Catalin Cimpanu
Microsoft investigates a MAPP leak as the source of the SharePoint zero-day, US law enforcement takes down the BlackSuit ransomware portal, an Arizona woman is imprisoned for running a North Korean laptop farm, and Allianz Life insurance suffers a security breach. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 28th of July, and this podcast episode is brought to you by vulnerability management and analysis platform Nucleus Security. In today's top story, a widely exploited SharePoint zero-day may have leaked from Microsoft's Active Protections Program. The platform provides advance warnings to security vendors about upcoming patches. According to Bloomberg, Microsoft is investigating whether a Chinese security firm leaked details ahead of the patch. In other news, a French military shipbuilder is investigating a cybersecurity breach. Naval Group has alerted authorities after a hacker claimed to have stolen one terabyte of data from its servers. The hacker said the data was taken from a CMS linked to submarine and frigate production. Naval Group is a state-owned shipmaker founded in the 1600s. Hackers from Ukraine's military intelligence agency have breached Russia's government in Crimea. The GUR said it compromised document management and accounting systems. The agency says it collected more than 100 terabytes of data before wiping servers on Friday. Hackers have breached US insurance company Allianz Life. The hackers allegedly used a social engineering attack to access the insurer's CRM platform. In mid-July, the company confirmed that the personal details of most of its 1.4 million customers were stolen. A Chilean private university has been attacked by a ransomware group. Universidad Mayor in Santiago is resetting passwords and enforcing 2FA for all students and staff. The school said the incident last week did not impact teaching. The DireWolf ransomware group has taken credit for the attack.
The university has almost 19,000 enrolled students. Hackers have stolen and leaked user data from the Tea app. The app allows women to anonymously post about men they're dating and perform background checks and reverse image searches. The data was allegedly stolen from an internet-exposed backup system. It's since been leaked on 4chan. Details of more than 72,000 users were leaked, including 13,000 selfies and ID photos. A hacker has stolen $14 million worth of assets from cryptocurrency exchange platform WOO X. The company temporarily paused transactions to limit the hack's reach. The exchange said nine customer accounts were affected, and it remains unclear how the breach happened. An Indian cyber espionage group is believed to be targeting Turkish defence contractors. The Dropping Elephant group is targeting manufacturers of precision-guided missile systems. Security firm Arctic Wolf said the attacks began after Turkey increased its military cooperation with Pakistan in June. Law enforcement agencies have seized the BlackSuit ransomware infrastructure. The group's been active since 2023 and has ransomed more than 100 organisations. It was formed by members of the old Royal ransomware group. The U.S. Treasury Department has imposed new sanctions on North Korean IT workers. Three individuals and a private company have been sanctioned. The company allegedly operates as a front for North Korea's munitions industry. Wages gathered by North Korean IT workers are funneled through the company to the country's nuclear and ballistic missile programs. A 50-year-old Arizona woman has been sentenced to 8 and a half years in prison for operating a laptop farm. Christina Marie Chapman hosted laptops that helped North Korean IT workers appear to be based in the US. The workers secured jobs at more than 300 US companies. They generated more than $17 million in revenue for North Korea.
According to Bloomberg, Chapman once posted a TikTok about a smoothie bowl which inadvertently showed numerous active laptops in the background. A 21-year-old UK student has been sentenced to 7 years in prison for creating and selling phishing kits. Ollie Holman created more than 1,000 phishing kits that targeted organisations globally. He made more than £300,000 from selling the kits between 2021 and his arrest in 2023. He was arrested a second time in 2024 after he continued to provide support to customers. And finally, security firm Expel has retracted a claim that it saw an attacker bypass FIDO authentication. In a blog post earlier this month, the company said the attack leveraged a cross-device authentication flow. It's now said it misinterpreted the logs of the attack. And that is all for this podcast edition. Today's show was brought to you by our sponsor Nucleus Security. Find them at nucleusec.com. Thanks for your company.
Host: Claire Aird
Prepared by: Catalin Cimpanu
Release Date: July 27, 2025
The latest episode of Risky Bulletin, hosted by Claire Aird and prepared by Catalin Cimpanu, covers significant cybersecurity incidents affecting global entities. This episode, titled "Microsoft Investigates MAPP Leak", spans topics from zero-day vulnerabilities to ransomware attacks, giving listeners an overview of the current cybersecurity landscape.
Timestamp: [00:04]
The episode kicks off with Microsoft investigating a potential leak related to a widely exploited SharePoint zero-day vulnerability. This security flaw may have originated from Microsoft's Active Protections Program (MAPP), which is designed to provide early warnings to security vendors about forthcoming patches.
"A widely exploited SharePoint zero-day may have leaked from Microsoft's Active Protections Program." [00:04]
According to Bloomberg, there's an ongoing investigation to determine if a Chinese security firm was responsible for leaking these details ahead of the official patch release. This incident underscores the persistent challenges Microsoft faces in safeguarding its protection mechanisms against sophisticated threats.
Timestamp: [02:15]
A French military shipbuilder, Naval Group, has reported a significant cybersecurity breach, alerting authorities after a hacker claimed to have stolen one terabyte of data. The compromised information pertains to submarine and frigate production, indicating a targeted attack with potential national security implications.
"The hacker said the data was taken from a CMS linked to submarine and frigate production." [02:45]
Naval Group, a state-owned entity with a history dating back to the 1600s, is now grappling with the ramifications of this breach, which could affect both their operational integrity and confidential military projects.
