CyberWire Daily: The SharePoint Siege Goes Strategic
Release Date: July 22, 2025
Overview
In this episode of CyberWire Daily, host Dave Bittner covers a series of significant cybersecurity incidents and developments affecting sectors worldwide. The episode, titled "The SharePoint Siege Goes Strategic," ranges from zero-day attacks on Microsoft SharePoint servers to the UK government's proposed ban on ransomware payments. It also includes a Threat Vector segment on cybersecurity collaboration with guest host Michael Sikorski and Michael Daniel of the Cyber Threat Alliance.
1. Microsoft SharePoint Zero-Day Attacks
Timestamp: [02:05] – [05:00]
The episode opens with a detailed look at a surge in zero-day attacks on on-premises Microsoft SharePoint servers. The attacks use a remote code execution exploit chain known as ToolShell. Beginning around July 17, they have predominantly hit strategic sectors, including energy, technology, consulting, and government institutions.
- Exploited Vulnerabilities: The exploit chain bypasses two previously patched flaws, so Microsoft assigned two new CVEs (Common Vulnerabilities and Exposures): one for unauthenticated remote code execution and one for spoofing. Even with patches available, there is still confusion about exactly which vulnerabilities were chained in the observed attacks.
- Attack Clusters: SentinelOne has identified three distinct attack clusters, some attributed to state-sponsored actors. Reports describe the exfiltration of cryptographic secrets and the bypass of multi-factor authentication (MFA) and single sign-on (SSO) protections. Over 9,000 internet-facing SharePoint servers are exposed, primarily in North America and Europe.
- CISA's Response: The Cybersecurity and Infrastructure Security Agency (CISA) has added one of the CVEs to its Known Exploited Vulnerabilities (KEV) catalog and is urging organizations to patch immediately. Microsoft also recommends rotating cryptographic keys after remediation: an attacker who already exfiltrated a server's keys can keep forging trusted material after the entry point is patched, so patching without rotation does not end the exposure.
Notable Quote:
"Despite patches, confusion persists about which vulnerabilities were chained during the attacks."
— Dave Bittner [04:50]
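The key-rotation advice is worth making concrete. The following Python is an added illustration, not Microsoft's or SharePoint's code: it models the general mechanism a server-side signing key protects (client-held state is accepted only if its HMAC verifies under the server key) and shows that a blob forged with an exfiltrated key keeps verifying after the original entry point is patched, and stops verifying only once the key is rotated. The blob format, the `StateValidator` class and the forged payload are constructed for this example.

```python
"""Why patching alone is not enough once signing keys have been exfiltrated.

Added illustration, not Microsoft's or SharePoint's code. It models the
general mechanism a server-side secret protects: client-held state is
accepted only if its HMAC verifies under the server key. An attacker who
copied the key keeps forging valid state until the key is rotated,
regardless of whether the original entry point was patched.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def sign(state: bytes, key: bytes) -> bytes:
    """Return state || HMAC-SHA256(key, state): the shape of a MAC-protected blob."""
    return state + hmac.new(key, state, hashlib.sha256).digest()


def verify(blob: bytes, key: bytes) -> Optional[bytes]:
    """Return the embedded state if the MAC verifies under key, else None."""
    if len(blob) < 32:
        return None
    state, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, state, hashlib.sha256).digest()
    # constant-time comparison so the tag cannot be guessed byte by byte
    return state if hmac.compare_digest(tag, expected) else None


class StateValidator:
    """Server-side validator holding the current key; rotate() replaces it."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)

    def rotate(self) -> bytes:
        """Generate a fresh key; anything signed under the old key now fails."""
        self.key = secrets.token_bytes(32)
        return self.key

    def accept(self, blob: bytes) -> bool:
        return verify(blob, self.key) is not None


def post_incident_scenario() -> dict:
    """Walk through patch-only versus patch-plus-rotation and record whether
    the attacker's forged state is accepted at each stage."""
    server = StateValidator()
    stolen_key = server.key                              # what the exfiltration gave the attacker
    forged = sign(b"role=admin;cmd=run", stolen_key)     # constructed attacker payload

    results = {}
    results["before_patch"] = server.accept(forged)      # True: key is valid
    # patching the entry point changes nothing about the key the attacker holds
    results["after_patch_only"] = server.accept(forged)  # still True
    server.rotate()
    results["after_rotation"] = server.accept(forged)    # False: old key is dead
    # legitimate state issued under the new key still works
    results["fresh_state_after_rotation"] = server.accept(sign(b"role=user", server.key))
    return results


if __name__ == "__main__":
    for stage, accepted in post_incident_scenario().items():
        print(f"{stage:28s} accepted: {accepted}")
```

The `after_patch_only` line is the point: nothing on the server changed that the attacker's forged blob depends on, so it is still accepted. Only `rotate()` invalidates it, and legitimate state issued afterwards continues to work.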
2. Microsoft Windows Server 2019 Update Bug
Timestamp: [05:01] – [07:00]
In another Microsoft item, the July 2025 security update for Windows Server 2019 has been found to break the Cluster Service: affected hosts see repeated service restarts, node failures, and virtual machine (VM) instability, especially where BitLocker is used with Cluster Shared Volumes.
- Current Status: Microsoft is working on a fix but has not released it publicly. In the interim, it advises affected organizations to contact Microsoft support for mitigation guidance.
3. Crush FTP Zero-Day Vulnerability
Timestamp: [07:01] – [10:00]
CrushFTP has confirmed active exploitation of a zero-day vulnerability in older versions of its file transfer software. The flaw is fixed in builds released after July 1; attackers appear to have found it by reverse engineering the software.
- Impact: Over 1,000 unpatched instances have been identified globally, concentrated in the US and Europe. Most attacks began around July 18.
- Attack Techniques: Some attackers tamper with the version reported by compromised, outdated servers so they appear to be running a current build, which defeats version-based scans; confirm patch level from the installed build itself rather than the advertised version.
- Presumed Perpetrators: The attackers have not been identified, but suspicion falls on groups such as the Clop ransomware gang, which has a history of exploiting flaws in file transfer tools.
- CISA's Stance: The agency continues to monitor threats to file transfer products, stressing the need to secure file-sharing platforms used across government, corporate, and academic environments.
Notable Quote:
"This incident highlights ongoing threats to file sharing platforms, which are prime targets for stealing sensitive data from government, corporate and academic users."
— Dave Bittner [09:30]
4. UK Government Proposes Ban on Ransomware Payments
Timestamp: [10:01] – [14:00]
The UK government is advancing proposals to ban ransomware payments by public sector bodies, aiming to shield hospitals, businesses, and national infrastructure from extortion.
- Key Provisions:
  - Public Sector Ban: Public sector bodies such as the NHS and educational institutions would be prohibited from paying ransoms.
  - Private Sector Notifications: Private businesses intending to pay a ransom would have to notify the government first, so that payments to sanctioned entities can be blocked.
  - Mandatory Reporting: A new incident reporting regime is being developed to give law enforcement the intelligence it needs to disrupt ransomware networks.
- Rationale: The initiative aims to cut off the revenue that funds cybercrime, with Russian-based ransomware groups a particular target.
- Support and Reception: Roughly 75% of public consultation respondents support the ban. Organizations such as the British Library and the Co-op have publicly endorsed the measures, while stressing the basics that make refusing to pay survivable: offline backups and comprehensive recovery plans.
Notable Quote:
"These steps are part of the UK's broader plan for change to defend against evolving cyber threats."
— Dave Bittner [13:45]
5. Emergence of Global Group Ransomware as a Service
Timestamp: [14:01] – [17:00]
A new player has entered the ransomware landscape: Global Group, a rebrand with lineage in the older Mamona RIP and BlackLock operations.
- Innovative Approach: Global Group stands out for using an AI chatbot to handle victim negotiations. Operating from a Tor-based panel, the chatbot automates communication and applies psychological pressure, letting a small crew scale negotiations across time zones.
- Technical Capabilities: The ransomware is a Go-based payload with builds for Windows, Linux, macOS, and VMware ESXi, designed for fast, concurrent encryption.
- Operational Security: Analysts found poor operational security that links Global Group to Russian infrastructure previously used by Mamona. The group's builder lets affiliates customize payloads, which aids evasion and widens the affiliate base.
- Mitigation Strategies: Picus Security recommends a layered approach, including:
  - Monitoring Go-based processes
  - Restricting access to native utilities (living-off-the-land binaries)
  - Simulating attacks to validate controls
  - Enforcing least privilege policies
Notable Quote:
"Picus Security recommends multiple detection and mitigation strategies including monitoring Go-based processes, restricting access to native utilities, simulating attacks and enforcing least privilege policies."
— Dave Bittner [16:30]
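Picus's first recommendation, monitoring Go-based processes, can be implemented by looking for the build-info blob the Go linker embeds in every binary. The script below is an added example, not Picus Security's tooling: it classifies a file as Go-built from the `\xff Go buildinf:` magic (extracting the toolchain version from the Go 1.18+ inline layout, and falling back to the `Go build ID:` note for older layouts) and, on Linux, walks `/proc/<pid>/exe` to list running Go processes. The `make_sample_go_blob` helper constructs a minimal blob so the check runs offline; the function names and the `/proc` walk are this example's own choices.

```python
"""Flag running processes whose executable was built with Go.

Added example, not Picus Security's or any vendor's tooling. Go binaries
carry a build-info blob that starts with the 14-byte magic
b"\xff Go buildinf:", followed by a pointer-size byte and a flags byte.
Go 1.18+ (flags bit 0x2 set) stores the toolchain version inline right
after the 32-byte header as a varint-length-prefixed string. Older layouts
only expose the magic and the "Go build ID:" note, which is still enough
to classify the file.
"""
import os
import re
from typing import Optional

GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"
GO_BUILD_ID = re.compile(rb"Go build ID: \"[^\"]{1,200}\"")
FLAG_VERSION_INLINE = 0x2


def _read_uvarint(data: bytes, pos: int):
    """Decode a Go/protobuf-style unsigned varint at data[pos:]; return (value, next_pos)."""
    result, shift = 0, 0
    while pos < len(data):
        b = data[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if b < 0x80:
            return result, pos
        shift += 7
    raise ValueError("truncated varint")


def go_version(data: bytes) -> Optional[str]:
    """Return the Go toolchain version if data looks like a Go binary.

    Returns a descriptive placeholder when only older markers are present
    and None when the file shows no Go markers at all.
    """
    idx = data.find(GO_BUILDINFO_MAGIC)
    if idx == -1:
        return "go (build ID only)" if GO_BUILD_ID.search(data) else None
    header = data[idx:idx + 32]
    if len(header) < 32:
        return "go (truncated header)"
    flags = header[15]
    if flags & FLAG_VERSION_INLINE:
        try:
            length, pos = _read_uvarint(data, idx + 32)
            vers = data[pos:pos + length]
            if len(vers) == length and vers.startswith(b"go"):
                return vers.decode("ascii", "replace")
        except ValueError:
            pass
        return "go (unreadable version)"
    return "go (pre-1.18 layout)"


def scan_running_processes(proc_root: str = "/proc") -> dict:
    """Linux only: map pid -> Go version for each process whose /proc/<pid>/exe
    is a Go binary. Unreadable entries (permissions, kernel threads) are skipped."""
    found = {}
    if not os.path.isdir(proc_root):
        return found
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        exe = os.path.join(proc_root, pid, "exe")
        try:
            with open(exe, "rb") as f:
                data = f.read()
        except OSError:
            continue
        ver = go_version(data)
        if ver:
            found[int(pid)] = ver
    return found


def make_sample_go_blob(version: str = "go1.22.5") -> bytes:
    """Construct a minimal Go 1.18+ style build-info blob for offline testing
    (constructed sample, not a real binary)."""
    header = GO_BUILDINFO_MAGIC + bytes([8, FLAG_VERSION_INLINE]) + b"\x00" * 16
    v = version.encode()
    return b"\x7fELF-ish-padding" + header + bytes([len(v)]) + v + b"\x00"


if __name__ == "__main__":
    print(go_version(make_sample_go_blob()))
    for pid, ver in sorted(scan_running_processes().items()):
        print(f"pid {pid}: {ver}")
```

Treat a hit as a triage signal, not a verdict: plenty of legitimate software is written in Go, so the useful follow-up is to compare the list against an inventory of expected Go binaries and investigate the remainder.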
6. Australia's ASIC Takes Legal Action Against Fortnum Private Wealth
Timestamp: [17:01] – [20:00]
Australia's financial regulator, ASIC (Australian Securities and Investments Commission), has initiated legal action against Fortnum Private Wealth. The firm is accused of negligence in managing cybersecurity risks, which resulted in significant exposure of client data.
- Allegations:
  - Inadequate Cybersecurity Policies: The firm adopted a cybersecurity policy in 2021, but ASIC alleges it was insufficient.
  - Insufficient Training and Oversight: The firm allegedly failed to provide adequate training and oversight for its authorized representatives.
  - Data Breach Impact: Over 200 gigabytes of sensitive data belonging to nearly 10,000 clients were leaked and later found on the dark web.
- Fortnum's Response: The company denies the allegations but has declined further comment because court proceedings are ongoing.
Notable Quote:
"Fortnum denies the allegations but declined further comment due to ongoing court proceedings."
— Dave Bittner [19:30]
7. WordPress Attack Exploiting Google Tag Manager
Timestamp: [20:01] – [23:00]
Researchers at Sucuri have identified a sophisticated WordPress attack that leverages Google Tag Manager (GTM) to redirect site visitors to malicious spam pages without altering the site's themes or plugin files.
- Attack Mechanism:
  - Malicious Script Injection: Attackers inject the malicious script into the WordPress database (post and option content) rather than into files on disk, so file-integrity checks of themes and plugins come back clean.
  - GTM Container Usage: The injected snippet loads a GTM container controlled by the attacker; tags in that container perform the redirect after a five-second delay.
  - Admin Account Compromise: The GTM tag was most likely placed through a compromised WordPress admin account.
- Scope and Impact: Over 200 websites were compromised. Because the redirect logic lives in the attacker's GTM container, they can change the payload from their own GTM account without touching the victim site again. The redirects damage search rankings and reputation and expose visitors to spam and malicious pages.
- Defense Recommendations: Sucuri advises website administrators to:
  - Inspect pages and database content for GTM containers they did not install
  - Secure admin accounts with two-factor authentication (2FA)
  - Keep all plugins updated
Notable Quote:
"GTM's trusted status makes such attacks hard to detect."
— Dave Bittner [22:45]
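Sucuri's first recommendation, inspecting for GTM tags you did not install, is most effective against the database, since that is where this campaign puts its loader. The Python below is an added example, not Sucuri's scanner: it reads the text columns of `wp_posts` and `wp_options` (here from a constructed in-memory SQLite stand-in for a real dump), extracts every `GTM-` container ID or `gtm.js` loader, and flags any container not on the site's allowlist. Table and column names follow WordPress defaults; the sample rows and the allowlisted ID are constructed for the example.

```python
"""Hunt for Google Tag Manager loaders that a site owner never installed.

Added example, not Sucuri's scanner. It walks rows from a WordPress database
export (here a constructed in-memory SQLite copy of wp_posts and wp_options)
and reports every GTM container ID or gtm.js loader, flagging any container
not on the site's own allowlist. Themes and plugins on disk are not inspected,
because the attack described above never touches them.
"""
import re
import sqlite3
from typing import Iterable

GTM_ID = re.compile(r"\bGTM-[A-Z0-9]{4,10}\b")
GTM_LOADER = re.compile(r"googletagmanager\.com/gtm\.js", re.IGNORECASE)


def find_gtm_references(rows: Iterable[tuple], allowlist: set) -> list:
    """rows: (table, row_id, text). Return one dict per row that references GTM,
    with suspicious=True when a container ID is unknown or a loader carries no ID."""
    hits = []
    for table, row_id, text in rows:
        if text is None:
            continue
        loader = GTM_LOADER.search(text) is not None
        ids = set(GTM_ID.findall(text))
        if not loader and not ids:
            continue
        unknown = ids - allowlist
        hits.append({
            "table": table,
            "row_id": row_id,
            "container_ids": sorted(ids),
            "loader_present": loader,
            # a loader with no literal ID is also worth a look: the ID may be built at runtime
            "suspicious": bool(unknown) or (loader and not ids),
        })
    return hits


def load_rows(conn: sqlite3.Connection) -> list:
    """Pull the text columns where injected markup usually lands."""
    rows = [("wp_posts", pid, content)
            for pid, content in conn.execute("SELECT ID, post_content FROM wp_posts")]
    rows += [("wp_options", name, value)
             for name, value in conn.execute("SELECT option_name, option_value FROM wp_options")]
    return rows


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a real wp_ database dump."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER, post_content TEXT)")
    conn.execute("CREATE TABLE wp_options (option_name TEXT, option_value TEXT)")
    legit = ('<script>(function(w,d,s,l,i){...})(window,document,"script",'
             '"dataLayer","GTM-ABCD123");</script>')          # the site's own container
    injected = ('<p>Welcome</p><script src="https://www.googletagmanager.com/gtm.js'
                '?id=GTM-ZZ9X7Q2"></script>')                 # constructed attacker loader
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?)",
                     [(1, "<p>Plain post</p>"), (2, injected)])
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)",
                     [("siteurl", "https://example.invalid"),
                      ("theme_mods_header_scripts", legit)])
    return conn


def audit(conn: sqlite3.Connection, allowlist: set) -> list:
    """Return only the suspicious GTM references."""
    return [h for h in find_gtm_references(load_rows(conn), allowlist) if h["suspicious"]]


if __name__ == "__main__":
    for hit in audit(build_sample_db(), {"GTM-ABCD123"}):
        print(f"{hit['table']} row {hit['row_id']}: {hit['container_ids']}")
```

Against a real site, point `load_rows` at a dump of the live database (including `wp_postmeta` if custom fields are used for scripts) and keep the allowlist to the container IDs the marketing team can vouch for; an unknown ID is the attacker's own GTM account and should be treated as a compromise indicator, not a misconfiguration.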
8. Arizona Election Portal Cyber Attack and CISA Criticism
Timestamp: [23:01] – [25:00]
Arizona election officials disclosed a cyber attack on a state portal where candidate profiles were defaced with images of the late Ayatollah Khomeini. The breach, identified on June 23, exploited a legacy system to upload malicious images containing PowerShell scripts.
- Response and Containment: The intrusion was contained quickly, but officials criticized the Cybersecurity and Infrastructure Security Agency (CISA) for a lack of support.
- Allegations Against CISA:
  - Broken Federal Coordination: Restructuring and budget cuts under the Trump administration have allegedly diminished CISA's effectiveness.
  - Politicization Concerns: Arizona Secretary of State Adrian Fontes accused CISA of becoming politicized, endangering national election security.
- Impact on Cyber Defense: Experts warn that a diminished CISA could fragment national cyber defenses and erode trust between state and federal agencies.
Notable Quote:
"Arizona's chief information security officer said key systems remained unaffected, but emphasized that CISA's former collaborative role has eroded."
— Dave Bittner [24:30]
9. Arrest in Hungary for DDoS Attacks on Independent Media
Timestamp: [25:01] – [28:00]
Hungarian authorities have arrested a 23-year-old man from Budapest, identified by the alias Hano, for orchestrating Distributed Denial of Service (DDoS) attacks against independent media outlets both within Hungary and internationally.
- Details of the Case:
  - Targets: Sites including MediaOne, Telex, and the Vienna-based International Press Institute were among the platforms disrupted.
  - Method: The suspect allegedly used DDoS-for-hire services to carry out the attacks.
  - Evidence: Electronic evidence was seized from the suspect's residence; formal charges are pending while the investigation continues.
- Motivations and Implications: The targeted outlets are predominantly critical of Hungary's government, which points to a political motive. The case underscores the growing cyber threat to independent journalism, paralleling attacks seen in Russia and Ukraine.
Notable Quote:
"Investigators are probing the motive and whether any external coordination or funding was involved."
— Dave Bittner [27:45]
10. Threat Vector Segment: Cybersecurity Collaboration Discussion
Timestamp: [28:01] onward
In the Threat Vector segment, guest host Michael Sikorski talks with Michael Daniel of the Cyber Threat Alliance (CTA) about the state of cybersecurity collaboration.
- Key Topics Discussed:
  - Early Signs of Effective Collaboration: Daniel recounts the CTA's role during the WannaCry incident, when member organizations jointly debunked the widely assumed email vector and pushed the investigation toward other initial access routes.
  - CTA's Distinct Role: Unlike Information Sharing and Analysis Centers (ISACs), which are organized around industry verticals, the CTA is built around cybersecurity providers that serve many sectors. That positioning enables large-scale technical data sharing among security vendors, strengthening collective defense.
  - Government Collaboration Challenges: Daniel argues that the federal government struggles to collaborate selectively with private sector entities according to what each can actually contribute, and that it needs to respect private companies' operational constraints.
  - Improving US Government's Cyber Partnerships: Daniel suggests the federal government adopt a more nuanced partnership model that allows selective collaboration with the private sector entities best placed to contribute, rather than the current expectation of equal collaboration with every private entity regardless of capability.
- Notable Quotes:
"It really prompted everyone to go look in a different direction. And that was one of the first times that I realized that this model could actually work."
— Michael Daniel [15:03]
"We are not focused on a particular industry vertical, which a lot of ISACs are."
— Michael Daniel [16:25]
"The government needs to have a better ability to say, look, I'm going to collaborate with this set of entities... for this reason. And no, we're not going to have to let everybody and their cousin into this collaboration because they don't bring enough to the table."
— Michael Daniel [20:01]
Conclusion
This episode of CyberWire Daily provides a comprehensive overview of the current cybersecurity landscape, highlighting both the evolving threats and the strategic responses from governments and organizations worldwide. From sophisticated zero-day exploits and ransomware innovations to critical discussions on enhancing cybersecurity collaborations, the episode underscores the dynamic and multifaceted nature of cybersecurity in 2025.
For those keen on understanding the intricacies of modern cyber threats and the collaborative efforts required to mitigate them, this episode serves as an invaluable resource.
Note: This summary excludes promotional content, advertisements, and non-essential segments to focus solely on the core discussions and insights presented in the episode.
