SharePoint patched, World Leaks hits Dell, $44 million crypto theft

Cyber Security Headlines – Episode Summary Hosted by CISO Series | Release Date: July 22, 2025

The latest episode of Cyber Security Headlines by CISO Series delves into critical incidents and developments shaping the information security landscape. Hosted by Rich Stroffolino, the episode covers a range of topics from patched vulnerabilities and significant data breaches to substantial cryptocurrency thefts and strategic AI partnerships. Below is a comprehensive summary of the key discussions, insights, and conclusions presented in the episode.

1. SharePoint RCE Vulnerabilities Patched and Exploited

Overview: The episode begins with an analysis of recently patched Remote Code Execution (RCE) flaws in Microsoft SharePoint, known as toolshell. These vulnerabilities have been actively exploited by multiple threat actors, primarily originating from China.

Key Points:

• Active Exploitation: Various threat actors are racing to exploit the newly discovered SharePoint RCE flaws.
• Chinese Involvement: Mandiant CTO Charles Carmichael confirmed the involvement of groups operating out of China. He stated, “We fully anticipate that this trend will continue as various other threat actors driven by diverse motivations will leverage this exploit as well” (Rich Stroffolino, 00:06).
• Impact: Mandiant estimates that several hundred organizations are affected, including US Government agencies, educational institutions, and organizations managing critical infrastructure.
• Microsoft’s Response: Microsoft released emergency patches for SharePoint Server Subscription Edition and SharePoint Server 2019, with patches for SharePoint Server 2016 forthcoming.

Conclusion: The swift patching by Microsoft underscores the urgency and severity of the threat, while the ongoing exploitation highlights the need for organizations to apply updates promptly to safeguard their systems.

2. Dell Acknowledges World Leaks Data Breach

Overview: Dell recently disclosed a data breach involving the Extortion Group, a rebrand of Hunters International, targeting its Customer Solutions center platform.

Key Points:

• Breach Details: The breach impacted a platform used for commercial customer demos, which Dell claims is separated from customer partner systems and does not affect the provision of services to customers.
• Data Compromised: World Leaks released samples of the stolen data, which appear to be configuration and backup data.
• Dell’s Position: Dell stated it would not release further details until the investigation concludes, emphasizing that the breached platform primarily uses synthetic data and is not linked to customer services.

Conclusion: While Dell maintains that customer services remain unaffected, the breach highlights the ongoing threat to corporate demo environments and the importance of securing all facets of IT infrastructure.

3. $44 Million Crypto Theft from CoinDCX

Overview: The Indian cryptocurrency exchange CoinDCX suffered a significant theft, with $44 million worth of stablecoins stolen from an internal operational account.

Key Points:

• Impact on Users: Importantly, user funds were not affected by this breach.
• Source of Theft: The company’s investigation revealed unauthorized access to its account on a partner exchange as the entry point for the theft.
• Response Measures: CoinDCX announced it would cover the losses from its own reserves and is establishing a bug bounty program, offering up to 25% of recovered assets to those who can help retrieve the stolen funds.

Notable Quote: “We will cover its losses from its own reserves,” emphasized Rich Stroffolino (00:06).

Conclusion: CoinDCX’s proactive measures, including covering the losses and launching a bug bounty program, demonstrate a commitment to maintaining trust and enhancing security post-incident.

4. UK Government and OpenAI Forge Strategic Partnership

Overview: The UK government has entered into a strategic partnership with OpenAI aimed at advancing AI security research and investing in AI infrastructure within the country.

Key Points:

• Investment: The UK government plans to invest £1 billion in computing infrastructure for AI over the next five years, as announced at the London Tech Summit.
• Collaboration Scope: The partnership will focus on AI security research and expanding OpenAI’s London office to support sectors such as justice, defense, security, and education technology.
• Future Deployments: OpenAI will explore deploying its technology stack across various government and public sector domains to enhance AI capabilities and security measures.

Conclusion: This collaboration signifies a substantial commitment to integrating advanced AI technologies within critical public sectors, aiming to bolster national security and technological resilience.

5. Arizona Election Officials’ Cyberattack Response

Overview: Arizona’s Secretary of State office experienced a defacement attack where candidate photos were replaced with images of the late Iranian Ayatollah Khomeini.

