Hey everyone! It's been a pretty packed 24 hours in the cyber world, with critical zero-day exploits, major breaches, new malware tactics, and some significant policy shifts from the UK government. Let's dive in:

SharePoint Zero-Days Under Active Exploitation by China-Linked APTs
- Microsoft SharePoint on-premise servers are under active attack via a chain of zero-day vulnerabilities (CVE-2025-53770, CVE-2025-53771), allowing unauthenticated Remote Code Execution (RCE) and spoofing.
- Microsoft attributes exploitation to China-linked nation-state groups Linen Typhoon (APT27), Violet Typhoon (APT31), and Storm-2603, who are deploying web shells and stealing MachineKeys for persistence.
- Emergency patches have been released for SharePoint Server Subscription Edition, 2019, and 2016, but organisations with internet-exposed on-premise servers should assume compromise and rotate ASP.NET machine keys and restart IIS.

Bleeping Computer | https://www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-toolshell-attacks-linked-to-chinese-hackers/
Bleeping Computer | https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-critical-sharepoint-2016-zero-days-amid-active-exploits/
CyberScoop | https://cyberscoop.com/microsoft-sharepoint-zero-days-china-typhoon/
The Register | https://go.theregister.com/feed/www.theregister.com/2025/07/22/chinese_groups_attacking_microsoft_sharepoint/

Cisco ISE RCE Flaws Actively Exploited
- Cisco warns of active exploitation of three maximum-severity (CVSS 10.0) unauthenticated Remote Code Execution (RCE) vulnerabilities in Cisco Identity Services Engine (ISE): CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337.
- These flaws allow attackers to execute arbitrary commands as root or upload and execute malicious files without authentication.
- Immediate patching to ISE 3.3 Patch 7 or ISE 3.4 Patch 2 is critical, as there are no workarounds.

Bleeping Computer | https://www.bleepingcomputer.com/news/security/cisco-maximum-severity-ise-rce-flaws-now-exploited-in-attacks/

Recent Cyber Attacks and Breaches
- Dell confirmed a breach of its "Solution Center" demo environment, stating that the exfiltrated 1.3 TB of data by WorldLeaks (Hunters International rebrand) was "primarily synthetic (fake) data" or non-sensitive.
- Hungarian police arrested a 23-year-old suspect, "Hano," for a prolonged series of DDoS attacks against independent media outlets in Hungary and the Vienna-based International Press Institute (IPI) since April 2023.
- AMEOS Group, a major Central European healthcare network, disclosed a security breach where external actors gained unauthorised access to IT systems, potentially exposing patient, employee, and partner data, leading to a full IT system shutdown.
- A Silicon Valley engineer, Chenguang Gong, pleaded guilty to stealing thousands of trade secrets, including sensitive US missile technology and radiation-hardened camera designs, from his employers, with links to Chinese "talent programs."

The Register | https://go.theregister.com/feed/www.theregister.com/2025/07/21/dell_scoffs_at_breach/
The Record | https://therecord.media/hungary-arrest-suspect-hacking-independent-media
The Register | https://go.theregister.com/feed/www.theregister.com/2025/07/22/engineer_admits_trade_theft/
Bleeping Computer | https://www.bleepingcomputer.com/news/security/major-european-healthcare-network-discloses-security-breach/

New Malware and Ransomware Tactics
- CISA and FBI issued a joint warning about escalating Interlock ransomware activity, which targets businesses and critical infrastructure, particularly healthcare, using unusual initial access methods like drive-by downloads from compromised sites and fake browser updates.
- Russian cybersecurity researchers disrupted NyashTeam, a Russian-speaking group operating a malware-as-a-service scheme (DCRat, WebRat) since 2022, by dismantling over 110 domains and removing associated Telegram channels and instructional videos.
- A new variant of the Coyote banking trojan is abusing Microsoft's UI Automation (UIA) framework to identify banking and cryptocurrency exchange sites, a technique that evades Endpoint Detection and Response (EDR) and marks the first real-world case of UIA abuse for data theft.
- Arch Linux removed three malicious packages ("librewolf-fix-bin", "firefox-patch-bin", "zen-browser-patched-bin") from its Arch User Repository (AUR) that were installing the CHAOS Remote Access Trojan (RAT), highlighting the risks of community-maintained repositories.

