Transcript
Steve Prentice (0:00)

From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Monday, July 21, 2025. I'm Steve Prentice.

Hewlett Packard warns of hard-coded passwords in Aruba access points. This warning refers to hard-coded credentials in Aruba Instant On access points, which are compact, plug-and-play Wi-Fi devices designed primarily for small to medium-sized businesses, offering enterprise-grade features with cloud and mobile app management. The existence of hard-coded access points means that attackers can bypass normal device authentication and access the web interface. This issue has a CVE number as well as a critical CVSS score of 9.8.

SharePoint zero-day exploited via remote code execution, no patch available. This critical zero-day vulnerability, which also has a CVE number, has been actively exploited since at least July 18. At least 85 servers have already been compromised worldwide. In May, researchers from Viettel Cybersecurity (that is, V-I-E-T-T-E-L) demonstrated this vulnerability at Pwn2Own Berlin, in which two other Microsoft SharePoint flaws were chained in a ToolShell attack to achieve remote code execution. Microsoft did patch the ToolShell flaws as part of the July Patch Tuesday. However, they say this new variant is being actively exploited in the wild. The company adds that the flaw does not impact Microsoft 365 and that they are working on a security update which will be released as soon as possible.

EncryptHub uses fake AI platforms to target Web3 developers. EncryptHub, also known as LARVA-208, is targeting Web3 developers in a new campaign using information stealer malware, according to Swiss firm Prodaft. The group lures victims through fake AI platforms like Norlax AI, posing as job recruiters or even portfolio reviewers. While previously known for ransomware, EncryptHub now focuses on harvesting data from crypto wallets and development environments. Freelance developers working in decentralized ecosystems are particularly vulnerable due to limited security controls. The attackers spread malicious meeting links via platforms like X, Telegram and job boards like Remote3, disguising them as legitimate interview invitations.

Russian vodka producer suffers ransomware attack. The NovaBev Group, which is the Russian producer and distributor of the Beluga and Belenkaya vodka brands, has announced what it calls technical issues involving an unnamed organization that happens to be demanding a ransom. The company has closed more than 2,000 of its liquor stores across Russia as it deals with this issue, one that experts calculate is costing it up to the equivalent of $3.8 million a day. Its website and mobile app are also down. No ransomware group has yet claimed responsibility for this attack.

Huge thanks to our sponsor, Nudge Security. What do identity risks, data security risks and third-party risks have in common? They are all made dramatically worse by SaaS sprawl. Nudge Security helps you mitigate these risks by discovering every SaaS account ever created by anyone in your organization within minutes of starting a free trial. But discovery is just the first step. With Nudge, you can automate ongoing governance tasks like security posture checks, enforcing MFA, revoking risky app-to-app access, and more. Visit nudgesecurity.com headlines to start a free trial. That is the two words, nudge security, together: nudgesecurity.com headlines.

CISA adds Fortinet FortiWeb flaw to Known Exploited Vulnerabilities catalog. This flaw is an SQL injection vulnerability with a CVSS score of 9.6 which allows unauthenticated attackers to execute unauthorized SQL commands via crafted HTTP or HTTPS requests. The exploitation began on July 11, the same day a proof of concept was released, resulting in dozens of compromised systems. Organizations using the affected FortiWeb versions are of course urged to update immediately.

Japanese police release decryptor for Phobos ransomware following arrests. Following up on a story we covered last February, Japan's National Police Agency has now released a free decryption tool and a guide published in English for organizations impacted by attacks from the Phobos and 8Base groups, which collected more than $16 million from about 1,000 victims worldwide dating back to 2019. The decryption tool was shared by the European Cybercrime Centre and the FBI, who pointed out that it was the FBI Baltimore office that led an investigation that brought charges against Phobos affiliates earlier this year.

UK government warns of malware attributed to Russian actors. This warning focuses on Russian group APT28, also known as Fancy Bear and Forest Blizzard, and it has been deploying "previously unknown malware to harvest Microsoft email credentials and steal access to compromised accounts," end quote. This malware has been nicknamed Authentic Antics by the UK government, which refers to the malware that targets the Windows operating system and which runs within Microsoft Outlook, prompting users to enter their credentials. The malware then steals the credential data along with OAuth authentication tokens, hence the nickname, which allow access to Microsoft services including Exchange Online, SharePoint and OneDrive. The malware also sends the exfiltrated data to an actor-controlled email address without the email showing in the Sent folder.

Virginia radiology practice suffers a cyberattack. Radiology Associates of Richmond, Virginia has been in practice for more than a century. Having opened its doors in 1905, it provides imaging services to several hospitals and outpatient facilities in the Richmond area, and it is now dealing with an infiltration that occurred between April 2nd and 6th of 2024 and was confirmed a year later on May 2nd of this year. The personal and health information of over 1.4 million individuals has been affected, but no known ransomware group has claimed responsibility for this attack.

Remember to join us this week for Super Cyber Friday at 1pm Eastern, 10am Pacific, where we will be digging into the problem of the cybersecurity poverty line. How do you define it, how do you start identifying when you are below it, and what can you do to improve things? Make sure you head on over to the events page at cisoseries.com to register to join us. And also, if you find yourself in Toronto this upcoming Friday, please be sure to join David Spark and myself and a whole bunch of great CISOs and fans of the show for coffee at the Brick Street Bakery in the beautiful and historic Distillery District of downtown Toronto. Again, you can register for this event by going to the events page at cisoseries.com. I'm Steve Prentice reporting for the CISO Series. Cybersecurity Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
