CyberSecurity news

FlagThis - #microsoft

@office365itpros.com //
Microsoft is bolstering its security posture through advancements in artificial intelligence and cloud services. The company has released a new e-book that advocates for the development of AI-powered Security Operations Centers (SOCs), aiming to unify security operations and provide a more robust defense against contemporary cyber threats. This initiative underscores Microsoft's commitment to leveraging cutting-edge technology to tackle the evolving landscape of cybersecurity challenges.

In addition to its focus on security operations, Microsoft is enhancing its Copilot AI assistant. Users will now benefit from audio overviews generated from Word and PDF files, as well as Teams meeting recordings stored within OneDrive for Business. This feature utilizes the Azure Audio Stack to create audio streams that can be saved as MP3 files, offering a new way to consume and interact with digital content. Furthermore, Microsoft has launched workload orchestration in Azure Arc, designed to simplify the deployment and management of Kubernetes-based applications across distributed edge environments, ensuring consistent management in diverse locations such as factories and retail stores.

These developments highlight Microsoft's strategic direction towards integrating AI and cloud capabilities to improve both security and user productivity. The emphasis on unified SOCs and enhanced AI features in Copilot demonstrates a clear effort to provide more intelligent and streamlined solutions for businesses navigating the complexities of the modern digital world. The introduction of workload orchestration in Azure Arc further extends these benefits to edge computing scenarios, facilitating more efficient application management in a wider range of environments.

Recommended read:
References :
  • Tony Redmond: Copilot Audio Overviews for OneDrive Documents Microsoft 365 Copilot users can generate audio overviews from Word and PDF files and Teams meeting recordings stored in OneDrive for Business. Copilot creates a transcript from the file and uses the Azure Audio Stack to generate an audio stream (that can be saved to an MP3 file). Sounds good, and the feature works well. At least, until it meets the DLP policy for Microsoft 365 Copilot.
  • Talkback Resources: Learn how to build an AI-powered, unified SOC in new Microsoft e-book

@cyberscoop.com //
Microsoft has issued its July 2025 Patch Tuesday updates, a crucial monthly release that addresses a significant number of vulnerabilities across its product lines. This release tackles a total of 130 CVEs, with 10 of them classified as critical. Notably, while no vulnerabilities were reported as actively exploited in the wild at the time of the release, one flaw in Microsoft SQL Server (CVE-2025-49719) has been publicly disclosed. This information disclosure vulnerability, rated as important with a CVSS score of 7.5, means that technical details are available, potentially increasing the risk of future exploitation. Organizations should prioritize patching this vulnerability, particularly as it affects SQL Server versions 2016 through 2022 and does not require authentication to exploit, potentially exposing sensitive data like credentials.

Among the critical vulnerabilities addressed, a particularly concerning one is a remote code execution (RCE) flaw in Windows SPNEGO Extended Negotiation (NEGOEX), designated CVE-2025-47981. This vulnerability carries a high CVSS score of 9.8 and is described as a heap-based buffer overflow, allowing an unauthenticated attacker to execute code remotely on a target system with low attack complexity and no user interaction. The nature of this flaw makes it a prime target for attackers seeking initial access or lateral movement within networks. Microsoft has also highlighted critical RCE vulnerabilities in Microsoft Office, with several rated as "more likely" to be exploited, including some that can be triggered via the preview pane without requiring a user to open a document, posing a significant risk to users' security.

The July Patch Tuesday also includes fixes for vulnerabilities in Microsoft SharePoint, with an RCE flaw that requires authenticated access but could allow an attacker to execute code on the server. Additionally, vulnerabilities impacting Windows Hyper-V and other system components have been addressed. With a total of 130 CVEs patched, including numerous critical flaws, it is imperative for all organizations to review and apply these updates promptly to protect their systems and data from potential exploitation. The proactive patching of these vulnerabilities is essential for maintaining a strong security posture against the ever-evolving threat landscape.

Recommended read:
References :
  • Tenable Blog: Microsoft’s July 2025 Patch Tuesday Addresses 128 CVEs (CVE-2025-49719)
  • Cisco Talos Blog: Microsoft Patch Tuesday for July 2025 — Snort rules and prominent vulnerabilities
  • isc.sans.edu: Microsoft Patch Tuesday, July 2025, (Tue, Jul 8th)
  • cyberscoop.com: Microsoft Patch Tuesday addresses 130 vulnerabilities, none actively exploited
  • krebsonsecurity.com: Microsoft Patch Tuesday, July 2025 Edition
  • thecyberexpress.com: Microsoft Patch Tuesday July 2025: 130 Vulnerabilities Fixed, 17 High-Risk
  • blog.talosintelligence.com: Microsoft Patch Tuesday for July 2025 — Snort rules and prominent vulnerabilities
  • Arctic Wolf: Reports on Microsoft's July 2025 security update addressing 130 vulnerabilities.
  • The Register - Security: Microsoft enjoys first Patch Tuesday of 2025 with no active exploits
  • Action1: Patch Tuesday July 2025
  • securityaffairs.com: Microsoft Patch Tuesday security updates for July 2025 fixed a zero-day
  • The Hacker News: Microsoft Patches 130 Vulnerabilities, Including Critical Flaws in SPNEGO and SQL Server
  • arcticwolf.com: Microsoft Patch Tuesday: July 2025
  • Arctic Wolf: Microsoft's July 2025 security update, addressing 130 newly disclosed vulnerabilities.
  • arcticwolf.com: Microsoft Patch Tuesday: July 2025
  • Sophos News: July Patch Tuesday offers 127 fixes
  • SOC Prime Blog: CVE-2025-47981: Critical Heap-Based Buffer Overflow Vulnerability in Windows SPNEGO Extended Negotiation Leads to RCE
  • socprime.com: CVE-2025-47981: Critical Heap-Based Buffer Overflow Vulnerability in Windows SPNEGO Extended Negotiation Leads to RCE
  • Threats | CyberScoop: Microsoft Patch Tuesday addresses 130 vulnerabilities, none actively exploited

@cyberpress.org //
Iranian advanced persistent threat (APT) groups have significantly escalated their cyberattacks against critical U.S. infrastructure, with a notable 133% surge in activity observed during May and June 2025. The transportation and manufacturing sectors have been identified as the primary targets of these intensified operations. This trend aligns with ongoing geopolitical tensions, as well as recent warnings issued by U.S. authorities like CISA and the Department of Homeland Security, which highlighted U.S. entities as prime targets for Iranian cyber actors.

