
A
From the CISO Series, it's Cyber Security Headlines.
B
These are the cybersecurity headlines for Wednesday, July 23, 2025. I'm Sarah Lane.

Microsoft links SharePoint ToolShell attacks to Chinese hackers

Microsoft formally attributed the widespread exploitation of a SharePoint zero-day chain dubbed ToolShell to Chinese state-linked hacking groups, including Linen Typhoon, Violet Typhoon and Storm-2603. The attacks have targeted on-premises SharePoint servers across multiple sectors, but with a proof-of-concept exploit now public and active exploitation ongoing, CISA has issued urgent mitigation guidance for affected organizations.

Russian threat actors target NGOs with new OAuth phishing tactics

Russian-linked threat groups UTA0352 and UTA0355 are targeting NGOs and Ukraine-related individuals with OAuth phishing campaigns that exploit Microsoft 365 login flows. Volexity says the attackers impersonate diplomats via messaging apps. They lure victims into providing OAuth codes and then use them to access Microsoft Graph data, including emails and files. These attacks bypass traditional defenses by abusing legitimate Microsoft infrastructure and tools like Visual Studio Code.

Silicon Valley engineer admits theft of US missile tech secrets

Engineer Chenguang Gong has pleaded guilty to stealing more than 3,600 trade secret files from two US electronics firms, including sensitive missile defense and satellite surveillance tech. Gong transferred the files to personal drives shortly before taking a job with a direct competitor and had previously pitched similar technologies to Chinese talent programs aimed at acquiring foreign intellectual property. The FBI uncovered the theft during a post-employment audit. Gong now faces up to 10 years in prison.

Lumma infostealer malware returns after law enforcement disruption

The Lumma infostealer malware operation has resumed activity after a May law enforcement takedown that seized 2,300 domains. Despite that disruption, Lumma's operators quickly rebuilt infrastructure and returned to near pre-takedown levels, now using Russian hosting provider Selectel instead of Cloudflare. Distribution methods include fake software cracks, malicious GitHub repos, fake CAPTCHA pages and links shared via YouTube and Facebook, highlighting the resilience of malware-as-a-service operations when no arrests are made.

Huge thanks to our sponsor, Nudge Security

Secure your critical business apps. Attackers no longer break in, they log in, and your software-as-a-service footprint is now their prime target. Nudge Security discovers every SaaS app used in your org, secures configurations, enforces MFA and manages app-to-app access so you can prevent identity-based attacks. Start a free 14-day trial today at nudgesecurity.com.

Contract lapse leaves critical infrastructure cybersecurity sensor data unanalyzed at national lab

A critical contract supporting DHS's CyberSentry program at Lawrence Livermore National Laboratory expired, leaving threat detection data from key infrastructure networks unanalyzed. The lapse, revealed during a House hearing on operational technology cybersecurity, hinders monitoring of emerging threats in OT environments. Experts warned that under-resourcing of OT security, compounded by recent federal budget cuts, poses a significant risk to national cybersecurity.

FBI urges vigilance against Interlock ransomware group behind recent healthcare attacks

The FBI and other federal agencies are warning about a ransomware group known as Interlock, which has recently targeted critical infrastructure and health care organizations in the US and Europe. First observed back in September of 2024, Interlock uses tactics like drive-by downloads and fake browser updates to gain access to victim systems. The group has attacked DaVita and a major Ohio health care provider, among others. Ransom notes lack payment instructions but demand Bitcoin. Authorities suspect ties to Rhysida ransomware.

Cisco confirms active exploitation of ISE and ISE-PIC flaws

Cisco confirmed that attackers are actively exploiting multiple critical vulnerabilities in its Identity Services Engine, or ISE, and ISE Passive Identity Connector, or ISE-PIC. The flaws allow unauthenticated remote access with root-level control, making them especially dangerous for enterprises relying on ISE for network access policy enforcement. Cisco detected the exploitation this month and has since released patches, urging customers to update immediately. The company hasn't identified the attackers or shared technical details about how the flaws are being used.

UK to ban public sector orgs from paying ransomware gangs

The UK government plans to prohibit public sector and critical infrastructure organizations, including the NHS, schools and local councils, from paying ransoms after cyber attacks. The move is meant to disrupt the ransomware business model and reduce the appeal of targeting essential public services. Businesses outside the public sector won't be banned from paying, but they will be required to notify the government before doing so to avoid violating sanctions laws. A mandatory reporting system is also in development to help law enforcement trace attacks and better support victims.