The Record | https://therecord.media/russia-hacker-group-disrupted-local-researchers
Bleeping Computer | https://www.bleepingcomputer.com/news/security/cisa-and-fbi-warn-of-escalating-interlock-ransomware-attacks/
The Register | https://go.theregister.com/feed/www.theregister.com/2025/07/22/arch_aur_browsers_compromised/
Bleeping Computer | https://www.bleepingcomputer.com/news/security/coyote-malware-abuses-windows-accessibility-framework-for-data-theft/
The Record | https://therecord.media/fbi-vigilance-interlock-ransomware

UK Government's Ransomware Policy Shift
- The UK government is proposing a ban on ransomware payments by public sector organisations and critical national infrastructure (CNI) to disrupt the criminal business model and make these entities less attractive targets.
- New measures, part of the Cyber Resilience Bill, will also mandate reporting of all ransomware incidents to law enforcement and require private businesses to notify the government before making any ransom payments.
- While aiming to improve visibility and resilience, concerns remain about the effectiveness of a payment ban on opportunistic attackers and whether law enforcement will have sufficient resources to utilise the increased intelligence.

The Register | https://go.theregister.com/feed/www.theregister.com/2025/07/22/uk_to_ban_ransomware_payments/
The Record | https://therecord.media/mandatory-reporting-ransomware-attacks-uk-proposal
Bleeping Computer | https://www.bleepingcomputer.com/news/security/uk-to-ban-public-sector-orgs-from-paying-ransomware-gangs/
CyberScoop | https://cyberscoop.com/uk-ransomware-payment-ban-public-sector-private-business-reporting/

New Wi-Fi Tracking Raises Privacy Concerns
- Researchers in Italy have developed "WhoFi," a technique that creates a unique biometric identifier for individuals based on how their bodies interfere with Wi-Fi signals (Channel State Information - CSI).
- This method allows for re-identification and tracking of people across different Wi-Fi networks with high accuracy (up to 95.5%), even if they are not carrying a device.
- The research raises significant privacy concerns, as it enables pervasive surveillance without traditional visual or device-based tracking.

The Register | https://go.theregister.com/feed/www.theregister.com/2025/07/22/whofi_wifi_identifier/

CISA CyberSentry Program Funding Lapses
- Funding for CISA's CyberSentry Program, a critical public-private partnership that monitors US critical infrastructure (IT/OT) for nation-state threats, expired on Sunday.
- This lapse has forced Lawrence Livermore National Laboratory to stop monitoring networks, creating a significant gap in visibility into potential cyberattacks on essential services.
- The incident highlights ongoing instability and funding challenges within CISA and the broader federal government, impacting vital cybersecurity initiatives.

The Register | https://go.theregister.com/feed/www.theregister.com/2025/07/22/lapsed_cisa_funding_cybersentry/

Open Source Security: Eyeballs and Trust
- An opinion piece highlights that while open source software benefits from "many eyes" for security, this doesn't come for free; trust is built through clear communication and defensive coding.
- Automated scanners can misidentify benign, low-level system utilities as malware, as demonstrated by John Hammond's analysis of the "Talon" Windows de-bloater.
- Developers of open source tools that perform system-wide modifications should provide thorough documentation and and comments to clarify their intent and avoid triggering suspicion.

The Register | https://go.theregister.com/feed/www.theregister.com/2025/07/22/open_source_windows_security_opinion_column/

Windows Server Update Issues
- Microsoft has acknowledged a known issue where the July 8th Windows Server 2019 security update (KB5062557) causes the Cluster service to repeatedly stop and restart.
- This bug can prevent nodes from rejoining clusters, lead to virtual machine restarts, and trigger Event ID 7031 errors, especially on systems with BitLocker enabled on Cluster Shared Volumes (CSV) drives.
- While a mitigation is available, Microsoft has not yet rolled it out publicly and is advising affected organisations to contact business support for assistance.

Bleeping Computer | https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-server-kb5062557-causes-cluster-vm-issues/