdoors in WordPress mu-plugins using PHP scripts like "wp-index.php" to maintain admin access; because mu-plugins are loaded automatically, they cannot be disabled via the Plugins page. These incidents further illustrate the breadth of software supply chain risks (Source: The Hacker News).
Financial and Operational Impacts
Cyberattack on United Natural Foods
United Natural Foods reported a significant financial impact from a cyberattack, with up to $400 million in lost sales. This incident disrupted operations and underscores the broader economic consequences of cyberattacks on businesses, particularly in the food and beverage sector. The attack highlights the need for robust cybersecurity measures to protect critical infrastructure and minimize financial losses (Source: CyberScoop).
Other Financial Impacts
Additional incidents, such as the compromise of a Dell demo environment containing synthetic data, led to data being leaked by the attackers. While the financial impact was not quantified, it adds to the growing list of breaches affecting major corporations (Source: SecurityWeek).
Emerging Trends: AI and Cybersecurity
AI Voice Clones and Verification Challenges
Concerns are mounting over AI-generated voice clones, which are becoming increasingly indistinguishable from reality. Sam Altman and other experts have called for new verification methods to combat this threat, as deepfake audio could be used for fraud, disinformation, and other malicious purposes. This trend reflects the evolving intersection of AI and cybersecurity, requiring innovative solutions to maintain trust in digital communications (Source: SecurityWeek).
Trust in Agentic AI Systems
Experts have also warned about the risks of trusting agentic AI systems, citing fallibility, hype, and lack of transparency. These concerns are particularly relevant in cybersecurity, where AI is increasingly used for threat detection and response. The debate centers on balancing the potential benefits of AI with the need for rigorous validation and oversight to ensure reliability (Source: SecurityWeek).
Regulatory and Investment Developments
While not directly part of the incident analysis, related developments are noteworthy. HeroDevs raised $125 million to secure deprecated open-source software (OSS), and Vanta, a governance, risk, and compliance (GRC) firm, raised $150 million, reflecting continued investment in cybersecurity solutions. New York is also seeking public opinion on cyber regulations for water systems, indicating a push for stronger regulatory frameworks (Source: SecurityWeek).
Summary Table of Key Incidents
Date | Incident | Details | Impact | Source |
---|---|---|---|---|
July 24, 2025 | Mitel Vulnerability (CVE-2025-6704) | Authentication bypass in MiVoice MX-ONE, CVSS 9.4 | Potential full system access | The Hacker News |
July 24, 2025 | Fire Ant Exploits VMware | Targets ESXi and vCenter, linked to UNC3886 | Risks to virtual environments | The Hacker News |
July 24, 2025 | Storm-2603 Exploits SharePoint | Deploys Warlock ransomware, affects 400+ servers, including US government | Widespread ransomware deployment | The Hacker News |
July 22, 2025 | Arrest of XSS.is Forum Admin | Forum with 50,000+ users seized by Europol and French authorities | Disruption of cybercrime marketplace | The Hacker News |
July 24, 2025 | Malware in NPM Packages | Compromised accounts distribute DeerStealer and others, affects 469 devices | Supply chain security risks | The Hacker News |
Past Week | United Natural Foods Cyberattack | Up to $400M in lost sales due to operational disruption | Significant financial impact | CyberScoop |
Conclusion
The past week has showcased a mix of technical vulnerabilities, state-sponsored attacks, law enforcement actions, and emerging trends in AI and cybersecurity. The incidents highlight ongoing challenges in securing critical infrastructure, software supply chains, and digital communications, as well as efforts to disrupt cybercrime and innovate in response to new threats. Organizations and individuals are encouraged to stay informed and implement best practices to mitigate these risks.
Weekly Cyber Incident Review (June 10–16, 2025)
Ransomware Attack on South Korean Platform Yes24
Date: June 16, 2025
A severe ransomware attack disrupted Yes24, a major South Korean ticketing and online book platform. The attack began early on Monday, causing widespread service outages and impacting user access [[4]].
Source: Cyware Social
Cyber Attack on Pennsylvania Insurance Company
Date: June 7, 2025
An insurance company in Pennsylvania, USA, fell victim to a cyber attack, leading to operational disruptions. Specific details about the attack vector or threat actor remain undisclosed [[6]].
Source: KonBriefing.com
Canadian Airline WestJet Cybersecurity Incident
Date: Recent (No exact date provided)
WestJet, a Canadian airline, experienced a cybersecurity incident that caused interruptions in accessing its systems. Further details about the breach are pending [[2]].
Source: SecurityWeek
Cybersecurity News Roundup: May 24-30, 2025
Key Highlights
- Research indicates several major cyberattacks over the past week, including an attack on ConnectWise, potentially by a state actor.
- Over 100,000 WordPress sites are at risk due to a critical vulnerability in a plugin.
- Evidence suggests Chinese hackers are exploiting vulnerabilities in SAP and SQL Server.
- Phishing attacks targeting payroll portals via Google appear to be growing more sophisticated.
- Cybercriminals are targeting AI users, distributing malware through counterfeit AI applications.
- The U.S. imposed sanctions on a Philippine digital infrastructure provider for its role in cryptocurrency fraud.
Cybersecurity News Overview
Over the past week, from May 24 to May 30, 2025, the cybersecurity world faced several significant events, including cyberattacks, discovered vulnerabilities, and new phishing tactics. Here’s a detailed overview of key incidents, written in simple language for a broad audience.
Cyberattacks and Breaches
One of the notable events was ConnectWise’s report of a cyberattack on May 28, 2025, with suspicions of state actor involvement. The attack targeted the ScreenConnect product, and while the number of affected clients is small, it highlights the threat posed by advanced hackers. All affected clients were notified, and the investigation was conducted with Google Mandiant’s assistance.
Other examples include an Adidas data breach due to a compromised service provider and an incident with Victoria’s Secret, where their website was temporarily disabled due to a security issue. These events demonstrate how hackers can exploit third parties to access data.
Discovered Vulnerabilities
A critical vulnerability (CVE-2025-47577, CVSS 10.0) was found in the TI WooCommerce Wishlist plugin for WordPress, installed on over 100,000 sites. This vulnerability allows unauthenticated attackers to upload files, potentially leading to remote code execution (RCE). No patch is currently available, and users are advised to disable the plugin.
Additionally, a flaw in the Microsoft OneDrive file picker was identified: it grants web applications full access to a user's cloud storage even when the user is uploading only a single file. This underscores the importance of reviewing app permissions.
Malware Attacks
Chinese hackers, known as Earth Lamia, are actively exploiting vulnerabilities in SAP NetWeaver (CVE-2025-31324) and other systems like SQL Server. These attacks target organizations in Brazil, India, and Southeast Asia, including the financial sector and universities. The hackers use sophisticated techniques like SQL injections and tools such as Cobalt Strike, making these attacks particularly dangerous.
Moreover, 251 IP addresses hosted on Amazon were used to scan for vulnerabilities in ColdFusion, Struts, and Elasticsearch, indicating large-scale exploitation attempts.
Phishing and Social Engineering
Phishing attacks are becoming more sophisticated. For instance, in May 2025, ReliaQuest identified a campaign where employees searching for payroll portals via Google were redirected to fake login pages mimicking Microsoft. Hosted on WordPress, these pages used compromised routers and mobile devices to steal credentials. This is not an isolated case, emphasizing the need for employee training.
Additionally, warnings were issued about fake Docusign emails leading to phishing sites and reports of counterfeit AI applications spreading ransomware, such as CyberLock, demanding 50,000 Monero.
Regulatory Actions and Industry News
On May 29, 2025, the U.S. imposed sanctions on Funnull Technology Inc. and Liu Lizhi for providing infrastructure for cryptocurrency fraud known as "pig butchering." This is part of global efforts to combat cybercrime, particularly in the virtual currency space.
Furthermore, Cerby raised $40 million to enhance identity security, and EY reported that cybersecurity adds $36 million in value per project, highlighting the growing importance of this field.
Detailed Report: Cybersecurity News Analysis for May 24-30, 2025
This section provides a comprehensive overview of cybersecurity news for the specified period, based on analysis from sources like The Hacker News, DieSec, Dev.to, Medium, and Infosecurity Magazine. The report includes all details that led to the conclusions in the previous section, aimed at professionals and readers seeking deeper insights.
Analysis Methodology
The analysis was conducted by searching for news from May 24 to May 30, 2025, using keywords such as "cybersecurity," "breaches," "vulnerabilities," and other relevant terms. Sources were selected based on their reputation in the cybersecurity field, and the information was structured into categories for clarity.
Cyberattacks and Breaches
One of the most significant events was ConnectWise’s disclosure of a cyberattack on May 28, 2025. Details include:
- Product: ScreenConnect.
- Suspected Actor: State actor, investigated by Google Mandiant.
- Affected Clients: Very small number, exact figure undisclosed.
- Notification: All clients notified.
- Related Vulnerability: CVE-2025-3935 (CVSS 8.1), patched in version 25.2.4, affects versions 25.2.3 and earlier.
- Historical Context: In early 2024, vulnerabilities CVE-2024-1708 and CVE-2024-1709 were exploited by actors from China, North Korea, and Russia.
- Current Status: Enhanced monitoring implemented, no suspicious activity observed.
- Additional: Microsoft reported active exploitation of similar techniques in February 2025 (The Hacker News).
Other incidents include:
- Adidas: Data breach due to a compromised service provider, affecting contact details but not payment data (DieSec).
- Victoria’s Secret: Website disabled due to a security issue, limiting in-store services, third-party experts involved (DieSec).
- Ivanti: Vulnerability exploited, affecting NHS data in the UK (Medium).
- Amalgamated Sugar: Leak of personal data, including Social Security numbers (Medium).
Discovered Vulnerabilities
A critical vulnerability in the TI WooCommerce Wishlist plugin for WordPress was identified on May 29, 2025:
- CVE: CVE-2025-47577, CVSS 10.0.
- Installations: Over 100,000 active.
- Type: Arbitrary file upload, potential RCE.
- Condition: Requires installed and activated WC Fields Factory plugin with integration enabled.
- Patch: None available, users advised to deactivate the plugin (The Hacker News).
- Recommendations: Developers should avoid passing 'test_type' => false in the $overrides argument of wp_handle_upload(), since that disables WordPress's file type check.
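To make the recommendation concrete, here is an added example (not code from the plugin or the cited article) showing the risky override next to a hardened upload handler. It assumes it runs inside WordPress, where wp_handle_upload() and wp_check_filetype_and_ext() are core functions; the two handler names and the nonce action are hypothetical.

```php
<?php
// Added example, not from the TI WooCommerce Wishlist plugin or the article.
// Assumes WordPress core is loaded (wp_handle_upload, wp_check_filetype_and_ext,
// current_user_can, wp_verify_nonce are core functions). Handler names and the
// nonce action 'wishlist_upload' are hypothetical.

// Risky pattern: 'test_type' => false tells WordPress to skip its extension/MIME
// check, so a script with an image-like name can land in wp-content/uploads,
// which is served over HTTP. This is the setting the advisory warns about.
function risky_wishlist_upload( array $file ) {
    return wp_handle_upload( $file, array(
        'test_form' => false,
        'test_type' => false, // do not do this
    ) );
}

// Hardened version: keep the default type test, restrict accepted types to an
// explicit allow-list, require a capability and a nonce, and verify the real
// file content before handing the file to WordPress.
function safe_wishlist_upload( array $file, string $nonce ) {
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability.' );
    }
    if ( ! wp_verify_nonce( $nonce, 'wishlist_upload' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }

    // Only image types the wishlist feature actually needs.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
    );

    // Inspect the uploaded bytes, not just the client-supplied name/type.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not allowed.' );
    }

    return wp_handle_upload( $file, array(
        'test_form' => false,
        // 'test_type' is left at its default (true) so WordPress re-checks the type.
        'mimes'     => $allowed,
    ) );
}
```

Both functions return the array wp_handle_upload() produces on success (with 'file', 'url' and 'type' keys) or a WP_Error; the hardened one also rejects the request before any file is written when the checks fail.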
Other vulnerabilities:
- Microsoft OneDrive: File selection flaw grants web apps full cloud access (The Hacker News, Dev.to, Medium).
- Craft CMS: Exploitation of CVE-2025-32432 to deploy cryptominer and proxyware (The Hacker News).
- GitLab AI: Researchers tricked AI assistant into turning secure code into malicious code, highlighting AI risks in development (Dev.to).
Malware Attacks
Chinese hackers Earth Lamia are actively exploiting vulnerabilities:
- Main Vulnerability: CVE-2025-31324 in SAP NetWeaver, critical, allows unauthenticated file uploads.
- Others: Eight vulnerabilities targeting publicly accessible servers.
- Regions: Brazil, India, Southeast Asia (since 2023).
- Sectors: Finance, logistics, online retail, IT, universities, government.
- Techniques: SQL injections, Microsoft SQL Server exploitation, use of Cobalt Strike, Supershell, Rakshasa, Stowaway, GodPotato, JuicyPotato, Fscan, Kscan, wevtutil.exe, DLL side-loading for PULSEPACK (upgraded to WebSocket C2 in March 2025).
- Additional: Attempts to deploy Mimic ransomware, unsuccessful in Indian organizations in August 2024 (The Hacker News).
Other cases:
- 251 Amazon-hosted IP addresses used to scan for vulnerabilities in ColdFusion, Struts, Elasticsearch (The Hacker News).
- Campaign with 60 npm packages stealing data, collecting network IDs, IPs, DNS, usernames, project paths (Dev.to).
- Cloned antivirus website distributing Venom RAT, StormKitty stealer, SilentTrinity (Dev.to).
- EDDIESTEALER using fake CAPTCHA to steal data (Medium).
Phishing and Social Engineering
Payroll portal phishing campaign:
- Discovered: By ReliaQuest in May 2025, targeting the manufacturing sector.
- Technique: SEO poisoning, fake login pages mimicking Microsoft, hosted on WordPress.
- Infrastructure: Compromised routers (ASUS, Pakedge), mobile networks, part of proxy botnets.
- Devices: Employee mobile devices, low corporate security visibility.
- Exfiltration: Via Pusher push notifications API.
- Previous Cases: Two similar incidents in late 2024 (DieSec, Dev.to).
Other cases:
- Fake Docusign emails leading to phishing sites, recommendations to update awareness programs (Dev.to).
- Counterfeit AI applications spreading ransomware like CyberLock ($50,000 in Monero), Lucky_Gh0$t, Numero (DieSec, Medium).
Regulatory Actions and Industry News
U.S. sanctions:
- Entity: Funnull Technology Inc., individual: Liu Lizhi (40, China, Shanghai, Ganzhou).
- Reason: Providing infrastructure for "pig butchering" cryptocurrency scams.
- Date: May 29, 2025, announced by the U.S. Treasury Department.
- Context: Billion-dollar industry linked to human trafficking, revenue growth likely due to AI (DieSec, Medium).
Industry news:
- Cerby raised $40 million for identity security (Medium).
- EY: Cybersecurity adds $36 million in value per project (Medium).
Table: Key Events by Category
Category | Event | Date | Source |
---|---|---|---|
Cyberattacks | Attack on ConnectWise, possibly by a state actor | May 28, 2025 | The Hacker News |
Vulnerabilities | Critical vulnerability in WordPress plugin (CVE-2025-47577) | May 29, 2025 | The Hacker News |
Malware | Exploitation of SAP and SQL Server by Chinese hackers | May 30, 2025 | The Hacker News |
Phishing | Attack on payroll portals via SEO poisoning | May 2025 | DieSec |
AI-Targeted Attacks | Malware distribution via fake AI applications | May 2025 | DieSec |
Regulatory Actions | Sanctions against Funnull for cryptocurrency fraud | May 29, 2025 | DieSec |
Conclusion
This report covers a wide range of events, emphasizing the need for continuous monitoring, software updates, and employee training. All data is based on analysis of news for the specified period, sourced from leading cybersecurity platforms.
Key Citations
- China-Linked Hackers Exploit SAP and SQL Server Flaws
- Over 100,000 WordPress Sites at Risk from Critical Vulnerability
- Microsoft Identifies 3,000 Publicly Exposed RDP Endpoints
- Top 5 Cybersecurity News Stories May 30, 2025
- Security news weekly round-up - 30th May 2025
- Cyber Briefing: 2025.05.30
- US Sanctions Philippines Digital Infrastructure Provider