Daily Brief

Articles are listed below; each title is followed by a generated summary.

2025-07-23 18:10:38 | theregister | DATA BREACH | Over 400 Organizations Targeted in Microsoft SharePoint Attacks
More than 400 organizations globally have been impacted by a series of cyberattacks exploiting vulnerabilities in Microsoft SharePoint. The attacks came in multiple waves starting on July 17, with significant breaches including the US Department of Energy (DOE) and its National Nuclear Security Administration. DOE confirmed only a minimal impact, crediting robust cybersecurity measures and a quick mitigation response. Other victims include additional government agencies and key sectors such as telecommunications and software. The vulnerabilities exploited were identified as the remote code execution bug CVE-2025-53770 and the security bypass flaw CVE-2025-53771, both addressed in Microsoft's recent updates. Microsoft acknowledged the exploitation only after initial reports; both Google and Microsoft attribute the activity to Chinese cyberspies. Patching of affected SharePoint versions and mitigations for impacted systems are underway across the victim organizations.
2025-07-23 17:26:46 | bleepingcomputer | CYBERCRIME | Clorox Sues Cognizant for $380M Over Catastrophic Cyberattack
Clorox is suing Cognizant for gross negligence following a major cyberattack in August 2023 that was facilitated by a social engineering scheme. Hackers, identified as Scattered Spider, accessed Clorox systems by convincing Cognizant's help desk to reset an employee's password without proper verification. The breach led to network paralysis, halted manufacturing, widespread product shortages, and significant business disruption for Clorox. Clorox claims Cognizant failed to follow established security procedures for credential verification, leading to unauthorized access and the spread of the breach. The lawsuit alleges that Cognizant's mishandling of the incident response exacerbated the situation, causing prolonged network downtime and ineffective containment. Clorox is seeking $49 million for direct remediation costs and a total of $380 million in damages for breach of contract and negligence. The incident highlights critical weaknesses in third-party vendor management and the importance of rigorous identity verification protocols in cybersecurity.
2025-07-23 17:18:00 | thehackernews | MALWARE | Mimo Threat Actor Exploits Magento, Docker for Crypto Mining
The threat actor Mimo has transitioned from targeting Craft CMS to exploiting Magento CMS and misconfigured Docker instances to deploy cryptocurrency miners and proxyware. Mimo's operations have grown in sophistication, suggesting preparation for more financially lucrative criminal activities beyond cryptojacking. The attack exploits PHP-FPM vulnerabilities via a Magento plugin and uses that foothold to drop GSocket for persistent, stealthy access through a reverse shell. Techniques include using memfd_create() for in-memory execution of an ELF binary loader called "4l4md4r," which deploys the IPRoyal proxyware and the XMRig miner without leaving traces on disk. Mimo modifies the "/etc/ld.so.preload" file to inject a rootkit that hides the mining and proxyware tools, maximizing monetization of compromised machines. Using CPU resources for mining and bandwidth for proxy services at the same time allows continuous revenue generation even if the mining activity is detected and halted. Datadog has also observed Mimo exploiting publicly accessible Docker instances to spread its malware further and achieve persistence on compromised systems.
2025-07-23 16:24:47 | bleepingcomputer | NATION STATE ACTIVITY | US Nuclear Weapons Agency Targeted in Zero-Day SharePoint Hack
Unknown threat actors exploited a Microsoft SharePoint zero-day vulnerability to breach the National Nuclear Security Administration's (NNSA) network. The Department of Energy confirmed limited impact from the breach, citing robust cybersecurity measures and cloud usage. The attacks, linked to Chinese state-sponsored groups, targeted internet-facing SharePoint servers and affected over 400 servers globally. Earlier incidents in 2019 involved Russian state hackers using a trojanized SolarWinds Orion update to breach similar US systems. There is no evidence that sensitive or classified information was compromised in the current breach. Cybersecurity agencies, including CISA, have urged immediate action to secure systems against the exploited vulnerabilities. Ongoing investigations seek to establish the full scope of the exploitation and identify any additional threat actors involved.
2025-07-23 16:08:58 | theregister | MISCELLANEOUS | VMware Patch Access Denied for Some Perpetual Licensees
Broadcom's VMware unit is currently preventing some customers with perpetual licenses from accessing necessary security patches. The affected customers are those without current support contracts, which the company will not renew unless they convert to subscription models. This exposes users to increased cyber risk, particularly as VMware has issued multiple security advisories for critical flaws in 2025. CEO Hock Tan had promised in April 2024 free access to zero-day patches for supported vSphere versions to ensure security for perpetual license holders. Because recent changes to the support portal require entitlement validation, patch downloads have been delayed, with some users reporting a 90-day wait time. A VMware spokesperson said a separate patch delivery cycle for non-entitled customers will be implemented, though no specific date has been provided. A Dutch court mandated continued support for at least two years for Rijkswaterstaat, a government agency, highlighting the severity and legal implications of Broadcom's support policy changes.
