At a glance.
- Threat actors target critical SharePoint flaws.
- US cracks down on North Korean IT worker fraud.
- Suspected Chinese cyberespionage campaign targets hypervisors.
- UK will ban public sector entities from paying ransomware gangs.
- European healthcare network AMEOS Group hit by cyberattack.
- Dior discloses breach of customer data.
Threat actors target critical SharePoint flaws.
Microsoft last weekend released emergency patches for two actively exploited SharePoint zero-days (CVE-2025-53770 and CVE-2025-53771) that let attackers bypass the fixes it had already shipped for the critical remote code execution chain dubbed "ToolShell." The flaws affect only on-premises SharePoint Server; SharePoint Online in Microsoft 365 is unaffected.
Microsoft and other security firms have attributed the initial wave of zero-day attacks to several Chinese APTs. Mandiant CTO Charles Carmakal says this early exploitation "primarily involved the theft of machine key material which could be used to access victim environments after the patch has been applied."
The Washington Post says the hackers exploited the flaw to compromise "U.S. federal and state agencies, universities, energy companies, and an Asian telecommunications company." Bloomberg reports that the US Energy Department's National Nuclear Security Administration (NNSA) was one of the breached organizations, though the threat actors don't appear to have gained access to any classified material. Nextgov cites a source as saying the Department of Homeland Security was also impacted.
Now that the flaws are publicly known, they're being targeted by criminal threat actors as well. Microsoft has observed at least one ransomware group exploiting the vulnerability. Palo Alto Networks' Unit 42 said in a threat brief, "Attackers are bypassing identity controls, including multi-factor authentication (MFA) and single sign-on (SSO), to gain privileged access. Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors and stealing cryptographic keys."
Researchers at SOCRadar explain, "[E]xploitation begins with deserialization of malicious input. Attackers then extract ASP.NET MachineKeys from the server, specifically the ValidationKey and DecryptionKey, and use them to craft forged __VIEWSTATE payloads. These payloads are accepted as legitimate by SharePoint, allowing attackers to maintain access and run arbitrary commands without detection."
Users of on-prem SharePoint are urged to apply the patches as soon as possible and then rotate their ASP.NET machine keys, restarting IIS so the new keys take effect. The order matters: a patched server that still uses keys an attacker has already stolen will keep accepting the attacker's forged __VIEWSTATE payloads, and keys rotated on an unpatched server can simply be stolen again.
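The mechanism SOCRadar describes, as an added illustration that is not code from the page, from Microsoft, or from any of the cited researchers: a deliberately simplified model of a ViewState MAC. The assumptions are an HMAC-SHA256 keyed with the ValidationKey over the serialized state plus a page-specific modifier, a 64-byte key, and base64 encoding of state||MAC; real ASP.NET also encrypts with the DecryptionKey and uses its own serialization and purpose strings, all omitted here. The payload strings are constructed placeholders, not gadget chains.

```python
import base64
import hashlib
import hmac
import secrets

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def new_validation_key() -> bytes:
    """Fresh random ValidationKey (64 bytes assumed; real keys live in web.config)."""
    return secrets.token_bytes(64)


def sign_viewstate(state: bytes, modifier: bytes, validation_key: bytes) -> bytes:
    """Server side: MAC the serialized state together with a page-specific modifier,
    then base64-encode state||mac as the __VIEWSTATE field (simplified model)."""
    mac = hmac.new(validation_key, state + modifier, hashlib.sha256).digest()
    return base64.b64encode(state + mac)


def verify_viewstate(field: bytes, modifier: bytes, validation_key: bytes):
    """Server side on postback: recompute the MAC; return the state only if it matches."""
    raw = base64.b64decode(field)
    if len(raw) <= MAC_LEN:
        return None
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state + modifier, hashlib.sha256).digest()
    return state if hmac.compare_digest(mac, expected) else None


def tamper(field: bytes, old: bytes, new: bytes) -> bytes:
    """Attacker WITHOUT the key: edit the state bytes but keep the original MAC."""
    raw = base64.b64decode(field)
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    return base64.b64encode(state.replace(old, new) + mac)


def scenario() -> dict:
    key = new_validation_key()
    modifier = b"/_layouts/15/page.aspx"          # constructed stand-in for the page modifier
    legit = sign_viewstate(b"state:benign", modifier, key)
    payload = b"state:attacker-controlled"         # constructed placeholder for a gadget chain
    forged = sign_viewstate(payload, modifier, key)  # attacker WITH the stolen ValidationKey
    rotated = new_validation_key()                 # keys rotated after patching
    return {
        "legit_accepted": verify_viewstate(legit, modifier, key) is not None,
        # Editing state without the key breaks the MAC: rejected.
        "tampered_accepted": verify_viewstate(tamper(legit, b"benign", b"evil"), modifier, key) is not None,
        # Signed with the stolen key, arbitrary state passes as legitimate: accepted.
        "forged_accepted": verify_viewstate(forged, modifier, key) is not None,
        # After rotation, everything signed with the stolen key is rejected.
        "forged_accepted_after_rotation": verify_viewstate(forged, modifier, rotated) is not None,
    }


if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name}: {'ACCEPTED' if accepted else 'rejected'}")
```

The point the model makes is that the MAC protects nothing once the key is known: the server cannot distinguish a forged field from its own output, which is why Carmakal's "access after the patch has been applied" holds until the keys change.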
US cracks down on North Korean IT worker fraud.
The US Treasury Department has sanctioned a North Korean company and three North Korean individuals for their alleged roles in supporting Pyongyang's fraudulent IT worker schemes, BleepingComputer reports. Treasury says the sanctioned firm, Korea Sobaeksu Trading Company, "is a DPRK-based trading company that operates as a front company for the U.S.-designated Munitions Industry Department, which oversees the DPRK’s nuclear program and is involved in the development of ballistic missiles."
A federal court also sentenced a 50-year-old Arizona woman, Christina Marie Chapman, to eight years in prison for helping North Korean IT workers obtain remote positions at more than 300 US companies, generating over $17 million in revenue. The Justice Department says Chapman "operated a 'laptop farm' where she received and hosted computers from the US companies in her home, so that the companies would believe the workers were in the United States."
The FBI issued guidance on Wednesday to help companies avoid falling for these schemes.
Suspected Chinese cyberespionage campaign targets hypervisors.
Sygnia has published a report on a cyberespionage actor dubbed "Fire Ant" that targets VMware ESXi, vCenter, and network appliances for "initial access, lateral movement, and long-term persistence." Sygnia describes the attack chain as follows:
- "vCenter Initial Compromise: They exploited CVE-2023-34048 to achieve unauthenticated remote code execution on vCenter, gaining control over the virtualization management layer.
- "Lateral Movement to ESXi hosts and Persistence: From vCenter, they extracted the ‘vpxuser’ service account credentials and used them to access connected ESXi hosts. They deployed multiple persistent backdoors on both ESXi hosts and the vCenter to maintain access across reboots.
- "Guest VM Access and Exploitation: With control over the hypervisor, the attacker interacted directly with guest virtual machines. They manipulated VMX processes and used CVE-2023-20867 to execute commands via PowerCLI without in-guest credentials, tampered with security tools, and extracted credentials from memory snapshots, including domain controllers."
While Sygnia refrains from conclusive attribution, the researchers note that the TTPs "strongly align" with previous activity by the China-nexus threat actor UNC3886. Singapore's OT-ISAC warned this week that UNC3886 was exploiting zero-days in Fortinet, VMware, and Juniper products in order to infiltrate the country's critical infrastructure. Sygnia told the Record that the campaign observed by Singapore "definitely correlate[s]" with Sygnia's research on Fire Ant.
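One defensive handle the chain above offers: the vpxuser account exists so that vCenter can manage ESXi hosts, so a vpxuser login on a host from any source other than the vCenter that manages it is worth an alert. The following is an added example, not Sygnia's tooling or code from the page. The log lines are constructed to mimic the general shape of ESXi hostd login events (real field layout varies by version, so the regex is an assumption to adapt), and the set of legitimate vCenter addresses is assumed.

```python
import re
from collections import defaultdict

# Assumed: the only address that should ever drive vpxuser sessions on these hosts.
VCENTER_IPS = {"10.0.0.5"}

# Constructed sample lines, loosely modelled on ESXi hostd login events.
SAMPLE_LOG = """\
2025-07-20T02:11:04Z hostd[2101] info: User vpxuser@10.0.0.5 logged in as VMware-client/8.0.0
2025-07-20T02:15:31Z hostd[2101] info: User vpxuser@10.0.0.5 logged in as VMware-client/8.0.0
2025-07-20T03:47:12Z hostd[2101] info: User vpxuser@198.51.100.23 logged in as pyvmomi Python/3.11
2025-07-20T03:49:58Z hostd[2101] info: User root@10.0.1.40 logged in as VMware-client/8.0.0
2025-07-20T03:52:07Z hostd[2101] info: User vpxuser@198.51.100.23 logged in as pyvmomi Python/3.11
"""

# Assumed layout: <timestamp> <process> <level>: User <name>@<source-ip> logged in as <agent>
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+: User (?P<user>[^@\s]+)@(?P<src>[\d.]+) logged in as (?P<agent>.+)$"
)


def parse_logins(text: str) -> list[dict]:
    """Extract login events; lines that do not match the assumed layout are ignored."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious_vpxuser(events: list[dict], vcenter_ips=VCENTER_IPS) -> dict:
    """Group vpxuser sessions by source address, keeping only sources that are not a known vCenter.
    Returns {source_ip: [(timestamp, user_agent), ...]}."""
    hits = defaultdict(list)
    for e in events:
        if e["user"] == "vpxuser" and e["src"] not in vcenter_ips:
            hits[e["src"]].append((e["ts"], e["agent"]))
    return dict(hits)


if __name__ == "__main__":
    for src, sessions in find_suspicious_vpxuser(parse_logins(SAMPLE_LOG)).items():
        print(f"vpxuser sessions from non-vCenter source {src}:")
        for ts, agent in sessions:
            print(f"  {ts}  agent={agent}")
```

The user agent is kept in the output deliberately: vCenter talks to hosts with its own client string, so a vpxuser session presenting a scripting client is a second, independent signal even when the source address is plausible.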
UK will ban public sector entities from paying ransomware gangs.
The UK government is set to ban public sector entities and operators of critical national infrastructure from paying ransom demands following ransomware attacks, while private sector entities will need to notify the government if they intend to pay a ransom. The Home Office stated, "The ban would target the business model that fuels cyber criminals’ activities and makes the vital services the public rely on a less attractive target for ransomware groups."
The government is also developing a mandatory reporting framework, which the Home Office says "would equip law enforcement with essential intelligence to hunt down perpetrators and disrupt their activities."
European healthcare network AMEOS Group hit by cyberattack.
AMEOS Group, a Swiss healthcare network that operates more than 100 facilities across Switzerland, Austria, and Germany, has disclosed a cyberattack that occurred on July 7th and forced the organization to shut down all of its IT systems, Beyond Machines reports. Patient data may have been exposed; AMEOS says its investigation is ongoing and that patient care was not disrupted.
Dior discloses breach of customer data.
LVMH-owned luxury goods giant Dior has disclosed a data breach involving customers' names, contact information, addresses, dates of birth, and in some cases, passport or government ID numbers and Social Security numbers. The breach occurred in January 2025, and the company discovered it in May.
The Register says the ShinyHunters extortion group is believed to be responsible for the attack. BleepingComputer notes that the same group was likely behind the recent breach of Louis Vuitton (also owned by LVMH).