July Security Roundup

From Kocho’s Security Operations Centre (SOC)

Published: 23 July 2025

From critical SharePoint exploits to spyware, phishing-resistant bypasses, and a new cryptojacking threat. Our SOC team shine a light on urgent threats and practical steps to strengthen your organisation’s defences.

Headlines:

Critical SharePoint zero-day exploited in the wild
FIDO exploit bypasses phishing-resistant login
3,500+ websites hit by new cryptojacking campaign
Office printers leave major security gaps
Weak password brings down 158-year-old firm

Critical SharePoint flaw exploited in the wild

Microsoft has disclosed a serious vulnerability in on-premises SharePoint servers (CVE-2025-53770, CVE-2025-53771), confirmed to be under active exploitation since mid-July. The flaw allows unauthenticated attackers to run malicious code on affected systems — potentially handing them control of internal servers and access to wider network resources. SharePoint Online (Microsoft 365) is not impacted.

The vulnerability affects:

SharePoint Subscription Edition
SharePoint Server 2019
SharePoint Server 2016

Exploitation activity has already been observed globally, with attackers attempting to establish backdoors, move laterally, and compromise sensitive data.

What’s the risk:

Remote code execution by unauthenticated users
Full takeover of SharePoint servers
Lateral movement into wider network infrastructure
Persistent compromise if unpatched or undetected

Recommended actions:

Install Microsoft’s latest security updates for your version of SharePoint.

Rotate machine keys immediately after patching.

Restart IIS services to apply changes.

Enable Microsoft Defender Antivirus and AMSI integration.

Review logs and file systems for suspicious activity, including:

Creation of spinstall0.aspx in layout directories
PowerShell execution via w3wp.exe
POST requests to /layouts/15/ToolPane.aspx?DisplayMode=Edit
Network contact with known malicious IPs:
- 107.191.58[.]76
- 104.238.159[.]149
- 96.9.125[.]147

Action point

This is an active and serious threat. If you manage your own SharePoint environment, patch immediately and review for signs of compromise. Kocho is monitoring the situation and will issue updates as further information becomes available. More details can be found directly via Microsoft’s security blog

FIDO cross-device exploit bypasses phishing protection

A phishing campaign using adversary-in-the-middle (AitM) tactics has exploited weaknesses in FIDO2’s cross-device authentication to trick users into approving rogue login requests. The attackers (dubbed PoisonSeed) abused QR code flows and spoofed login portals to relay stolen credentials and gain access.

What’s the risk:

Bypass of phishing-resistant authentication
High potential for account compromise across trusted services
Exploitation of user trust in security keys and login processes

Recommended action:

Enforce proximity-based FIDO key checks.

Monitor for anomalies in device/browser login patterns.

Extend phishing-resistant auth to all high-value accounts.

Action point

Enforce proximity checks and monitor login anomalies.

Cryptojacking resurgence compromises over 3,500 sites

A surge in cryptojacking activity has seen more than 3,500 websites compromised with stealthy JavaScript-based miners. These scripts use WebSockets to adapt mining intensity and operate covertly on user machines, often without detection.

What’s the risk:

Resource hijacking across user devices
Website reputational damage and SEO penalties
Potential malware delivery alongside mining scripts

Recommended actions:

Scan sites for unauthorised JavaScript.

Apply CSPs (Content Security Policies) and Subresource Integrity.

Patch CMS platforms and remove unsupported plugins.

Action point

Scan for malicious scripts and apply strong web security controls.

Printer security gaps pose seven-figure risks

New research shows 67% of organisations have suffered data loss from insecure printers — with average incident costs over £1 million. Common issues include outdated firmware, default credentials, and no secure wipe policies at disposal.

What’s the risk:

Unmonitored lateral movement via print networks
Data exfiltration or leakage from stored print jobs
Supply chain and lifecycle compromise from device tampering

Recommended actions:

Update printer firmware and replace legacy models.

Enforce secure onboarding and disposal processes.

Treat printers as critical endpoints with network segmentation and logging.

Action point

Treat printers like all other endpoints. Update firmware and enforce security policies.

In the news: Weak password causes collapse of 158-year-old haulier

Akira ransomware actors brought down KNP Logistics by guessing a single weak password. The resulting breach encrypted critical systems, with a £5 million ransom demand.

Unable to recover, the company folded, putting 700 jobs at risk.

What this tells us:

Even a single compromised credential can have catastrophic consequences
Basic cyber hygiene failures remain a key entry point for major attacks
Ransomware continues to be financially and operationally devastating for unprepared organisations
SMEs are particularly vulnerable and often lack the resilience to recover from such breaches

Security foundations like strong passwords, MFA, and offline backups must be treated as non-negotiables.

Especially for organisations without a full-time security team.