At a glance.
- Chinese threat actors target SharePoint flaws.
- UK will ban public sector entities from paying ransomware gangs.
- Hungarian police arrest suspect accused of targeting news websites.
- Ransomware operation uses AI chatbot to conduct negotiations.
Chinese threat actors target SharePoint flaws.
The Washington Post reports that China-aligned threat actors were responsible for some of the attacks exploiting a critical SharePoint zero-day (CVE-2025-53770) that was patched by Microsoft this week. Mandiant CTO Charles Carmakal, as well as anonymous researchers from other firms, has attributed the exploitation to Chinese threat actors. One source told the Post that "federal investigators have evidence of U.S.-based servers linked to compromised SharePoint systems connecting to internet protocol addresses inside China on Friday and Saturday."
Microsoft said this morning that it observed three Chinese state-sponsored actors targeting the flaws. Two of the threat actors, Linen Typhoon and Violet Typhoon, are known for conducting cyberespionage on behalf of the Chinese government. Researchers at Eye Security, who first discovered the zero-day attacks, told Reuters that the initial wave of attacks hit approximately 100 organizations, most of which were located in the US and Germany.
Now that the flaws are publicly known, they're likely being targeted by criminal threat actors as well. Palo Alto Networks' Unit 42 said in a threat brief, "Attackers are bypassing identity controls, including multi-factor authentication (MFA) and single sign-on (SSO), to gain privileged access. Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors and stealing cryptographic keys." Trend Micro has observed exploitation of the flaw across Asia, Europe, and the US, with a notable focus on the finance, education, energy, and healthcare industries.
UK will ban public sector entities from paying ransomware gangs.
The UK government is set to ban public sector entities and operators of critical national infrastructure from paying ransom demands following ransomware attacks, while private sector entities will need to notify the government if they intend to pay a ransom. The Home Office stated, "The ban would target the business model that fuels cyber criminals’ activities and makes the vital services the public rely on a less attractive target for ransomware groups."
The government is also developing a mandatory reporting framework, which the Home Office says "would equip law enforcement with essential intelligence to hunt down perpetrators and disrupt their activities."
Hungarian police arrest suspect accused of targeting news websites.
Hungarian police have arrested a 23-year-old man suspected of launching DDoS attacks against at least six Hungarian news sites over the past two years, the Record reports. The suspect is also accused of targeting the website of the Vienna-based International Press Institute (IPI). The individual allegedly used DDoS-for-hire services to carry out the attacks.
The motive for the attacks is unclear, and the suspect has been released from custody while charges are pending.
Ransomware operation uses AI chatbot to conduct negotiations.
Researchers at Picus Security have published a report on the GLOBAL GROUP ransomware-as-a-service operation, noting that the group is using an AI chatbot to conduct ransom negotiations. Victims access the chatbot by following a Tor link in the ransom note. Picus states, "Once accessed, the victim is greeted by an AI-powered chatbot designed to automate communication and apply psychological pressure. The panel is built for non-technical users, with prompts to upload a sample encrypted file for free decryption verification. All correspondence occurs over a secure channel with a timer displayed to reinforce urgency."
The researchers add, "The integration of AI chat automation reduces the affiliate workload and ensures negotiations proceed even in the absence of human operators, enabling GLOBAL to scale victim engagement across time zones, languages, and organizational profiles."