CyberWire Daily: "SharePoint Springs a Leak" – July 23, 2025

Hosted by N2K Networks

Introduction

In today's episode of CyberWire Daily, host Dave Bittner delves into a series of pressing cybersecurity issues, ranging from significant zero-day exploits affecting critical infrastructure to evolving ransomware threats and groundbreaking AI initiatives within the Department of Defense. The episode also features an insightful interview with Tim Starks from Cyberscoop, discussing recent UK sanctions on Russian cyber operatives.

Microsoft SharePoint Zero-Day Exploit

A major cybersecurity incident took center stage with the revelation of a zero-day exploit in Microsoft SharePoint, which has impacted over 50 organizations, including the National Nuclear Security Administration (NNSA).

• Impact on NNSA: The NNSA, responsible for supplying nuclear reactors for US Navy submarines, was among the affected entities. According to Bloomberg, while multiple systems were breached, no classified data has been leaked. The Department of Energy attributed the limited impact to robust cybersecurity measures and the utilization of Microsoft 365 cloud services, leading to the restoration of the compromised systems.

• Technical Details: The exploit is linked to two vulnerabilities unveiled during the Pwn to Own hacking contest. These vulnerabilities allowed attackers to gain remote access to SharePoint servers. Microsoft promptly issued patches for all affected versions.

• Attribution: The breach is associated with Chinese state-affiliated actors, heightening concerns over foreign targeting of US critical infrastructure.

Congressional Hearing on Critical Infrastructure Security

A significant congressional hearing was held by the Homeland Security Subcommittee on Cybersecurity, commemorating 15 years since the Stuxnet worm discovery.

• Expert Testimony: Journalist Kim Zetter, author of Countdown to Zero Day, provided a historical perspective, emphasizing the real-world implications of cyber-attacks on physical infrastructure.

  Kim Zetter [03:57]: "Stuxnet was the first known case of malicious code designed to leap from the digital world to the physical realm, causing disruption and destruction of equipment and processes controlled by infected computers."

• Robert M. Lee's Statement:

  Robert M. Lee [04:55]: "We are not prepared for a major attack on our critical infrastructure. ... The results of continued failure could be catastrophic, including the loss of life."

• Key Points:

  • Operational Technology (OT) security remains inadequate, exposing sectors like water, energy, and transportation to ransomware, malware, and state-sponsored threats.
  • Panelists advocated for the reauthorization of key laws such as the Cybersecurity Information Sharing Act and increased funding for state and local cybersecurity grants.
  • Emphasis was placed on the necessity for federal guidance, public-private collaboration, and the development of OT-specific security strategies to prevent future catastrophic failures.

Healthcare and Critical Infrastructure Ransomware Threats

• AMIOS Group Breach: On July 7, AMIOS Group, a major private healthcare provider in Central Europe, experienced a breach resulting in the shutdown of its digital systems across clinics in Switzerland, Germany, and Austria. While patient care remained unaffected, communications and data transmission were disrupted. The attack’s nature remains under investigation, with authorities alerting patients to potential phishing and scam threats.

• FBI Warning on Interlock Ransomware: The FBI has issued warnings to healthcare and critical infrastructure providers about the Interlock ransomware group, active since late 2024. Interlock employs unconventional initial access methods such as drive-by downloads and fake browser updates. Notable targets include DaVita and a significant Ohio healthcare system. The group demands ransoms in Bitcoin and is suspected to be linked to the Raisita Group.

  Dave Bittner [16:16]: "Interlock targets victims opportunistically and may be linked to the Raisita Group."

New York's Proposed Cybersecurity Regulations for Water Systems

New York State has introduced new cybersecurity regulations specifically targeting water and wastewater systems, accompanied by a $2.5 million grant program to aid compliance.

• Regulatory Requirements:

  • Systems serving over 3,300 residents must implement comprehensive cybersecurity programs, conduct regular risk assessments, report incidents within 24 hours, and train staff accordingly.
  • Larger systems are mandated to appoint a dedicated cybersecurity executive.

• Financial Implications: While the grant aims to mitigate compliance costs, major systems might incur expenses up to $5 million annually. The regulations align with EPA and CISA guidelines, addressing the escalating threats from ransomware and state-backed attacks.

• Implementation Timeline: Public comments are solicited until September, with full compliance expected by 2027.

  Dave Bittner [08:50]: "Officials emphasize the need for proactive security amid federal retreat from state-level support."

Crypto Mining Campaign SoCO404

Researchers at WIZ have identified an active crypto mining campaign named SoCO404, which targets cloud environments by exploiting misconfigurations and vulnerabilities, particularly in PostgreSQL databases.

• Attack Mechanism:

  • Exploitation of exposed Linux and Windows systems through fake 404 pages and compromised servers.
  • Use of cron jobs and shell scripts for persistence.
  • Delivery and concealment of malware via legitimate but compromised infrastructure and fraudulent crypto trading websites.

• Payload and Impact:

  • The malware eradicates competitor mining operations, obfuscates traces, and utilizes cryptocurrency pools for mining.
  • The Windows variant leverages built-in tools like Certutil and PowerShell to enhance mining performance through embedded drivers.

• Broader Implications: The campaign is part of a larger crypto scam network, indicative of long-term automated and opportunistic operations. With nearly 90% of cloud environments self-hosting PostgreSQL, SoCO404 poses a high-risk attack vector and remains active.

  Dave Bittner [11:50]: "The campaign remains active, highlighting the persistent threats in cloud environments."

Coyote Banking Trojan Exploits Windows UI Automation

A new variant of the Coyote Banking Trojan is actively exploiting Microsoft's Windows UI Automation (UIA) framework to steal credentials from banking and cryptocurrency websites.

