News Week: July 21st to July 27th, 2025

July 28, 2025

Over 1,000 CrushFTP Servers Exposed to Zero-Day Exploit and Ransomware Threats

More than 1,000 CrushFTP servers remain vulnerable to a critical zero-day flaw, putting them at risk of hijack attempts and data breaches. The issue, tracked as CVE-2025-54309, stems from improper AS2 validation and affects all versions below 10.8.5 and 11.3.4_23. While a fix has already been released, many systems remain unpatched and open to exploitation. Attackers are believed to have reverse-engineered the software, using the vulnerability to gain administrative access to the web interface. Shadowserver reports over 1,040 affected instances still online, potentially exposing sensitive data. Although no concrete evidence links the current attacks to specific threat actors, ransomware gangs such as Clop have historically exploited zero-days in similar file transfer platforms. As CrushFTP urges customers to enable auto-updates and restrict admin access by IP, the situation underscores the growing ransomware risk for organizations relying on outdated or unprotected managed file transfer systems.
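The affected-version statement above ("all versions below 10.8.5 and 11.3.4_23") is the kind of threshold that ends up hand-checked against an asset inventory. As an added illustration (not part of the original report and not CrushFTP's own tooling), the Python helper below turns those two thresholds into a triage check. It assumes CrushFTP version strings take the form `major.minor.patch[_build]` with the `_NN` suffix sorting numerically inside one release, and the inventory it runs over is constructed for the demonstration.

```python
import re

# Fixed versions per CrushFTP release line, as quoted above: 10.8.5 and 11.3.4_23.
# Anything below the threshold for its line is vulnerable (assumption: the "_NN"
# suffix is a build number that sorts numerically within the same x.y.z release).
FIXED_BY_LINE = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?$")


def parse_version(text):
    """'11.3.4_23' -> (11, 3, 4, 23); a missing patch or build defaults to 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CrushFTP version string: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch or 0), int(build or 0))


def is_vulnerable(version):
    v = parse_version(version)
    # Lines with a known fix compare against their own threshold; an older line
    # (e.g. 9.x) is below every fix, a newer one (12.x) is above them all.
    fixed = FIXED_BY_LINE.get(v[0], min(FIXED_BY_LINE.values()))
    return v < fixed


def triage(inventory):
    """Map {host: version} to the hosts still needing the patch, plus any entries
    whose version could not be parsed so they are not silently skipped."""
    needs_patch, unparsed = [], []
    for host, version in inventory.items():
        try:
            if is_vulnerable(version):
                needs_patch.append(host)
        except ValueError:
            unparsed.append(host)
    return sorted(needs_patch), sorted(unparsed)


# Constructed inventory for the demonstration (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "mft-prod-1": "11.3.4_23",   # patched
    "mft-prod-2": "11.3.4",      # same release, but below build 23
    "mft-legacy": "10.8.4",      # 10.x line, below 10.8.5
    "mft-dmz":    "10.8.5",      # patched
    "mft-lab":    "9.9",         # older line, below every fix
    "mft-test":   "unknown",     # version not collected
}

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

The unparsed list matters as much as the vulnerable one: a host whose version was never collected is exactly the kind of forgotten managed file transfer box the report describes, so the check reports it rather than dropping it.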

Chinese Hackers Exploit Microsoft SharePoint Zero-Day in ToolShell Attacks

Multiple Chinese nation-state actors have been linked to a sophisticated zero-day campaign exploiting vulnerabilities in Microsoft SharePoint servers. The exploit chain, known as “ToolShell,” targets on-premise SharePoint instances and enables unauthenticated remote code execution. Microsoft has attributed the attacks to groups like Linen Typhoon, Violet Typhoon, and Storm-2603, all of which have been actively compromising government, telecom, and enterprise systems across North America and Europe. At least 54 organizations have already been breached. Despite recent emergency patches, a proof-of-concept for CVE-2025-53770 was released on GitHub, raising the risk of widespread abuse by additional threat actors. CISA has since listed the zero-day in its Known Exploited Vulnerabilities catalog, urging immediate patching. With public exploits now available and attackers accessing internal systems via malicious web shells, the threat remains high. The wave of attacks echoes previous ransomware and espionage operations that leveraged zero-day vulnerabilities for initial access.

UK to Ban Ransom Payments in Public Sector After DragonForce Attack

The UK government is moving to outlaw ransom payments by public sector and critical infrastructure entities, targeting the financial incentives that fuel ransomware gangs. The decision follows a series of high-profile attacks, including the recent DragonForce ransomware assault on retailer Marks & Spencer, which disrupted operations across 1,400 stores by encrypting VMware ESXi hosts. Under the proposed law, institutions like the NHS, schools, and councils will be barred from paying ransoms, aiming to make public services less attractive to threat actors. While private companies remain exempt, they must report any intention to pay, particularly if sanctioned ransomware groups—many based in Russia—are involved. Authorities are also implementing a mandatory reporting framework to aid investigations and victim response. With ransomware gangs growing bolder and leveraging zero-day exploits, the UK is signaling a unified stance against cyber extortion, seeking to dismantle the ecosystem that enables groups like DragonForce to thrive.

Cisco ISE RCE Vulnerabilities Now Actively Exploited in Targeted Attacks

Cisco has confirmed that three critical remote code execution (RCE) vulnerabilities in its Identity Services Engine (ISE) are now under active exploitation. The flaws—CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337—allow unauthenticated attackers to gain root-level access via malicious API requests or file uploads. All three carry a maximum CVSS score of 10.0 and pose a severe threat to enterprise network security. Cisco ISE is widely used to enforce access controls and security policies across large organizations, making these RCE bugs especially attractive to threat actors. While the company has not detailed the methods used in the wild, it urges customers to upgrade immediately to patched versions: 3.3 Patch 7 or 3.4 Patch 2. There are no available workarounds, leaving patching as the sole defense. With unauthenticated RCE exploits increasingly used by ransomware gangs and APT groups, these software vulnerabilities represent a critical vector for potential network-wide compromise.

Interlock Ransomware Escalates Double Extortion Attacks, Warn CISA and FBI

The FBI and CISA have issued a joint advisory warning of a surge in Interlock ransomware activity, highlighting the group’s use of aggressive double extortion tactics. Since its emergence in late 2024, Interlock has rapidly expanded its operations, targeting critical infrastructure and healthcare organizations worldwide. The gang not only encrypts victim systems but also exfiltrates sensitive data, threatening to leak it as additional ransom pressure. Recent attacks include major breaches at DaVita and Kettering Health, with over 1.5TB of stolen data. Interlock has also used unique delivery methods like ClickFix and the new FileFix social engineering technique to gain initial access, deploying remote access trojans like NodeSnake. The group’s evolving tactics underscore the urgent need for enhanced cyber defenses. Authorities recommend DNS filtering, strict identity and access controls, and regular patching to mitigate the threat of Interlock ransomware and its increasingly sophisticated double extortion campaigns.

Ukraine Arrests Alleged Admin of XSS Cybercrime Forum Tied to RaaS Operations

Ukrainian authorities, in cooperation with French prosecutors and Europol, have arrested the suspected administrator of the notorious Russian-speaking hacking forum XSS.is. Active since 2013, XSS gained a reputation as a major hub for cybercriminals, hosting over 50,000 users involved in selling malware, offering initial access to compromised systems, and promoting ransomware-as-a-service (RaaS) platforms. Despite a public ban on ransomware discussions in 2021, intercepted messages from the encrypted Jabber server ‘thesecure.biz’ revealed ongoing RaaS-related activities, generating at least $7 million in profits. The investigation, initiated in 2021 by French authorities, culminated in the forum’s takedown and arrest of its suspected admin. Law enforcement agencies now reportedly have access to the forum’s backend, potentially exposing numerous users engaged in ransomware and cyber extortion. The takedown of XSS.is, a central marketplace for RaaS actors, marks a significant blow to the cybercrime ecosystem and could deter further ransomware operations in the near term.

US Nuclear Weapons Agency Breached via SharePoint Zero-Day Exploit Chain

Unknown threat actors exploited a Microsoft SharePoint zero-day vulnerability chain to breach the networks of the U.S. Department of Energy, including the National Nuclear Security Administration (NNSA). The NNSA, responsible for managing the U.S. nuclear arsenal and emergency response to nuclear incidents, confirmed the intrusion last week. Although only a small number of systems were reportedly affected, the breach highlights the critical danger posed by zero-day vulnerabilities in widely used enterprise platforms. The same ToolShell exploit chain has already compromised over 400 servers and 148 organizations globally, including government bodies in Europe, the Middle East, and multiple U.S. state agencies. Microsoft and Google have attributed the attacks to Chinese state-sponsored actors such as Linen Typhoon and Violet Typhoon. CISA has added CVE-2025-53770, part of the ToolShell zero-day chain, to its Known Exploited Vulnerabilities catalog, mandating immediate remediation across federal networks to prevent further intrusions.

Warlock and Lockbit Ransomware Deployed in SharePoint Zero-Day Attacks

Microsoft has confirmed that the China-based hacking group Storm-2603 is exploiting the SharePoint ToolShell zero-day chain to deploy Warlock ransomware across compromised networks. In some cases, Lockbit ransomware has also been observed. These attacks begin with the exploitation of unpatched SharePoint servers, followed by credential theft using Mimikatz to extract plaintext passwords from LSASS memory. Attackers then spread laterally using PsExec, Impacket, and WMI, pushing Warlock ransomware via Group Policy Objects. Over 420 vulnerable SharePoint servers remain exposed online, according to Shadowserver. Microsoft has also linked the Linen Typhoon and Violet Typhoon threat groups to these exploits, originally identified in CVE-2025-49706 and CVE-2025-49704. With at least 400 infected servers and 148 organizations compromised globally—including the U.S. Department of Energy and National Institutes of Health—the ToolShell zero-day chain remains a major vector for ransomware delivery. CISA has mandated urgent patching of CVE-2025-53770 to prevent further infections.
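The post-exploitation chain described above (Mimikatz reading LSASS, PsExec for lateral movement, Group Policy Objects to push the ransomware) leaves well-known traces in Windows event logs. As an added example, not taken from Microsoft's guidance or the original post, the Python detector below flags each of those three stages in a handful of constructed Windows System, Security and Sysmon events and then correlates them in a time window, so that the combination is surfaced as a chain rather than three unrelated alerts. Field names follow the usual EVTX-to-JSON export shape; the hostnames, paths, users and timestamps are made up for the demonstration, and the set of LSASS access masks is a defender's assumption about what a memory read looks like, not a list from the page.

```python
from datetime import datetime, timedelta

# Constructed sample events in the usual EVTX-to-JSON shape (field names as exported
# by common collectors; hosts, paths, users and timestamps are made up for this demo).
SAMPLE_EVENTS = [
    {"time": "2025-07-22T09:58:10Z", "host": "SP-WEB01", "channel": "Sysmon", "id": 10,
     "SourceImage": r"C:\Windows\Temp\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"time": "2025-07-22T10:01:42Z", "host": "FS01", "channel": "System", "id": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2025-07-22T10:03:05Z", "host": "DC01", "channel": "Security", "id": 5136,
     "ObjectClass": "groupPolicyContainer",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames", "SubjectUserName": "svc_backup"},
    # Benign noise: an ordinary user-object edit and an EDR agent querying LSASS.
    {"time": "2025-07-22T10:03:06Z", "host": "DC01", "channel": "Security", "id": 5136,
     "ObjectClass": "user", "AttributeLDAPDisplayName": "description", "SubjectUserName": "helpdesk"},
    {"time": "2025-07-22T11:30:00Z", "host": "WS07", "channel": "Sysmon", "id": 10,
     "SourceImage": r"C:\Program Files\EDR\agent.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
]

# Access masks that include PROCESS_VM_READ, i.e. a process reading LSASS memory
# (assumed set for the demo; tune to what your own EDR baseline shows as benign).
LSASS_READ_MASKS = {0x1010, 0x1410, 0x1438, 0x143A, 0x1FFFFF}


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")


def rule_lsass_access(e):
    """Sysmon ID 10: a process opened lsass.exe with a memory-read access mask."""
    if e["channel"] != "Sysmon" or e["id"] != 10:
        return None
    if not e.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    if int(e.get("GrantedAccess", "0x0"), 16) not in LSASS_READ_MASKS:
        return None
    return "credential_theft", f"{e['SourceImage']} read LSASS on {e['host']}"


def rule_psexec_service(e):
    """System ID 7045: the PSEXESVC service was installed, i.e. PsExec ran against this host."""
    if e["channel"] == "System" and e["id"] == 7045 and "PSEXESVC" in e.get("ServiceName", "").upper():
        return "lateral_movement", f"PsExec service installed on {e['host']}"
    return None


def rule_gpo_change(e):
    """Security ID 5136: an attribute of a Group Policy container was modified."""
    if e["channel"] == "Security" and e["id"] == 5136 and e.get("ObjectClass") == "groupPolicyContainer":
        return "gpo_modification", f"{e['SubjectUserName']} changed {e['AttributeLDAPDisplayName']} on {e['host']}"
    return None


RULES = (rule_lsass_access, rule_psexec_service, rule_gpo_change)


def detect(events):
    """Run every rule over every event; return findings as (time, stage, detail), oldest first."""
    findings = []
    for e in events:
        for rule in RULES:
            hit = rule(e)
            if hit:
                findings.append((_ts(e), hit[0], hit[1]))
    return sorted(findings)


def correlate(findings, window=timedelta(hours=1)):
    """Count distinct stages inside any sliding window over the findings; two or
    more stages close together is the chain described above rather than isolated noise."""
    best_stages = set()
    for i, (start, _, _) in enumerate(findings):
        stages = {stage for t, stage, _ in findings[i:] if t - start <= window}
        if len(stages) > len(best_stages):
            best_stages = stages
    return {"severity": "high" if len(best_stages) >= 2 else "low",
            "stages": sorted(best_stages)}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for when, stage, detail in hits:
        print(when.isoformat(), stage, detail)
    print(correlate(hits))
```

The correlation deliberately runs across hosts rather than per host: the page's chain starts on the SharePoint server, moves to file servers with PsExec and ends on a domain controller with a GPO edit, so a per-host view would see three single-stage, low-severity events. A 5136 event on a `groupPolicyContainer` also requires the directory service change auditing subcategory to be enabled on the domain controllers, which is worth confirming before relying on that rule.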

BlackSuit Ransomware Infrastructure Seized in Operation Checkmate

Law enforcement agencies have taken down the dark web infrastructure of the BlackSuit ransomware gang in a coordinated global effort dubbed Operation Checkmate. U.S. Homeland Security Investigations, alongside international partners, seized BlackSuit’s .onion extortion portals, including data leak and negotiation sites used to pressure victims into ransom payments. BlackSuit has roots tracing back to Quantum ransomware and later rebranded as Royal ransomware, before adopting its current name. Researchers now believe the gang is preparing another rebrand under the Chaos ransomware name. Cisco Talos reports overlapping tactics, encryption methods, and ransom note structure across BlackSuit, Royal, and Quantum operations. Since 2022, the gang has targeted over 350 organizations and demanded more than $500 million in ransom payments. CISA and the FBI previously confirmed the connection between Royal and BlackSuit, highlighting their shared infrastructure and techniques. The takedown marks a significant disruption to one of the most prolific ransomware groups operating under successive identities.

Post SMTP Plugin Vulnerability Puts 200,000 WordPress Sites at Risk

A critical software vulnerability in the popular Post SMTP plugin is exposing over 200,000 WordPress websites to potential admin hijacking. Tracked as CVE-2025-24000, the flaw stems from broken access control in the plugin’s REST API, allowing any logged-in user—regardless of their role—to access sensitive email logs. On affected sites, attackers with subscriber-level access can intercept password reset emails for admin accounts and take full control. Post SMTP, installed on over 400,000 sites, serves as a replacement for WordPress’s default email function. Although a patch was released in version 3.3.0 on June 11, download stats show that less than half of users have applied the update. Alarmingly, nearly 97,000 sites are still running older 2.x versions vulnerable to additional security flaws. Website owners are strongly urged to update immediately to mitigate exploitation of this WordPress plugin vulnerability.

Scattered Spider Targets VMware ESXi in Sophisticated Ransomware Attacks

Scattered Spider, a financially motivated threat group also known as UNC3944 or Octo Tempest, is intensifying its attacks on VMware ESXi hypervisors across U.S. industries. Rather than exploiting software flaws, the group relies on advanced social engineering to gain initial access, impersonating employees and manipulating IT help desks into resetting credentials. Once inside, Scattered Spider identifies high-value targets, including VMware vSphere admins, and escalates privileges to seize control of the virtual environment. Their tactics include enabling SSH on ESXi hosts, resetting root passwords, and executing disk-swap attacks to extract sensitive Active Directory data. With full control, they disable backups and deploy ransomware to encrypt virtual machine files. Despite no software vulnerabilities being exploited, the group achieves complete control of the virtual infrastructure. Google’s Threat Intelligence Group warns that Scattered Spider’s attack chain—from infiltration to ransomware deployment—can unfold within hours, marking a severe threat to under-defended VMware environments.

Conclusion

Scattered Spider’s ability to compromise entire VMware ESXi environments through social engineering alone highlights the urgent need for proactive cybersecurity defenses. With attackers bypassing traditional protections and deploying ransomware within hours, organizations must remain alert and prepared.

As experts in ransomware recovery and cybersecurity, we offer specialized services such as Ransomware Recovery Services, Ransomware Negotiation Services, and comprehensive training through our Cyber Defense Academy. Strengthen your defenses further with a Cybersecurity Risk Assessment or ensure rapid response capability with our Incident Response Retainer.