This Month in Cybersecurity - July 2025

This Month in Cybersecurity, the July edition is here. This month’s roundup highlights essential stories, providing concise insights to keep teams informed and prepared.

Let’s jump in!

1. Manufacturing Security: Why Default Passwords Must Go

In the news512×512 374 KB

Iranian hackers’ takeover of a small U.S. water‑facility station with the factory password “1111” underscores how default credentials remain a prime attack vector; CISA is urging manufacturers to scrap them, noting years of abuse that fuels botnets, ransomware footholds and supply‑chain intrusions. The article says defaults persist because they speed setup and bulk provisioning, yet the resulting brand damage, regulatory fines and operational fallout far outweigh that convenience. It calls on manufacturers to adopt secure‑by‑design measures: unique per‑device passwords, first‑boot rotation APIs, zero‑trust onboarding, signed firmware checks and rigorous audit, while IT teams must immediately hunt down and replace any remaining default passwords in their environments.

2. Google and Microsoft Trusted Them. 2.3 Million Users Installed Them. They Were Malware.

In the news512×512 252 KB

Researchers at Koi Security found that a single “verified” Chrome color‑picker extension was the front door to a larger “RedDirection” campaign: 18 Chrome and Edge add‑ons, some badge‑verified and store‑featured, were quietly updated to embed a tab‑monitoring backdoor that siphons every visited URL and can redirect users to attacker‑controlled sites, compromising 2.3 million browsers. The episode highlights how malicious version bumps can turn once‑legitimate extensions into supply‑chain malware and exposes serious gaps in Google and Microsoft marketplace vetting and update pipelines.

3. Microsoft Used China-Based Support for Multiple U.S. Agencies, Potentially Exposing Sensitive Data

In the news512×512 316 KB

ProPublica uncovered that Microsoft let China-based engineers, supervised only by U.S. “digital escorts,” maintain its Government Community Cloud, which stores sensitive but unclassified data for Justice, Treasury, Commerce, EPA and Education. Security experts say such access could help Chinese intelligence mine insights or pivot toward more sensitive networks. Following similar revelations about Pentagon systems, Microsoft now pledges to bar China-based staff from all GCC work and conduct a broader security review, though details are sparse. The disclosure has spurred bipartisan alarm in Washington, while AWS, Google and Oracle insist they keep China-based personnel away from U.S. federal cloud contracts.

4. WhoFi: Deep Person Re-Identification via Wi-Fi Channel Signal Encoding

In the news512×512 29.8 KB

WhoFi is a new way to tell people apart without using cameras. It watches how Wi-Fi waves bounce off a person’s body, then treats those tiny changes like a fingerprint. The signal data goes into a neural-network model that learns to match one “fingerprint” to the right person. The best version of the model, the Transformer, identified the correct person first about 96 % of the time on a public test set. Because it works with radio waves, it still performs well in the dark or when someone is partly hidden, and it doesn’t record any pictures. While WhoFi proves that Wi-Fi signals can match or surpass cameras for person re-identification, the technique also sharpens the edge of covert surveillance. Unlike visible lenses, radio waves blanket a space silently; no one can tell when they are being scanned.

5. SharePoint Vulnerability with 9.8 Severity Rating Under Exploit Across Globe

In the news512×512 301 KB

A new unauthenticated remote‑code‑execution flaw in on‑prem Microsoft SharePoint (CVE‑2025‑53770, severity 9.8) is being mass‑exploited worldwide: attackers deploy a “ToolShell” backdoor, steal the server’s machine keys and __VIEWSTATE tokens, then pivot deeper into corporate networks. Microsoft rushed out emergency patches for SharePoint Subscription Edition and 2019 (plus a related CVE‑2025‑53771), but 2016 users remain unpatched and must enable AMSI. Because stolen keys persist beyond patching, administrators should also rotate SharePoint ASP.NET machine keys and restart IIS, and assume any exposed server is already compromised.

6. French Telecom Giant Orange Discloses Cyberattack

In the news512×512 344 KB

Orange detected a cyberattack on July 25 that breached one internal system; its cybersecurity unit quickly isolated the server, causing service and management-platform disruptions for some French business and consumer customers. The company has notified authorities, filed a complaint, and says its investigation so far shows no evidence that customer or corporate data was stolen. Although Orange hasn’t attributed the intrusion, the incident resembles recent telecom breaches worldwide linked to China’s Salt Typhoon espionage group.

7. Flaw in Gemini CLI Coding Tool Could Allow Hackers to Run Nasty Commands

In the news512×512 94.1 KB

Tracebit showed that Google’s new Gemini CLI could be hijacked with a prompt-injection hidden in a package README: after an allowed grep, the tool silently ran env | curl to exfiltrate environment variables and could just as easily call destructive commands like rm -rf /. The attack exploited Gemini’s habit of obeying natural-language instructions in files and its loose rule that anything following an allow-listed token executes unchecked. Google rushed out version 0.1.14, tagged Priority 1/Severity 1, urging users to update and sandbox untrusted code; Anthropic and OpenAI’s comparable tools resisted the exploit thanks to stricter command approvals.

Conclusion

That wraps up July’s cybersecurity highlights. Did any of these stories catch your attention, or is there any important development passbolt should cover next? Join the conversation and share your insights with the community: https://hubs.li/Q02bCy160