
Claire Aird
Three Chinese APTs are behind the recent SharePoint zero-day attacks, the UK wants to ban the public sector from paying ransoms, Russia takes down a malware operation, and South Korea charges airline employees over selling celebrity data. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 23rd of July and this podcast episode is brought to you by Thinkst, makers of the much loved Thinkst Canary.

At least three Chinese-linked APT groups are exploiting a recently disclosed zero-day in Microsoft SharePoint. The groups are using the zero-day to deploy web shells. Hundreds of systems were breached on the weekend before the company released a patch on Monday. According to the Washington Post, some hacked servers belonged to U.S. federal and state agencies.

Threat actors are exploiting recently patched vulnerabilities to take over Cisco devices. The vulnerabilities impact Cisco's ISE network access control system. They allow attackers to bypass authentication and run malicious commands as root. Cisco released patches in late June.

A proposed UK law seeks to ban public sector bodies and critical infrastructure operators from paying ransomware gangs. Private businesses would also have to check with the government before paying ransoms. All organisations would be required to report any ransomware incidents. The new proposal is designed to help law enforcement track and disrupt attackers and reduce funding for Russian cybercriminals.

Russia's national domain registrar has removed more than 100 domains used by a malware operation. The operation targeted the NyashTeam malware-as-a-service. The group has offered custom-made malware and hosting to Russian-speaking cybercriminals since 2022. Officials took down the domains after the service was used to target Russian citizens.

Three suspects have been charged in South Korea for allegedly selling the data of local celebrities. All three were employed by foreign airlines and sold flight passenger data. Fans purchased the information to book the same flights as famous K-pop bands like BTS. One suspect was arrested in February and two others in March.

Dell Technologies has been breached and hackers are attempting to extort the company. The breach occurred earlier this month and impacted one of Dell's product demonstration platforms. Dell has confirmed the breach but said the stolen information was dummy data used for demos. The World Leaks group has listed the data on its dark web leak site. The group is a rebrand of the Hunters International ransomware group.

Hungarian authorities have arrested a man accused of launching DDoS attacks against local independent news outlets. The suspect is a 23-year-old man from Budapest who used the online handle Hano. He allegedly launched attacks against six Hungarian news sites and Vienna's International Press Institute.

More than a dozen Iranians were targeted with iOS spyware ahead of Israeli attacks this year, according to Bloomberg. Apple sent two rounds of notifications to victims. It's unclear which spyware was used.

A US drug and alcohol testing organisation has been hacked. The alcohol and drug testing service says hackers stole the personal data of 750,000 individuals. The breach took place last July, but the organisation is now notifying affected users.

A major European healthcare provider has disclosed a security breach. Ameos disconnected all IT systems to investigate the incident. The company is based in Switzerland and runs over 100 hospitals and clinics across Central Europe.

Almost 140,000 user photos have leaked from the fitness app Fitify. The photos were intended to track fitness progress, so users often uploaded images with minimal clothing. The photos leaked from the app's Google Cloud storage. The server also stored hard-coded secrets for Fitify's infrastructure.

A former stalkerware CEO has petitioned the FTC to vacate an order banning him from the surveillance business. In 2021, the FTC banned Scott Zuckerman and his companies from operating in the industry. At the time, he was the CEO of Support King, the company behind the SpyFone mobile monitoring app. The FTC sued Zuckerman after the app leaked the personal information of thousands of customers and victims. The agency is now taking public submissions on Zuckerman's petition.

ExpressVPN has patched a bug in its Windows client that was sending RDP traffic outside the VPN. Debug code that misrouted traffic on port 3389 was inadvertently included in the production release. ExpressVPN says the likelihood of real-world exploitation is extremely low.

And finally, the first malware strain abusing the Microsoft UI Automation framework has been spotted in the wild. The Coyote banking trojan uses it to interact with a victim's browser and extract credentials for banks and cryptocurrency exchanges. Akamai blogged about the technique in December and the malware implemented it soon after.

