SparTech Software – Cybersecurity News Bytes (July 21, 2025 7:31 AM)

Cybersecurity News Update – July 21, 2025

Massive Global Cyberattack Targets Microsoft SharePoint: Unauthenticated Remote Code Execution and System Takeover

Scope and Scale of the Attack

A newly discovered zero-day vulnerability has triggered a sweeping cyberattack against Microsoft SharePoint Server installations worldwide. Multiple US federal agencies, European governmental organizations, research universities, an energy company, and an Asian telecommunications provider have been breached. Attackers exploited the flaw to gain unrestricted access to SharePoint environments, raising the risk profile for thousands of organizations.

Technical Details: CVE-2025-53770 Zero-Day Vulnerability

The core issue, tracked as CVE-2025-53770, is a deserialization of untrusted data vulnerability, classified under CWE-502. This flaw exists in on-premises Microsoft SharePoint Server environments. Adversaries can remotely execute arbitrary code without authentication, granting complete control over targeted servers. Once exploited, attackers may view or alter file systems, access sensitive configuration data, and run malicious payloads throughout organizational networks.

Risks and Impact Analysis

Exploitation of this vulnerability enables malicious actors to penetrate SharePoint content repositories and underlying infrastructures. Threat actors can leak proprietary information, implant persistent backdoors, and pivot to other critical systems within a breached environment. With unauthenticated network access, the attack surface expands substantially, heightening the risk of data exfiltration and operational disruption.

Incident Response and Urgency of Mitigation

The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive mandating organizations implement immediate defensive measures. Microsoft has rolled out an urgent patch for one software version, while updates for two others are still pending. CISA also recommends enabling Anti-Malware Scan Interface (AMSI) integration and deploying Microsoft Defender Antivirus across all SharePoint deployments to block these exploit attempts. The critical mitigation deadline underscores how actively and broadly the vulnerability is already being abused in the wild.

Technical Recommendations

  • Apply all available patches and security updates as soon as they are released by Microsoft.
  • Configure AMSI integration within SharePoint to enhance detection of advanced payloads.
  • Deploy endpoint and network monitoring solutions to identify anomalous SharePoint activity.
  • Restrict and audit user access privileges, especially for service and administrative accounts within SharePoint environments.
  • Review and update incident response plans focusing on rapid SharePoint compromise containment and recovery.

UK NCSC Identifies ‘Authentic Antics’ Malware as Russian State Tool, Issues Fresh Sanctions

Attribution and Geopolitical Context

The UK’s National Cyber Security Centre (NCSC) has formally attributed a sophisticated malware campaign to Russia’s military intelligence agency (GRU), specifically its APT28 group. The malware, dubbed ‘Authentic Antics’, surfaced as part of ongoing hybrid operations targeting European and American public sector entities.

Malware Functionality and Persistence Tactics

Authentic Antics is engineered to enable continuous, covert access to Microsoft cloud accounts across compromised organizations. The malware masquerades as legitimate activity, periodically prompting victims with convincing login windows to harvest account credentials and OAuth authentication tokens. This enables attackers to retain access to Microsoft services with minimal detection risk.

The stolen authentication tokens and credentials are stealthily exfiltrated by sending emails from the victim’s account to external, threat-actor-controlled inboxes. The malware specifically deletes evidence of these outbound emails, bypassing typical detection through users’ sent folders.

Target Profile and Operational Impact

Strategic victims include key government ministries, public infrastructure operators, scientific research institutions, and commercial organizations tied to critical infrastructure. Persistent access equips attackers with a means to perform long-term espionage, data theft, and ultimately to establish footholds for broader supply-chain attacks.

National Security Response and Policy Actions

In response, the UK government has enacted targeted sanctions against identified Russian hacker operatives and entities affiliated with the campaign. This aligns with a significant boost in national defense spending aimed at countering escalating state-sponsored cyber threats and reinforcing UK cyber resilience within its newly adopted security strategy.

Detection, Mitigation, and Guidance for Organizations

  • Strengthen multifactor authentication (MFA) and monitor for abnormal cloud authentication events across Microsoft environments.
  • Audit OAuth and token-granting permissions for all third-party applications and integrations.
  • Deploy behavioral detection controls capable of identifying atypical login attempts and credential phishing within cloud service contexts.
  • Review email monitoring configurations to identify anomalous outbound messages, especially those not present in sent folders.
  • Educate staff regarding advanced phishing techniques and promote organizational vigilance against suspicious authentication prompts.
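The send-then-delete exfiltration pattern described above, expressed as a small log-correlation check: an account sends mail to an external domain and then deletes its own sent copy shortly afterwards. This is example code added here, not from the NCSC or the article; the event tuple format, domain names and time window are constructed assumptions rather than any vendor's real audit schema.

```python
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.org"          # assumption: the organization's own mail domain
DELETE_WINDOW = timedelta(minutes=10)    # assumption: how soon after sending a delete counts as suspicious

# Constructed sample events: (timestamp, actor, action, message_id, recipient)
SAMPLE_EVENTS = [
    ("2025-07-20T09:00:00", "alice@example.org", "Send", "m1", "bob@example.org"),
    ("2025-07-20T09:05:00", "alice@example.org", "Send", "m2", "drop@attacker-mail.invalid"),
    ("2025-07-20T09:06:30", "alice@example.org", "HardDelete", "m2", ""),
    ("2025-07-20T10:00:00", "carol@example.org", "Send", "m3", "partner@vendor.invalid"),
    ("2025-07-20T10:01:00", "dave@example.org", "HardDelete", "m9", ""),
]


def parse(ts):
    return datetime.fromisoformat(ts)


def find_send_then_delete(events, internal_domain=INTERNAL_DOMAIN, window=DELETE_WINDOW):
    """Return (actor, message_id, recipient) for every message sent to an
    external recipient whose sent copy the same account deleted within `window`.
    Events are correlated by message_id, so input order does not matter."""
    # First pass: remember outbound messages addressed outside the organization.
    external_sends = {}
    for ts, actor, action, msg_id, rcpt in events:
        if action == "Send" and not rcpt.lower().endswith("@" + internal_domain):
            external_sends[msg_id] = (actor, parse(ts), rcpt)

    # Second pass: flag deletions of those messages by the sending account.
    hits = []
    for ts, actor, action, msg_id, _ in events:
        if action in ("HardDelete", "SoftDelete") and msg_id in external_sends:
            sender, sent_at, rcpt = external_sends[msg_id]
            elapsed = parse(ts) - sent_at
            if sender == actor and timedelta(0) <= elapsed <= window:
                hits.append((actor, msg_id, rcpt))
    return hits


if __name__ == "__main__":
    for hit in find_send_then_delete(SAMPLE_EVENTS):
        print("suspicious send-then-delete:", hit)
```

A normal internal message, an external message that is never deleted, and a deletion with no matching send all pass through unflagged; only the external send followed by a prompt self-deletion is reported.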
