CISO Talk by James Azar
CyberHub Podcast
China-Linked ToolShell Zero-Days Target High-Value SharePoint Servers, Dell Confirms Test Lab Breach by World Leaks Group, Over 1,000 CrushFTP Servers Exposed to Ongoing Hijack Attacks

ToolShell Zero-Days, Dior & Dell Breached, and VPNs That Leak

Good Morning Security Gang!
Happy Tuesday from the Cyber Hub Podcast bunker — well, temporarily broadcasting from Israel before heading out to Black Hat.

Today’s episode is packed tighter than an unpatched SharePoint server. We’re diving into Chinese-attributed zero-days, luxury brand data leaks, crypto heists, and a not-so-private VPN issue — and that’s just the beginning.

So, whether you’re sipping espresso or still chewing on that incident response ticket from last night, buckle up.

🚨 ToolShell SharePoint Zero-Day: Attributed to China

We kicked off today’s show with a deep dive into the SharePoint zero-days (CVE-2025-53770 and CVE-2025-53771), now being linked to Chinese APTs. SentinelOne began detecting exploitation as early as last week, and ShadowServer confirmed that nearly 9,000 internet-facing SharePoint instances — especially in North America and Europe — are exposed. Victims include energy companies, universities, telecoms, and government agencies. Attackers bypassed MFA and SSO, deployed backdoors, and even stole cryptographic keys. Microsoft urges immediate key rotation post-patching. This isn’t a vulnerability you ignore; it’s a trust-breaker.

🗣️ “How much did the Chinese know before Microsoft even discovered this zero-day? And how much do you trust China?” James Azar on the SharePoint zero-day

💥 CrushFTP Flaw: Over 1,000 Instances Exposed

Next, we revisited the CrushFTP mess (CVE-2025-54309). Over 1,000 vulnerable servers remain online, offering admin access to attackers. Brazil, Russia, China, Kazakhstan, and the U.S. all have affected instances. This actively exploited vulnerability, caused by mishandled AS2 validation, impacts versions below 10.8.5 and 11.3.4_23. If CrushFTP touches your infrastructure or supply chain, consider this your red alert.

🪙 CoinDCX Breach: $4.4M in Crypto Vanishes

Indian crypto exchange CoinDCX confirmed an internal breach, where $4.4 million was siphoned out of one of its operational wallets. Thankfully, customer funds were untouched. The stolen funds were traced across multiple wallets and are now gone. The company plans to reimburse losses through reserves and launch a bug bounty. But as I warned — if you're in blockchain, you're a target. Full stop.

🕵️ APT41 Targets Africa

Chinese cyber-espionage group APT41 is now gunning for African government IT systems. Kaspersky revealed malware hardcoded with internal network details and a captive SharePoint server, suggesting serious prior reconnaissance. This points to a possible shift in African nations backing away from Chinese influence, which China is countering through predatory loans and now, it seems, digital infiltration.

👜 Dior Confirms January Data Breach

Luxury brand Dior is notifying customers of a January 2025 data breach. Exposed data includes names, addresses, contact info, dates of birth, government IDs, and Social Security numbers — but no payment information, thanks to PCI compliance. These letters come just as Louis Vuitton notifies global customers of a separate incident. It's a rough season for high fashion cybersecurity.

💻 Dell Demo Platform Breach

Dell confirmed that its product demo environment was breached by the World Leaks extortion gang. The environment was isolated and filled with fake data, but the gang still tried to blackmail Dell. Dell wisely called their bluff. This reinforces the need for every enterprise to know exactly what kind of data lives where — especially in sandboxed or demo environments.

🕳️ ExpressVPN Exposes Real IPs via RDP

ExpressVPN had one job: hide user IPs. And they fumbled. Debug code mistakenly included in production caused RDP and other TCP traffic over port 3389 to bypass the VPN tunnel. Builds from 12.97 through 12.121.0.2 beta are affected. If you’re using ExpressVPN on Windows, update now, and maybe audit your VPN provider’s CI/CD pipeline while you’re at it.

📱 Iran's MuddyWater Deploys Android Spyware

Mango Sandstorm (a.k.a. Static Kitten or MuddyWater), an Iranian threat group tied to Iran's Ministry of Intelligence, is deploying new spyware targeting Android devices. Disguised as VPN or banking apps, the spyware surfaced just a week after the Israel-Iran conflict reignited. Cyber in wartime is no longer a side hustle; it’s central to the strategy.

🇭🇺 Hungary Arrests Cyberattack Suspect

Hungarian police arrested a 23-year-old from Budapest linked to a wave of DDoS attacks against independent media outlets, including the International Press Institute. The suspect, operating under the alias “Hano,” used DDoS-for-hire services. The targets? Media critical of Prime Minister Viktor Orbán. Pro-government sites? Untouched. Just another example of digital censorship masquerading as disruption.

🎯 Action Items:

  • Patch SharePoint vulnerabilities CVE-2025-53770 and CVE-2025-53771 immediately and rotate cryptographic keys after patching.

  • Scan for CrushFTP versions below 10.8.5 / 11.3.4_23 and update immediately.

  • Audit VPN clients — especially ExpressVPN if you use RDP — and ensure patch levels are current.

  • Track crypto transactions in CoinDCX-related wallets if you're in blockchain security.

  • Investigate vendor exposure for Dell, Dior, or any other demo/testing systems.

  • Educate teams on APT trends in Africa and Asia as strategic targeting evolves.

  • Harden Android defenses against politically themed spyware apps.
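The CrushFTP action item above asks you to find instances below 10.8.5 / 11.3.4_23. Version strings in the 11.x line carry an underscore build suffix (11.3.4_23), so a naive string comparison gets it wrong. The following is an added example, not code from the podcast or from CrushFTP, showing a small triage script: it parses both version styles, compares each host against the fixed version for its branch as stated in the notes, and runs over a constructed inventory. The hostnames and versions in `SAMPLE_INVENTORY` are made up; how a 12.x build should be treated is an assumption noted in the code.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed versions named in the show notes for CVE-2025-54309:
# 10.x is fixed at 10.8.5, 11.x at 11.3.4_23 (build suffix after the underscore).
FIXED_VERSIONS: Dict[int, Tuple[int, int, int, int]] = {
    10: (10, 8, 5, 0),
    11: (11, 3, 4, 23),
}

# Accepts "10.8.4", "11.3.4" and "11.3.4_23" (dotted release, optional _build).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_(\d+))?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, build) or None if the string is not a version."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    parts = (parts + [0, 0, 0])[:3]          # pad "10.8" to major.minor.patch
    build = int(match.group(2) or 0)          # missing suffix compares as build 0
    return (parts[0], parts[1], parts[2], build)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version is below the fixed release for its branch, None if unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    major = parsed[0]
    if major < 10:
        return True                           # everything below 10.8.5 is in scope
    if major > 11:
        # Assumption: builds newer than the 11.x line are not in the stated range;
        # confirm against the vendor advisory before trusting this branch.
        return False
    return parsed < FIXED_VERSIONS[major]     # tuple comparison handles _build correctly


def triage(inventory_csv: str) -> Dict[str, str]:
    """Map each host in a 'host,version' CSV to 'patch', 'ok' or 'unknown'."""
    result: Dict[str, str] = {}
    for line in inventory_csv.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        verdict = is_vulnerable(version)
        if verdict is None:
            result[host.strip()] = "unknown"
        else:
            result[host.strip()] = "patch" if verdict else "ok"
    return result


# Constructed sample inventory (not real hosts); the comment line is skipped.
SAMPLE_INVENTORY = """\
# host,crushftp_version
ftp-a.example.test,10.8.4
ftp-b.example.test,10.8.5
ftp-c.example.test,11.3.4_22
ftp-d.example.test,11.3.4_23
ftp-e.example.test,11.2.0
ftp-f.example.test,unknown
"""

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:22} {status}")
```

Note that `11.3.4` with no suffix is treated as build 0 and therefore flagged, which is the safe direction for an inventory sweep: a host reporting a bare `11.3.4` needs a closer look, not a pass.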

🧠 James Azar's CISO Take:

The attack surface isn’t expanding — it’s exploding. From Chinese zero-days in critical platforms like SharePoint to espionage in demo environments, the battlefield is no longer defined by firewalls or endpoints. It’s defined by trust — in your tools, your vendors, and your processes. And attackers know exactly where that trust is weakest.

What ties all these stories together? Accessibility. Zero-days, DDoS kits, spyware disguised as VPNs — all are affordable and effective. And AI is making the barrier to entry even lower. We’re entering an era where cyberwarfare isn’t limited to global superpowers — it’s accessible to anyone with motive and bandwidth. That’s a future we need to prepare for now.

Until next time — patch those endpoints and…
Stay cyber safe.

✅ Story Links:

https://www.securityweek.com/toolshell-zero-day-attacks-on-sharepoint-first-wave-linked-to-china-hit-high-value-targets/

https://www.bleepingcomputer.com/news/security/over-1-000-crushftp-servers-exposed-to-ongoing-hijack-attacks/

https://therecord.media/indian-crypto-dcx-millions-stolen

https://thehackernews.com/2025/07/china-linked-hackers-launch-targeted.html

https://www.securityweek.com/dior-says-personal-information-stolen-in-cyberattack/

https://www.bleepingcomputer.com/news/security/dell-confirms-breach-of-test-lab-platform-by-world-leaks-extortion-group/

https://www.bleepingcomputer.com/news/security/expressvpn-bug-leaked-user-ips-in-remote-desktop-sessions/

https://www.securityweek.com/new-variants-of-dchspy-spyware-used-by-iranian-apt-to-target-android-users/

https://therecord.media/hungary-arrest-suspect-hacking-independent-media

🔔 Subscribe now for the latest insights from industry leaders, in-depth analyses, and real-world strategies to secure your digital world. https://www.youtube.com/@TheCyberHubPodcast/?sub_confirmation=1

🚨 Important Links to Follow:

👉Website:

👉Listen here: https://linktr.ee/cyberhubpodcast

Stay Connected With Us.

👉Facebook: https://www.facebook.com/CyberHubpodcast/

👉LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/

👉Twitter (X): https://twitter.com/cyberhubpodcast

👉Instagram: https://www.instagram.com/cyberhubpodcast

🤝 For Business Inquiries: info@cyberhubpodcast.com

=============================

🚀 About The CyberHub Podcast.

The Hub of the Infosec Community.

Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.

Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.
