Risky Bulletin Summary: Three Chinese APTs Behind SharePoint Zero-Day Attacks
Podcast Information:
- Title: Risky Bulletin
- Host: Claire Aird
- Author/Team: risky.biz
- Description: Regular cybersecurity news updates from the Risky Business team.
- Episode: Risky Bulletin: Three Chinese APTs are behind the SharePoint zero-day attacks
- Release Date: July 22, 2025
Introduction
In this episode of Risky Bulletin, host Claire Aird delivers a comprehensive update on recent cybersecurity threats and developments. Covering a range of topics from zero-day vulnerabilities to legislative proposals, the bulletin provides insights into the evolving landscape of cyber threats and defenses.
Chinese APTs Exploiting SharePoint Zero-Day
At the outset, Claire highlights a significant threat involving three Chinese Advanced Persistent Threat (APT) groups exploiting a recently disclosed zero-day vulnerability in Microsoft SharePoint.
“At least three Chinese-linked APT groups are exploiting a recently disclosed zero-day in Microsoft SharePoint,” Claire Aird states. [00:04]
These groups have been deploying web shells to infiltrate systems, resulting in the breach of hundreds of systems over a weekend until Microsoft released a patch on Monday. Notably, according to the Washington Post, some compromised services belong to U.S. federal and state agencies, underscoring the severity of the threat.
Exploitation of Patched Cisco Vulnerabilities
Claire continues by addressing the ongoing exploitation of vulnerabilities in Cisco’s Identity Services Engine (ISE) network access control system.
“Threat actors are exploiting recently patched vulnerabilities to take over Cisco devices,” she explains. [00:04]
Despite Cisco issuing patches in late June, attackers have found ways to bypass authentication and execute malicious commands with root privileges, highlighting the persistent challenges in securing network infrastructure.
UK’s Proposed Ban on Ransom Payments
Transitioning to legislative measures, Claire discusses the UK's proposed law aimed at curbing ransomware activities.
“A proposed UK law seeks to ban public sector bodies and critical infrastructure operators from paying ransomware gangs,” Claire informs listeners. [00:04]
Under this proposal, private businesses would also need government approval before making ransom payments, and all organizations would be required to report ransomware incidents. The initiative aims to aid law enforcement in tracking and disrupting cybercriminals, thereby reducing the financial incentives for such attacks.
Russia’s Takedown of Malware Operation
Shifting focus to Russia, Claire reports on the removal of over 100 domains by Russia's national domain registrar, targeting a malware-as-a-service operation known as Naiash Team.
“The group has offered custom-made malware and hosting to Russian-speaking cybercriminals since 2022,” she notes. [00:04]
The crackdown was initiated after the service was used to target Russian citizens, marking a significant step in combating domestic cyber threats.
South Korean Charges Over Celebrity Data Sales
In South Korea, legal actions have been taken against airline employees accused of selling sensitive flight passenger data.
“Three suspects have been charged in South Korea for allegedly selling the data of local celebrities,” Claire reports. [00:04]
These employees helped fans book the same flights as famous K-pop bands such as BTS; arrests were made earlier this year and investigations are ongoing.
Dell Technologies Breach and Extortion Attempt
A notable breach at Dell Technologies is also covered, where hackers attempted to extort the company by compromising a product demonstration platform.
“Dell has confirmed the breach but said the stolen information was dummy data used for demos,” Claire explains. [00:04]
Despite the breach, Dell assures that no sensitive real data was affected. However, the incident underscores the importance of securing all aspects of digital infrastructure, including demonstration environments.
World Leaks Group and Dark Web Listings
Claire highlights the activities of the World Leaks Group, a rebranded version of the Hunters International ransomware group.
“The World Leaks Group has listed the data on its dark web leak site,” she states. [00:04]
Since its rebranding, the group has been offering stolen data and hosting services to cybercriminals, posing ongoing threats to data security.
Hungarian Arrest for DDoS Attacks on News Outlets
In Hungary, authorities have apprehended a 23-year-old man from Budapest accused of launching Distributed Denial of Service (DDoS) attacks against independent news outlets.
“A Hungarian man accused of launching DDoS attacks against local independent news outlets has been arrested,” Claire reports. [00:04]
The suspect, known online as Hano, targeted six Hungarian news sites and Vienna's International Press Institute, reflecting the politicization of cyberattacks against media organizations.
iOS Spyware Targeting Iranians
Claire also sheds light on spyware activity targeting Iranian nationals ahead of Israeli attacks this year.
“More than a dozen Iranians were targeted with iOS spyware ahead of Israeli attacks this year,” she informs. [00:04]
Apple has notified victims in two rounds, but details about the specific spyware used remain undisclosed.
Data Breaches in Various Sectors
Several other significant breaches are mentioned:
- US Drug and Alcohol Testing Organization: Personal data of 750,000 individuals was stolen in a breach that occurred last July. The organization is now informing affected users.
- European Healthcare Provider Amio: A major security breach led to the disconnection of all IT systems to investigate the incident. Amio operates over 100 hospitals and clinics across Central Europe.
- Fitness App Fitify: Nearly 140,000 user photos intended for fitness tracking leaked from Google Cloud storage, along with hard-coded secrets for Fitify's infrastructure.
Legal and Security Updates
Additional updates include:
- FTC Petition by Former CEO: Scott Zuckerman, the ex-CEO of Support King, is petitioning the FTC to overturn a ban from the surveillance business imposed after past app leaks compromised user data.
- ExpressVPN Bug Fix: A bug in ExpressVPN’s Windows client that accidentally sent Remote Desktop Protocol (RDP) traffic outside the VPN tunnel has been patched. The company says the likelihood of exploitation is extremely low.
- Coyote Banking Trojan: The first malware strain abusing the Microsoft UI Automation framework, the Coyote Banking Trojan, has been detected. It interacts with browsers to extract credentials for banks and cryptocurrency exchanges. Claire notes that the abuse technique described in Akamai's December blog post was adopted by the malware within months.
Conclusion
Claire Aird concludes the bulletin by summarizing the diverse range of cybersecurity threats and responses discussed. From sophisticated APT attacks and legislative measures to individual breaches across various sectors, the episode underscores the dynamic and multifaceted nature of cybersecurity challenges in 2025.
Note: This summary excludes advertisements, intros, outros, and non-content sections to focus solely on the informative aspects of the podcast episode.
