SparTech Software – Cybersecurity News Bytes (July 23, 2025 10:41 AM)

Cybersecurity News – July 23, 2025

Table of Contents

  • 1. US Nuclear Weapons Data Compromised via SharePoint Zero-Day
  • 2. Widespread Exploitation of SharePoint Zero-Day Vulnerability Targets Governments and Tech Firms
  • 3. CISA Issues Emergency Patching Order Amid SharePoint Attacks on U.S. Agencies
  • 4. Interlock Ransomware Targets Critical Infrastructure in North America and Europe
  • 5. UK Proposes Ban on Ransomware Payments for Public Sector and Critical Infrastructure

1. US Nuclear Weapons Data Compromised via SharePoint Zero-Day

Background and Scope of Attack

The National Nuclear Security Administration (NNSA), a core agency managing the U.S. Navy’s nuclear reactor supply for submarines and critical nuclear functions, has confirmed a cybersecurity breach leveraging a Microsoft SharePoint zero-day vulnerability. This breach was reportedly orchestrated by threat actors with alleged ties to the Chinese government. The discovery came shortly after Microsoft reported ongoing exploitation of a previously unknown flaw within its widely deployed SharePoint software.

Technical Details of the Exploit

The exploited vulnerability affects on-premises SharePoint Server deployments; organizations that use only the cloud-based Microsoft 365 SharePoint are not affected. Attackers targeted vulnerable platforms through a zero-day exploit capable of granting them unauthorized access and potentially enabling lateral movement throughout affected network segments.

NNSA and related government entities have stated that sensitive and classified data remained uncompromised. Their confidence is attributed to a strategic migration of core SharePoint operations to the cloud, which limited exposure to the on-premises software flaw.

Breach Containment and Response

The Department of Energy (DOE) spokesperson indicated that only a “very small number of systems were impacted” and the infected infrastructure is in the process of being restored. The breach has emphasized the value of cloud adoption and robust cybersecurity frameworks for safeguarding critical federal operations.

2. Widespread Exploitation of SharePoint Zero-Day Vulnerability Targets Governments and Tech Firms

Timeline and Scale of Attacks

The critical SharePoint vulnerability has been actively exploited since at least July 7, 2025. The first detected cases targeted a major Western government, followed by a marked increase in attacks on the government, telecommunications, and technology sectors, especially on July 18 and 19. The attacks have rapidly spread across North America and Western Europe, indicating a globally coordinated effort.

Technical Tactics and Persistent Threats

Malicious actors have used three distinct IP addresses in the exploit campaigns. Analysis suggests that at least one of these addresses was previously linked to other high-profile exploitation activity involving Ivanti Endpoint Manager Mobile (CVE-2025-4427 and CVE-2025-4428).

Attackers primarily seek to steal cryptographic keys and establish persistent, stealthy access into compromised environments. The nature of the zero-day enables attackers to achieve remote code execution, potentially leading to extended lateral movement and deeper infiltration of enterprise networks.

Risk Mitigation and Recommendations

The threat level remains high, especially for organizations running on-premises SharePoint servers. Security experts are urging swift system updates, along with additional network segmentation and monitoring to detect unusual activity patterns that may indicate compromise.

3. CISA Issues Emergency Patching Order Amid SharePoint Attacks on U.S. Agencies

Urgency from US Cybersecurity Authorities

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive mandating that all U.S. federal agencies immediately patch their on-premises Microsoft SharePoint servers in the wake of active exploitation by suspected Chinese threat actors. This response follows growing evidence of ongoing breaches affecting federal, state, local, and tribal agencies.

Details on Affected Entities and Mitigation

Current estimates indicate that approximately 400 governmental and corporate organizations may have been compromised globally. CISA is collaborating closely with Microsoft, the FBI, and affected entities to assess the full scope, coordinate mitigation, and ensure fast remediation.

Incident Response and Future Outlook

The agency has emphasized the fluidity of the situation, stating that incident investigation is still in early stages and that further vulnerabilities or affected systems may be uncovered as forensic analysis progresses.

4. Interlock Ransomware Targets Critical Infrastructure in North America and Europe

Advisories Target Operators of Essential Sectors

US government agencies have issued a joint cybersecurity advisory warning about the Interlock ransomware threat to critical infrastructure operators across North America and Europe. This ransomware, first identified in late September 2024, has resurfaced with advanced tactics and widespread targeting.

Tactics, Techniques, and Indicators of Compromise

Interlock ransomware targets both Windows and Linux environments and has demonstrated the capability to encrypt virtual machines on either platform. Notably, its initial infection vectors include drive-by downloads from compromised legitimate websites, a relatively uncommon approach among ransomware groups.

Additionally, attackers utilize the “ClickFix” social engineering method, tricking users into executing malware by posing as technical support resolving system issues. Once inside, attackers engage in discovery, credential harvesting, and lateral movement to maximize spread before launching their ransomware payload.

Double Extortion and Operational Defense

Interlock employs a double extortion model in which data is both encrypted and exfiltrated, pressuring victims to pay for both decryption and the promise that stolen data will not be published. The FBI and allied agencies recommend that organizations scan for the known indicators of compromise listed in the advisory and strengthen endpoint, network, and user awareness defenses.

5. UK Proposes Ban on Ransomware Payments for Public Sector and Critical Infrastructure

Policy Proposal and National Security Context

The United Kingdom government has announced plans to introduce a targeted legislative ban on ransomware payments within the public sector and critical infrastructure domains. This proposal aims to undermine financial incentives fueling the ransomware ecosystem and to enhance national cyber resilience.

Scope and Enforcement

The proposed ban would cover government bodies, health sector organizations, and critical infrastructure operators. The effort aims to standardize a non-payment policy and drive investment in prevention, recovery, and resilience measures.

Expected Impact and Sector Response

By closing off ransom payment options for high-value public entities, the policy intends to deter threat actors who frequently target sectors where downtime and data loss pose severe risk. Consultation with stakeholders is ongoing as the government refines the draft legislation.
