
Cybersecurity Weekly News for July 20 to July 27, 2025
ToolShell Zero Day Under Heavy Attack (SharePoint)
Microsoft and Check Point Research confirmed active exploitation of the "ToolShell" vulnerabilities (CVE-2025-53770 and CVE-2025-53771) against on-premises SharePoint Server environments. The attacks began on July 7, targeting U.S. federal agencies, universities, energy companies, and an Asian telecoms operator. Patches were issued for SharePoint Server 2019 and Subscription Edition, but SharePoint Enterprise Server 2016 remained unpatched at the time of writing. In response, organizations have been urged to roll the MachineKey, enable AMSI, remove public exposure, and quarantine infected hosts. Future Impact: a worldwide campaign that has compromised tens of thousands of on-prem servers highlights the need for disciplined patch management and rapid detection.
Source: (Windows Central).
Chinese State Cyberattack of U.S. Nuclear Agency
Microsoft said Chinese-affiliated threat actors (Linen Typhoon, Violet Typhoon, and Storm-2603) exploited a zero-day SharePoint vulnerability to breach the U.S. National Nuclear Security Administration (NNSA) and approximately 400 other government agencies overseas. The attackers obtained authentication keys and could impersonate services; no data theft has been reported. In response, incident analysis continues and forensic containment is underway. Future Impact: espionage-driven incidents like this highlight the importance of zero-day resilience and supply-chain vigilance for essential infrastructure.
Source: (New York Post).
UK Moves to Ban Ransom Payments by Government Bodies
The UK government announced legislation banning public-sector bodies such as the NHS, schools, and councils from paying ransomware attackers; private companies must notify the authorities before paying. The move aims to break the ransomware business model by removing its economic incentive. In reaction, government IT agencies are re-evaluating their procedures, and corporate enterprises are drawing up decision templates for ransomware contingencies. Future Implication: a policy shift toward reducing the number of ransomware attacks and normalizing refusal to pay.
Source: (The Guardian).
Europol Arrests Notorious XSS Forum Admin
Europol, working with French and Ukrainian authorities, arrested the suspected administrator of the Russian-speaking cybercrime marketplace XSS in Kyiv. Dismantling this decade-old forum could cripple the credential-leak services that are regularly used in attacks on SMBs. SMBs can respond by shoring up credential hygiene and monitoring for leaked credentials with dark-web watchdog tools. Future Impact: police disruption of illegal markets may reduce phishing and account-takeover threats, but broader attribution issues remain.
Source: (boltwork.ai)
SMB Risk Environment & Trends
SMBs continue to realign their security posture. In mid-2025, 57% list cybersecurity as their top business priority and 83% report that AI/GenAI threats are increasing their exposure, yet only 51% have formal policies in place. Nearly half are willing to switch MSP providers over unsatisfactory defence performance. The implication is that budget increases are needed, but they must be accompanied by strategic planning and AI-aware policy alignment.
Source: (ConnectWise)
Critical SMB Vulnerabilities: CVE-2025-33073
A privilege-escalation bug in the Windows SMB client (CVE-2025-33073), known as the "Reflective Kerberos Relay Attack", allows authenticated users to elevate their privileges to SYSTEM when SMB signing is not enabled. Microsoft fixed it on June 10, but unpatched systems remain at risk. To counter it, IT personnel must enable SMB signing, disable SMBv1, and apply the latest Windows updates. Future Impact: legacy SMB misconfigurations leave networks highly susceptible to lateral movement.
Source: (Windows Forum)
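The three hardening steps above (enable SMB signing, disable SMBv1, keep Windows patched) as an elevated-PowerShell audit script with an optional -Remediate switch. This is an added example, not code from the original post; it assumes the built-in SmbShare and DISM modules shipped with Windows 8.1/Server 2012 R2 and later, and the remediation branch only runs when the switch is given.

```powershell
# Added example (not from the original post): audit, and with -Remediate enforce,
# the SMB hardening steps named above. Run in an elevated PowerShell session.
# Assumes the built-in SmbShare and DISM modules are present.
param([switch]$Remediate)

function Get-SmbHardeningState {
    $srv  = Get-SmbServerConfiguration
    $cli  = Get-SmbClientConfiguration
    $smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $last = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        ServerSigningRequired = $srv.RequireSecuritySignature
        ClientSigningRequired = $cli.RequireSecuritySignature
        SMB1ServerEnabled     = $srv.EnableSMB1Protocol
        SMB1FeatureState      = if ($smb1) { $smb1.State } else { 'Unknown' }
        LastUpdateInstalled   = if ($last) { $last.InstalledOn } else { $null }
    }
}

$state = Get-SmbHardeningState
$state | Format-List

# Collect gaps: the relay described above relies on sessions that are not signed.
$findings = @()
if (-not $state.ServerSigningRequired) { $findings += 'SMB server does not require signing' }
if (-not $state.ClientSigningRequired) { $findings += 'SMB client does not require signing' }
if ($state.SMB1ServerEnabled -or $state.SMB1FeatureState -eq 'Enabled') { $findings += 'SMBv1 is still enabled' }

if ($findings.Count -eq 0) { Write-Host 'No SMB hardening gaps found.'; return }
$findings | ForEach-Object { Write-Warning $_ }

if ($Remediate) {
    # Require signing on both the server and client side of this host.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
    # Turn SMBv1 off at the protocol level and remove the optional feature.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Host 'Remediation applied; reboot to finish removing SMBv1, then install current Windows updates.'
}
```

Requiring signing can break older clients and devices that cannot sign, so run the audit across the estate first and check LastUpdateInstalled against the June 10 fix before relying on the remediation alone.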
| Incident | Date | Scope | SMB Impact |
|---|---|---|---|
| ToolShell SharePoint breach | July 18-21 | U.S. & global entities | On-prem servers used by SMBs at risk |
| Chinese SharePoint cyberespionage | Started July 7 | ~400 agencies globally | SMB supply-chain and partner risk |
| XSS Forum admin arrest | July 22 | Global forum network | Potential disruption in credential-leak markets |
| SMB protocol privilege escalation | June 10 patch | Enterprise/SMB | Most SMBs must patch and harden SMB setups |
Conclusion & Recommendations
The events of the week illustrate how sophisticated threat actors and systemic weaknesses weigh disproportionately on SMBs. Zero-day attacks, especially via SharePoint and SMB, pose critical nationwide threats. Regulatory changes such as the UK ransom ban signal rising public-sector expectations. Underground forum takedowns, while only indirectly beneficial, show how tightly SMBs are bound into cybercrime markets. For SMBs, the emphasis should be on patch hygiene, credential integrity, MSP reliability, and AI-related threat readiness.
By Cyber Padlocking.