Key Points:

• Attack Details: The defacement targeted a legacy election system with no access to voter rolls.
• Response: The state Department of Homeland Security contacted federal agencies like the FBI but did not engage with the Cybersecurity and Infrastructure Security Agency (CISA).
• Government Support: CISO Michael Moore clarified that Arizona currently lacks direct federal cybersecurity advisor support, highlighting a gap in assistance since the end of 2024.
• Official Statement: Secretary of State Adrian Fontes mentioned that initial outreach attempts to Homeland Security were dismissed outright (00:06).

Conclusion: The incident underscores the challenges states face in securing election infrastructure and the critical need for stronger federal support and coordination in cybersecurity efforts.

6. Crush FTP Exploited with Already Patched Flaw

Overview: Crush FTP, a popular file transfer service, issued a warning about ongoing exploitation of a previously patched vulnerability.

Key Points:

• Exploit Details: Hackers reverse-engineered Crush FTP’s code to identify a bug that had already been fixed in the latest version.
• Vulnerable Versions: Only Crush FTP builds prior to July 1, 2025, remain susceptible to attacks over HTTPS.
• Threat Activity: Exploitation began on July 18th, utilizing scripts from previous attacks to compromise servers.
• Research Findings: Shadow Server Foundation identified over 1,000 unpatched servers still exposed online, posing significant security risks.

Conclusion: This situation highlights the importance of keeping software up-to-date and the persistent threat of attackers targeting known vulnerabilities in outdated systems.

7. Chinese Linked Groups Target African IT Infrastructure

Overview: Researchers at Kaspersky uncovered that the China-linked group APT41 is targeting IT infrastructure across several African countries.

Key Points:

• Attack Methodology: APT41 utilized a hacked SharePoint server for command and control, harvested credentials for privileged accounts, and deployed Cobalt Strike for further network attacks.
• Target Adaptation: The group, typically not very active in Africa, demonstrated rapid adaptation to new target infrastructures.
• Impact: These sophisticated attacks threaten the stability and security of IT infrastructure within the affected African nations.

Conclusion: APT41’s activities in Africa reveal the expanding geographic scope of Chinese-linked cyber threats, emphasizing the need for robust defensive measures in emerging markets.

8. Muddy Water Targets Android with DCHSpy Spyware

Overview: Iranian cyber espionage group Muddy Water has launched a new campaign using the Android-based surveillance tool DCHSpy.

Key Points:

• Disguised as VPN Apps: DCHSpy poses as Earth VPN and Komodo VPN, spoofing locations in Romania and Canada, respectively.
• Distribution Channels: The malicious apps are disseminated through Telegram channels, targeting both English and Farsi speakers with anti-Iranian lures.
• Capabilities: Once installed, DCHSpy can collect account logins, contacts, SMS messages, location data, record audio, and take photos.
• Focus Areas: References to SpaceX's Starlink service in malware samples indicate a potential focus on targeting this platform.

Conclusion: Muddy Water’s exploitation of popular platforms like Telegram and masquerading as legitimate VPN services underscores the evolving tactics of state-sponsored cyber espionage groups in targeting mobile devices.

9. Bridging the Gap Between Compliance and Building Resilience

Overview: The episode concludes with a discussion on the disconnect between compliance and building meaningful cybersecurity resilience within organizations.

Key Points:

• Compliance vs. Resilience: While businesses can understand and implement compliance measures, there is a broader range of risks that go beyond mere regulatory adherence.
• CISO Communication: Emphasizing how CISOs can better communicate the importance of comprehensive risk management to stakeholders.
• Upcoming Segment Tease: The episode hints at a future discussion titled “Recovering from the attack once we ace this audit,” exploring strategies to enhance resilience beyond compliance.

Conclusion: The conversation stresses the need for organizations to move beyond tick-box compliance towards a more holistic approach to cybersecurity resilience, ensuring robust protection against a wide array of threats.

Final Thoughts: This episode of Cyber Security Headlines provides an insightful overview of recent security incidents and strategic developments in the cybersecurity realm. From addressing exploited vulnerabilities and major data breaches to examining the interplay between compliance and resilience, the discussions offer valuable takeaways for security professionals and organizations aiming to navigate the complex threat landscape effectively.

For more detailed stories and ongoing updates, listeners are encouraged to visit CISOseries.com.

Note: All timestamps reference the provided transcript and correspond to specific segments within the episode.