Ransomware, Credential Theft, and Platform Exploits Converge on Trusted Business Systems

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.

1. Remote Access Gateways as Ransomware Entry Points

  • Akira ransomware exploiting SonicWall SSL VPN devices, potentially via a zero-day or stolen credentials, with incidents on patched systems.
  • Chaos RaaS campaigns using spam-triggered vishing to get victims to install Quick Assist and RMM tools, followed by data theft and selective encryption.

Mitigation: Disable unpatched VPN services until fixes are confirmed, enforce MFA and callback verification for remote access, block unapproved RMM tools, and segment remote-access networks.

2. Enterprise Platform Exploits for Ransomware and Espionage

  • SharePoint ToolShell campaign exploiting CVE-2025-49704/49706 to deploy LockBit and Warlock ransomware and create DNS-based backdoors.
  • ShinyHunters vishing Salesforce CRM users to steal credentials/MFA tokens and exfiltrate data via Salesforce Data Loader.

Mitigation: Patch enterprise apps rapidly, enforce MFA and conditional access, monitor OAuth and connected app activity, and apply least privilege to CRM accounts.

3. Credential Theft Accelerates: Trusted Tools Hijacked

Phishing campaigns increasingly abuse legitimate services to bypass defenses:

  • Supply Chain Impersonation: Attackers registered typosquatted domains (e.g., pypj[.]org) mimicking PyPI, using reverse proxies to stealthily harvest credentials while redirecting victims to legitimate portals.
  • Email Security Subversion: Proofpoint and Intermedia’s link-wrapping services were exploited to redirect users to Microsoft 365 phishing pages via fake voicemail, Teams, or Zoom lures.
  • File-Based Evasion: SVG attachments embedded malicious scripts to silently redirect users.

Mitigation: Disable auto-link-wrapping for internal emails, enforce MFA for all cloud accounts, and block SVG script execution in email clients.

4. AI and Cloud Workloads Under Attack

NVIDIA Container Toolkit flaw (CVE-2025-23266) exploited via LD_PRELOAD injection to escape containers and take full host control.

Mitigation: Update to NVIDIA Container Toolkit v1.17.8, segment high-value workloads, restrict unsigned driver loading, and audit container creation hooks.

5. Supply Chain and Communication Tool Abuse

  • PyPI typosquatting (pypj[.]org) harvesting developer credentials while proxying traffic to the real site.
  • Link-wrapping services (Proofpoint, Intermedia) used for multi-stage redirects to Microsoft 365 phishing pages.
  • Malicious SVG attachments embedding scripts for silent redirection.

Mitigation: Inspect URLs before clicking, disable auto-link wrapping for internal emails, block SVG script execution, and encourage password manager use.

6. Persistent Linux Backdoors

Plague PAM backdoor embeds itself into authentication modules to allow static-credential SSH access, removes logs, and survives updates.

Mitigation: Audit PAM directories, enable extended PAM/SSH logging, deploy EDR with PAM anomaly detection, and rebuild compromised systems from trusted sources.
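The "audit PAM directories" step above can be made repeatable. The following is an added example, not SISA's tooling: it parses /etc/pam.d-style service files (handling bracketed control fields and continuation lines), flags any module not on an approved allowlist, and hashes the shared objects in a PAM module directory so a known-good baseline can be diffed later. The directory paths and the module name pam_unexpected.so in the constructed sample are placeholders.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# A PAM control field may be bracketed and contain spaces, e.g. "[success=1 default=ignore]";
# a leading "-" on the type marks a module whose absence should not be logged. Both are matched.
_PAM_LINE = re.compile(
    r"^-?(?:auth|account|password|session)\s+(?:\[[^\]]*\]|\S+)\s+(?P<module>\S+)")

def referenced_modules(pam_d):
    """Map module file name -> set of pam.d service files that load it."""
    found = {}
    for cfg in Path(pam_d).iterdir():
        if not cfg.is_file():
            continue
        text = cfg.read_text(errors="replace").replace("\\\n", " ")  # join continuation lines
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()  # drop comments; skip blank and @include lines
            if not line or line.startswith("@include"):
                continue
            m = _PAM_LINE.match(line)
            if m:
                found.setdefault(os.path.basename(m.group("module")), set()).add(cfg.name)
    return found

def unexpected_modules(pam_d, allowlist):
    """Modules wired into the authentication stack that are not on the approved list."""
    return {m: refs for m, refs in referenced_modules(pam_d).items() if m not in allowlist}

def module_inventory(lib_dir):
    """SHA-256 of each shared object in a PAM module directory (path depends on the distro)."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(Path(lib_dir).glob("*.so*")) if p.is_file()}

def inventory_drift(baseline, current):
    """File names added, removed, or whose contents changed since the baseline snapshot."""
    return {n for n in baseline.keys() | current.keys() if baseline.get(n) != current.get(n)}

def demo():
    """Constructed sample: a fake pam.d tree and module directory under a temp path."""
    root = Path(tempfile.mkdtemp())
    pam_d, lib = root / "pam.d", root / "security"
    pam_d.mkdir(); lib.mkdir()
    (pam_d / "sshd").write_text("# constructed\nauth required pam_env.so\n"
        "-auth [success=1 default=ignore] pam_unix.so nullok\n@include common-auth\n"
        "session optional pam_unexpected.so\n")  # pam_unexpected.so is a placeholder name
    (pam_d / "login").write_text("auth required /lib/security/pam_unexpected.so\n")
    (lib / "pam_unix.so").write_bytes(b"baseline")
    before = module_inventory(lib)
    (lib / "pam_unix.so").write_bytes(b"tampered")    # simulated in-place modification
    (lib / "pam_extra.so").write_bytes(b"dropped in")  # simulated newly added module
    return unexpected_modules(pam_d, {"pam_env.so", "pam_unix.so"}), inventory_drift(before, module_inventory(lib))
```

Run the inventory on a freshly built host, store the result off-box, and compare on a schedule; a module that is referenced but unlisted, or a hash that changes outside a package update, is the signal to investigate.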

Core Weakness: Overconfidence in Familiar Systems

This week’s campaigns reveal that familiarity can be a liability — attackers exploited systems, tools, and workflows that teams inherently trust. By masking malicious activity inside legitimate services, they bypassed technical controls and relied on users’ comfort with routine processes to succeed.

Proactive steps for the week:

  1. Patch Urgently: Apply fixes for SharePoint CVEs and NVIDIA Container Toolkit (v1.17.8).
  2. Isolate Critical Systems: Segment hypervisor management interfaces and AI/GPU workloads.
  3. Harden Identity Protocols: Require callback verification for password resets and audit privileged accounts.
  4. Block High-Risk Vectors: Disable SVG scripts in emails and block unsigned drivers.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