2025-07-23 16:00:17 | bleepingcomputer | MALWARE | NPM 'is' Package Compromise Infects Millions with Malware
The popular NPM package 'is' was compromised through a supply chain attack that placed backdoor malware into the software. With over 2.8 million weekly downloads, the compromise of 'is' exposed numerous development environments after maintainer accounts were hijacked via phishing. Compromised versions ranged from 3.3.1 to 5.0.0 and were available for several hours before being removed, creating a window for extensive malware spread. The malware enabled remote code execution, retrieved system information, and established a WebSocket connection to exfiltrate the data. Other packages such as 'eslint' were also affected by similar attacks, containing infostealers targeting data in web browsers. The attack pattern included using a fake domain to capture maintainer credentials and manipulate package versions. Recommended remediation includes password and token resets, disabling auto-updates, and using lockfiles to protect dependencies against unauthorized changes.
2025-07-23 15:16:21 | bleepingcomputer | NATION STATE ACTIVITY | US Nuclear Security Agency Hacked via SharePoint Zero-Day
The breach occurred at the National Nuclear Security Administration (NNSA), leveraging a recently patched Microsoft SharePoint zero-day. The Department of Energy confirmed minimal impact due to robust cybersecurity measures and rapid containment efforts. No sensitive or classified data was reportedly compromised in the attack on NNSA. Chinese state-sponsored groups were identified by Microsoft and Google as exploiting the SharePoint vulnerabilities in global attacks. Over 400 servers were infected and 148 organizations breached globally, according to cybersecurity firm investigations. The attack is reminiscent of the 2019 breach by APT29, a Russian state-sponsored group, using compromised SolarWinds software. CISA has responded by adding the exploited vulnerability to its catalog, ordering prompt security measures by U.S. federal agencies.
2025-07-23 15:06:26 | theregister | MISCELLANEOUS | Essential Security Questions Every Leader Should Address
Security teams must ensure full visibility of all devices accessing their environment to close security gaps. Microsoft identifies unmanaged devices as a major risk, with 90% of successful ransomware attacks originating from these devices. Scattered device data and the reality of shadow IT and remote work complicate maintaining a real-time, accurate device inventory. The enforcement and proper scoping of Multi-Factor Authentication (MFA) and access controls remain pivotal yet challenging for security teams, with 99.9% of account compromises affecting accounts without MFA according to Microsoft. Security tests against modern attack techniques are crucial, with static defenses often bypassed by new, innovative attack strategies. Prelude is enhancing security response by aggregating data across multiple security platforms into a unified dashboard, allowing for real-time security insights and optimizations. Prelude’s platform also includes capabilities for simulating attacks to test and validate security measures, ensuring defenses are effective against actual threats.
2025-07-23 14:40:01 | bleepingcomputer | CYBERCRIME | Effective Strategies to Protect Active Directory from Kerberoasting
Kerberoasting is a cyberattack method that targets service accounts in Microsoft Active Directory through the Kerberos authentication protocol. Attackers leverage the low risk of detection and freely available tools to identify accounts with Service Principal Names (SPNs) and subsequently crack their passwords. The primary defense against Kerberoasting is a robust password policy, such as enforcing unique, long passphrases and blocking known compromised passwords. Specops Software provides tools such as Specops Password Policy and Specops Password Auditor to improve Active Directory security by preventing weak and reused passwords. Multi-factor authentication (MFA) is crucial for protecting accounts against initial access, which is a prerequisite for launching a Kerberoasting attack. An exportable report from tools such as Specops Password Auditor can help identify and secure stale accounts, which are commonly exploited in Kerberoasting. Verizon's Data Breach Investigations Report notes that stolen credentials play a role in approximately 44.7% of data breaches, underlining the importance of secure authentication practices. Organizations are encouraged to adopt comprehensive, compliant password policies to protect against the password cracking techniques used in Kerberoasting.
2025-07-23 13:56:13 | theregister | CYBERCRIME | Clorox Sues Cognizant for $380M Over Password Leak Leading to Cyberattack
Clorox is suing Cognizant for $380 million, alleging negligence in handling cybersecurity which facilitated a major cyberattack. The lawsuit claims that Cognizant’s service desk improperly handed over Clorox staff credentials to a cybercriminal, violating security protocols. Clorox reported severe disruptions to its operations due to the cyberattack, including paused manufacturing and substantial sales losses. The cybercriminals were able to penetrate further into the network by targeting additional IT security credentials and manipulating multi-factor authentication settings. Clorox criticizes Cognizant's sluggish response in reinstating critical cybersecurity tools and handling the aftermath of the attack. Despite Clorox’s efforts to remove the intruders within three hours of the breach, the impact included prolonged manual processes and operational downtime. Clorox seeks a jury trial and substantial damages, highlighting significant financial and operational damages resulting from the incident.
