Cybersecurity Threats and Trends - 07/24/2025

This week's cybersecurity landscape has been dominated by the exploitation of critical infrastructure vulnerabilities...


While you were busy arguing whether your password manager is worth the subscription fee, threat actors were busy turning America's nuclear arsenal oversight into their personal intelligence buffet. This week's cybersecurity nightmare fuel comes with a side of supply chain chaos and a generous helping of zero-day exploitation – because apparently, July wasn't hot enough already.

1. US Nuclear Weapons Agency Hacked in Microsoft SharePoint Attacks

Primary Threat: Unknown threat actors have reportedly breached the National Nuclear Security Administration's network using recently patched Microsoft SharePoint vulnerabilities.

Risk: CRITICAL

Security researchers report that the National Nuclear Security Administration (NNSA), the federal agency responsible for maintaining and securing the United States' nuclear weapons stockpile, has fallen victim to a sophisticated cyberattack exploiting Microsoft SharePoint zero-day vulnerabilities. The breach appears to be connected to the widespread exploitation campaign targeting CVE-2025-53770 and CVE-2025-53771, which Microsoft acknowledged has been actively exploited since at least July 7, 2025.

The timing of this breach is particularly concerning given that Microsoft only released emergency patches for these vulnerabilities on July 21, 2025, leaving a two-week window during which critical infrastructure remained vulnerable. The NNSA breach represents one of the most significant national security incidents of 2025, as the agency oversees the safety, security, and effectiveness of the U.S. nuclear weapons stockpile, manages nuclear materials, and conducts nuclear nonproliferation activities worldwide.

Intelligence sources suggest the attackers gained persistent access to internal NNSA networks and may have exfiltrated sensitive information related to nuclear security protocols, though the full extent of the compromise remains under investigation. The attack methodology mirrors the tactics observed in the broader SharePoint exploitation campaign that Microsoft linked to Chinese state-sponsored groups, including the deployment of custom web shells and the use of legitimate administrative tools for lateral movement.

Detection and Remediation Tips:

  • If your organization uses on-premises SharePoint Server, apply Microsoft's emergency patches immediately and verify installation

  • Conduct comprehensive security audits of all SharePoint instances, focusing on unusual administrative activity and unauthorized file access

  • Implement network segmentation to isolate SharePoint servers from critical infrastructure systems

  • Review and strengthen authentication mechanisms for SharePoint administrative accounts, including mandatory multi-factor authentication

  • Monitor for indicators of compromise associated with the ToolShell malware family and similar web shell deployments

  • Establish incident response procedures specifically for supply chain and infrastructure software compromises
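One cheap signal for the "web shell deployment" item above is a request to an .aspx resource that the farm is not known to serve. The following Node.js script is an added example, not code from the newsletter or from Microsoft: it parses IIS W3C log lines and flags .aspx requests outside a baseline, rating POSTs higher because a shell is normally driven by POSTed input. The baseline paths, the log lines and the file name `example_dropped.aspx` are all constructed for the example and are not real indicators of compromise.

```javascript
// Added example (not from the newsletter or Microsoft): heuristic scan of IIS
// W3C logs for web shell activity on a SharePoint server. Signal: a request to
// an .aspx path that is not in a baseline of paths the farm is known to serve.
// Baseline, log lines and file names below are constructed, not real IoCs.

const KNOWN_ASPX_BASELINE = new Set([
  '/_layouts/15/start.aspx',
  '/_layouts/15/settings.aspx',
  '/sitepages/home.aspx',
]);

// Parse a W3C extended log: the '#Fields:' directive names the columns,
// other '#' lines are directives/comments, everything else is a data row.
function parseW3cLog(text) {
  let fields = null;
  const rows = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '') continue;
    if (line.startsWith('#Fields:')) {
      fields = line.slice('#Fields:'.length).trim().split(/\s+/);
      continue;
    }
    if (line.startsWith('#')) continue;
    if (!fields) throw new Error('data row before #Fields directive');
    const values = line.split(/\s+/);
    const row = {};
    fields.forEach((name, i) => { row[name] = values[i] ?? '-'; });
    rows.push(row);
  }
  return rows;
}

// Flag .aspx requests whose path is not in the baseline. POST gets 'high'
// because web shells are usually commanded through POST bodies.
function findSuspiciousAspxRequests(rows, baseline = KNOWN_ASPX_BASELINE) {
  const hits = [];
  for (const row of rows) {
    const stem = (row['cs-uri-stem'] || '').toLowerCase();
    if (!stem.endsWith('.aspx') || baseline.has(stem)) continue;
    hits.push({
      time: `${row.date} ${row.time}`,
      clientIp: row['c-ip'],
      method: row['cs-method'],
      path: stem,
      status: row['sc-status'],
      severity: row['cs-method'] === 'POST' ? 'high' : 'medium',
    });
  }
  return hits;
}

// Constructed sample log (RFC 5737 documentation addresses).
const SAMPLE_LOG = `#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-20 03:14:07 GET /_layouts/15/start.aspx - 198.51.100.10 200
2025-07-20 03:14:09 POST /_layouts/15/example_dropped.aspx - 203.0.113.5 200
2025-07-20 03:14:11 GET /_layouts/15/example_dropped.aspx - 203.0.113.5 200
2025-07-20 03:15:00 GET /sitepages/home.aspx - 198.51.100.11 200
2025-07-20 03:15:02 POST /_layouts/15/settings.aspx - 198.51.100.11 302
`;

function scanSampleLog() {
  return findSuspiciousAspxRequests(parseW3cLog(SAMPLE_LOG));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of scanSampleLog()) {
    console.log(`[${hit.severity}] ${hit.time} ${hit.clientIp} ${hit.method} ${hit.path} -> ${hit.status}`);
  }
}

module.exports = { parseW3cLog, findSuspiciousAspxRequests, scanSampleLog, SAMPLE_LOG };
```

On a real farm the baseline has to be built from the server's own logs over a quiet period, otherwise the legitimate layouts pages will drown the alerts; pair it with file-integrity monitoring of the web root so a newly written .aspx file is caught even before anyone requests it.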

2. NPM Package 'is' Compromised in Supply Chain Attack Affecting 2.8M Weekly Downloads

Primary Threat: The popular NPM package 'is' has been compromised with backdoor malware, potentially affecting millions of developers worldwide.

Risk: HIGH

Cybersecurity researchers discovered that the widely used NPM package 'is', which receives 2.8 million weekly downloads, was compromised in a sophisticated supply chain attack. The malicious code was injected into versions 3.3.1 through 5.0.0, giving attackers full access to compromised development environments. The package's maintainer, John Harband, announced the discovery on July 19, 2025, and the malicious versions were removed approximately six hours after detection.

Detection and Remediation Tips:

  • Immediately audit your Node.js projects for the compromised 'is' package versions

  • Update to the latest clean version and scan development environments for signs of compromise

  • Implement package integrity verification in your CI/CD pipelines
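To make the first and third tips concrete, here is an added Node.js example (not code from the newsletter or from the npm project) that audits a package-lock.json for the compromised 'is' range, 3.3.1 through 5.0.0 as reported above, and at the same time reports any installed package that carries no integrity hash, which is the precondition for npm to verify tarballs at install time. The lockfile embedded below is constructed; the package names `left-thing` and `unpinned-dep` and the `sha512-PLACEHOLDER` integrity strings are placeholders, not real values.

```javascript
// Added example (not from the newsletter or npm): audit a lockfileVersion 2/3
// package-lock.json for the compromised 'is' versions (3.3.1..5.0.0) and for
// entries that lack an integrity hash. The lockfile below is constructed.

const AFFECTED = { name: 'is', min: '3.3.1', max: '5.0.0' };

// Compare dotted numeric versions (pre-release tags ignored).
// Returns negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function inAffectedRange(version) {
  return compareVersions(version, AFFECTED.min) >= 0 &&
         compareVersions(version, AFFECTED.max) <= 0;
}

// Walk the 'packages' map. Keys look like "node_modules/is",
// "node_modules/@scope/name" or "node_modules/foo/node_modules/is",
// so the package name is whatever follows the last "node_modules/".
function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // root project entry
    const marker = 'node_modules/';
    const name = key.slice(key.lastIndexOf(marker) + marker.length);
    if (name === AFFECTED.name && inAffectedRange(entry.version)) {
      findings.push({ path: key, version: entry.version, issue: 'compromised-version' });
    }
    // Workspace links (link: true) legitimately have no integrity field.
    if (!entry.integrity && !entry.link) {
      findings.push({ path: key, version: entry.version, issue: 'missing-integrity' });
    }
  }
  return findings;
}

// Constructed lockfile: one direct hit, one nested clean copy, one entry
// without an integrity hash. Integrity strings are placeholders.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0', dependencies: { is: '^3.3.0', 'left-thing': '1.0.0' } },
    'node_modules/is': {
      version: '3.3.1',
      resolved: 'https://registry.npmjs.org/is/-/is-3.3.1.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
    'node_modules/left-thing': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/left-thing/-/left-thing-1.0.0.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
    'node_modules/left-thing/node_modules/is': {
      version: '3.3.0',
      resolved: 'https://registry.npmjs.org/is/-/is-3.3.0.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
    'node_modules/unpinned-dep': {
      version: '2.0.0',
      resolved: 'https://registry.npmjs.org/unpinned-dep/-/unpinned-dep-2.0.0.tgz',
    },
  },
};

function auditSampleLock() {
  return auditLockfile(SAMPLE_LOCK);
}

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node audit-lock.js [path/to/package-lock.json]; with no argument the sample is used.
  const lock = process.argv[2] ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) console.log(`${f.issue}\t${f.path}@${f.version}`);
}

module.exports = { compareVersions, inAffectedRange, auditLockfile, auditSampleLock, SAMPLE_LOCK };
```

Wiring this into CI is a matter of failing the build when the findings list is non-empty; the missing-integrity check matters because `npm ci` can only verify a tarball against a hash the lockfile actually records.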

3. CISA Warns of Active SysAid Vulnerability Exploitation

Primary Threat: CISA has added two SysAid IT service management vulnerabilities to its Known Exploited Vulnerabilities catalog following confirmed active attacks.

Risk: HIGH

The U.S. Cybersecurity and Infrastructure Security Agency warns that attackers are actively exploiting security vulnerabilities in SysAid IT service management software to hijack systems and gain unauthorized access. The vulnerabilities allow remote attackers to execute arbitrary code and potentially gain administrative privileges on affected systems.

Detection and Remediation Tips:

  • Apply SysAid security updates immediately if you use this software

  • Monitor SysAid instances for unusual administrative activity or unauthorized access attempts

  • Implement additional access controls and monitoring for IT service management platforms

Did you know...?

The Microsoft SharePoint vulnerabilities exploited in this week's attacks were initially discovered through Microsoft's own threat hunting activities, not external security researchers. This highlights how even software vendors with extensive security resources can miss critical vulnerabilities in their own products until they're actively exploited in the wild. The two-week gap between initial exploitation and patch availability demonstrates the challenge of defending against zero-day attacks, even when the vendor is aware of the threat.

4. Cisco Confirms Active Exploitation of Critical ISE Vulnerabilities

Primary Threat: Cisco has confirmed active exploitation of maximum-severity vulnerabilities in its Identity Services Engine (ISE) platform.

Risk: HIGH

Cisco confirmed that attackers are actively exploiting critical remote code execution vulnerabilities in Cisco ISE, including CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337. These maximum-severity flaws allow unauthenticated attackers to execute arbitrary commands and potentially gain full system control.

Detection and Remediation Tips:

  • Apply Cisco's security updates for ISE immediately

  • Monitor ISE deployments for signs of compromise or unusual authentication patterns

  • Implement network segmentation to limit ISE exposure to untrusted networks

5. CrushFTP Zero-Day Exploited to Hijack Over 1,000 Servers

Primary Threat: A critical zero-day vulnerability in CrushFTP is being actively exploited to hijack file transfer servers worldwide.

Risk: HIGH

Security researchers report that threat actors are exploiting CVE-2025-54309, a critical vulnerability in CrushFTP that allows attackers to gain administrative access to file transfer servers. ShadowServer estimates that over 1,000 CrushFTP servers remain vulnerable to ongoing exploitation attempts.

Detection and Remediation Tips:

  • Update CrushFTP installations immediately to the latest patched version

  • Review file transfer logs for signs of unauthorized access or data exfiltration

  • Implement additional authentication controls for file transfer services

6. CISA and FBI Issue Joint Warning on Escalating Interlock Ransomware

Primary Threat: Federal agencies warn of increased Interlock ransomware activity targeting critical infrastructure organizations.

Risk: HIGH

CISA and the FBI warned of escalating Interlock ransomware attacks targeting businesses and critical infrastructure organizations in double extortion campaigns. The ransomware group has been observed using unusual tactics and applying additional pressure on victims during negotiations.

Detection and Remediation Tips:

  • Review and test ransomware incident response procedures

  • Ensure offline backups are current and regularly tested for restoration

  • Implement network segmentation to limit ransomware spread potential

IN SUMMARY:

The simultaneous exploitation of SharePoint, SysAid, Cisco ISE, and CrushFTP vulnerabilities demonstrates how threat actors are rapidly weaponizing newly disclosed flaws.

The NPM supply chain attack affecting 2.8 million weekly downloads serves as a stark reminder that software dependencies remain a critical attack vector.

Organizations must prioritize rapid patch deployment, supply chain security, and comprehensive monitoring to defend against this escalating threat environment.

🚨 Key Takeaways:

✔️ Critical infrastructure remains highly vulnerable to zero-day exploitation, as demonstrated by the NNSA breach.
✔️ Supply chain attacks continue to evolve, with popular development packages becoming prime targets.
✔️ Multiple vendors are experiencing simultaneous active exploitation of critical vulnerabilities.
✔️ Federal agencies are increasing their warning frequency, indicating heightened threat activity.
✔️ The time between vulnerability disclosure and active exploitation continues to shrink.
✔️ Organizations must implement defense-in-depth strategies that assume breach scenarios.

🔎 Immediate Actions:
✔️ Apply all available security patches for SharePoint, SysAid, Cisco ISE, and CrushFTP.
✔️ Audit NPM dependencies and remove or update compromised 'is' package versions.
✔️ Implement comprehensive monitoring for web shell deployment and lateral movement activities.
✔️ Review and test incident response procedures for supply chain and infrastructure compromises.
✔️ Establish emergency patching procedures for critical vulnerabilities affecting internet-facing systems.
✔️ Conduct security assessments of all third-party software dependencies and vendor relationships.

💡 Stay vigilant out there. The threat actors certainly aren't taking any summer vacation. 💡

J.W.

(P.S. Check out our partners! It goes a long way to support this newsletter!)