Exploitation of Microsoft SharePoint Vulnerabilities
- Last Sunday, July 20, the Cybersecurity and Infrastructure Security Agency (CISA) added a known exploited vulnerability to its catalog
- CVE-2025-53770 Microsoft SharePoint Server Remote Code Execution Vulnerability
- CISA also created an alert on the new KEV, which the agency updated on Tuesday and Thursday.
- The Wall Street Journal reported on July 21,
- “Microsoft issued an alert about “active attacks” targeting its server software and urged customers to install new security updates that have been released.
- “Microsoft’s Security Response Center said in a blog post over the weekend that the attacks target on-premises SharePoint server customers and exploit vulnerabilities that were partially addressed by a July security update.
- “Organizations typically use Microsoft SharePoint to create intranet websites, store and organize information, and facilitate file-sharing among workers. Cloud-based SharePoint Online in Microsoft 365 isn’t affected, the company said.
- “By Monday, cybersecurity investigators said that the SharePoint attacks were widespread. At least one of the “multiple” hacking groups involved in the attacks was linked to China, according to Google’s Mandiant cybersecurity group.
- “Microsoft declined to comment beyond its blog post.
- “Hackers exploiting the SharePoint flaws then stole cryptographic keys that could be used to run commands on the affected server in the future, even if it had been patched, cybersecurity investigators said on Monday.”
- and added on July 24,
- Last year, Satya Nadella pledged to make security priority number one at Microsoft. A new hack involving China is showing just how difficult that can be.
- The attack involves several versions of Microsoft’s SharePoint software that serve as a document storage platform for customers who don’t want to use the cloud. Microsoft released patches for a pair of SharePoint bugs earlier this month, but the fixes were quickly bypassed, allowing China-linked hackers to break into hundreds of organizations, according to security researchers.
- Instead of protecting customers, the faulty patches may have served as a road map for hackers to hone their attacks, the researchers said.
- It’s the latest in a string of lapses by the technology giant that have benefited China’s vast and global cyber-espionage operations, a top U.S. national security threat. * * *
- “In the SharePoint attack * * * the issue began in May 2025, at a hacking contest in Berlin where the Vietnamese researcher [and pentester] Dinh Khoa (LinkedIn page) won $100,000 and a laptop.
- “This is a very hard target so we spent a lot of time digging into it,” Khoa said in an interview posted online after the contest.
- “To the applause of audience members, he showed how to break into a SharePoint system and was soon escorted into a private room where he explained the bugs to a representative from Microsoft and Dustin Childs, head of threat awareness with cybersecurity company Trend Micro’s Zero Day Initiative. Two months later, on July 8, Microsoft fixed the bugs. They were two of the 130 bugs that Microsoft fixed that month.” * * *
- “On Saturday [July 19], Microsoft took the unusual step of issuing two emergency patches, which contain “more robust protections” to the bugs that Khoa had found, the company said. SharePoint customers should also change the cryptographic keys used by their servers, a move that—when combined with the new patches—effectively closes the back door created by the attack, Microsoft said.”
- Cyberscoop noted on July 24,
- The fallout from an attack spree targeting defects in on-premises Microsoft SharePoint servers continues to spread nearly a week after zero-day exploits were discovered, setting off alarms across the globe. More than 400 organizations have been actively compromised across four waves of attacks, according to Eye Security.
- Multiple government agencies, including the Departments of Energy, Homeland Security and Health and Human Services, have been hit. The California Independent System Operator, which operates some of the state’s wholesale electric grid, was also impacted.
- As more victims confirm varying levels of compromise from the attack spree, researchers are learning and sharing more details about post-exploit activities. One of the China-based attackers behind the initial wave of attacks, Storm-2603, deployed Warlock ransomware starting July 18, Microsoft Threat Intelligence said Wednesday in an updated blog post.
- The Chinese government-affiliated threat groups Linen Typhoon and Violet Typhoon — which have been active for at least a decade — are also actively exploiting the zero-day vulnerabilities, Microsoft said. Linen Typhoon has focused on stealing intellectual property and Violet Typhoon is an espionage threat group. Storm is a moniker Microsoft uses for threat groups in development.
- NextGov/FCW discusses the impact of the SharePoint vulnerabilities on federal government agencies here (Homeland Security, among other agencies affected) and there (Defense Department not affected).
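The WSJ excerpt above notes that patching alone does not evict an attacker who already stole the server's cryptographic keys: the ASP.NET machine keys must also be rotated on every server in the farm. The following is an added example of that rotation step, not code from the original post, from Microsoft's advisory, or from any of the reporting quoted here. It assumes the July 2025 security updates are already installed, that it is run elevated on a SharePoint server, and that the SharePoint Server PowerShell snap-in with its `Update-SPMachineKey` cmdlet is available (SharePoint Server 2016, 2019, or Subscription Edition).

```powershell
# Added example (not from the page or from Microsoft's published guidance text).
# Rotates the ASP.NET machine keys (validation/decryption keys) for every
# SharePoint web application, which is the "change the cryptographic keys"
# step the excerpt describes. Run only AFTER the July 2025 updates are applied,
# otherwise the new keys can simply be stolen again.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# Include Central Administration so its keys are rotated as well.
$webApps = Get-SPWebApplication -IncludeCentralAdministration

foreach ($wa in $webApps) {
    Write-Host "Rotating machine key for $($wa.Url)"
    # Assumption: Update-SPMachineKey generates fresh keys for this web application;
    # the rotation is carried out asynchronously by a SharePoint timer job.
    Update-SPMachineKey -WebApplication $wa
}

# Confirm the rotation timer job has completed (Central Administration >
# Monitoring > Check job status) before restarting IIS. The new keys are only
# picked up by the worker processes after a restart, and this must be done on
# EVERY SharePoint server in the farm, not just the one where the cmdlet ran.
iisreset.exe
```

Verify afterwards that no server still serves the pre-rotation keys (for example by comparing the machineKey element in each web application's web.config across servers); a single unrotated server keeps the stolen keys valid for the whole farm.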
From the cybersecurity breaches and vulnerabilities front,
- Security Week informs us,
- “The Alcohol & Drug Testing Service (TADTS) is notifying roughly 750,000 people that their personal information was compromised in a July 2024 data breach.
- “TADTS is based in Texas and was until recently known as the Texas Alcohol and Drug Testing Service. It provides workplace and individual alcohol and drug testing services in Texas and other states.
- “The incident, TADTS says, was identified on July 9, 2024, and involved unauthorized access to and the theft of data maintained in its systems.
- “The investigation into the potentially compromised information, conducted with the assistance of a professional data mining team, was concluded only recently, and determined that personal information was included in the stolen data.” * * *
- “While TADTS did not share details on the type of cyberattack it fell victim to, the infamous BianLian ransomware group took credit for the intrusion on July 14, 2024, claiming the theft of roughly 218 gigabytes of data.
- “It is unclear whether the hackers released the stolen information publicly, as their Tor-based leak site is currently offline and the group has been quiet for months, with their last known victim announced on March 31.”
- and
- “Marketing software and services company Cierant Corporation and law firm Zumpano Patricios have independently disclosed data breaches, each impacting more than 200,000 individuals.
- “What the Cierant and Zumpano Patricios incidents have in common is that the number of impacted people was brought to light in recent days by the healthcare data breach tracker maintained by the US Department of Health and Human Services (HHS).
- “The Zumpano Patricios breach impacts nearly 280,000 individuals. The law firm, which has offices in several major US cities, is representing healthcare providers in disputes with health insurance companies over medical service payments to patients.
- “Zumpano Patricios is informing impacted individuals that it had detected an intrusion in its IT network on May 6, 2025, but could not determine the date and time of initial access.
- “An investigation revealed that the hackers accessed and possibly exfiltrated files containing information such as patient name, date of birth, Social Security number, provider name, health insurer information, dates of service, and amounts charged by the provider and payments they received.”
- Cybersecurity Dive tells us,
- “Hackers breached the Philadelphia Indemnity Insurance Company in June and stole customer data, the company said in a filing with the California Attorney General’s office.
- “An unauthorized party accessed customer data during an intrusion discovered between June 9 and June 10, according to the disclosure.
- “The company previously called the incident a network outage; however, it said there was no ransomware and no encryption. The company did report the incident to law enforcement and retained outside forensic experts to investigate.”
- In addition to the July 20 addition discussed above, CISA added six known exploited vulnerabilities to its catalog this week.
- July 22, 2025
- “CVE-2025-49704 Microsoft SharePoint Code Injection Vulnerability
- “CVE-2025-49706 Microsoft SharePoint Improper Authentication Vulnerability”
- Cybersecurity Dive explains,
- “The [SharePoint] intrusions are exploiting ToolShell, an attack sequence that combines remote code injection and network spoofing vulnerabilities tracked as CVE-2025-49704 and CVE-2025-49706.”
- Also July 22, 2025,
- CVE-2025-54309 CrushFTP Unprotected Alternate Channel Vulnerability
- Tenable discusses the CrushFTP vulnerability.
- CVE-2025-6558 Google Chromium ANGLE and GPU Improper Input Validation Vulnerability
- Cyber Security News discusses this KEV.
- CVE-2025-2776 SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability
- CVE-2025-2775 SysAid On-Prem Improper Restriction of XML External Entity Reference Vulnerability
- Security Week discusses the SysAid KEVs.
- Security Week notes,
- “SonicWall on Wednesday announced patches for a critical vulnerability in Secure Mobile Access (SMA) 100 series secure access gateways, urging organizations to take immediate action in the wake of the recently disclosed Overstep malware attacks.
- “The newly addressed flaw, tracked as CVE-2025-40599 (CVSS score of 9.1), is described as an arbitrary file upload issue in the SMA 100’s web management interface.
- “The bug can be exploited by remote attackers to upload arbitrary files to the system, which could lead to remote code execution (RCE). The attackers need administrative privileges to exploit the security defect, SonicWall’s advisory reads.”
- and
- “The Lumma Stealer has returned after Microsoft and law enforcement caused significant disruption to its infrastructure, Trend Micro reported on Tuesday.” * * *
- “The ability of Lumma Stealer’s operators to regroup and innovate poses a continued risk to organizations and individuals worldwide,” Trend Micro said. “This emphasizes the need for ongoing vigilance, proactive threat intelligence, and sustained collaboration between law enforcement and the cybersecurity community. Without this, even the most significant takedowns might only offer temporary relief from evolving cyber threats.”
- Per Dark Reading,
- “A suspected Chinese nation-state threat group is conducting an extensive cyberespionage campaign that takes advantage of vulnerable VMware ESXi and vCenter environments.
- “Since early 2025, researchers at Sygnia have responded to multiple incidents tied to a cyberespionage campaign they track as “Fire Ant.” According to research published Thursday, Fire Ant actors are establishing initial access in organizations’ VMware systems, which have become popular targets for attackers in recent years.
- “More importantly, Fire Ant actors used deep knowledge of the target environments and strong capabilities to consistently bypass segmentations and reach isolated portions of the network.”
From the ransomware front,
- In line with this week’s theme, Bleeping Computer points out,
- “A China-based hacking group is deploying Warlock ransomware on Microsoft SharePoint servers vulnerable to widespread attacks targeting the recently patched ToolShell zero-day exploit chain.
- “Non-profit security organization Shadowserver is currently tracking over 420 SharePoint servers that are exposed online and remain vulnerable to these ongoing attacks.
- “Although Microsoft has observed this threat actor deploying Warlock and Lockbit ransomware in the past, Microsoft is currently unable to confidently assess the threat actor’s objectives,” the company said in a Wednesday report.”
- Per Bleeping Computer,
- “Law enforcement has seized the dark web extortion sites of the BlackSuit ransomware operation, which has targeted and breached the networks of hundreds of organizations worldwide over the past several years.
- “The U.S. Department of Justice confirmed the takedown in an email earlier today, saying the authorities involved in the action executed a court-authorized seizure of the BlackSuit domains.
- “Earlier today, the websites on the BlackSuit.onion domains were replaced with seizure banners announcing that the ransomware gang’s sites were taken down by the U.S. Homeland Security Investigations federal law enforcement agency as part of a joint international action codenamed Operation Checkmate.”
From the cybersecurity policy and law enforcement front,
- Cyberscoop reports,
- “The Trump administration’s new AI Action Plan calls for companies and governments to lean into the technology when protecting critical infrastructure from cyberattacks.
- “But it also recognizes that these systems are themselves vulnerable to hacking and manipulation, and calls for industry adoption of “secure by design” technology design standards to limit their attack surfaces.
- “The White House plan, released Wednesday, calls for critical infrastructure owners — particularly those with “limited financial resources” — to deploy AI tools to protect their information and operational technologies.
- “Fortunately, AI systems themselves can be excellent defensive tools,” the plan said. “With continued adoption of AI-enabled cyberdefensive tools, providers of critical infrastructure can stay ahead of emerging threats.” * * *
- “The Trump plan states that “all use of AI in safety-critical or homeland security applications should entail the use of secure-by-design, robust, and resilient AI systems that are instrumented to detect performance shifts, and alert to potential malicious activities like data poisoning or adversarial example attacks.”
- “The plan also recommends the creation of a new AI-Information Sharing and Analysis Center (AI-ISAC) led by the Department of Homeland Security to share threat intelligence on AI-related threats.”
- Cybersecurity Dive lets us know,
- “Sean Plankey, President Donald Trump’s nominee to lead the Cybersecurity and Infrastructure Security Agency, faced sharp questions during a Senate confirmation hearing Thursday about the looming expiration of an information-sharing law and CISA’s work on election security.
- “Plankey — currently a senior adviser to Secretary of Homeland Security Kristi Noem — explained his vision for leading an agency that has experienced major workforce cuts and faces significant budget reductions in Trump’s Fiscal Year 2026 spending proposal.”
- The Senate Homeland Security and Governmental Affairs Committee will vote on whether to send Mr. Plankey’s nomination to the Senate floor at a business meeting next Thursday.
- Cyberscoop adds,
- “President Donald Trump’s pick to lead the Cybersecurity and Information Security Agency told senators Thursday that he would prioritize evicting China from the U.S. supply chain, and wouldn’t hesitate to ask for more money for the shrunken agency if he thought it needed it.
- “If confirmed it will be a priority of mine to remove all Chinese intrusions, exploitations or infestation into the American supply chain,” Sean Plankey told Rick Scott, R-Fla., at his confirmation hearing before the Homeland Security and Governmental Affairs Committee. Scott had asked Plankey about reports of Chinese infiltration of U.S. energy infrastructure.”
- Per a National Institute of Standards and Technology news release,
- “NIST has issued draft updates to Special Publication (SP) 800-53 to provide additional guidance on how to securely and reliably deploy patches and updates in response to the Executive Order 14306, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144. A two-week expedited public comment period on the draft updates is open through August 5, 2025.”
- Per a July 23, 2025, HHS news release,
- “Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Syracuse ASC, LLC doing business as Specialty Surgery Center of Central New York, for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security and Breach Notification Rules. Syracuse ASC is a single-facility, ambulatory surgery center located in Liverpool, New York that provides ophthalmic and ENT surgical services and pain management procedures to patients.” * * *
- “The settlement resolves an OCR investigation concerning a ransomware breach of ePHI that affected 24,891 individuals. OCR initiated the investigation in October 2021 after Syracuse ASC reported to HHS that an unauthorized individual had accessed its network in March 2021. Further investigation revealed that Syracuse ASC was affected by a ransomware attack involving the PYSA ransomware variant, which is a cross-platform cyber weapon known to target the healthcare industry. OCR’s investigation found that Syracuse ASC never conducted an accurate and thorough risk analysis to determine the risks and vulnerabilities to the ePHI it held. OCR also found that Syracuse ASC failed to timely notify affected individuals and the Secretary of the breach.
- “Under the terms of the resolution agreement, Syracuse ASC agreed to implement a corrective action plan that OCR will monitor for 2 years and paid $250,000 to OCR.”
- Cyberscoop reports,
- “Ukrainian authorities Tuesday [July 22, 2025] arrested the alleged administrator of XSS.is, a Russian-language cybercrime forum, following a four-year investigation by the Paris public prosecutor’s office.
- “Law enforcement officials from France and Europol seized the domain of the influential forum following the arrest. Authorities have not named the suspected administrator of XSS.is.
- “The forum, which was active since 2013, had more than 50,000 registered users and was a key marketplace for stolen data, malware, access to compromised systems and ransomware services, officials said. “It has long been a central platform for some of the most active and dangerous cybercriminal networks, used to coordinate, advertise and recruit,” Europol said in a news release.”
- Dark Reading alerts us,
- “A “laptop farmer” [Christina Marie Chapman] in Arizona responsible for enabling North Korean IT worker infiltration into US companies is going to jail for eight and a half years, after raising $17 million in illicit funds for Kim Jong-Un’s regime. That news, however, is merely a drop in the justice bucket, and DPRK’s efforts to siphon salaries off of American companies is unlikely to wane anytime soon. So, US organizations need to wrap their heads around the magnitude of the threat.
- “North Korea’s multiyear HR-compromise effort has the twin goals of earning money for the hermit kingdom’s nuclear program and other efforts via salaries, as well as gaining a foothold inside corporate networks for the purpose of planting cryptominers or malware for stealing secrets.”
- Cybersecurity Dive adds,
- “The U.S. Department of the Treasury on Thursday [July 24, 2025] sanctioned three North Koreans and their company for participating in remote IT worker scams and other operations designed to generate revenue for Pyongyang.
- “The sanctions target the North Korean firm Korea Sobaeksu Trading Co., Sobaeksu employee Kim Se Un, Sobaeksu “IT team leader” Jo Kyong Hun and Kim’s associate Myong Chol Min.
- “The Treasury Department calls Sobaeksu a front for North Korea’s Munitions Industry Department, which oversees the country’s nuclear weapons program. North Korea “has previously utilized Sobaeksu to send teams of IT workers overseas, including to Vietnam, in order to generate revenue,” the department said.”
From the cybersecurity defenses front,
- HelpNet Security explains “Why we must go beyond tooling and CVEs to illuminate security blind spots.”
- SC Media discusses “exposure management [, which is] a new blueprint for modern cyber defense.”
- The Hacker News considers “From Backup to Cyber Resilience: Why IT Leaders Must Rethink Backup in the Age of Ransomware.”
- Here is a link to Dark Reading’s CISO Corner.
