Cyber Briefing: 2025.07.21
Microsoft patches active SharePoint RCE. AppLocker bug found. PoisonSeed bypasses FIDO. Arcadia hit for $3.5M. Korea insurer hit by ransomware. Phobos decryptor released. FBI tracks Ryuk hacker.
👉 What's happening in cybersecurity today?
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
🚨 Cyber Alerts
1. Microsoft Patch Fixes SharePoint RCE Under Attack
Microsoft has released urgent security patches for actively exploited vulnerabilities in on-premises SharePoint Servers, including a critical remote code execution flaw (CVE-2025-53770) being actively exploited by attackers to compromise organizations. Organizations are strongly advised to immediately apply updates, rotate keys, and assume compromise if their on-premises SharePoint is internet-exposed.
2. Microsoft AppLocker Bug Enables Security Bypass
Security researchers at Varonis Threat Labs found a subtle vulnerability in Microsoft's AppLocker feature: an incorrect MaximumFileVersion setting that could allow malicious applications to bypass restrictions, were it not for the accompanying digital signature checks. While not critical because of those checks, it highlights the importance of precise security configurations.
3. PoisonSeed Hackers Bypass FIDO with QR Phishing
Cybersecurity researchers have uncovered a new attack technique, dubbed PoisonSeed, that circumvents FIDO key protections by tricking users into authenticating through spoofed login portals via cross-device sign-in features. This method, which doesn't exploit a FIDO flaw but rather abuses a legitimate feature, allows attackers to gain unauthorized access to user accounts.
💥 Cyber Incidents
4. Arcadia Finance Hit as $3.5M Stolen in WETH Heist
Arcadia Finance, a DeFi platform on the Base blockchain, was exploited for approximately $3.5 million in USDC and USDS due to a vulnerability in its Rebalancer contract. The stolen funds were converted to WETH and moved to the Ethereum mainnet, prompting Arcadia to advise users to revoke asset manager permissions.
5. ATM Jackpotting in Michigan Nets $107K for Suspects
Two Florida men, Robert R. Rosales Rivero and Geniver Antonio Pinuela Testa, allegedly stole over $100,000 from Michigan ATMs in September 2024 using a "jackpotting" scheme and were later found with cash in Minnesota. Rivero now faces federal charges, while Testa remains at large.
6. Ransomware Hits Korea’s Top Guarantee Insurer
Seoul Guarantee Insurance, South Korea's largest guarantee insurer, is experiencing a severe disruption due to a ransomware attack that has taken its core systems offline for three days, significantly impacting services, especially in the housing market. The company is working to restore operations and has pledged full compensation for affected customers.
📢 Cyber News
7. Free Decryptor Released for Phobos and 8Base
Japanese authorities, in collaboration with Europol and the FBI, have released a free decryptor for victims of Phobos and 8Base ransomware, enabling them to recover encrypted files without paying a ransom. This release follows recent international law enforcement efforts that have targeted and disrupted the operations of these ransomware groups, including multiple arrests.
8. FBI Traces BTC to Armenian Ransomware Hacker
U.S. authorities are dismantling a major ransomware operation by tracing over 1,600 Bitcoin in ransom payments, leading to charges against global cybercriminals. This effort recently resulted in the extradition and indictment of an Armenian national in the United States for his role in the Ryuk ransomware campaign.
9. Roblox’s AI Safety Tools Spark Teen Concerns
Roblox is implementing new safety and privacy features for teenagers, including an AI-powered age estimation system and enhanced parental controls, in response to growing regulatory scrutiny and legal challenges. A key update is the requirement for users aged 13 and above to submit a video selfie for age verification to unlock "Trusted Connections," raising privacy concerns despite Roblox's assurances about data handling.
📈 Cyber Stocks
Cybersecurity stocks showed modest movement on Monday, July 21, 2025, as investors responded to institutional activity, strategic partnerships, and evolving market sentiment. Below is a summary of each company’s performance and the primary driver behind its stock movement:
Okta (OKTA) rose 3.63% to $95.43, driven by institutional buying as Envestnet Asset Management added 39,189 shares in Q2, along with growing investor interest in its AI-focused partnership with Palo Alto Networks.
Radware (RDWR) increased 1.98% to $29.17, as upgraded analyst coverage and optimism ahead of its upcoming Q2 earnings boosted investor sentiment.
CrowdStrike (CRWD) gained 1.27% to $475.96, supported by continued confidence in its AI-enhanced, tariff-resilient platform amid steady enterprise demand.
Palo Alto Networks (PANW) dipped 0.31% to $195.78, as profit-taking and a slight analyst downgrade outweighed enthusiasm around its AI collaboration with Okta.
Fortinet (FTNT) edged up 0.46% to $105.42, buoyed by strong technical indicators and anticipation of its August investor day, along with ongoing success as a Google Cloud networking partner.
💡 Cyber Tip
Watch Out for Weak Application Control
Security researchers have identified a flaw in Microsoft AppLocker’s suggested configuration that could allow certain unauthorized applications to bypass restrictions. The issue stems from an incorrect file version value, which could let tampered apps slip through if digital signature checks are not enforced. While not critical on its own, this misconfiguration highlights how small errors in security settings can open the door to exploitation.
✅ What you should do:
Review your AppLocker rules to ensure file version ranges are configured correctly.
Only allow applications that are digitally signed by trusted publishers.
Monitor for unsigned or unusually versioned executables attempting to run.
Regularly check Microsoft’s official documentation for updates or configuration changes.
Test configuration updates in a secure environment before deploying organization-wide.
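The first review step in practice, as an added example that is not from the briefing and is not Varonis's or Microsoft's code: a PowerShell helper that parses an AppLocker policy XML and flags publisher rules whose BinaryVersionRange upper bound is capped below the true file-version ceiling. The policy document is a constructed sample; on a live host the real input is the output of Get-AppLockerPolicy -Effective -Xml.

```powershell
# Added audit helper (not from the briefing): flags AppLocker publisher rules whose
# BinaryVersionRange upper bound is capped below the real file-version ceiling.
# A capped Deny rule stops matching higher versions, so those are no longer blocked.
# A PE file version has four 16-bit parts, so this is the highest possible value.
$MaxFileVersion = [version]'65535.65535.65535.65535'

function Test-AppLockerVersionRanges {
    param([Parameter(Mandatory)][string]$PolicyXml)
    [xml]$policy = $PolicyXml
    $findings = @()
    foreach ($rule in $policy.SelectNodes('//FilePublisherRule')) {
        foreach ($range in $rule.SelectNodes('.//BinaryVersionRange')) {
            $high = $range.GetAttribute('HighSection')
            if ($high -eq '*') { continue }   # '*' = no upper bound, nothing to check
            $parsedHigh = $null
            $problem = $null
            if (-not [version]::TryParse($high, [ref]$parsedHigh)) {
                $problem = "HighSection '$high' is not a valid version"
            } elseif ($parsedHigh -lt $MaxFileVersion) {
                $problem = "HighSection $high is below $MaxFileVersion; higher versions escape this rule"
            }
            if ($problem) {
                # GetAttribute avoids the XmlNode.Name property shadowing the Name attribute
                $findings += [pscustomobject]@{
                    Rule    = $rule.GetAttribute('Name')
                    Action  = $rule.GetAttribute('Action')
                    Problem = $problem }
            }
        }
    }
    return $findings
}

# Constructed sample policy (not a real environment). On a live host use instead:
#   $xml = Get-AppLockerPolicy -Effective -Xml
$sample = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000001" Name="Allow vendor tool" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePublisherCondition PublisherName="O=EXAMPLE VENDOR, L=EXAMPLE, S=EXAMPLE, C=US" ProductName="*" BinaryName="*">
        <BinaryVersionRange LowSection="*" HighSection="*" />
      </FilePublisherCondition></Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="00000000-0000-0000-0000-000000000002" Name="Block old helper" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePublisherCondition PublisherName="O=EXAMPLE VENDOR, L=EXAMPLE, S=EXAMPLE, C=US" ProductName="HELPER" BinaryName="HELPER.EXE">
        <BinaryVersionRange LowSection="*" HighSection="655.65535.65535.65535" /><!-- constructed capped bound -->
      </FilePublisherCondition></Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
'@
Test-AppLockerVersionRanges -PolicyXml $sample | Format-Table -AutoSize
```

The sample yields one finding, for the Deny rule, since any HELPER.EXE with a version above the capped bound would fall outside the block rule.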
🔒 Why this matters:
Even minor misconfigurations can create exploitable gaps that sophisticated attackers may target. By aligning your settings with current guidance and enforcing digital signatures, you reduce the risk of unauthorized software execution within your environment.
📚 Cyber Book
The Technology Tail: A Digital Footprint Story by Julia Cook
That concludes today's briefing.
Copyright © 2025 CyberMaterial. All Rights Reserved.