
Dragon Sight: Emerging Threats & Security Strategies

WEEK OF JUL 14, 2025 | ISSUE 14 | "Stay informed. Stay prepared. Stay secure with Dragon Sight"

This Week in Issue

A sweeping Bluetooth vulnerability known as PerfektBlue puts over a billion devices and 350 million cars at risk of remote code execution with a single click. Chinese APTs are actively exploiting a Microsoft Exchange zero-day targeting North American government systems, while deepfake threats escalate with attackers impersonating public figures. A critical flaw in WordPress Gravity Forms and active GeoServer exploits raise alarm for web admins. Meanwhile, attackers are bypassing MFA protections, abusing SQL exploitation tools released on GitHub, and deploying heavily obfuscated Android malware to evade detection.

CYBER NEWS ROUNDUP

Nexus-Dragon Cybersecurity Roundup: News Articles from Around the Web Relevant to the SMB

Godfather Android Malware Now Uses Virtualization to Hijack Banking Apps
A new variant of the Godfather Android malware uses virtualization to conceal itself while hijacking banking sessions in real time, stealing credentials and bypassing detection. This technique raises the stakes for mobile security across both personal and unmanaged devices. SMBs should treat mobile device protection as seriously as desktop security, especially with rising BYOD use.

Krispy Kreme Says November Data Breach Impacts Over 160,000 People
Krispy Kreme confirmed a breach affecting over 160,000 customers, exposing names and partial payment data from a November 2023 attack. The incident highlights how even mainstream retail brands face lasting risk from unaddressed security gaps. SMBs handling customer data must have clear breach detection and response plans in place.

Bluetooth Vulnerabilities Threaten 1B Devices and 350M Cars
A set of critical vulnerabilities known as PerfektBlue lets attackers remotely execute code via Bluetooth with minimal user interaction. With over a billion affected devices, the threat spans consumer and commercial sectors.

China-Linked APTs Exploiting Microsoft Exchange Zero-Day
Chinese APTs are actively exploiting a zero-day in Microsoft Exchange to target North American government and critical infrastructure networks. The flaw enables stealthy data exfiltration, and SMBs using Exchange must patch immediately and monitor email systems for unusual activity.

Deepfake Scams Using Politician Impersonations on the Rise
Attackers are using deepfakes to impersonate public figures like Senator Marco Rubio in scams to steal personal and financial data. These synthetic campaigns are becoming more sophisticated and common. SMBs should train teams to recognize deepfake tactics and verify unusual requests.

WordPress Gravity Forms Plugin Exploited in Active Attacks
Hackers are exploiting a high-severity flaw in Gravity Forms to upload malicious files and take over WordPress sites. With over 900,000 installations at risk, patching and reviewing recent uploads is critical for SMBs running WordPress.

Android Malware Uses Ducex Packer to Evade Detection
A new Android malware campaign uses the Ducex packer to heavily obfuscate payloads, bypassing static and dynamic defenses. It targets users globally, especially on unmanaged or personal devices. SMBs should enforce mobile device policies and limit app installs to trusted sources.

GeoServer RCE Flaw Exploited to Breach Server Environments
Attackers are exploiting a remote code execution vulnerability in GeoServer, putting geospatial services at risk. Organizations in logistics, energy, and mapping should patch immediately and restrict external access.

New GitHub Tool ‘MSSQLPwner’ Lowers Barrier to SQL Exploits
The newly released MSSQLPwner tool simplifies privilege escalation and lateral movement in Microsoft SQL environments. Though intended for red teams, it's easily abused by threat actors. SMBs should harden SQL permissions and monitor for suspicious activity.

McDonald’s Chatbot Leak Exposes 64M Job Application Conversations
A default password (123456) led to the exposure of 64 million McDonald’s job applicant chats. The incident underscores the importance of securing third-party integrations. SMBs should enforce password standards and vet external platforms.

MFA Under Attack: Threat Actors Bypass Protections
Attackers are bypassing MFA using phishing kits, token replay, and session hijacking. Even trusted MFA methods are at risk without additional safeguards. SMBs should upgrade to phishing-resistant MFA and monitor user sessions closely.

ServiceNow Vulnerability CVE-2025-3648 Enables Unauthorized File Access
A critical ServiceNow flaw allows unauthenticated API requests to retrieve sensitive files. Organizations using ServiceNow must patch now and restrict API access to trusted systems.

Cyber Hygiene Tips/Why this Matters – Week of Jul 14, 2025

This week’s threat landscape demands swift, coordinated defense. Attackers are actively exploiting everyday tools and overlooked systems, from Bluetooth and MFA to WordPress plugins and digital signage platforms. The PerfektBlue vulnerability affects over a billion devices, while zero-days in Microsoft Exchange and ServiceNow are being used by nation-state actors. Tools like MSSQLPwner are lowering the bar for lateral movement inside compromised networks, and attackers are now bypassing traditional MFA and using deepfakes to enhance social engineering. SMBs must patch aggressively, enforce MDM policies, harden configurations, secure third-party integrations, and educate staff. These threats are real, active, and increasingly aimed at the systems businesses depend on every day. Maintaining strong cyber hygiene is no longer a best practice; it is a necessity for operational survival.

Government advisories

THREAT FOCUS

Overview

This week’s most impactful intelligence centers around two fronts: the arrest of a suspected member of Silk Typhoon—a Chinese state-sponsored threat group—and a sharp escalation in unpatched vulnerabilities, driven by a record-setting CVE publication pace. The convergence of increasing exploitability (via Known Exploited Vulnerabilities, or KEVs) and state-backed cyber-espionage operations presents a strategic warning to defenders globally. SMBs and enterprises alike must contend with adversaries exploiting both unpatched software and advanced tradecraft.

Threat Actor Profile

Name: Silk Typhoon (also known as APT41)
Origin: China (state-affiliated)
Motivation: Cyber-espionage, intelligence collection, and supply chain compromise
Recent Activity: A Chinese national allegedly tied to Silk Typhoon was arrested in Milan for cyberattacks targeting U.S. government agencies and private organizations. This group is known for blending espionage and financially motivated operations, often abusing trusted tools and zero-days.

Tools and Techniques

Silk Typhoon relies on tools like Cobalt Strike, ShadowPad, and stolen credentials. At the same time, attackers are taking advantage of a fragmented CVE system and overwhelming patch volumes. In July alone, Microsoft patched 132 flaws, 14 of them critical, amid a surge of 131 new CVEs per day.

Mapped MITRE ATT&CK Techniques

  • T1133 – External Remote Services

  • T1190 – Exploit Public-Facing Application

  • T1055 – Process Injection

  • T1203 – Exploitation for Client Execution

  • T1566 – Phishing

  • T1218 – Signed Binary Proxy Execution

  • T1210 – Exploitation of Remote Services

  • T1078 – Valid Accounts

  • T1059 – Command and Scripting Interpreter

  • T1027 – Obfuscated Files or Information

  • T1027.002 – Software Packing

Strategic Implications

The Silk Typhoon arrest is a rare win, but their campaign continues through tool reuse, cloud abuse, and CVE exploitation. Rising KEVs and fragmented vulnerability tracking strain IT teams, especially in small organizations. With growing RCE risks across Microsoft platforms, exploitation is only a matter of time.

Defensive Recommendations

Organizations should immediately apply Microsoft’s July updates, especially for SharePoint, Office, and Hyper-V. Align patching efforts with CISA’s Known Exploited Vulnerabilities (KEV) list and set up alerts for high-risk flaws. Enforce least privilege by auditing remote access and account permissions, and monitor for lateral movement through unusual command-line activity or credential use. Prepare for blended attacks by combining phishing resistance training with endpoint monitoring to catch tools like Cobalt Strike. Finally, centralize vulnerability tracking across CVE sources to eliminate blind spots and streamline response.

Why This Matters

The Silk Typhoon arrest shows that well-backed adversaries are actively targeting Western systems. With rising exploited flaws and rapid vulnerability disclosures, SMBs are increasingly exposed. Nexus-Dragon urges proactive patching, visibility, and readiness to counter both espionage and criminal tactics.

Source

Overview: Deep Dive: CVE-2025-4632 – Samsung MagicINFO Path Traversal Exploitation

CVE-2025-4632 is a newly exploited path traversal vulnerability targeting Samsung MagicINFO, a digital signage content management solution used in retail, healthcare, transportation, and education sectors. The flaw enables unauthenticated attackers to access sensitive files on the system by manipulating file paths in web requests. According to GreyNoise telemetry, multiple malicious scanning campaigns are now actively probing for vulnerable MagicINFO instances, with infrastructure distributed across Europe and Asia.

Technical Summary

This vulnerability exists in the way MagicINFO handles file path input through web-exposed endpoints—specifically CGI scripts. Improper sanitization allows attackers to craft requests that include sequences like ../ to traverse directories outside the intended scope. Threat actors are leveraging this to access configuration files, credential stores, and potentially execute chained attacks in environments where signage systems are not properly segmented from internal networks.

Recent Exploitation Activity

GreyNoise classifies CVE-2025-4632 as malicious, with activity confirmed from 13 distinct IP addresses across Germany, Netherlands, Poland, Singapore, and Bulgaria, targeting hosts primarily in the United States and Europe.

Defanged IOCs and Observed Hosts:

  • hxxp://147.45.112[.]219 – Germany – Alviva Holding Limited

  • hxxp://88.214.26[.]30 – Bulgaria – Alviva Holding Limited

  • hxxp://195.3.221[.]137 – Poland – MEVSPACE sp. z o.o.

  • hxxp://157.230.193[.]102 – Singapore – DigitalOcean, LLC

  • hxxp://196.251.86[.]118 – Netherlands – cheapy[ . ]host LLC

  • hxxp://138.199.59[.]173 – Poland – Datacamp Limited

  • Additional destinations: U.S., France, Italy, Germany, Mexico, Brazil

Tags Associated with Activity:

  • CGI Script Scanner

  • Generic Path Traversal Attempt

  • Samsung MagicINFO CVE-2024-7399 Path Traversal Attempt (likely misclassification overlap)

  • Web Crawler

  • HTTP PUT Uploader

Mapped MITRE ATT&CK Techniques

  • T1190 – Exploit Public-Facing Application

  • T1005 – Data from Local System

  • T1083 – File and Directory Discovery

  • T1210 – Exploitation of Remote Services

  • T1595.002 – Active Scanning: Vulnerability Scanning

  • T1040 – Network Sniffing (used in some scanners)

Threat Actor Infrastructure & TTPs

  • Infrastructure used includes cheap VPS providers (e.g., DigitalOcean, cheapy[ . ]host, Datacamp).

  • Multiple sources are reusing infrastructure previously seen in RCE attempts against ColdFusion, RocketMQ, and Confluence.

  • Behavior suggests inclusion in automated exploit scanning kits; likely part of broad, low-skill scanning bots or preliminary reconnaissance by ransomware affiliates.

Strategic Implications

Digital signage systems like Samsung MagicINFO are often exposed, underpatched, and overlooked. Attackers exploit them to steal credentials or pivot into business networks, posing serious risks to SMBs in sectors like healthcare, retail, and education.

Defensive Recommendations

  • Immediately apply security updates for Samsung MagicINFO or isolate vulnerable systems.

  • Deploy Web Application Firewalls (WAFs) with rules to detect path traversal patterns (../, encoded characters).

  • Segment signage and IoT devices from core networks using strict VLAN and firewall policies.

  • Inspect logs for CGI-based access attempts and suspicious file requests.

  • Block known malicious IPs and monitor outbound DNS/HTTP activity from signage systems.

  • Verify configurations do not expose sensitive files via HTTP/S endpoints.
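The log-inspection step above, applied to the traversal behaviour the technical summary describes, as an added example that is not code from this newsletter, from GreyNoise, or from Samsung. The access-log lines, the /cgi-bin/download endpoint and the file names are constructed for illustration; the canonicalizer unfolds single and double percent-encoding and backslashes before deciding whether a request climbs above the web root, so encoded variants that a bare "../" match would miss are still flagged.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (Combined Log Format), not real telemetry; the
# /cgi-bin/download endpoint and file names are hypothetical. Lines 2-4 are traversal attempts.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Jul/2025:10:01:02 +0000] "GET /cgi-bin/download?file=reports/weekly.pdf HTTP/1.1" 200 512
10.0.0.6 - - [14/Jul/2025:10:01:09 +0000] "GET /cgi-bin/download?file=../../../config/credentials.properties HTTP/1.1" 200 1430
10.0.0.7 - - [14/Jul/2025:10:01:15 +0000] "GET /cgi-bin/download?file=%2e%2e%2f%2e%2e%2fconf%2fserver.xml HTTP/1.1" 404 0
10.0.0.8 - - [14/Jul/2025:10:01:21 +0000] "GET /cgi-bin/download?file=..%255c..%255cweb.xml HTTP/1.1" 403 0
10.0.0.9 - - [14/Jul/2025:10:01:30 +0000] "GET /static/img/logo.png HTTP/1.1" 200 8192
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" (?P<status>\d{3})')

def canonicalize(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable (defeats double encoding such as %255c),
    then fold backslashes to '/' so '..\\' is treated like '../'."""
    s = target
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/")

def escapes_root(target: str) -> bool:
    """True if the path or any query value climbs above its start directory once
    canonicalized; depth bookkeeping so '/a/../b' passes but '/a/../../b' does not."""
    path, _, query = canonicalize(target).partition("?")
    candidates = [path] + [kv.partition("=")[2] for kv in query.split("&") if kv]
    for cand in candidates:
        depth = 0
        for seg in cand.split("/"):
            if seg == "..":
                depth -= 1
                if depth < 0:
                    return True
            elif seg and seg != ".":
                depth += 1
    return False

def scan_log(text: str) -> list:
    """One record per traversal attempt. A 2xx status means the server returned
    content to the request, so those records are triaged first."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and escapes_root(m["target"]):
            status = int(m["status"])
            hits.append({"ip": m["ip"], "target": m["target"], "status": status,
                         "canonical": canonicalize(m["target"]),
                         "likely_success": 200 <= status < 300})
    return hits
```

Running scan_log over a real access log yields the flagged source IPs and canonical paths; a hit with likely_success set indicates the application served the requested file and the host should be treated as potentially compromised rather than merely probed.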

Threat Modeling Summary

  • Likely Targets: SMBs in public spaces, hospitals, school campuses, retail chains.

  • Attacker Goals: Initial access, reconnaissance, credential harvesting, or defacement.

  • Attack Vector: Public-facing web interface with CGI path traversal flaw, exploited via botnet scanning or targeted probes.

Why This Matters

CVE-2025-4632 highlights how attackers exploit overlooked systems like signage platforms to gain access. SMBs are especially at risk due to limited defenses. Patching, segmentation, and visibility are critical to stop these footholds from becoming full-blown breaches.

Disclaimer

This report is based on OSINT and scan data. Organizations should validate findings and assess their own risk before making changes.

Discover the Nexus-Dragon Ecosystem

Explore Everything at Nexus-Dragon.com. Your Launchpad for Elite Cybersecurity Training and Business-Grade Protection

Comprehensive Learning Subscription (CLS)
The CLS program is more than just certification prep; it’s a full-spectrum, 4-year guided learning pathway for professionals committed to mastering information security and gaining long-term expertise in the field.

www.nexus-dragon.com

Included in CLS:

  • Full prep and resources for CISSP, CEH, CASP+, GBK, and Cyber Training certifications

  • Access to interactive cloud security labs, recorded workshops, and scheduled mentorship

  • Built-in progress tracking, skill assessments, and a structured roadmap to job-ready proficiency

  • Complimentary access to our Basic Cyber Operations (BCO) course for foundational knowledge in network security and incident response

Dragon Armor Cybersecurity Suite
Tailored for small and mid-sized businesses, Dragon Armor delivers serious protection without the complexity of big-ticket enterprise tools. It’s everything you need to secure your environment, designed to scale as you grow.

Included with Dragon Armor:

  • AI-driven threat detection, endpoint security, and real-time response

  • Built-in alignment with HIPAA, NIST Cybersecurity Framework (CSF), and ISO 27001

  • Guided onboarding and a full cybersecurity risk assessment to identify gaps

  • Multi-year price lock and flexible plans that grow with your organization’s needs

Stay Ahead of Cyber Threats

Nexus-Dragon’s Curated Threat Intelligence Service delivers real-time, tailored insights focused on your risks, your industry, and your assets. We cut through the noise to give you high-confidence IOCs, mapped MITRE ATT&CK techniques, and strategic recommendations so you can act fast and stay protected. Get intelligence built for action.

Dragon Armor Advisors (DAA) by Nexus-Dragon takes the hassle out of hiring by recruiting, vetting, and managing elite cybersecurity professionals for you. From analysts to compliance leads, our mission-ready experts, many from NSA, DoD, and CISA, integrate seamlessly into your team with zero long-term risk. Fill your security gaps fast. www.nexus-dragon.com

Tenable Nessus® Expert is the gold standard for vulnerability assessment—built for security teams facing limited resources and a fast-changing threat landscape. It automates point-in-time assessments to help you quickly find, prioritize, and remediate vulnerabilities across operating systems, devices, and applications.
Discover how Nessus Expert can strengthen your defenses.


Optery helps businesses and individuals automatically remove their private information from hundreds of data broker websites—reducing exposure to phishing, identity theft, and targeted attacks. It’s a powerful privacy protection platform ideal for SMBs looking to safeguard executives, employees, or clients.


Monday: Streamline your cybersecurity projects and team workflows with Monday, the flexible work OS built to help small businesses and IT teams stay organized, aligned, and efficient. From managing incident response tasks to tracking compliance milestones, Monday makes it easy to visualize progress and stay ahead of threats.

Ready to move forward?
For full details, customized walkthroughs, or to begin onboarding, contact our team at:
Or explore our solutions directly at:

TELL US HOW WE’RE DOING!

Your feedback is VERY valuable! Let us know how we can improve future issues.

The information provided is for general purposes only and is accurate to the best of our knowledge. We do not guarantee its accuracy or reliability and are not responsible for any outcomes resulting from its use. This post contains affiliate links, meaning we may earn a commission if you purchase through them, at no additional cost to you. Written with the help of our little A.I!

All trademarks belong to their respective owners.

CONTACT US

📞 850-684-0278