
The SharePoint siege goes strategic.
Confusion persists over the Microsoft SharePoint zero-days. CrushFTP confirms a zero-day under active exploitation. The UK government proposes a public sector ban on ransomware payments. A new ransomware group is using an AI chatbot to handle victim negotiations. Australia’s financial regulator accuses a wealth management firm of failing to manage cybersecurity risks. Researchers uncover a WordPress attack that abuses Google Tag Manager. Arizona election officials question CISA following a state portal cyberattack. Hungarian police arrest a man accused of launching DDoS attacks on independent media outlets. On our Threat Vector segment, guest host Michael Sikorski and Michael Daniel of the Cyber Threat Alliance (CTA) explore cybersecurity collaboration. A spyware kingpin wants back in.
Today is Tuesday, July 22nd, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Confusion persists over the Microsoft SharePoint zero-days.
As we reported yesterday, a wave of zero-day attacks has hit Microsoft SharePoint servers, exploiting flaws that researchers recently linked to a remote code execution exploit chain called ToolShell. The attacks began around July 17, targeting strategic sectors like energy, tech consulting, and government. Two patched flaws, CVE-2025-49706 and CVE-2025-49704, were reportedly bypassed, prompting Microsoft to assign new CVEs: CVE-2025-53770 and CVE-2025-53771. The former allows unauthenticated code execution, while the latter enables spoofing.
Despite patches, confusion persists about which vulnerabilities were chained during the attacks. SentinelOne identified three attack clusters, including those by state-sponsored actors. Reports indicate exfiltration of cryptographic secrets and circumvention of MFA and SSO protections.
Over 9,000 internet-facing SharePoint servers are at risk, mainly in North America and Europe. CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities list and advised immediate patching. Microsoft also urges organizations to rotate cryptographic keys post-remediation.
In other Microsoft news, Redmond is urging businesses to contact support to address a bug in the July 2024 Windows Server 2019 update (KB5062557) that disrupts Cluster service operations. The issue causes repeated restarts, node failures, and VM instability, especially on systems using BitLocker with Cluster Shared Volumes. While a fix is in development, Microsoft has not yet released it publicly and recommends reaching out for guided mitigation until a permanent update is available.
CrushFTP confirms a zero-day under active exploitation.
CrushFTP has confirmed a zero-day vulnerability is being actively exploited in older versions of its file transfer software. The company’s president said the flaw, patched in builds after July 1, was discovered after hackers reverse-engineered their code. Over 1,000 unpatched instances have been identified globally, with hundreds in the U.S. and Europe. Most attacks occurred around July 18. Some attackers are disguising outdated, vulnerable systems to appear current. CrushFTP has issued guidance for affected users. The identity of the attackers remains unknown, but groups like the Clop ransomware gang have a history of exploiting similar flaws in file transfer tools. This incident highlights ongoing threats to file-sharing platforms, which are prime targets for stealing sensitive data from government, corporate, and academic users. CISA had previously warned about CrushFTP vulnerabilities and continues to monitor related threats in the file transfer space.
The UK government proposes a public sector ban on ransomware payments.
The UK government is proposing new measures to combat ransomware, focusing on protecting hospitals, businesses, and critical services. Under the plan, public sector bodies and operators of national infrastructure, like the NHS and schools, would be banned from paying ransoms. Nearly 75% of public consultation respondents supported the move. Private businesses would need to notify the government if they intend to pay a ransom, ensuring such actions don’t violate sanctions. A mandatory reporting regime is also in development to help law enforcement gather intelligence and disrupt ransomware networks. The proposals aim to break the financial model driving cybercrime, especially attacks tied to Russian-based groups. Officials stress the need for strong cybersecurity practices, including offline backups and recovery plans. Supporters, including the British Library and Co-op, welcome the effort to improve resilience. These steps are part of the UK’s broader “Plan for Change” to defend against evolving cyber threats.
A new ransomware group is using an AI chatbot to handle victim negotiations.
A new ransomware-as-a-service group, GLOBAL GROUP, has emerged, rebranding older threats Mamona RIP and Black Lock. While not highly innovative, the group’s standout feature is using an AI chatbot to handle victim negotiations. This bot operates on a Tor-based panel, automating communication and psychological pressure to scale operations across time zones. Victims face steep ransom demands and threats of data leaks. The ransomware uses a Golang-based payload compatible with Windows, Linux, macOS, and even ESXi systems, favoring fast, concurrent encryption with ChaCha20-Poly1305. Analysts also found poor operational security, linking GLOBAL to Russian infrastructure used by Mamona. The builder allows affiliates to customize attacks, enhancing evasion and reach. Picus Security recommends multiple detection and mitigation strategies, including monitoring Go-based processes, restricting access to native utilities, simulating attacks, and enforcing least-privilege policies to defend against this growing ransomware threat.
Australia’s financial regulator accuses a wealth management firm of failing to manage cybersecurity risks.
Australia’s financial regulator, ASIC, has taken legal action against Fortnum Private Wealth for allegedly failing to manage cybersecurity risks, exposing clients to significant threats. The firm is accused of lacking proper policies, training, and oversight, particularly for its authorized representatives (ARs). One breach leaked over 200GB of sensitive data from nearly 10,000 clients, later found on the dark web. Despite implementing a cybersecurity policy in 2021, ASIC claims it was inadequate. Fortnum denies the allegations but declined further comment due to ongoing court proceedings.
Researchers uncover a WordPress attack that abuses Google Tag Manager.
Researchers at Sucuri have uncovered a WordPress attack that abuses Google Tag Manager (GTM) to redirect site visitors to spam pages without altering themes or plugin files. Instead, attackers injected a malicious script directly into WordPress database tables, including wp_options, under the option name ihaf_insert_body. This script loaded a GTM container that triggered a redirection to spelletjes[.]nl after five seconds. The GTM tag likely came from a compromised admin account. Over 200 sites were impacted, allowing attackers remote control of the payload via their GTM account. These redirects can harm site SEO, reputation, and visitor safety. Sucuri advises inspecting for suspicious GTM tags, securing admin accounts with 2FA, and keeping plugins updated. GTM’s trusted status makes such attacks hard to detect, similar to earlier GTM-based e-skimming campaigns on e-commerce sites.
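The check Sucuri recommends, as an added example that is not Sucuri's tooling or code from the original briefing: a Python scan over exported wp_options rows that flags inline scripts and Google Tag Manager container ids the site does not own. The rows, option values and GTM ids below are constructed; only the option name ihaf_insert_body comes from the story.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of wp_options rows as (option_name, option_value); not data from any real site.
# The third row mimics the pattern described by Sucuri: an inline script stored under
# ihaf_insert_body that loads a Google Tag Manager container. The GTM id is made up.
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.test"),
    ("blogname", "Example Site"),
    ("ihaf_insert_body",
     "<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),"
     "event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;"
     "j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);})"
     "(window,document,'script','dataLayer','GTM-EXAMPLE1');</script>"),
    ("widget_text", "<p>Contact us</p>"),
]

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
GTM_ID = re.compile(r"GTM-[A-Z0-9]{4,10}")
GTM_LOADER = re.compile(r"googletagmanager\.com/gtm\.js", re.IGNORECASE)


@dataclass
class Finding:
    option_name: str
    gtm_ids: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def scan_wp_options(rows, expected_gtm_ids=frozenset()):
    """Flag wp_options rows carrying inline scripts or GTM containers the site does not own."""
    findings = []
    for name, value in rows:
        reasons = []
        ids = sorted(set(GTM_ID.findall(value)))
        if SCRIPT_TAG.search(value):
            reasons.append("inline <script> stored in option value")
        if GTM_LOADER.search(value):
            reasons.append("loads the GTM loader (gtm.js)")
        unexpected = [i for i in ids if i not in expected_gtm_ids]
        if unexpected:
            reasons.append("unexpected GTM container id(s): " + ", ".join(unexpected))
        if reasons:
            findings.append(Finding(name, ids, reasons))
    return findings


if __name__ == "__main__":
    # GTM-SITEOWN stands in for the container id the site legitimately uses (constructed).
    for f in scan_wp_options(SAMPLE_OPTIONS, expected_gtm_ids={"GTM-SITEOWN"}):
        print(f.option_name, "->", "; ".join(f.reasons))
```

Feed it the output of a query such as `SELECT option_name, option_value FROM wp_options` and compare any flagged container id against the one your GTM account actually owns.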
Arizona election officials question CISA following a state portal cyberattack.
Arizona election officials revealed a cyberattack that defaced candidate profiles on a state portal, replacing photos with images of the late Ayatollah Khomeini. The breach, discovered on June 23, exploited a legacy system to upload a malicious image containing a PowerShell script. While the threat was quickly contained, officials criticized the Cybersecurity and Infrastructure Security Agency (CISA) for its lack of support, citing a breakdown in federal coordination since the Trump administration’s restructuring and budget cuts. Arizona Secretary of State Adrian Fontes accused CISA of becoming politicized and ineffective, endangering national election security. Arizona’s Chief Information Security Officer said key systems remained unaffected, but emphasized that CISA’s former collaborative role has eroded. This incident, following U.S. action against Iranian nuclear sites, included pro-Iran messaging, though attribution remains uncertain. Experts warn that CISA’s diminished role risks fragmenting the nation’s cyber defense and eroding trust between state and federal agencies.
Hungarian police arrest a man accused of launching DDoS attacks on independent media outlets.
Hungarian police have arrested a 23-year-old man from Budapest accused of launching DDoS attacks on independent media outlets in Hungary and abroad. Operating under the alias “Hano,” he allegedly used DDoS-for-hire services to disrupt access to sites like Media1.hu, Telex, and Vienna-based International Press Institute (IPI). The IPI was targeted shortly after publishing a report on similar attacks, with its site offline for three days. Authorities seized electronic evidence from the suspect’s home, though he has not yet been formally charged. Investigators are probing the motive and whether any external coordination or funding was involved. Most targeted outlets were critical of Hungary’s government, while pro-government media were unaffected. The IPI and digital rights groups are calling for a transparent investigation. The incident highlights growing cyber threats to independent journalism, following similar politically linked attacks on media in Russia and Ukraine in recent months.
We’ve got our Threat Vector segment next from Palo Alto Networks. We’ll be right back.
Welcome back. You can find links in the show notes to hear the full conversation that was featured today, and find new episodes of Threat Vector every Thursday in your favorite podcast app.
A spyware kingpin wants back in.
Scott Zuckerman, the spyware entrepreneur best known for leaking private user data like a sieve, is asking the FTC to lift the 2021 ban that barred him from the surveillance industry. The ban followed a spectacular privacy faceplant in which his app, SpyFone, helpfully exposed thousands of users’ texts, photos, and locations, turning stealth surveillance into public spectacle. Zuckerman now argues the order is a financial burden, claiming it hinders his growth in other ventures (presumably ones with fewer subpoenas).
Critics, however, aren’t swayed. Eva Galperin of the EFF noted, with forensic precision, that burdens are the point when you’ve repeatedly flouted federal orders and still dabble in spyware-adjacent projects, as Zuckerman allegedly did in 2022. The public can comment until August 19. Surveillance, after all, is everyone’s business.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