Timestamp: [05:30]
In a geopolitical twist, hackers affiliated with Ukraine's military intelligence agency have successfully breached Russia's government systems in Crimea. The GUR (Military Intelligence Directorate) announced that their operations compromised document management and accounting systems.
"The agency says it collected more than 100 terabytes of data before wiping servers on Friday." [05:30]
This cyber offensive not only showcases the escalating cyber warfare tactics between nations but also highlights the vulnerability of critical governmental infrastructures to state-sponsored cyberattacks.
Timestamp: [08:20]
The US insurer Allianz Life has fallen victim to a data breach facilitated by a social engineering attack targeting its Customer Relationship Management (CRM) platform. In mid-July the company confirmed that the personal details of most of its 1.4 million customers were compromised.
"The personal details of most of its 1.4 million customers were stolen." [08:20]
This incident emphasizes the persistent threat of social engineering in bypassing traditional security measures, urging organizations to bolster their defense mechanisms against such intrusive tactics.
Timestamp: [12:00]
A Chilean private university, Universidad Mayor in Santiago, has been targeted by the DireWolf ransomware group. In response, the institution is resetting passwords and enforcing two-factor authentication (2FA) for all students and staff.
"The DireWolf ransomware group has taken credit for the attack." [12:45]
Despite the breach, the university assured that teaching operations remained unaffected, minimizing the immediate impact on academic activities. With nearly 19,000 enrolled students, this attack underscores the vulnerability of educational institutions to ransomware threats.
Timestamp: [15:10]
Hackers have compromised the Tea app, an app that allows women to anonymously discuss their dating experiences and perform background checks and reverse image searches. The data was stolen from an internet-exposed backup system and subsequently leaked on 4chan.
"Details of more than 72,000 users were leaked, including 13,000 selfies and ID photos." [15:10]
This breach highlights the critical importance of securing backup systems and the potential consequences of their exposure to public platforms.
Timestamp: [18:35]
The cryptocurrency exchange platform WOO X has suffered a significant hack resulting in the theft of $14 million worth of assets. To contain the breach, the company temporarily paused transactions.
"The exchange said nine customer accounts were affected and it remains unclear how the breach happened." [18:35]
This incident reflects the ongoing security challenges within the cryptocurrency sector, particularly concerning the protection of digital assets against sophisticated cyber threats.
Timestamp: [21:50]
An Indian cyber espionage group, Dropping Elephant, is targeting Turkish defense contractors, specifically manufacturers of precision-guided missile systems. The attacks reportedly began after Turkey increased its military cooperation with Pakistan in June.
"Security firm Arctic Wolf said the attacks began after Turkey increased its military cooperation with Pakistan in June." [21:50]
This targeting indicates a strategic move to undermine Turkey's defense capabilities, showcasing the intersection of cyber operations and international military alliances.
Timestamp: [24:25]
Law enforcement agencies have seized the infrastructure of the BlackSuit ransomware group, which has been active since 2023. The group, formed by former members of the Royal ransomware group, has ransomed more than 100 organizations to date.
"It was formed by members of the old Royal ransomware group." [24:25]
This operation marks a significant victory for law enforcement in combating organized ransomware activities and disrupting their operational networks.
Timestamp: [27:00]
The U.S. Department of the Treasury has imposed new sanctions targeting North Korean IT workers. The sanctions specifically affect three individuals and a private company believed to be facilitating North Korea's nuclear and ballistic missile programs through illicit financial channels.
"The company allegedly operates as a front for North Korea's munitions industry." [27:00]
These sanctions are part of broader efforts to curb North Korea's proliferation activities by targeting financial pathways supporting their advanced weaponry programs.
Timestamp: [29:20]
A 50-year-old woman from Arizona, Christina Marie Chapman, has been sentenced to 8 and a half years in prison for running a laptop farm that supported North Korean IT workers operating within the United States. The hosted laptops allowed the workers to appear as though they were based in the U.S.; they secured jobs at more than 300 US companies and generated more than $17 million in revenue for North Korea.
"Chapman once posted a TikTok about a smoothie bowl which inadvertently showed numerous active laptops in the background." [29:20]
This case highlights the lengths to which state actors may go to mask their cyber operations and the domestic repercussions faced by individuals unwittingly aiding such endeavors.
Timestamp: [31:45]
A 21-year-old UK student, Ollie Holman, has been sentenced to 7 years in prison for developing and selling phishing kits. Between 2021 and his arrest in 2023, Holman created more than 1,000 kits targeting organizations globally and made more than £300,000 from selling them. He was arrested a second time in 2024 for continuing to provide support to his customers.
"He was arrested a second time in 2024 after he continued to provide support to customers." [31:45]
Holman's actions demonstrate the lucrative nature of cybercrime and the severe legal consequences for individuals involved in facilitating such activities.
Timestamp: [34:10]
Security firm Expel has retracted its earlier claim of a FIDO authentication bypass. The company initially asserted that the attack leveraged a cross-device authentication flow, but on further review acknowledged that it had misinterpreted the attack logs.
"It's now said it misinterpreted the logs of the attack." [34:10]
This correction underscores the complexities involved in accurately diagnosing cybersecurity incidents and the importance of thorough analysis before public disclosures.
The Risky Bulletin episode delivered a comprehensive overview of recent cybersecurity events, emphasizing the dynamic and multifaceted nature of cyber threats. From state-sponsored attacks and ransomware operations to data breaches and regulatory actions, the episode highlights the critical need for robust security measures and vigilant monitoring in an increasingly digital world.
Sponsor:
This episode was brought to you by Nucleus Security, a leading vulnerability management and analysis platform. For more information, visit nucleusec.com.