SparTech Software – Cybersecurity News Bytes (July 23, 2025 7:38 AM)

Cybersecurity News – July 23, 2025

Table of Contents

  • Active Exploitation of SharePoint Zero-Day Targets Government and Tech
  • CISA Orders Swift Remediation for Microsoft SharePoint Flaws Exploited by Chinese Hackers
  • Interlock Ransomware Campaign Threatens Critical Infrastructure in North America and Europe
  • Operational Technology Cybersecurity Gaps Endanger U.S. Critical Infrastructure

Active Exploitation of SharePoint Zero-Day Targets Government and Tech

Introduction to the Exploit

In July 2025, security researchers identified a critical zero-day vulnerability in Microsoft SharePoint. Attackers began exploiting this vulnerability as early as July 7. The affected sectors include government entities, telecommunications firms, and technology companies, with targeted organizations spanning North America and Western Europe.

Technical Details

The exploitation campaign originates from at least three identified IP addresses. Notably, one IP was previously associated with attacks on Ivanti Endpoint Manager Mobile appliances, indicating an advanced offensive capability. The attacks involve leveraging both spoofing and remote code execution (RCE) vulnerabilities, forming a sophisticated exploitation chain capable of bypassing certain Microsoft security controls like Antimalware Scan Interface (AMSI).

Attackers gain unauthorized access by exploiting two interlinked vulnerabilities, allowing code execution on on-premises SharePoint servers. This grants adversaries persistent access and potential control over sensitive enterprise data, with the exploitation vector used to escalate privileges and implant persistent malware.

Targets and Threat Actors

The initial wave of attacks specifically targeted a major Western government and swiftly expanded to multiple organizations in various sectors. Evidence points to Chinese state-sponsored groups as orchestrators of this campaign, leveraging the flaws for both espionage and disruption.

Response and Recommendations

As the exploitation is ongoing and highly impactful, industry experts urge organizations running SharePoint on-premises to immediately apply available patches and review their systems for signs of compromise. Mitigations that only address the publicly known proof-of-concept exploitation techniques for these vulnerabilities are not sufficient, as bypasses have already been observed in active attacks.

CISA Orders Swift Remediation for Microsoft SharePoint Flaws Exploited by Chinese Hackers

Overview of the Directives

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has named two newly uncovered Microsoft SharePoint vulnerabilities—CVE-2025-49704 and CVE-2025-49706—in its Known Exploited Vulnerabilities catalog. Federal Civilian Executive Branch agencies are mandated to remediate and patch these flaws no later than July 23, 2025.

Technical Chain and Exploitation Characteristics

The vulnerabilities represent a chain of spoofing and remote code execution flaws collectively referenced as ToolShell. Exploitation involves leveraging a spoofed authentication token and chaining it with code execution in SharePoint, resulting in elevation of privilege and full compromise of on-premises deployments.

Microsoft’s advisories additionally list CVE-2025-53770 as actively exploited, reflecting continuing uncertainty over the full extent of the vulnerability surface. Attackers are able not only to achieve code execution but also to subvert enterprise-level security monitoring solutions, potentially misleading organizations about the effectiveness of the mitigations they have applied.

Indicators and Attribution

The campaign has been attributed to Chinese nation-state actors, notably the Linen Typhoon and Violet Typhoon APT groups. These sophisticated actors employ public proof-of-concept (PoC) exploits alongside custom payloads to ensure resilient access into target networks.

Remediation Guidance

U.S. government agencies and private sector organizations running on-premises SharePoint are directed to urgently patch the affected instances. CISA emphasizes that even when detection signatures trigger, the underlying vulnerabilities remain exploitable without proper remediation. Entities are advised to perform comprehensive threat hunting for associated indicators of compromise.
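The remediation deadline above is the kind of date a vulnerability-management team has to track per host. The following is an added example (not code from this news digest, CISA or Microsoft) showing how a defender can triage an asset inventory against a Known Exploited Vulnerabilities catalog extract and flag hosts that are past their due date. Only the two CVE IDs and the July 23, 2025 due date come from the text; the catalog fragment, hostnames and the third placeholder entry are constructed so the script runs offline. The field names follow the public KEV JSON schema, but the values are placeholders.

```python
"""Triage an asset inventory against a KEV catalog extract (added example)."""
import json
from datetime import date

# Constructed KEV-style extract. Field names follow the public KEV JSON schema;
# only the two SharePoint CVE IDs and their due date come from the advisory text.
KEV_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-2025-49704", "vendorProject": "Microsoft", "product": "SharePoint",
     "dueDate": "2025-07-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-49706", "vendorProject": "Microsoft", "product": "SharePoint",
     "dueDate": "2025-07-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "dueDate": "2025-09-30", "knownRansomwareCampaignUse": "Known"}
  ]
}
"""

# Constructed inventory: hostname -> set of CVE IDs still unpatched on that host.
INVENTORY = {
    "sp-onprem-01": {"CVE-2025-49704", "CVE-2025-49706"},
    "sp-onprem-02": set(),          # fully patched, nothing to report
    "app-03": {"CVE-0000-00001"},
}


def load_kev(raw: str) -> dict:
    """Index a KEV catalog by CVE ID, parsing dueDate into a date object."""
    catalog = {}
    for entry in json.loads(raw)["vulnerabilities"]:
        catalog[entry["cveID"]] = {**entry, "dueDate": date.fromisoformat(entry["dueDate"])}
    return catalog


def triage(inventory: dict, catalog: dict, today: date) -> list:
    """Return findings as (host, cve, days_until_due), most urgent first.

    A negative days_until_due means the catalog due date has already passed.
    CVEs absent from the catalog are ignored here: they are handled by the
    normal patch cadence rather than the exploited-vulnerability deadline.
    """
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = catalog.get(cve)
            if entry is None:
                continue
            days_left = (entry["dueDate"] - today).days
            findings.append((host, cve, days_left))
    findings.sort(key=lambda f: (f[2], f[0], f[1]))
    return findings


def overdue_hosts(inventory: dict, catalog: dict, today: date) -> list:
    """Hosts with at least one catalog entry past its due date."""
    return sorted({h for h, _, d in triage(inventory, catalog, today) if d < 0})


if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    for host, cve, days in triage(INVENTORY, kev, date(2025, 7, 24)):
        state = f"OVERDUE by {-days}d" if days < 0 else f"due in {days}d"
        print(f"{host:14} {cve:16} {state}")
```

Run it with the date of your review; in practice the catalog extract would be fetched from CISA's published feed and the inventory populated from your patch-management data rather than the constructed values above.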

Interlock Ransomware Campaign Threatens Critical Infrastructure in North America and Europe

Campaign Synopsis

Interlock ransomware, first documented in late September 2024, continues to pose a significant threat to critical infrastructure operators across North America and Europe. A new joint advisory released by multiple U.S. agencies details the tactics, techniques, and procedures (TTPs) of this campaign and provides concrete indicators of compromise.

Technical Operations and Infection Chain

Interlock ransomware actors employ a dual approach, targeting both Windows and Linux environments. The malware has been seen encrypting virtual machines across both platforms. Tactics observed include initial access via drive-by downloads hosted on otherwise legitimate but compromised websites, a method considered rare in the ransomware ecosystem.

Social engineering plays a central role; the so-called ClickFix technique persuades victims to execute malicious payloads under the pretense of remediation. Upon successful execution, actors perform extensive discovery and credential harvesting, enabling lateral movement within the compromised environment.

Double Extortion and Impact

The group deploys a double extortion model: data is exfiltrated prior to encryption. Victims are forced to pay not only for decryption keys but also to prevent the public release of stolen data, heightening the potential business and reputational impact.

Defensive Measures

The joint advisory urges organizations to educate their workforce regarding social engineering threats, to deploy network segmentation, and to implement advanced endpoint protection on both Windows and Linux environments.

Operational Technology Cybersecurity Gaps Endanger U.S. Critical Infrastructure

Persistent Vulnerabilities

As of July 2025, U.S. critical infrastructure remains broadly exposed to cyber-attacks, a situation that has scarcely improved in the fifteen years since the Stuxnet incident. Legacy issues in operational technology (OT) persist, with programmable logic controllers, supervisory control and data acquisition (SCADA) systems, and remote terminal units remaining largely unprotected.

Inherent Risks

These devices, which operate and monitor equipment and processes distributed across wide geographies (such as electric substations), were not originally designed with cybersecurity in mind. Their inherent vulnerabilities, ease of physical and logical access, and infrequent patching cycles create ongoing exposure for vital national infrastructure.

Congressional Scrutiny and Industry Action

Congressional investigations continue to examine why cybersecurity gaps in OT persist, especially as attacks by advanced persistent threats and ransomware groups increasingly target the industrial sector. This renewed legislative attention could result in policy changes or new federal regulatory frameworks designed to increase the baseline security of OT systems.

Recommendations for Industry

Operators are encouraged to accelerate modernization programs aimed at network segmentation, endpoint monitoring, and continuous vulnerability management. Actionable steps include rigorous asset inventory, deployment of purpose-built industrial firewalls, and implementation of multi-layered authentication for remotely accessible control systems.
