At a glance.
- US Nuclear Security Administration breached via SharePoint zero-day.
- FBI warns of Interlock ransomware attacks.
- European healthcare network AMEOS Group hit by cyberattack.
- Cryptomining campaign targets vulnerable cloud environments.
US Nuclear Security Administration breached via SharePoint zero-day.
Bloomberg reports that the US Energy Department's National Nuclear Security Administration (NNSA) was one of dozens of organizations breached via a critical flaw (CVE-2025-53770) affecting Microsoft SharePoint. An anonymous source told Bloomberg that no sensitive or classified information is believed to have been accessed. The source noted that the threat actor also compromised other parts of the Energy Department.
The NNSA referred questions about the incident to the Energy Department. “On Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy,” an agency spokesman said in an email. “The department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems. A very small number of systems were impacted. All impacted systems are being restored.”
Microsoft and multiple other security firms have attributed the initial wave of zero-day attacks to several Chinese APTs. Mandiant CTO Charles Carmakal says this early exploitation "primarily involved the theft of machine key material which could be used to access victim environments after the patch has been applied."
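Because stolen machine key material stays usable after the patch is applied, the follow-up action for on-premises SharePoint farms is to rotate those keys once patched. The snippet below is an added example, not code from the Bloomberg or Mandiant reporting; it assumes a SharePoint Server 2019 or Subscription Edition farm (where the Update-SPMachineKey cmdlet is available) and that it is run in the SharePoint Management Shell as a farm administrator.

```powershell
# Added example: rotate the ASP.NET machine keys of every web application in the farm.
# Assumption: SharePoint Server 2019 / Subscription Edition, run as a farm administrator
# in the SharePoint Management Shell, after the CVE-2025-53770 patch has been installed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    # Generates new validation/decryption keys for this web application
    # and distributes them to the servers in the farm.
    Update-SPMachineKey -WebApplication $webApp
}

# Restart IIS so worker processes load the new keys; repeat on every SharePoint server.
iisreset
```

Rotating before patching only invites the keys to be stolen again, so patch first, rotate second, and treat any ViewState-based access observed after rotation as a sign of a still-unremediated foothold.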
FBI warns of Interlock ransomware attacks.
The US FBI has issued a joint cybersecurity advisory warning of a wave of Interlock ransomware attacks targeting a wide range of sectors across North America and Europe, with a recent focus on the healthcare industry. The advisory notes, "FBI has observed Interlock actors obtaining initial access via drive-by download from compromised legitimate websites, an atypical method for ransomware actors. Interlock ransomware methods for initial access have previously disguised malicious payloads as fake Google Chrome or Microsoft Edge browser updates, though a cybersecurity company recently reported a shift to payload filenames masquerading as updates for common security software." The threat actor has also been using the ClickFix social engineering tactic to trick users into running malicious commands on their machines.
European healthcare network AMEOS Group hit by cyberattack.
AMEOS Group, a Swiss healthcare network that operates more than 100 healthcare providers across Switzerland, Austria, and Germany, has disclosed a cyberattack that occurred on July 7th and forced the organization to shut down all of its IT systems, Beyond Machines reports. The incident may have exposed patients' data, though AMEOS is still investigating. The healthcare network said the attack did not disrupt patient care.
Cryptomining campaign targets vulnerable cloud environments.
Wiz has published a report on a cryptomining campaign dubbed "Soco404" that's spreading via various vulnerabilities and misconfigurations affecting cloud environments. The threat actor behind the campaign has previously been observed targeting Apache Tomcat services with weak credentials, as well as vulnerable Apache Struts and Atlassian Confluence servers. In the case observed by Wiz, the attacker "targets exposed PostgreSQL instances and leverages compromised Apache Tomcat servers to host payloads tailored for both Linux and Windows environments."