• Exploitation Technique:

  • UIA, initially designed for accessibility, is being abused to navigate and interact with UI elements, evading traditional detection methods.
  • First observed in February 2025, this marks the inaugural real-world attack utilizing UIA for data theft.

• Target Specifics: The Trojan is programmed to target 75 specific financial services, predominantly in Brazil, using UIA to identify and extract URLs from browser tabs when conventional methods fail.

  Dave Bittner [12:55]: "This is the first real-world attack using UIA for data theft, showcasing innovative evasion tactics by cybercriminals."

Department of Defense's Agentic AI Project Thunderforge

The Department of Defense (DoD) is piloting Thunderforge, an agentic AI initiative designed to assist military planners in evaluating and enhancing war strategies.

• Functionality:

  • Utilizes multiple AI agents to analyze operational plans across various domains, including logistics, cyber, and intelligence.
  • Identifies and flags potential weaknesses within military strategies.

• Integration and Support: Thunderforge integrates with DoD simulations like DARPA's SafeSim and is supported by industry leaders such as Scale AI, Microsoft, and Anduril.

• Operational Testing: Tested in June by Indopacom, Thunderforge aims to transition human users from micromanaging tasks to strategic oversight, enhancing decision-making efficiency.

• Risks and Considerations: Experts caution against potential issues like opaque decision-making, hallucinated outputs, and over-reliance on potentially flawed models. Emphasis is placed on the necessity for explainability, continuous adversarial testing, and stringent human oversight to ensure resilience under wartime conditions.

  Dave Bittner [15:20]: "While promising, Thunderforge must prove resilient in wartime conditions where systems face degraded information and adversarial interference."

Clorox Sues Former IT Service Provider Cognizant

In a significant legal move, Clorox has filed a lawsuit against its former IT service provider, Cognizant, seeking $380 million in damages due to a devastating cyber attack in August 2023.

• Allegations:

  • Cognizant is accused of negligence for failing to verify the identity of a caller before granting access to Clorox's network, thereby violating established password and authentication protocols.
  • The attacker, associated with a known cybercriminal group, exploited these credentials to disrupt Clorox's operations, resulting in weeks-long outages and approximately $49 million in damages.

• Impact on Clorox: The breach disrupted production, strained supply chains, and forced the company to scale back its 2030 sustainability goals.

• Legal Proceedings: The lawsuit is filed in California Superior Court, with Clorox’s legal counsel describing Cognizant’s failure as "indefensible." Cognizant had been serving Clorox for over a decade under a longstanding IT services agreement.

  Clorox’s Legal Counsel [18:14]: "The failure is indefensible and has caused significant operational and financial harm to our company."

Interview: Tim Starks on UK Sanctions on Russian Hackers and Spies

Guest: Tim Starks, Senior Reporter at Cyberscoop

Dave Bittner engages in a comprehensive discussion with Tim Starks regarding the recent sanctions imposed by the UK on Russian cyber operatives.

• Sanction Details:

  • The UK has sanctioned 18 Russian military officers and three military units, including both hackers and regular spies.
  • Reasons include the use of cyber operations to support military actions in Ukraine and historical cyber activities dating back to 2013, such as the deployment of the X Agent malware.

  Tim Starks [15:12]: "The malware specifically targeted in the UK, X Agent, was used against the DCCC and the DNC to interfere with the 2016 election."

• Effectiveness of Sanctions:

  • Starks expresses skepticism regarding the immediate efficacy of sanctions in deterring Russian cyber activities.

    Tim Starks [16:53]: "Sanctions like these are often seen as symbolic. They haven't dissuaded Russia from continuing their cyber operations."

• Potential Shifts in Tactics:

  • The UK warns that the GRU may alter its cyber tactics in response to increased pressure from sanctions, signaling a potential evolution in hybrid warfare strategies.

    Tim Starks [18:14]: "The GRU may shift their cyber tactics in response to this increased pressure."

• International Implications:

  • The UK’s proactive stance, acting independently without waiting for the US, underscores a collective approach to combating hybrid warfare.
  • There is an anticipation of further sanctions and coordinated efforts from other allies to intensify pressure on Russian cyber entities.

• US Response:

  • Currently, no direct response from the US has been observed. However, there is bipartisan interest in the US Congress to impose similar sanctions.

    Tim Starks [20:15]: "I don't think we're going to see much in the way of actual response from the United States until some of those things start to coalesce."

Conclusion

Today's episode of CyberWire Daily highlights the multifaceted nature of current cybersecurity challenges, from sophisticated exploits targeting critical infrastructure to the strategic use of sanctions in international cyber warfare. The discussions underscore the evolving landscape of threats and the imperative for robust, collaborative defense mechanisms to safeguard crucial systems and data.

Notable Quotes:

• Kim Zetter [03:57]: "Stuxnet was the first known case of malicious code designed to leap from the digital world to the physical realm..."

• Robert M. Lee [04:55]: "We are not prepared for a major attack on our critical infrastructure. ... The results of continued failure could be catastrophic, including the loss of life."

• Tim Starks [15:12]: "The malware specifically targeted in the UK, X Agent, was used against the DCCC and the DNC to interfere with the 2016 election."

• Tim Starks [16:53]: "Sanctions like these are often seen as symbolic. They haven't dissuaded Russia from continuing their cyber operations."

• Tim Starks [18:14]: "The GRU may shift their cyber tactics in response to this increased pressure."

Additional Information:

For more detailed analysis and ongoing coverage of these and other cybersecurity stories, subscribe to the CyberWire Daily briefing here.