Two Microsoft SharePoint flaws urgently added by CISA to Known Exploited Vulnerabilities catalog

CISA has urgently added two Microsoft SharePoint flaws, CVE-2025-49704 and CVE-2025-49706, to its Known Exploited Vulnerabilities catalog after confirming they are being actively exploited.

These vulnerabilities, collectively known as ToolShell, allow spoofing and remote code execution, and federal agencies were ordered to patch them by July 23, 2025. Researchers attributed the exploitation to Chinese state-linked groups Linen Typhoon and Violet Typhoon, who began targeting on-premises SharePoint servers earlier in July. The flaws enable attackers to deploy web shells, steal cryptographic secrets, and bypass protections like AMSI, with renamed malware files used to avoid detection.

CISA is working with federal and SLTT partners to respond to the breaches, which are estimated to have affected over 400 organizations so far.

Four organizations issue joint advisory warning about financially motivated Interlock ransomware

The FBI, CISA, HHS and MS-ISAC have issued a joint advisory warning about Interlock ransomware, a financially motivated threat actor using double extortion tactics and targeting businesses and critical infrastructure across North America and Europe since September 2024.

Interlock actors gain initial access through uncommon methods like drive-by downloads from compromised websites and deceptive social engineering techniques such as “ClickFix,” which tricks users into executing malicious code. Separately, BlackSuit’s infrastructure has been taken down as part of Operation Checkmate. A seizure notice from U.S. Homeland Security appeared on the group’s Tor site, indicating coordination between the U.S. Department of Justice and agencies from nine countries, including the U.K., Ukraine and Latvia, as well as Europol.

BlackSuit, believed to be a rebrand of the Royal and Conti ransomware groups, had claimed 184 victims since emerging in May 2023 and had demanded over $500 million in ransoms. Despite the infrastructure takedown, no arrests have been made, and researchers suggest that BlackSuit members may have reemerged under a new name, Chaos, based on overlapping tactics and tools. The international investigation involved 17 agencies, but official confirmations from the NCA and DoJ are still pending.

Benign-appearing panda images used by new Koske Linux malware to deliver malicious code

A new Linux malware named Koske uses benign-looking panda images to deliver malicious code directly into system memory.

According to researchers, the malware appears to leverage automation or large language models (LLMs) to deploy highly adaptive CPU and GPU cryptominers for 18 different coins. The attack begins by exploiting misconfigured JupyterLab instances, then downloading JPEG images from legitimate hosting sites that double as scripts through the use of polyglot files. These files carry valid JPEG headers, so they render as ordinary images, but have shell scripts and C code appended that execute in memory when the file is fed to a script interpreter. One payload is a memory-compiled rootkit using LD_PRELOAD to hide malware activity, while the other is a stealthy shell script establishing persistence through custom system services.

Researchers also observed Serbian and Slovak language indicators in the scripts and infrastructure, but attribution remains inconclusive. The malware adapts to system resources to optimize mining and automatically switches to backup pools if needed.
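The polyglot trick described in this item works because an image viewer stops reading at the JPEG end-of-image marker while a shell interpreter reads the whole file. The following is an added defender-side example, not code from the researchers or from this page: it walks the JPEG marker segments to find where the image really ends, measures any trailing bytes, and looks in the trailer for script fragments. It assumes the simplest polyglot shape the item describes (a structurally valid JPEG followed by an appended shell script); the sample image bytes are constructed inline.

```python
"""Flag JPEG files that carry a script appended after the image data.

Added example for the Koske item above, not code from the researchers or
the page. It assumes the polyglot shape the item describes: a structurally
valid JPEG followed by an appended shell script. The sample bytes below are
constructed here for the demonstration.
"""
import re

SOI, EOI = 0xD8, 0xD9
# Markers that carry no length field: TEM, SOI, EOI and RST0..RST7.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))

# Trailer fragments that point at an appended script rather than a harmless
# vendor trailer. (name, byte regex)
SCRIPT_HINTS = [
    ("shebang", re.compile(rb"#!\s*/(usr/)?bin/(ba)?sh")),
    ("LD_PRELOAD", re.compile(rb"\bLD_PRELOAD\b")),
    ("downloader", re.compile(rb"\b(curl|wget)\b")),
    ("base64 decode", re.compile(rb"base64\s+(-d|--decode)")),
]


def find_jpeg_end(data: bytes) -> int:
    """Return the offset just past the JPEG EOI marker, or -1 if not a JPEG.

    Walks the marker segments instead of searching for FF D9, so a stray
    FF D9 inside entropy-coded data does not pass as the real end of image.
    """
    n = len(data)
    if n < 4 or data[0] != 0xFF or data[1] != SOI:
        return -1
    pos = 2
    while pos + 1 < n:
        if data[pos] != 0xFF:
            return -1                      # lost sync: not a well-formed JPEG
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 3 >= n:
            return -1
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")  # includes itself
        if seg_len < 2:
            return -1
        pos += 2 + seg_len
        if marker == 0xDA:                 # SOS: skip the entropy-coded data
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break                  # a real marker, not stuffing or RSTn
                pos += 1
    return -1


def inspect_jpeg(data: bytes) -> dict:
    """Report whether data is a JPEG, how many bytes trail EOI, and script hints."""
    end = find_jpeg_end(data)
    if end < 0:
        return {"valid_jpeg": False, "trailer_bytes": 0, "hints": []}
    trailer = data[end:]
    hints = [name for name, rx in SCRIPT_HINTS if rx.search(trailer)]
    return {"valid_jpeg": True, "trailer_bytes": len(trailer), "hints": hints}


def build_clean_jpeg() -> bytes:
    """Constructed minimal JPEG skeleton: SOI, APP0/JFIF, SOS with a stuffed FF 00, EOI.

    Enough for the marker walker to exercise every branch; not a decodable picture.
    """
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\x78"      # entropy data containing a byte-stuffed FF
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


def build_polyglot() -> bytes:
    """Constructed polyglot: the clean JPEG with a short shell script appended."""
    script = b"\n#!/bin/bash\nexport LD_PRELOAD=/tmp/hidden.so\n"
    return build_clean_jpeg() + script


if __name__ == "__main__":
    for label, blob in (("clean", build_clean_jpeg()), ("polyglot", build_polyglot())):
        print(label, inspect_jpeg(blob))
```

A non-empty trailer on its own is only a triage signal: some cameras and editors legitimately write metadata after EOI, which is why the script hints are reported separately. The hint list covers the shell-script payload this item describes; an appended C source payload would need its own patterns.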

Turkish defense firms targeted through Patchwork spear-phishing campaign

The Patchwork threat actor, suspected to be of Indian origin, has launched a spear-phishing campaign targeting Turkish defense firms using malicious LNK files disguised as invitations to a UAV-focused conference.

According to the researchers, these attacks coincide with growing defense cooperation between Türkiye and Pakistan amid heightened India-Pakistan tensions, suggesting geopolitical motives. The LNK files initiate a five-stage infection chain, starting with PowerShell commands that retrieve payloads from a domain hosting a decoy PDF document. While the user views the fake conference invitation, the malware silently executes in the background, ultimately launching a malicious DLL via scheduled tasks. This leads to shellcode execution that performs host reconnaissance, including screenshot capture and data exfiltration.

Patchwork, also known by several aliases including Dropping Elephant and APT-C-09, has a long history of cyber espionage across South Asia and has recently expanded its targeting. Researchers noted the group's shift from x64 DLLs to x86 PE executables and more sophisticated C2 protocols.
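The first stage of the chain above is a shortcut file whose embedded arguments launch PowerShell. The following is an added triage example, not code from the researchers or from this page: it checks the Shell Link header signature, pulls printable ASCII and UTF-16LE strings (the encoding LNK string fields use) out of the file, and matches them against defender-side indicator patterns such as a hidden window or a download cradle. It does not parse the full Shell Link structure, and the sample shortcut bytes, target path and arguments are constructed inline as an assumption of what such a lure would store.

```python
"""Triage a Windows shortcut (.lnk) for embedded PowerShell launch indicators.

Added example for the Patchwork item above, not code from the researchers or
the page. It checks the LNK header signature, extracts ASCII and UTF-16LE
strings, and matches them against indicator patterns. The sample shortcut
bytes are constructed here; they are not from any real lure.
"""
import re

# Shell Link header: HeaderSize 0x4C followed by the Shell Link CLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_HEADER = (0x4C).to_bytes(4, "little") + bytes.fromhex("0114020000000000c000000000000046")

# (name, regex over the extracted strings); chosen for triage, not for proof.
INDICATORS = [
    ("powershell", re.compile(r"powershell(\.exe)?", re.I)),
    ("hidden window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("download cradle", re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|Net\.WebClient", re.I)),
    ("encoded command", re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("scheduled task", re.compile(r"schtasks|Register-ScheduledTask", re.I)),
]

ASCII_RX = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RX = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_strings(data: bytes) -> list:
    """Printable ASCII and UTF-16LE runs of six or more characters."""
    out = [m.group().decode("ascii") for m in ASCII_RX.finditer(data)]
    out += [m.group().decode("utf-16-le") for m in UTF16_RX.finditer(data)]
    return out


def triage_lnk(data: bytes) -> dict:
    """Return the header check, matched indicator names and the extracted strings."""
    strings = extract_strings(data)
    joined = "\n".join(strings)
    return {
        "is_lnk": data.startswith(LNK_HEADER),
        "indicators": [name for name, rx in INDICATORS if rx.search(joined)],
        "strings": strings,
    }


def build_sample_lnk(target: str, arguments: str) -> bytes:
    """Constructed stand-in for a shortcut: real header, padding, then the
    UTF-16LE target path and arguments as a LNK with IsUnicode set stores them."""
    body = b"\x00" * 56
    body += target.encode("utf-16-le") + b"\x00\x00"
    body += arguments.encode("utf-16-le") + b"\x00\x00"
    return LNK_HEADER + body


# Constructed samples (hypothetical paths; example.invalid is a reserved domain).
POWERSHELL_TARGET = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SUSPICIOUS_ARGS = "-WindowStyle Hidden -Command Invoke-WebRequest http://example.invalid/invite.pdf"
BENIGN_TARGET = r"C:\Users\Public\Documents\invite.pdf"


if __name__ == "__main__":
    for label, blob in (
        ("lure", build_sample_lnk(POWERSHELL_TARGET, SUSPICIOUS_ARGS)),
        ("benign", build_sample_lnk(BENIGN_TARGET, "")),
    ):
        result = triage_lnk(blob)
        print(label, result["is_lnk"], result["indicators"])
```

A shortcut that merely launches PowerShell will trip the first indicator alone; the combination with a hidden window and a download cradle is what separates the lure from an administrator's script shortcut, so the indicator names are returned as a list rather than a single verdict.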

$140 million stolen from Brazilian banks through insider who sold attackers access credentials

Attackers stole nearly $140 million from six Brazilian banks by bribing João Nazareno Roque, an IT employee at C&M, a company that connects financial institutions to Brazil’s Central Bank.

Roque allegedly sold his access credentials to the attackers for around $920 and received an additional $1,850 for executing specific commands within the company’s systems, guided by the attackers via the Notion platform. The cybercriminals used these credentials to carry out massive fake PIX transactions, which did not affect individual clients but caused significant financial damage to institutions contracting with C&M — one of which alone lost $100 million. Roque attempted to cover his tracks by frequently changing mobile phones but was arrested in São Paulo. The attackers reportedly approached him outside a bar, showing they had carefully researched and identified a vulnerable insider.

This mirrors tactics used in other recent cyberattacks, including one against Coinbase involving bribed support agents. Investigators believe up to $40 million of the stolen funds have already been converted to cryptocurrency through exchanges and OTC markets. C&M stated the breach was due to social engineering, not a system flaw, and credited its internal security tools with helping identify the breach and support police investigations.