Daily Brief

Find articles below, see 'DETAILS' for generated summaries

2025-07-22 14:40:38 theregister DATA BREACH Microsoft Issues Critical Updates for SharePoint 2016 Vulnerabilities
Microsoft has released updates for SharePoint Server 2016 to fix critical zero-day vulnerabilities, identified as CVE-2025-53770 and CVE-2025-53771, which were actively exploited and allowed attackers unauthenticated access and full control over the network. The vulnerabilities could let attackers impersonate users or services, maintaining access even after patch application, which prompted an urgent call for administrators to apply patches and enhance security measures. Tens of thousands of on-premises SharePoint servers, including those used by US federal and state agencies, were at risk, though Microsoft 365 users were unaffected. Before the patches, options to mitigate the risk included using Microsoft Defender for Endpoint to block post-exploit activity or disabling server connections to the internet. Microsoft issued guidance to rotate the ASP.NET machine keys and restart Internet Information Services (IIS) to reduce the risk of attackers regaining access post-patch. The exploitation of these vulnerabilities could lead to severe consequences like data theft, password harvesting, and potential access to linked services such as Outlook and Teams. SharePoint Server 2016 is currently in Extended Support, set to end on July 14, 2026, highlighting the critical need for timely security updates and active vulnerability management.
2025-07-22 14:40:37 bleepingcomputer CYBERCRIME Cisco Urges Update After Critical ISE Flaws Exploited
Cisco has identified active exploitation of three critical vulnerabilities in its Identity Services Engine (ISE) platform. The flaws allow remote code execution and arbitrary file execution, posing a maximum severity threat with a CVSS score of 10.0. The vulnerabilities are present in both Cisco ISE and the ISE Passive Identity Connector (ISE-PIC) and can be exploited without authentication. Patches have been issued in ISE versions 3.3 and 3.4, aimed at fully mitigating these security risks. Cisco strongly advises customers to upgrade their systems immediately to prevent potential breaches in network security. There are no viable workarounds for these vulnerabilities, making the application of updates critical. Timely patching and system upgrades are essential in maintaining the integrity and security of large organizational networks against unauthorized access.
2025-07-22 13:15:06 thehackernews CYBERCRIME Cisco Issues Urgent Fixes Amidst Active Exploitation of ISE Flaws
Cisco has updated its advisory on actively exploited vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector. In July 2025, exploits targeting critical-rated ISE flaws were detected, which allow root-level command execution by unauthenticated users. The vulnerabilities enable attackers to bypass network access controls and gain unrestricted access to internal systems. Two of the flaws stem from insufficient input validation, and one from inadequate file validation checks, allowing the placement of malicious files in privileged directories. Attackers exploit these vulnerabilities via crafted API requests or malicious file uploads to affected devices. Cisco has not disclosed specifics regarding the identities of the attackers or the extent of the exploitation. Immediate software updates and vigilant system log reviews for suspicious activities are recommended to mitigate the risks. The high-risk nature of these flaws poses significant threats to critical infrastructure and compliance-sensitive environments.
2025-07-22 13:07:22 thehackernews MALWARE Mexican Targets Hit by Allakore RAT and SystemBC Malware
Mexican organizations are currently targeted in a sophisticated malware campaign involving modified Allakore RAT and SystemBC. The cybercriminal group behind the attacks, known as Greedy Sponge, has been active since early 2021, focusing on financial fraud through credential theft. Greedy Sponge utilizes phishing and compromised ZIP files to deploy malware and enhance its attacks with secondary payloads such as proxy tools. Arctic Wolf Labs notes that Greedy Sponge has evolved its tactics, implementing server-side geofencing to hinder analytical efforts. The campaign, first spotted by the BlackBerry Research team, has remained financially motivated and regionally focused, with limited technological advancements in its operation. Another related attack detailed by eSentire in May 2025 involved a phishing scheme that used a new crypter service called Ghost Crypt to deliver PureRAT efficiently. The malware landscape has been enriched with emerging threats like Neptune RAT and Hijack Loader, which continue to threaten data security through advanced techniques and payload delivery methods.
2025-07-22 13:07:22 bleepingcomputer CYBERCRIME UK Government Plans to Ban Ransom Payments in Public Sector
The UK government intends to prohibit public sector entities from paying ransoms in response to cyberattacks. Affected organizations would include local councils, schools, and the National Health Service (NHS). This measure aims to undermine the profitability of the ransomware model and enhance the security of vital public services. The legislation would require private sector companies to consult the government before potentially violating laws related to sanctioned cybercriminal groups. A mandatory reporting system for ransomware incidents is also set to be developed to aid law enforcement. This strategy emerged following a consultation that started in January, targeting all public bodies and critical infrastructure. Ransomware is deemed the top cybercrime threat in the UK and a significant national security risk, involving prominent institutions like the NHS and the British Library. Recent ransomware incidents at leading UK businesses, like Marks & Spencer and Harrods, underscore the urgency of this new policy.
