In today’s cybersecurity news…
Hewlett Packard warns of hardcoded passwords in Aruba access points
This warning refers to hardcoded credentials in Aruba Instant On Access Points, which are “compact, plug-and-play Wi-Fi devices, designed primarily for small to medium-sized businesses, offering enterprise-grade features (guest networks, traffic segmentation) with cloud/mobile app management.” The existence of hardcoded access points means that attackers can bypass normal device authentication and access the web interface. This issue has a CVE number (CVE-2025-37103) as well as a “critical” CVSS score of 9.8.
SharePoint zero-day exploited via RCE, no patch available
This critical zero-day vulnerability, which also has a CVE number (CVE-2025-53770), has been actively exploited since at least July 18th. At least 85 servers have already been compromised worldwide, In May, researchers from Viettel Cyber Security researchers demonstrated this vulnerability at Pwn2Own Berlin in which two other Microsoft SharePoint flaws were chained in a ToolShell attack to achieve remote code execution. Microsoft did patch the ToolShell flaws as part of the July Patch Tuesday, however they say this new variant is being actively exploited in the wild. The company adds the flaw does not impact Microsoft 365. They also say they are working on a security update, which will be released as soon as possible.
EncryptHub uses fake AI platforms to target Web3 developers
The threat actor EncryptHub (aka LARVA-208 or Water Gamayun) is targeting Web3 developers in a new campaign using information stealer malware. According to Swiss firm PRODAFT, the group lures victims through fake AI platforms like “Norlax AI,” posing as job recruiters or portfolio reviewers. While previously known for ransomware, EncryptHub now focuses on harvesting data from crypto wallets and development environments. Freelance developers working in decentralized ecosystems are particularly vulnerable due to limited security controls. The attackers spread malicious meeting links via platforms like X, Telegram, and job boards such as Remote3, disguising them as legitimate interview invitations.
Russian vodka producer suffers ransomware attack
The Russian producer and distributor of the Beluga and Belenkaya vodka brands, the Novabev Group, has announced what it calls “technical issues,” involving an unnamed organization that happens to be demanding a ransom. It has closed more than 2,000 of its liquor stores across Russia as it deals with this issue, one that experts calculate is costing it up to the equivalent of $3.8 million per day. Its website and mobile app are also down. No ransomware group has yet claimed responsibility for this attack.
Huge thanks to our sponsor, Nudge Security
CISA adds Fortinet FortiWeb flaw to Known Exploited Vulnerabilities catalog
This flaw is an SQL injection vulnerability with a CVSS score of 9.6, which allows unauthenticated attackers to execute unauthorized SQL commands via crafted HTTP/HTTPS requests. Exploitation began on July 11, the same day a proof-of-concept was released, resulting in dozens of compromised systems. Fortinet has issued patches. The vulnerability was disclosed by Kentaro Kawane of GMO Cybersecurity. Organizations using affected FortiWeb versions are urged to update immediately. (CVE-2025-25257)
Japanese police release decryptor for Phobos ransomware following arrests
Following up on a story we covered last February, Japan’s National Police Agency has now released a free decryption tool and a guide published in English “for organizations impacted by attacks from the Phobos and 8Base groups, which collected more than $16 million from about 1,000 victims worldwide dating back to 2019.” The decryption tool was “shared by the European Cybercrime Centre and the FBI,” who pointed out that it was the FBI Baltimore office that led an investigation that brought charges against Phobos affiliates earlier this year.
UK Government warns of OAuth malware attributed to Russian actors
The UK government has issued a warning that Russian group APT28, also known as Fancy Bear and Forest Blizzard, “has been deploying previously unknown malware to harvest Microsoft email credentials and steal access to compromised accounts.” This malware, nicknamed Authentic Antics by the UK government refers to malware that targets the Windows operating system and which runs within Microsoft Outlook, prompting users to enter their credentials, which then steals the credential data, along with OAuth authentication tokens, which allow access to Microsoft services, including Exchange Online, SharePoint, and OneDrive. The malware also sends the exfiltrated data to an actor-controlled email address without the email showing in the “sent” folder.
Virginia radiology practice suffers cyberattack
Radiology Associates of Richmond has been in practice for more than a century, having opened its doors in 1905. It provides imaging services, to several hospitals and outpatient facilities in the Richmond area. It is now dealing with an infiltration that occurred between April 2 and 6, 2024, and confirmed a year later on May 2 of this year. The personal and health information of over 1.4 million individuals has been affected. No known ransomware group has claimed responsibility for the attack.
