Cyber Threat Intelligence Report | 7/28/2025 | PacketWatch

This week, we briefed our clients on new TTPs from the Interlock ransomware gang and how to protect your organization from the SharePoint vulnerabilities.

 KEY TAKEAWAYS 

• CISA and FBI published joint advisory on Interlock ransomware TTPs. Learn how to protect your organization.

• Microsoft SharePoint 0-days actively exploited by multiple China-based threat actors. Patch and protect now!

• Critical and high severity vulnerabilities in VMware, Cisco, SonicWall, Sophos, and CrushFTP, plus updates to CISA KEV, patch now! 

New Interlock Ransomware TTPs

 On July 22, the FBI and CISA published a joint #StopRansomware advisory detailing new tactics, techniques, and procedures for the Interlock ransomware gang. Interlock is a relatively new double-extortion ransomware group, whose ransomware was first observed in the wild in September 2024. Unlike many ransomware gangs that target specific industry verticals, Interlock targets their victims based on opportunity. This initial access has recently been achieved via ClickFix and FileFix social engineering attacks.

Initial Access and Persistence

Interlock achieves initial access via drive-by compromise. Unsuspecting users will visit a compromised website and be presented with a ClickFix or FakeCAPTCHA prompt. These attacks trick the user into running malicious PowerShell commands on their system, which downloads malicious files allowing the threat actor to gain a foothold in the victim's environment. Interlock has also previously been observed disguising payloads as fake Google Chrome or Microsoft Edge browser updates. These malicious executables function as a remote access trojan (RAT). These files run PowerShell that adds a file into the Windows Startup folder, ensuring the RAT is executed each time the victim logs in.

Reconnaissance

Interlock heavily leverages Powershell for early recon. Per the advisory, common commands used are WindowsIdentity.GetCurrent(), systeminfo, tasklist/svc, Get-Service, Get-PSDrive, and arp -a. 

Command and Control

Interlock uses a variety of commercial and custom tools for command and control (C2). They have been observed using common C2 tooling such as Cobalt Strike and SystemBC. However, in recent attacks, they have used custom malware identified as Interlock RAT and NodeSnake RAT.

Lateral Movement

In order to obtain credentials to elevate privileges for lateral movement, Interlock uses a variety of infostealers and keyloggers. In some instances, they use a custom credential stealer 'cht.exe' and keylogger 'klg.dll'. In more recent intrusions, they have been observed using more common infostealers such as Lumma Stealer and Berserk Stealer. Once additional credentials have been obtained, Interlock uses remote desktop protocol (RDP) to move between systems. They have also been observed using AnyDesk to enable remote connectivity, as well as PuTTY for additional lateral movement. 

Data Exfiltration

One of the more notable techniques used by Interlock is using 'AzCopy' to exfiltrate data to Azure storage blobs. They have also been observed using WinSCP to exfiltrate data. 

How to Protect Your Organization

• User Awareness Training - Interlock specializes in attacking the human in order to gain initial access. These methods are only successful if they can trick the user into executing malicious commands. End users should be educated on modern social engineering threats such as ClickFix so they can avoid them and report malicious sites to their security team.
• Require and implement multifactor authentication (MFA) across all accounts where possible.
• Keep all operating systems, software, and firmware up to date - patch, patch, and patch!
• Ensure up to date EDR tools are deployed across all endpoints and all servers where possible.
• Implement a network monitoring tool such as PacketWatch to detect potential lateral movement and data exfiltration.
• Baseline and document known administrative tools (such as AnyDesk or WinSCP). This is a crucial step in detecting anomalous tool usage and activity on the network. 
• Maintain offline backups of data, and ensure those backups are encrypted and immutable.
• For a full listing of mitigation strategies, please review the joint advisory here.

Resources:

• https://www.cisa.gov/sites/default/files/2025-07/aa25-203a-stopransomware-interlock-072225.pdf
• https://www.bleepingcomputer.com/news/security/cisa-and-fbi-warn-of-escalating-interlock-ransomware-attacks/
  
• https://www.bleepingcomputer.com/news/security/interlock-ransomware-adopts-filefix-method-to-deliver-malware/

Microsoft SharePoint 0-Days

As part of the July Patch Tuesday, Microsoft released patches for 2 vulnerabilities in SharePoint known as "ToolShell": CVE-2025-49704 (a remote code execution vulnerability), and CVE-2025-49706 (a "spoofing" vulnerability). Threat actors can chain these vulnerabilities together to compromise on-premise SharePoint servers. Eleven days later, Microsoft disclosed they had observed active exploitation of these vulnerabilities. Further investigation revealed this exploitation was actually a bypass of the fixed vulnerabilities, and designated new CVEs for each of them, CVE-2025-53770 and CVE-2025-53771. Microsoft has attributed this exploitation to two Chinese nation-state threat actors specializing in espionage, Linen Typhoon and Violet Typhoon, as well as a third China-based threat actor Storm-2603 who has been observed deploying Warlock ransomware.

Per the Microsoft Customer Guidance, these vulnerabilities only affect on-premises SharePoint servers only. SharePoint Online in Microsoft 365 is not affected. 

How to Protect Your Organization

There are several steps administrators must take into order to ensure these vulnerabilities have been fully mitigated:

• Apply the latest security updates from Microsoft. Links to these updates can be found here.
• Ensure the Antimalware Scan Interface (AMSI) is turned on and properly configured. Per Microsoft's documentation, if HTTP Request Body scanning is enabled in "Full Mode", this will stop unauthenticated attackers from exploiting this vulnerability.
• Deploy an EDR solution to the SharePoint server to detect and prevent post-exploit activity.
• Rotate the SharePoint Server ASP.NET machine keys. This is a critical step that should be followed after applying the security updates. Detailed steps can be found here.
• Administrators should also consider limiting access to the SharePoint server, either through firewall ACLs or by VPN. 