2025-07-22 12:33:29 theregister CYBERCRIME UK Government to Ban Ransomware Payments by Public Sector
The UK government announced plans to prohibit public sector organizations and critical national infrastructure from paying ransomware demands. The policy is aimed at the NHS, local councils, and educational institutions to counteract the growing threat from cybercriminals. A government consultation showed that almost three quarters of respondents support the proposed ban. Security Minister Dan Jarvis emphasized that the move is designed to disrupt the business model of cybercriminals and protect public services. The proposed regulations are part of the broader Cyber Resilience Bill expected to be introduced to Parliament this year, enhancing enforcement powers and expanding the scope to include data centers and MSPs. Under the new guidelines, failure to implement necessary security updates could lead to fines of £100,000 per day or 10 percent of turnover. The new measures would still require commercial entities to notify the government before making any ransom payment, linking compliance to avoiding payments to sanctioned groups, particularly those based in Russia. The government advises maintaining offline backups and having robust contingency plans in place to mitigate the impacts of cyber-attacks.
2025-07-22 11:27:21 bleepingcomputer NATION STATE ACTIVITY Chinese Hackers Exploit Microsoft SharePoint in Global Attacks
Chinese-linked threat actors targeted multiple organizations worldwide by exploiting zero-day vulnerabilities in Microsoft SharePoint. The attack utilized a vulnerability chain known as "ToolShell," initially identified in on-premises SharePoint servers and linked to nation-state actors. Dutch cybersecurity experts detected the attacks, revealing that at least 54 organizations, including multinational corporations and government entities, were breached. Microsoft responded by patching the vulnerabilities (CVE-2025-49706 and CVE-2025-49704) in its July updates, later reassigning them new CVE IDs due to ongoing exploitation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) categorized one exploit as "known exploited" and mandated that federal agencies apply patches promptly. After the initial patches, Microsoft issued additional emergency patches for several versions of SharePoint to tackle the remote code execution flaws. Following the release of security measures, a proof-of-concept exploit for CVE-2025-53770 was also published on GitHub, potentially facilitating further attacks by other malicious actors.
2025-07-22 11:04:54 thehackernews MISCELLANEOUS Guide to Transitioning from SOC Manager to CISO Role
Transitioning from SOC manager to CISO involves developing leadership skills and aligning security practices with business objectives. Critical skills for CISOs include strategic thinking, business acumen, effective communication, and service management. CISOs must communicate technical risks in business terms and manage security decisions impacting financial and operational aspects. Future CISOs should increase visibility in their roles, sharing notable contributions and engaging in broader business initiatives. Understanding the varying reporting structures in different organizations is essential, as CISOs can report to CIOs, CFOs, or CROs depending on the company. The role of a CISO transcends technical duties, requiring strategic decision-making and comprehensive risk management. Proactively seeking leadership roles and demonstrating readiness for executive responsibilities are important for career advancement. Networking and continuous learning through formal education and certifications are also crucial for aspiring CISOs.
2025-07-22 10:49:24 theregister MISCELLANEOUS Cybersecurity Insights from Speedruns and Open Source Challenges
Ethical hacker John Hammond demonstrates techniques for analyzing potential malware in open-source projects. His analysis focuses on Talon, a Windows de-bloater considered suspicious by some due to its methods of modifying system-level settings. Open-source code is subject to scrutiny by the community, which supposedly enhances security under the 'many eyeballs' theory. Hammond navigates through complex Python and PowerShell scripts to demonstrate Talon's functionality and intentions. The potential for open-source code to inadvertently trigger malware scanners is highlighted. Successful cybersecurity approaches involve understanding both the technical logic and the broader impact of coding decisions. The article suggests incorporating defensive coding practices to avoid misinterpretation of software actions as malicious. Open-source software can gain trust and avoid suspicion through clear documentation and community engagement.
2025-07-22 08:05:15 thehackernews NATION STATE ACTIVITY SharePoint Zero-Day Attacks Target Governments, Telecoms Globally
Critical Microsoft SharePoint vulnerabilities were exploited as of July 7, 2025, targeting sectors including government and telecom across North America and Western Europe. Attackers used sophisticated techniques to leverage newly discovered SharePoint Server vulnerabilities for initial access and privilege escalation. The exploited SharePoint flaws allowed unauthenticated remote code execution and theft of sensitive cryptographic keys, establishing persistent unauthorized access. Detected exploitation efforts originated from three distinct IP addresses, one of which was tied to the weaponization of earlier security flaws. Analysis detected extensive and selective targeting of organizations with strategic value, involving early reconnaissance and exploitation. Notable security firms such as Check Point, Bitdefender, Palo Alto Networks, and SentinelOne have conducted detailed analyses, underscoring the urgency and complexity of the campaign. The activity is tentatively attributed to a China-aligned hacking group, emphasizing a significant nation-state threat and global security impact. Immediate remedial actions recommended include applying SharePoint patches, rotating keys, and staying vigilant for signs of exploitation even after patching.
