Alright team, a busy 24 hours in the cyber world! We've got some significant updates on nation-state activity, a couple of actively exploited vulnerabilities, a new ransomware decryptor, and a reminder about the ever-evolving privacy landscape. Let's dive in.
Russian Alcohol Retailer Hit by Ransomware 
- WineLab, a major Russian alcohol retailer and part of Novabev Group, has shut down its stores and online operations following a cyberattack.
- The company confirmed it received a ransom demand and said it will not pay; the demand points to data theft, system encryption, or both.
- While most major Russian-origin ransomware groups typically avoid targeting entities within Russia or CIS, this incident highlights a growing trend of smaller RaaS operations or non-Russian actors breaching such targets.
Bleeping Computer | https://www.bleepingcomputer.com/news/security/russian-alcohol-retailer-winelab-closes-stores-after-ransomware-attack/
Actively Exploited Vulnerabilities
CrushFTP Zero-Day Under Active Exploitation 
- CrushFTP is warning customers about a zero-day vulnerability, CVE-2025-54309, actively exploited to gain administrative access via the web interface.
- The flaw affects versions before CrushFTP v10.8.5 and v11.3.4_23. Exploitation was first observed on July 18th and may have started earlier.
- Indicators of compromise include unexpected changes to MainUsers/default/user.XML and new admin-level accounts with random-looking names such as "7a0d26089ac528941bf8cb998d97f408m". Admins should patch, review logs back to before the first observed exploitation, and restrict the web interface with an IP allowlist or front it with a DMZ instance.
Bleeping Computer | https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-to-gain-admin-access-on-servers/
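A quick triage check for the two indicators above, written for this digest rather than taken from CrushFTP or the article. It assumes the usual layout of one folder per account under the CrushFTP users tree, each holding a user.XML (the advisory names MainUsers/default/user.XML), and flags accounts that are not on your allowlist, have a long random hex name like the reported rogue admin, or whose user.XML changed after a cutoff date you choose. The account names, dates and allowlist in the demo are constructed; it does not read the admin flag inside user.XML, since that needs the file's schema.

```python
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# A long run of hex followed by anything else, like the reported rogue admin name.
RANDOM_NAME = re.compile(r"^[0-9a-f]{20,}\w*$")


def suspicious_accounts(users_dir, known, cutoff):
    """Return (account, reason) pairs for accounts that are not on the allowlist,
    have random-looking names, or whose user.XML changed after `cutoff`
    (a timezone-aware datetime; pick a date before the earliest possible exploitation).
    Assumed layout: <users_dir>/<account>/user.XML."""
    findings = []
    for entry in sorted(Path(users_dir).iterdir()):
        if not entry.is_dir():
            continue
        name = entry.name
        if name not in known:
            findings.append((name, "not on the account allowlist"))
        if RANDOM_NAME.match(name):
            findings.append((name, "random-looking hex account name"))
        user_xml = entry / "user.XML"
        if user_xml.is_file():
            changed = datetime.fromtimestamp(user_xml.stat().st_mtime, tz=timezone.utc)
            if changed > cutoff:
                findings.append((name, f"user.XML modified {changed:%Y-%m-%d %H:%M}Z, after cutoff"))
    return findings


def build_demo_tree(root):
    """Create a constructed users tree for the demo (not real data): one untouched
    legitimate account, a modified 'default' account, and a rogue hex-named account."""
    before = datetime(2025, 6, 1, tzinfo=timezone.utc).timestamp()
    after = datetime(2025, 7, 19, 3, 0, tzinfo=timezone.utc).timestamp()
    for name, stamp in [("alice", before), ("default", after),
                        ("7a0d26089ac528941bf8cb998d97f408m", after)]:
        folder = Path(root) / name
        folder.mkdir(parents=True)
        xml = folder / "user.XML"
        xml.write_text("<user/>")  # placeholder content; only the mtime matters here
        os.utime(xml, (stamp, stamp))


def demo():
    """Run the check over the constructed tree; the allowlist holds only the accounts
    the admin expects to exist."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        cutoff = datetime(2025, 7, 16, tzinfo=timezone.utc)
        return suspicious_accounts(tmp, known={"alice", "default"}, cutoff=cutoff)


if __name__ == "__main__":
    for account, reason in demo():
        print(f"{account}: {reason}")
```

On a real server, call suspicious_accounts() with the path to your MainUsers directory, the set of accounts you created yourself, and a cutoff a day or two before the earliest date exploitation could have begun; a modified "default" account or any hex-named account that you did not create is grounds to restore the users directory from a backup predating the cutoff and rotate credentials.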
Hackers Scanning for TeleMessage Signal Clone Flaw 
- Researchers are observing active exploitation attempts for CVE-2025-48927 in the TeleMessage SGNL app, a Signal clone, which can expose usernames, passwords, and other sensitive data.
- The vulnerability stems from exposing the '/heapdump' endpoint from Spring Boot Actuator without authentication, allowing attackers to download a full Java heap memory dump.
- Organisations using on-premise installations of TeleMessage SGNL should immediately disable or restrict access to the '/heapdump' endpoint and limit exposure of all Actuator endpoints.
Bleeping Computer | https://www.bleepingcomputer.com/news/security/hackers-scanning-for-telemessage-signal-clone-flaw-exposing-passwords/
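Since the exposure here is a plain unauthenticated GET, the scanning is easy to spot in web server access logs. The following detection pass is an added example for this digest, not code from TeleMessage or the researchers: it parses combined-format log lines, keeps requests to actuator endpoints (Spring Boot 1.x served them at the root, e.g. /heapdump; 2.x and later under /actuator/), and separates blocked probes from a 200 response large enough to be an actual heap dump. The log lines, addresses and size threshold are constructed for the demo.

```python
import re
from collections import Counter

# Combined/common log format: client - - [time] "METHOD path HTTP/x" status bytes ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# heapdump is the endpoint CVE-2025-48927 abuses; the others leak config, threads or routes.
ACTUATOR_PATH = re.compile(
    r'/(?:actuator/)?(?:heapdump|env|threaddump|beans|mappings|configprops)(?:\?|$)', re.I
)

# Constructed sample lines for the demo, not taken from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jul/2025:10:02:09 +0000] "GET /actuator/env HTTP/1.1" 200 4821 "-" "python-requests/2.32"
203.0.113.7 - - [18/Jul/2025:10:02:11 +0000] "GET /heapdump HTTP/1.1" 200 104857600 "-" "python-requests/2.32"
198.51.100.23 - - [18/Jul/2025:11:15:40 +0000] "GET /actuator/heapdump HTTP/1.1" 401 0 "-" "curl/8.5.0"
198.51.100.23 - - [18/Jul/2025:11:15:41 +0000] "GET /heapdump HTTP/1.1" 404 153 "-" "curl/8.5.0"
192.0.2.44 - - [18/Jul/2025:12:00:01 +0000] "GET /login HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
"""


def classify(line):
    """Return (ip, path, status, verdict) for a request to an actuator endpoint, else None."""
    m = LOG_LINE.match(line)
    if not m or not ACTUATOR_PATH.search(m["path"]):
        return None
    status = int(m["status"])
    size = 0 if m["bytes"] == "-" else int(m["bytes"])
    # A real heap dump is tens of MB; a small 200 is a landing page or error body.
    if status == 200 and "heapdump" in m["path"].lower() and size > 1_000_000:
        verdict = "heap dump served: assume credentials in memory are exposed"
    elif status == 200:
        verdict = "actuator endpoint reachable without auth"
    elif status in (401, 403):
        verdict = "probe blocked"
    else:
        verdict = "probe, endpoint absent"
    return (m["ip"], m["path"], status, verdict)


def triage(lines):
    """Keep only actuator-related requests, in log order."""
    return [hit for hit in map(classify, lines) if hit]


def by_source(hits):
    """Count actuator probes per client address, to spot scanners."""
    return Counter(ip for ip, _, _, _ in hits)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG.splitlines())
    for ip, path, status, verdict in hits:
        print(f"{ip:15} {status} {path:22} {verdict}")
    print(by_source(hits))
```

A "heap dump served" hit means the credentials, session tokens and message content that were in the JVM's memory at that moment should be treated as disclosed. On the configuration side, Spring Boot exposes only health by default; the weak setting is an exposure list such as management.endpoints.web.exposure.include=* with no authentication in front, and the fix is to narrow it (for example management.endpoints.web.exposure.include=health), set management.endpoint.heapdump.enabled=false, and put the remaining actuator endpoints behind authentication.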
Nation-State Activity, Malware, and Ransomware Updates
UK Sanctions Russian GRU for Cyber Operations and Murders 
- The UK government has sanctioned 18 Russian military intelligence officers and three GRU units (26165, 29155, 74455) for cyber reconnaissance operations linked to civilian targeting in Ukraine and destabilisation efforts in Europe.
- The UK specifically attributes the 'Authentic Antics' malware to Unit 26165 (APT28/Fancy Bear): a credential stealer aimed at Microsoft 365 accounts that exfiltrates what it collects by emailing it from the victim's own mailbox, with the outgoing messages hidden from the Sent folder.
- This action underscores the UK's commitment to exposing and countering hybrid threats, with international allies like the EU and NATO issuing solidarity statements.
The Record | https://therecord.media/uk-sanctions-gru-personnel-accused-murder-civilians-ukraine
CyberScoop | https://cyberscoop.com/uk-sanctions-russian-hackers-spies-as-us-weighs-its-own-punishments-for-russia/
Bleeping Computer | https://www.bleepingcomputer.com/news/security/uk-ties-russian-gru-to-authentic-antics-credential-stealing-malware/
Singapore Accuses Chinese APT of Critical Infrastructure Attacks 
- Singapore's Minister for National Security, K. Shanmugam, has publicly accused Chinese espionage group UNC3886 of actively targeting the nation's critical infrastructure.
- UNC3886 is known for exploiting routers, network security appliances and virtualisation platforms (Juniper, Fortinet and VMware among them) to plant custom backdoors, prioritising stealth and long-term persistence in the defence, technology, and telecommunications sectors.
- This ongoing threat highlights the potential for cascading impacts on business operations and supply chains, urging a re-evaluation of vendor trust and system security.
The Record | https://therecord.media/singapore-accuses-chinese-backed-hackers-critical-infrastructure-attacks
Free Decryptor Released for Phobos and 8Base Ransomware 
- The Japanese National Police Agency, in collaboration with Europol and the FBI, has released a free decryptor for victims of Phobos and its spin-off, 8Base ransomware.
- The tool handles files carrying extensions such as ".phobos", ".8base", ".elbie", ".faust", and ".LIZARD", and reportedly builds on material recovered during recent law enforcement disruptions and the arrests of key operators.
- Victims are strongly encouraged to try the decryptor, available on the Japanese police website and NoMoreRansom platform, even if their file extensions aren't explicitly listed, as it has been confirmed to successfully decrypt files from recent variants.
Bleeping Computer | https://www.bleepingcomputer.com/news/security/new-phobos-ransomware-decryptor-lets-victims-recover-files-for-free/
The Record | https://therecord.media/decryptor-phobos-8base-ransomware-japan-national-police
Arch Linux AUR Packages Spread Chaos RAT Malware 
- Arch Linux has removed three malicious packages ("librewolf-fix-bin", "firefox-patch-bin", "zen-browser-patched-bin") from its Arch User Repository (AUR) that were installing the CHAOS remote access trojan (RAT).
- The packages, uploaded by user "danikpapas", listed a GitHub repository in their source array; code fetched from that repository ran during the build/installation step.
- Users who installed these packages should look for and delete a suspicious "systemd-initd" executable, likely under /tmp, and then treat the host as potentially compromised: check for persistence and rotate any credentials or keys stored on it.
Bleeping Computer | https://www.bleepingcomputer.com/news/security/arch-linux-pulls-aur-packages-that-installed-chaos-rat-malware/
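The lesson is that a PKGBUILD is a shell script you run, so it deserves a read before makepkg. The audit below is an added example for this digest, not tooling from Arch or the AUR: it pulls the source and checksum arrays out of a PKGBUILD, flags git checkouts (odd for a -bin package that should ship a prebuilt upstream archive), fetches from hosts you have not reviewed, 'SKIP' checksums that disable integrity checking, and build lines that execute or download content; it also looks for the dropped "systemd-initd" file. The sample PKGBUILD, the example hosts and the reviewed-host list are constructed, and github.com is deliberately left off that list so fetches from it surface for manual review.

```python
import re
import shlex
from pathlib import Path
from urllib.parse import urlparse

# Hosts you have reviewed as legitimate sources for the package you are inspecting.
# Assumption: illustrative list; github.com is left off on purpose so any fetch from it
# surfaces for a human look, since that is where the malicious code lived.
REVIEWED_HOSTS = {"releases.example.org", "archlinux.org", "gitlab.com"}

# Commands that, at the head of a line, execute fetched content or pull more of it.
EXEC_CMDS = {"bash", "sh", "curl", "wget", "eval", "nohup", "python", "python3"}

# Where to look for the dropped RAT binary; the advisory names it and points at /tmp.
IOC_GLOBS = [("/tmp", "systemd-initd*")]

# Bash array assignments such as source=(...) or sha256sums=(...), possibly per-arch.
ARRAY = re.compile(r'^(?P<key>(?:source|\w+sums)(?:_\w+)?)=\((?P<body>.*?)\)', re.M | re.S)

# Constructed PKGBUILD for the demo; it is not the real malicious package.
SAMPLE_PKGBUILD = """\
# Constructed PKGBUILD for illustration; not the real malicious package.
pkgname=example-browser-patch-bin
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("https://releases.example.org/browser-1.0.tar.xz"
        "patch::git+https://github.com/example-user/example-repo.git")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')
build() {
  cd "$srcdir/patch"
  bash ./setup.sh
}
package() {
  install -Dm755 "$srcdir/browser/browser" "$pkgdir/usr/bin/browser"
}
"""


def arrays(text):
    """Yield (key, [entries]) for each bash array assignment the regex finds."""
    for m in ARRAY.finditer(text):
        yield m["key"], shlex.split(m["body"])


def audit(text):
    """Return (kind, detail) findings worth a human look before running makepkg."""
    findings = []
    for key, entries in arrays(text):
        if key.startswith("source"):
            for entry in entries:
                # PKGBUILD sources may be written as localname::url
                name, _, url = entry.partition("::") if "::" in entry else ("", "", entry)
                label = name or url.rsplit("/", 1)[-1]
                if url.startswith(("git+", "git://")) or url.endswith(".git"):
                    findings.append(("git-source", f"{label}: git checkout {url} (unusual for a -bin package)"))
                host = urlparse(url).netloc
                if host and host not in REVIEWED_HOSTS:
                    findings.append(("unreviewed-host", f"{label}: fetched from {host}"))
        elif "SKIP" in entries:
            findings.append(("skip-checksum", f"{key}: 'SKIP' disables integrity checking for at least one source"))
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        tokens = re.findall(r"[A-Za-z0-9_./-]+", stripped)
        if tokens and tokens[0] in EXEC_CMDS:
            findings.append(("build-exec", f"line {lineno}: {stripped}"))
    return findings


def find_ioc(globs=IOC_GLOBS):
    """Return paths matching the known dropped-file name; empty on a clean host."""
    return [str(p) for base, pattern in globs for p in Path(base).glob(pattern)]


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_PKGBUILD):
        print(f"[{kind}] {detail}")
    print("IoC hits:", find_ioc() or "none")
```

Run audit() on the PKGBUILD text of anything you are about to build from the AUR; none of the findings is a verdict on its own (plenty of honest packages fetch from GitHub or run a script in build()), but a -bin package that clones a personal repository with a 'SKIP' checksum and then executes a script from it is exactly the shape of the packages pulled here. find_ioc() only covers the one file name the advisory gives, so a hit is confirmation, not a clean bill of health.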
Social Engineering and AI: The New Zero-Day? 
- Former IDF cyber chief Ariel Parnes highlights that social engineering, rather than zero-days, is increasingly the primary concern for cyber defenders, as demonstrated by groups like Scattered Spider and Iranian APTs.
- Generative AI significantly enhances social engineering capabilities by automating reconnaissance and enabling the creation of highly convincing phishing emails, fake documents, and spoofed websites at scale.
- This shift means attackers don't need advanced cyber weapons; they just need to understand target organisations, people, language, and culture, making the threat more scalable and effective.
The Register | https://go.theregister.com/feed/www.theregister.com/2025/07/19/idf_cyber_chief_iran/
Data Privacy and AI Terms of Service
AI and Terms of Service: A Privacy Minefield 
- Companies integrating AI are updating their Terms of Service (ToS), causing user backlash over data usage for AI model training, as seen with WeTransfer.
- WeTransfer faced significant user anger after a ToS change granted broad licensing permissions for content, including for "improving performance of machine learning models," despite denying intent to use files for AI training.
- This incident highlights the "AI trust crisis" where users are wary of how their data is used, underscoring the need for clear, transparent communication from companies regarding AI features and data handling.
The Register | https://go.theregister.com/feed/www.theregister.com/2025/07/18/llm_products_terms_of_service/