Ransomware, Phishing, and Vulnerability Exploits Targeting Key Sectors from AI to Software Supply Chains

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Cloud Under Siege: Hypervisors Targeted For Sabotage

Virtualization infrastructure, particularly VMware ESXi hypervisors and vCenter management systems, faces escalating attacks aimed at causing systemic disruption. Threat actors are bypassing traditional technical exploits by weaponizing human error, such as social engineering help desk teams to gain privileged access. Once compromised, attackers dismantle virtual environments, triggering operational paralysis and financial loss. Organizations must treat hypervisors as critical assets, not just infrastructure. Enforce identity isolation for administrative accounts, integrate behavioral analytics into support workflows, and mandate callback verification for high-risk requests.

2. Multi-Monetization Models Emerge: Ransomware Meets Espionage

Sophisticated actors now blend financially motivated ransomware with nation-state espionage tactics. Two critical attack chains dominated this week:

• SharePoint Zero-Day Exploitation: Attackers weaponized unpatched vulnerabilities (CVE-2025-49704/49706) in Microsoft SharePoint servers. They leveraged the ToolShell exploit chain to deploy dual ransomware strains (LockBit and Warlock), move laterally using PsExec/Impacket, and establish DNS backdoors.
• Container Escape in AI Clouds: A critical flaw in NVIDIA’s Container Toolkit (CVE-2025-23266) enabled full host takeover via malicious LD_PRELOAD injection, risking proprietary AI models and multi-tenant environments.
  Patch within 24 hours, segment high-value workloads, and block unsigned drivers to counter Bring-Your-Own-Vulnerable-Driver (BYOVD) attacks.

3. Credential Theft Accelerates: Trusted Tools Hijacked

Phishing campaigns increasingly abuse legitimate services to bypass defenses:

• Supply Chain Impersonation: Attackers registered typosquatted domains (e.g., pypj[.]org) mimicking PyPI, using reverse proxies to stealthily harvest credentials while redirecting victims to legitimate portals.
• Email Security Subversion: Proofpoint and Intermedia’s link-wrapping services were exploited to redirect users to Microsoft 365 phishing pages via fake voicemail, Teams, or Zoom lures.
• File-Based Evasion: SVG attachments embedded malicious scripts to silently redirect users. Disable auto-link-wrapping for internal emails, enforce MFA for all cloud accounts, and block SVG script execution in email clients.

The Unifying Vulnerability: Human Trust

Every major attack this week exploited human decisions rather than technical flaws. Threat actors consistently manipulated trust in tools, workflows, and communication channels to achieve compromise.

Proactive steps for the week:

• Patch Urgently: Apply fixes for SharePoint CVEs and NVIDIA Container Toolkit (v1.17.8).
• Isolate Critical Systems: Segment hypervisor management interfaces and AI/GPU workloads.
• Harden Identity Protocols: Require callback verification for password resets and audit privileged accounts.
• Block High-Risk Vectors: Disable SVG scripts in emails and block unsigned drivers.