2025-07-23 13:46:12 | bleepingcomputer | CYBERCRIME | Ukraine Captures Key Administrator of Major Russian Hacking Forum
Ukrainian authorities, working closely with French law enforcement and Europol, have arrested the suspected administrator of XSS.is, a prominent Russian-speaking cybercrime forum. The arrest was based on evidence gathered during a four-year investigation by the Paris public prosecutor's office into ransomware and other cybercriminal activities connected to the forum. Although XSS.is banned ransomware topics in 2021, intercepted communications on the encrypted Jabber platform revealed ongoing illicit cyber operations generating millions in profits. French police penetrated the 'thesecure.biz' server, used by threat actors for secure messaging, to conduct surveillance and collect evidence, which led to the identification of the forum's administrator. The judicial inquiry into the forum's activities includes charges of complicity in attacks on data processing systems, extortion, and criminal conspiracy. With over 50,000 users, XSS.is is a central hub where cybercriminals trade malware and access to compromised systems and discuss illegal activities; the arrest could lead to further arrests and reduced forum activity as the risk of law enforcement action rises. The operation follows a pattern of increased international cooperation against cybercrime, evidenced by recent similar operations against other cybercrime networks.
2025-07-23 13:30:38 | bleepingcomputer | CYBERCRIME | CISA Alerts on Active Exploitation of SysAid Software Vulnerabilities
CISA has issued a warning about active exploitation of two vulnerabilities in SysAid IT service management software. Attackers are using these flaws, CVE-2025-2775 and CVE-2025-2776, both unauthenticated XML External Entity (XXE) issues, to gain administrator access. The vulnerabilities were first reported in December 2024 and patched in March 2025 with SysAid On-Prem version 24.4.60. Following the patch, proof-of-concept code was released showing how easily these vulnerabilities could be exploited to access sensitive information. U.S. Federal Civilian Executive Branch (FCEB) agencies are required to patch their systems by August 12 under Binding Operational Directive 22-01. Although the directive applies to federal agencies, CISA has urged all organizations to prioritize these patches because of the high risk and prevalence of the exploits. Numerous SysAid instances, primarily in North America and Europe, remain vulnerable and exposed online. Previous exploitation of a different SysAid vulnerability by the cybercrime group FIN11 in 2023 resulted in ransomware deployment, although no ransomware links have been observed with the current exploits.
2025-07-23 13:23:00 | bleepingcomputer | MISCELLANEOUS | NPM Incorrectly Removes Stylus Library, Disrupting Global Software Builds
NPM removed all versions of the Stylus CSS library and replaced them with a "security holding" page, citing an accidental ban. The incident has caused significant disruption, breaking software builds and pipelines worldwide that depend on Stylus. The removal was apparently triggered by another maintainer associated with the Stylus package, who was banned for publishing malicious packages unrelated to Stylus. A security researcher from Mend.io confirmed that the most recent version of Stylus was clean, suggesting the removal was a mistake tied to the actions of a different maintainer. Developers have been forced to find workarounds, such as referencing the Stylus package dynamically or using npm overrides, to keep their projects working. The npmjs community and Stylus developers are awaiting action from npm to restore the package officially. The event highlights the risks of dependency management in software development and the broad impact that administrative errors in package ecosystems can have.
2025-07-23 13:07:51 | theregister | MISCELLANEOUS | Microsoft Integrates AI Features into Windows 11, Focuses on User Settings
Microsoft's new Windows 11 update introduces several AI features, including Copilot Vision, which captures and analyzes user screen activity and sends data to Microsoft's servers. The new AI capabilities are centralized within Windows 11, which Microsoft has designated as the platform for AI experiences for consumers; these include Recall and improved search functions built on technologies such as optical character recognition and large language models. Copilot Vision is an opt-in service that records screen activity only when activated, unlike its predecessor Recall, which was always active, making it ostensibly less invasive. The update also adds AI-driven functionality across applications, including a reading enhancement tool in Microsoft Word, an immersive reading mode, and AI capabilities in Paint and Snipping Tool. Microsoft is also changing the system error interface: the BSoD becomes a Black Screen of Death, promising a less verbose and more readable error screen. The release includes a new AI-powered agent within Windows Settings that can adjust settings autonomously from natural language instructions, built to run on Copilot+ systems with Qualcomm Snapdragon hardware. Microsoft also introduced the Surface Laptop 5G, which supports advanced AI features aimed at continuous connectivity to Microsoft 365 Copilot and other cloud tools.
2025-07-23 12:59:01 | thehackernews | MALWARE | New Coyote Malware Variant Targets Brazilian Banking Credentials
Coyote malware, first identified by Kaspersky in 2024, has evolved to abuse Microsoft's UI Automation (UIA) framework to steal banking credentials in Brazil. The latest Coyote variant targets 75 banking and cryptocurrency exchange websites to harvest sensitive data. The malware uses Windows accessibility frameworks to intercept user credentials, a method similar to those seen in Android banking trojans. Coyote combines the GetForegroundWindow() API with UIA to identify browser tabs and address bars corresponding to the targeted financial sites and extract information from them. Akamai's recent research shows the malware can operate both online and offline, improving its chances of capturing relevant user information. UIA, part of the .NET Framework, is intended for assistive technologies but can be misused in malware operations, presenting a significant security challenge. Akamai had previously demonstrated a proof of concept in December 2024 showing how UIA could be used for credential theft or executing malicious code.