SparTech Software – Cybersecurity News Bytes (July 23, 2025 5:03 AM)

Cybersecurity News — July 23, 2025

Table of Contents

  • Active Exploitation of Microsoft SharePoint Zero-Day Elevates Global Security Risk
  • CISA Mandates Immediate SharePoint Patching Amid Sophisticated Chinese Cyberattacks
  • CISA Issues Critical Alert on “ToolShell” Vulnerability Chain Putting On-Premises SharePoint at Severe Risk
  • Interlock Ransomware Campaign Targets Critical Infrastructure: Tactics, Initial Access, and Defensive Measures

Active Exploitation of Microsoft SharePoint Zero-Day Elevates Global Security Risk

Discovery and Timeline of Exploit Activity

A newly disclosed zero-day vulnerability in Microsoft SharePoint has been actively exploited since July 7, 2025, with initial attacks observed against a major Western government entity. The campaign intensified on July 18 and 19 and now targets governments, telecommunications, and technology firms across North America and Western Europe. Threat intelligence researchers have attributed the attacks to multiple sophisticated groups, coordinating offensive operations via at least three different IP addresses. Notably, one of these addresses was previously implicated in prominent endpoint management vulnerabilities.

Tactics, Techniques, and Impact

The attackers exploit a critical vulnerability that enables remote code execution on affected SharePoint systems. This allows the clandestine theft of cryptographic keys and the establishment of persistent access to sensitive networks. These activities enable threat actors to silently access confidential data and maintain footholds for further exploitation, including lateral movement and secondary malware deployment. The fast-moving nature of the incident signals an urgent need for organizations operating SharePoint on-premises to reevaluate their defenses and incident response capabilities.

Recommendations

Security experts strongly urge all organizations to apply official patches and update detection signatures. Network segmentation, vigilant monitoring for anomalous activity, and rapid containment procedures should be implemented without delay. Given the evidence of continued exploitation, reliance on legacy mitigations or incomplete patching strategies may leave critical infrastructure exposed.

CISA Mandates Immediate SharePoint Patching Amid Sophisticated Chinese Cyberattacks

Regulatory Intervention and Urgency

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a strict order compelling federal agencies and critical industry operators to patch Microsoft SharePoint vulnerabilities by July 23. The urgency follows verification that state-sponsored Chinese groups are actively abusing the flaws at scale.

Bypassing Existing Mitigations: Technical Details

Recent research demonstrates that proof-of-concept exploits for CVE-2025-53770 can successfully bypass the Antimalware Scan Interface (AMSI), a Microsoft security feature intended to catch unauthenticated attacks. This means that organizations which have only enabled AMSI, without deploying the full patches, remain vulnerable to advanced threat actors capable of sidestepping this mitigation.

Risks of Incomplete Remediation

The misconception that enabling AMSI is a sufficient defense has contributed to a false sense of security in some organizations. Nation-state adversaries are expected to use public proof-of-concept code in combination with custom techniques to evade detection, emphasizing that only comprehensive patching can address the underlying vulnerabilities.

CISA Issues Critical Alert on “ToolShell” Vulnerability Chain Putting On-Premises SharePoint at Severe Risk

Vulnerability Chain Details

CISA has confirmed a coordinated attack chaining together two SharePoint vulnerabilities: CVE-2025-49706 (network spoofing) and CVE-2025-49704 (remote code execution). This dual-pronged exploit — dubbed “ToolShell” — grants attackers both unauthenticated access (via spoofing) and authenticated access (as a result of arbitrary code execution).

Attack Surface and Technical Mechanisms

With the “ToolShell” chain, adversaries gain potential access to entire file systems, internal configurations, and the ability to stealthily deploy malicious payloads on connected enterprise networks. Public-facing SharePoint deployments are especially susceptible, as attackers can exploit these flaws from external networks to escalate privileges and traverse internal environments.

Response by Microsoft and Security Community

Microsoft, in concert with leading cybersecurity firms, has released patches and technical guidance. Security teams are advised to urgently review deployment architectures, monitor system logs for unusual activity, and escalate any indications of compromise to CISA. Incident reporting has been prioritized to allow real-time threat sharing and coordinated defense.

Interlock Ransomware Campaign Targets Critical Infrastructure: Tactics, Initial Access, and Defensive Measures

Threat Landscape and Victim Profile

U.S. intelligence agencies have documented a surge in Interlock ransomware attacks against critical infrastructure entities in North America and Europe. The campaign, first observed in late September 2024, is associated primarily with financially motivated actors known for opportunistic exploitation.

Technical Attack Flow

Interlock ransomware groups design encryptors for both Windows and Linux, expanding their attack scope to include numerous virtual machine environments. FBI investigations reveal that initial access is often gained through drive-by downloads on compromised legitimate websites, representing a less common but increasingly popular vector among ransomware operators. Additionally, the “ClickFix” social engineering technique has been observed: victims are deceived into executing disguised malicious payloads under the pretense of troubleshooting.

Post-Exploitation Techniques

Once inside, threat actors utilize a range of discovery and credential access tactics to spread laterally across organizational networks. These steps include privilege escalation, internal reconnaissance, and the deployment of ransomware payloads to maximize operational disruption and potential ransom payments.

Guidance for Defenders

Authorities urge immediate implementation of defense-in-depth principles, particularly in the segmentation of critical workloads, proactive patching, and ongoing user security awareness training. Detection and response teams should monitor for indicators of compromise associated with the latest Interlock TTPs and closely follow joint advisories from government cyber agencies.