Make sure to keep up with us at the CISO Series on LinkedIn and YouTube. And if you have thoughts on the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Sarah Lane reporting for the CISO Series. Thanks for stopping by. Oh, and stay classy.
A
Cyber Security Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines – July 23, 2025
Hosted by CISO Series
In this episode of Cyber Security Headlines, host Sarah Lane covers the day's significant developments in information security. This summary captures the key points from each story for those who haven't listened to the episode.
Timestamp: [00:07]
Microsoft has formally attributed the widespread exploitation of a SharePoint zero-day exploit chain, known as ToolShell, to Chinese state-affiliated hacking groups, including Linen Typhoon, Violet Typhoon, and Storm-2603. These groups have targeted on-premises SharePoint servers across various sectors. With a proof-of-concept exploit now public and exploitation ongoing, CISA has issued mitigation guidance for affected organizations.
Notable Quote:
“The attacks have targeted on-premises SharePoint servers across multiple sectors,” – Sarah Lane [00:07]
Timestamp: [02:15]
Russian-linked threat groups UTA0352 and UTA0355 are running OAuth phishing campaigns against non-governmental organizations (NGOs) and individuals connected to Ukraine. Per Volexity, the attackers impersonate diplomats over messaging apps and trick victims into handing over OAuth codes from legitimate Microsoft 365 login flows, which the attackers then use to read Microsoft Graph data such as email and files. Because only legitimate Microsoft infrastructure and tools such as Visual Studio Code are involved, the activity evades traditional defenses.
Notable Quote:
“Attackers impersonate diplomats via messaging apps, luring victims into providing OAuth codes,” – Sarah Lane [02:15]
Timestamp: [03:45]
Engineer Chenguang Gong has pleaded guilty to stealing over 3,600 trade secret files from two US electronics firms. The stolen data includes sensitive missile defense and satellite surveillance technologies. The FBI uncovered the theft during a post-employment audit, and Gong faces up to 10 years in prison.
Notable Quote:
“Gong transferred the files to personal drives shortly before taking a job with a direct competitor,” – Sarah Lane [03:45]
Timestamp: [04:30]
The Lumma infostealer malware operation has rebounded following a May law enforcement action that seized 2,300 domains associated with the operation. The operators quickly rebuilt their infrastructure, moving to Russian hosting provider Selectel in place of Cloudflare, and continue to distribute the malware through fake software cracks, malicious GitHub repositories, fake CAPTCHA pages, and links shared on YouTube and Facebook.
Notable Quote:
“Lumma's operators quickly rebuilt infrastructure and returned to near pre-takedown levels,” – Sarah Lane [04:30]
Timestamp: [05:15]
A critical contract supporting DHS's CyberSentry program at Lawrence Livermore National Laboratory has expired, leaving threat detection data from key infrastructure networks unanalyzed. The lapse came to light during a House hearing on operational technology cybersecurity.
Notable Quote:
“Under-resourcing of OT security compounded by recent federal budget cuts poses a significant risk,” – Sarah Lane [05:15]
Timestamp: [05:50]
The FBI and other federal agencies have issued warnings about the Interlock ransomware group, first observed in September 2024, which has been targeting critical infrastructure and healthcare organizations in the US and Europe. Victims include DaVita and a major Ohio healthcare provider. Its ransom notes omit payment instructions but demand Bitcoin, and authorities suspect ties to Rhysida ransomware.
Notable Quote:
“Interlock uses tactics like drive-by downloads and fake browser updates to gain access,” – Sarah Lane [05:50]
Timestamp: [06:10]
Cisco has confirmed that attackers are actively exploiting multiple critical vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). The flaws allow unauthenticated remote access with root-level control, and patches are available; Cisco has not identified the attackers or shared technical details of the exploitation.
Notable Quote:
“The flaws allow unauthenticated remote access with root-level control,” – Sarah Lane [06:10]
Timestamp: [06:25]
To disrupt the ransomware business model, the UK government plans to ban public sector and critical infrastructure organizations, including the NHS, schools, and local councils, from paying ransoms after cyberattacks. Private-sector organizations may still pay but must notify the government first so that payments do not violate sanctions laws, and a mandatory reporting system is in development.
Notable Quote:
“The move is meant to disrupt the ransomware business model and reduce the appeal of targeting essential public services,” – Sarah Lane [06:25]
The episode covers state-sponsored exploitation of SharePoint, OAuth phishing that abuses legitimate Microsoft infrastructure, an insider theft of defense trade secrets, and a malware-as-a-service operation that survived a domain takedown. On the policy side, the UK's planned ban on public sector ransom payments is meant to make essential services less attractive targets. The actively exploited SharePoint and Cisco ISE flaws underline the need for prompt patching and exposure review of internet-facing infrastructure.
For more detailed stories and continuous updates, listeners are encouraged to visit CISOseries.com.
Stay informed and protected with the latest cybersecurity insights from CISO Series.