Resources:

• https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
  
• https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/
  
• https://www.rapid7.com/blog/post/etr-zero-day-exploitation-of-microsoft-sharepoint-servers-cve-2025-53770/
  
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49704
  
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49706
  
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770
  
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771
  
• https://thehackernews.com/2025/07/microsoft-releases-urgent-patch-for.html

Vulnerability Roundup

VMWare Fixes 4 Vulnerabilities Across Multiple Products

VMWare published a security advisory detailing 4 vulnerabilities affecting VMware ESXi, Workstation, Fusion, and Tools products. These vulnerabilities were initially discovered as zero-days in the Pwn2Own Berlin 2025 hacking competition in May 2025. Three of the vulnerabilities, tracked as CVE-2025-41236, CVE-2025-41237, and CVE-2025-41238, all have a severity rating of 9.3, and allow for a threat actor with local administrative privileges on a guest machine to execute code on the host (sandbox escape). For a full listing of affected versions and their corresponding patches, please see the Broadcom security advisory here. Administrators are urged to patch as soon as possible.

• https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35877
• https://www.bleepingcomputer.com/news/security/vmware-fixes-four-esxi-zero-day-bugs-exploited-at-pwn2own-berlin/

Maximum-severity Cisco ISE Flaws Exploited in the Wild

In late June, Cisco published a security advisory detailing two maximum-severity vulnerabilities in Cisco ISE products. This advisory was recently updated with a third maximum severity vulnerability, tracked as CVE-2025-20337. Successful exploitation can allow for a remote, unauthenticated attacker to store malicious files, execute arbitrary code, or gain root privileges. This vulnerability affects Cisco ISE and ISE-PIC releases 3.3 and 3.4, regardless of device configuration. Cisco has since confirmed these vulnerabilities are being actively exploited in the wild. Administrators are urged to patch as soon as possible. 

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6
  

• https://www.bleepingcomputer.com/news/security/max-severity-cisco-ise-bug-allows-pre-auth-command-execution-patch-now/
  

• https://www.scworld.com/news/cisco-warns-of-attempted-exploitation-of-max-severity-ise-flaws

Critical File Upload Vulnerability in SonicWall SMA 100

SonicWall released yet another security advisory for a vulnerability in the SonicWall SMA 100 series devices. The vulnerability, tracked as CVE-2025-40599, allows for unrestricted file uploads in the web management interface. Successful exploitation does require the attacker to have administrative privileges on the device, but the exploitation can result in remote code execution. Affected devices are the SMA 100 Series (SMA 210, 410, 500v) versions 10.2.1.15-81sv and earlier. Administrators are urged to patch as soon as possible.

• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0014
  

• https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-critical-rce-flaw-in-sma-100-VPN-appliances/

Multiple Vulnerabilities in Sophos Firewalls

Last week, Sophos published a security advisory detailing 5 new critical and high severity vulnerabilities affecting Sophos Firewall:

• CVE-2025-6704 - Critical-severity arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature that can be exploited to achieve pre-authenticated remote code execution. This vulnerability only exists if a specific configuration of SPX is enabled in combination with the firewall running in High Availability (HA) mode. Per the advisory, this affects only approximately 0.05% of devices.
• CVE-2025-7624 - Critical-severity SQL injection vulnerability in the legacy SMTP proxy that can be exploited to achieve remote code execution. This vulnerability only exists if a quarantining policy is active for Email and SFOS was upgraded from a version older than 21.0 GA. Per the advisory, this affects only approximately 0.73% of devices.
• CVE-2025-7382 - High-severity command injection vulnerability in WebAdmin that can be exploited by "adjacent" attackers to achieve pre-authenticated code execution on HA devices, only if OTP authentication for the admin user is enabled. Per the advisory, this affects approximately 1% of devices.
• CVE-2024-13974 - High-severity logic vulnerability in the Up2Date component. Successful exploitation allows an attacker controlling the firewall's DNS environment to achieve remote code execution.
• CVE-2024-13973 - Medium severity post-authentication SQL injection vulnerability in WebAdmin. Successful exploitation allows an attacker with administrative privileges to achieve arbitrary code execution.

CVE-2024-13974 and CVE-2024-13973 apply to Sophos Firewall v21.0GA (21.0.0) and older.

CVE-2025-6704, CVE-2025-7624, and CVE-2025-7382 apply to Sophos firewall v21.5 GA (21.5.0) and older.

Administrators are urged to apply patches as soon as possible.

• https://www.sophos.com/en-us/security-advisories/sophos-sa-20250721-sfos-rce
  

• https://thehackernews.com/2025/07/sophos-and-sonicwall-patch-critical-rce.html

CISA KEV Additions

The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last 2 weeks:

• CVE-2025-49706 - Microsoft SharePoint Improper Authentication Vulnerability
• CVE-2025-49704 - Microsoft SharePoint Code Injection Vulnerability
• CVE-2025-54309 - CrushFTP Unprotected Alternate Channel Vulnerability
• CVE-2025-6558 - Google Chromium ANGLE and GPU Improper Input Validation Vulnerability
• CVE-2025-2776 - SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability
• CVE-2025-2775 - SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability
• CVE-2025-53770 - Microsoft SharePoint Deserialization of Untrusted Data Vulnerability
• CVE-2025-25257 - Fortinet FortiWeb SQL Injection Vulnerability
• CVE-2025-47812 - Wing FTP Server Improper Neutralization of Null Byte or NUL Character Vulnerability

This report is provided FREE to the cybersecurity community.

Visit our Cyber Threat Intelligence Blog for additional reports.

Subscribe to be notified of future Reports:

NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.

DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.