2025-07-21 22:52:57 theregister DATA BREACH Dell Downplays Data Theft Incident with WorldLeaks Extortion Attempt
Dell confirmed a breach in its IT environment in which data was stolen, but asserts the stolen content was predominantly synthetic or "fake" data. WorldLeaks, the successor to the Hunters International group, claimed to have stolen 1.3 TB of data from Dell to extort a payment. According to Dell, 416,103 files were compromised, primarily used within a controlled environment for product demonstration and testing. The targeted environment was Dell's Solution Center, intentionally isolated from critical customer, partner, and operational systems. Dell did not disclose the quantity of stolen data or the ransom amount demanded by the criminals. Dell reassured that no sensitive, customer, or partner data was affected and emphasized its commitment to combating online criminal threats. The incident is contrasted with a serious breach last year in which 49 million customer records were compromised.
2025-07-21 21:31:48 bleepingcomputer MISCELLANEOUS Intel Shuts Down Clear Linux OS After a Decade
Intel has announced the termination of its Clear Linux OS project, ending its 10-year run in the open-source ecosystem. Clear Linux, known for its optimizations for Intel hardware and fast performance, will no longer receive updates or maintenance. Users of Clear Linux OS are urged to migrate to other actively maintained distributions to ensure ongoing security and system stability. The closure is attributed to possible low adoption rates and the high resource demand for maintaining a unique distribution not forked from others. Intel will continue to support the Linux community and provide optimizations for other distributions despite the shutdown of Clear Linux OS. The ending of this project is part of Intel's broader strategy to streamline operations and cut down on niche projects with limited strategic value. The Clear Linux OS GitHub repository will be archived in read-only mode, halting any further contributions or updates to the codebase.
2025-07-21 20:00:09 theregister NATION STATE ACTIVITY Major Nation-State Hack Exploits Microsoft SharePoint Vulnerability
Government-backed hackers have exploited a critical zero-day vulnerability in Microsoft SharePoint Server, tracked as CVE-2025-53770, following Microsoft's partial resolution attempt in a prior security update. The vulnerability allows attackers to seize control of SharePoint servers to steal sensitive data, deploy backdoors, and exfiltrate cryptographic keys. The US Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre have reported that attacks are underway, affecting sectors such as government, telecommunications, and education globally. Over 205,000 potentially vulnerable instances have been identified, with initial attacks targeting a "major Western government." Despite patches and security advisories, attacks continue, highlighting the strategic importance of compromising widely used platforms such as Microsoft's products. Security professionals advocate rapid implementation of mitigations and thorough investigations even after patches are applied, emphasizing that patching alone is insufficient because systems may have been compromised before the patch. Experts stress that this series of breaches likely represents a sophisticated espionage effort by nation-state actors, with widespread implications for global security architecture.
2025-07-21 19:37:28 bleepingcomputer DATA BREACH Ring Denies Data Breach Amid Users' Reports of Suspicious Logins
On May 28th, many Ring users observed unauthorized devices logging into their accounts from various global locations. Ring attributed the suspicious activity to a backend update bug, stating it caused inaccurate display of logins dated May 28, 2025. Customers expressed skepticism about Ring's explanation, citing specific instances of devices and locations they had never used or visited. User complaints included seeing devices named after unknown persons and logins from foreign countries, inconsistent with their own travel history. Some users also reported live view activity during periods when they had not accessed their accounts, and a lack of security alerts or multi-factor authentication prompts for new devices. Despite Ring's reassurance that there was no unauthorized access, users are advised to review their account's authorized devices and update security settings, including passwords and two-factor authentication. BleepingComputer has reached out to Ring for further clarification in response to persistent user concerns and anomalies.
2025-07-21 17:28:31 thehackernews NATION STATE ACTIVITY Iran-Linked Spyware DCHSpy Targets Dissidents Via Fake VPN Apps
Lookout security researchers uncovered Android spyware linked to the Iranian Ministry of Intelligence and Security (MOIS), disguised as VPN apps. The malware, named DCHSpy, was first seen in July 2024 and is attributed to the Iranian nation-state group MuddyWater. DCHSpy is capable of collecting extensive user data including WhatsApp conversations, SMS, call logs, and location, and can record audio and take photos. The spyware targets dissidents, activists, and journalists, particularly those opposing the Iranian regime, by mimicking apps such as Earth VPN, Comodo VPN, and Hide VPN. Its distribution has been strategically timed to align with recent Middle-Eastern conflicts, suggesting an ongoing cyber-espionage campaign. DCHSpy uses tactics and infrastructure similar to another Android malware, SandStrike, also known for targeting Persian speakers via deceptive VPN apps. The discovery highlights an increase in cyber threats in the Middle East, with various malware families, including AridSpy and SpyNote, focusing on mobile surveillance. The spyware's use of lures linked to Starlink, following its recent activation and subsequent ban in Iran, underscores the geopolitical aspect of this cyber threat.