And that's all for this podcast edition. Today's show was brought to you by our sponsor Thinkst, the makers of the much loved Thinkst Canary. Find them at canary.tools. Thanks for your company.
Podcast Information:
In this episode of Risky Bulletin, host Claire Aird delivers a comprehensive update on recent cybersecurity threats and developments. Covering a range of topics from zero-day vulnerabilities to legislative proposals, the bulletin provides insights into the evolving landscape of cyber threats and defenses.
At the outset, Claire highlights a significant threat involving three Chinese Advanced Persistent Threat (APT) groups exploiting a recently disclosed zero-day vulnerability in Microsoft SharePoint.
“At least three Chinese linked APT groups are exploiting a recently disclosed zero day in Microsoft SharePoint,” Claire Aird states. [00:04]
These groups have been deploying web shells to gain access to systems, and hundreds of systems were breached over the weekend before Microsoft released a patch on Monday. Notably, according to the Washington Post, some of the compromised servers belonged to U.S. federal and state agencies, underscoring the severity of the threat.
Claire continues by addressing the ongoing exploitation of vulnerabilities in Cisco’s Identity Services Engine (ISE) network access control system.
“Threat actors are exploiting recently patched vulnerabilities to take over Cisco devices,” she explains. [00:04]
Although Cisco issued patches in late June, attackers are exploiting the flaws on unpatched devices to bypass authentication and execute commands as root, highlighting the persistent challenges in securing network infrastructure.
Transitioning to legislative measures, Claire discusses the UK's proposed law aimed at curbing ransomware activities.
“A proposed UK law seeks to ban public sector bodies and critical infrastructure operators from paying ransomware gangs,” Claire informs listeners. [00:04]
Under this proposal, private businesses would also need government approval before making ransom payments, and all organizations would be required to report ransomware incidents. The initiative aims to aid law enforcement in tracking and disrupting cybercriminals, thereby reducing the financial incentives for such attacks.
Shifting focus to Russia, Claire reports on the removal of over 100 domains by Russia's national domain registrar, targeting a malware operation known as the NyashTeam malware-as-a-service.
“The group has offered custom made malware and hosting to Russian speaking cybercriminals since 2022,” she notes. [00:04]
The crackdown was initiated after the service was used to target Russian citizens, marking a significant step in combating domestic cyber threats.
In South Korea, legal actions have been taken against airline employees accused of selling sensitive flight passenger data.
“Three suspects have been charged in South Korea for allegedly selling the data of local celebrities,” Claire reports. [00:04]
These employees sold flight passenger data to fans who wanted to book the same flights as famous K-pop bands like BTS; one suspect was arrested in February and two others in March.
A notable breach at Dell Technologies is also covered, where hackers attempted to extort the company by compromising a product demonstration platform.
“Dell has confirmed the breach but said the stolen information was dummy data used for demos,” Claire explains. [00:04]
Despite the breach, Dell assures that no sensitive real data was affected. However, the incident underscores the importance of securing all aspects of digital infrastructure, including demonstration environments.
Claire highlights the activities of the World Leaks Group, a rebranded version of the Hunters International ransomware group.
“The World Leaks Group has listed the data on its Dark Web Leaks site,” she states. [00:04]
The rebranded group is the one attempting to extort Dell over the data taken from the demonstration platform.
In Hungary, authorities have apprehended a 23-year-old man from Budapest accused of launching Distributed Denial of Service (DDoS) attacks against independent news outlets.
“A Hungarian man accused of launching DDoS attacks against local independent news outlets has been arrested,” Claire reports. [00:04]
The suspect, known online as Hano, targeted six Hungarian news sites and Vienna's International Press Institute, reflecting the politicization of cyberattacks against media organizations.
Claire also sheds light on spyware activity targeting Iranian nationals ahead of the Israeli attacks this year, as reported by Bloomberg.
“More than a dozen Iranians were targeted with iOS spyware ahead of Israeli attacks this year,” she informs. [00:04]
Apple has notified victims in two rounds, but details about the specific spyware used remain undisclosed.
Several other significant breaches are mentioned:
US Drug and Alcohol Testing Organization: Personal data of 750,000 individuals was stolen in a breach that occurred last July. The organization is now informing affected users.
European Healthcare Provider Ameos: A major security breach led to the disconnection of all IT systems to investigate the incident. The Switzerland-based Ameos operates over 100 hospitals and clinics across Central Europe.
Fitness App Fitify: Nearly 140,000 user photos intended for fitness progress tracking leaked from the app's Google Cloud storage, which also held hard-coded secrets for Fitify's infrastructure.
Additional updates include:
FTC Petition by Former CEO: Scott Zuckerman, the ex-CEO of Support King, is petitioning the FTC to overturn a ban from the surveillance business due to past app leaks compromising user data.
ExpressVPN Bug Fix: A bug in ExpressVPN’s Windows client that accidentally sent Remote Desktop Protocol (RDP) traffic outside the VPN has been patched. The company assures that exploitation likelihood is extremely low.
Coyote Banking Trojan: The first malware strain abusing the Microsoft UI Automation framework, the Coyote banking trojan, has been detected in the wild. It uses the framework to interact with the victim's browser and extract credentials for banks and cryptocurrency exchanges. Claire notes that Akamai blogged about the technique in December and the malware implemented it soon after.
Claire Aird concludes the bulletin by summarizing the diverse range of cybersecurity threats and responses discussed. From sophisticated APT attacks and legislative measures to individual breaches across various sectors, the episode underscores the dynamic and multifaceted nature of cybersecurity challenges in 2025.