Nozomi Networks Labs reported a total of 28 distinct cyber incidents linked to Iranian APTs during May and June, a substantial increase from the 12 incidents recorded in the preceding two months. Among the most active groups identified are MuddyWater, which targeted at least five U.S. companies primarily in the transportation and manufacturing sectors, and APT33, responsible for attacks on at least three U.S. entities. Other groups such as OilRig, CyberAv3ngers, Fox Kitten, and Homeland Justice were also observed conducting attacks against U.S. companies in these critical industries.

The resurfacing of the Iranian-backed Pay2Key ransomware, now operating as Pay2Key.I2P, further highlights the evolving threat landscape. This ransomware-as-a-service operation, linked to the Fox Kitten APT group, is reportedly offering an 80% profit share to affiliates targeting Iran's adversaries, including the U.S. and Israel. This financially motivated scheme has also demonstrated an ideological commitment, with claims of over 51 successful ransom payouts, netting substantial profits. The use of the Invisible Internet Project (I2P) for its infrastructure represents a notable shift in RaaS operations, potentially enhancing its evasiveness.

Recommended read:
References :
  • securityaffairs.com: Iranian group Pay2Key.I2P ramps Up ransomware attacks against Israel and US with incentives for affiliates
  • www.morphisec.com: Reporting on Iranian CyberWarfare
  • newsinterpretation.com: Iranian ransomware gang Pay2Key/I2P returns, offers huge rewards for attacks on U.S. and Israel.
  • Matthew Rosenquist: Iran sponsored Pay2Key Ransomware-as-a-Service (RaaS)
  • securityonline.info: Iranian Ransomware “Pay2Key.I2P†Resurfaces on I2P Network, Offering 80% Profit for Targeting Western Enemies
  • The Hacker News: Iranian-Backed Pay2Key Ransomware Resurfaces with 80% Profit Share for Cybercriminals
  • Industrial Cyber: Nozomi finds 133% surge in Iranian cyberattacks targeting US, as transportation and manufacturing most affected
  • cyberpress.org: CyberPress: Iranian APTs Launch Active Cyberattacks on Transportation and Manufacturing Industries
  • industrialcyber.co: Industrial Cyber: Nozomi finds 133% surge in Iranian cyberattacks targeting US, as transportation and manufacturing most affected
  • gbhackers.com: gbhackers: Iranian APT Hackers Targeting Transportation and Manufacturing Sectors in Active Attacks

Aman Mishra@gbhackers.com //
Hackers have successfully compromised the popular WordPress plugin Gravity Forms, embedding malicious code into versions downloaded directly from the official gravityforms.com website. This sophisticated supply chain attack targets a significant portion of WordPress websites relying on Gravity Forms for form creation and data collection. The attackers are reportedly exploiting a vulnerability within the plugin, specifically targeting the gf_api_token parameter. This allows them to inject malicious PHP code into core plugin files, such as gravityforms/common.php and includes/settings/class-settings.php, creating backdoors that can lead to remote code execution and unauthorized access.

The malicious campaign was first detected when security researchers observed suspicious HTTP POST requests to a newly registered domain, gravityapi.org, which served as a command-and-control server. The injected malware is capable of exfiltrating sensitive WordPress site data, including URLs, plugin lists, user counts, and environment details, transmitting this information to the attacker-controlled domain. Upon receiving a response, the malware can deploy further payloads, such as writing a backdoored PHP file to the server that masquerades as legitimate content management tools. This backdoor enables attackers to execute arbitrary code, create new administrator accounts, upload files, and manipulate site content with devastating effects.

In response to the discovered vulnerability, Gravity Forms has swiftly released version 2.9.13 of the plugin, which is confirmed to be free of the backdoor. Additionally, the registrar Namecheap has suspended the malicious gravityapi.org domain to disrupt ongoing exploitation efforts. Website administrators are strongly advised to update their Gravity Forms plugin to the latest version immediately to mitigate the risk of compromise. Monitoring network traffic for suspicious activity, particularly POST requests to the identified malicious domain, is also a crucial step in preventing unauthorized access and code execution on affected WordPress sites.

Recommended read:
References :
  • cyberpress.org: WordPress GravityForms Plugin Targeted in Malicious Code Injection Attack
  • Ian Campbell: Just a heads-up on this supply chain attack on the Gravity Forms wordpress plugin, one IOC is POST requests to gravityapi[.]org - a 3 day old domain. That domain shares an IP with gravityapi[.]io. cc
  • Talkback Resources: WordPress Gravity Forms developer hacked to push backdoored plugins
  • gbhackers.com: Hackers Compromise WordPress GravityForms Plugin with Malicious Code Injection
  • Cyber Security News: WordPress GravityForms Plugin Targeted in Malicious Code Injection Attack
  • securityonline.info: WordPress Supply Chain Attack: Gravity Forms Plugin Backdoored Through Official Downloads
  • gbhackers.com: Hackers have targeted the popular WordPress plugin Gravity Forms, injecting malicious code into versions downloaded from the official gravityforms.com domain.