CyberWire Daily - SharePoint springs a leak.
Episode Date: July 23, 2025
The National Nuclear Security Administration was among the organizations impacted by the SharePoint zero-day. Experts testify before Congress that OT security still lags. The FBI warns healthcare and critical infrastructure providers about Interlock ransomware. New York proposes new cybersecurity regulations for water and wastewater systems along with grants to fund them. Researchers uncover an active cryptomining campaign targeting cloud environments. A new variant of the Coyote banking trojan exploits Microsoft's Windows UI Automation (UIA) framework for credential theft. The DoD pilots an agentic AI project aimed at helping military planners critique and enhance war plans. Clorox sues its former IT service provider for $380 million. Our guest is Tim Starks from CyberScoop discussing sanctions on Russian hackers and spies. Pirate Prime, do the time.
CyberWire Guest
Today we are joined by Tim Starks from CyberScoop discussing research on "UK sanctions Russian hackers, spies as US weighs its own punishments for Russia."
Selected Reading
US nuclear weapons agency reportedly breached in Microsoft SharePoint attacks (The Verge)
Fully Operational Stuxnet 15 Years Later & the Evolution of Cyber Threats to Critical Infrastructure (US House of Representatives Cybersecurity and Infrastructure Protection Subcommittee Hearing)
European healthcare network AMEOS Group hit by cyberattack (Beyond Machines)
FBI urges vigilance against Interlock ransomware group behind recent healthcare attacks (The Record)
New York unveils new cyber regulations, $2.5 million grant program for water systems (The Record)
Soco404: Multiplatform Cryptomining Campaign (Wiz)
Coyote malware abuses Windows accessibility framework for data theft (Bleeping Computer)
Thunderforge Brings AI Agents to Wargames (IEEE Spectrum)
Clorox Sues Cognizant for Causing 2023 Cyber-Attack (Infosecurity Magazine)
Operator of Jetflix illegal streaming service gets 7 years in prison (Bleeping Computer)
Audience Survey
Complete our annual audience survey before August 31.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1, and
without securing them, trust, uptime, outages, and compliance are at risk.
CyberArk is leading the way with the only unified platform
purpose-built to secure every machine identity, certificates,
secrets, and workloads across all environments, all clouds,
and all AI agents.
Designed for scale, automation, and quantum readiness,
CyberArk helps modern enterprises
secure their machine future.
Visit cyberark.com slash machines to see how.
The National Nuclear Security Administration was among the organizations impacted by the
SharePoint zero-day.
Experts testify before Congress that OT security still lags.
The FBI warns health care and critical infrastructure providers about Interlock ransomware.
New York proposes new cybersecurity regulations for water and wastewater systems, along with
grants to fund them.
Researchers uncover an active crypto mining campaign targeting cloud environments.
A new variant of the Coyote banking Trojan exploits Microsoft's Windows UI automation
framework for credential theft.
The DoD pilots an agentic AI project aimed at helping military planners critique and
enhance war plans.
Clorox sues its former IT service provider for $380 million.
Our guest is Tim Starks from CyberScoop discussing sanctions on Russian hackers and spies.
And Pirate Prime?
Do the time. It's Wednesday, July 23rd, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today.
It's great as always to have you with us.
Continuing our coverage of the Microsoft SharePoint zero-day exploit, new reports reveal that
the National Nuclear Security Administration was among the over 50 organizations impacted.
Bloomberg reports that the agency, which supplies nuclear reactors for U.S. Navy submarines,
was affected by the vulnerability, though no classified data appears to have leaked.
The Department of Energy credits its use of Microsoft 365 cloud services and strong cybersecurity
practices for limiting the breach's impact to just a few systems, which are now being
restored.
The exploit, tied to two bugs revealed at May's Pwn2Own hacking contest, allowed attackers
remote access to SharePoint servers.
Microsoft has since issued patches for all affected versions.
The breaches are linked to Chinese state-affiliated actors,
adding to growing concerns over foreign targeting
of critical infrastructure.
And speaking of critical infrastructure,
a congressional hearing by the Homeland Security
Subcommittee on Cybersecurity reviewed the growing threat
to U.S. critical infrastructure
15 years after the discovery of the Stuxnet worm.
Journalist Kim Zetter, author of the book Stuxnet Countdown to Zero Day, shared her own insights.
Stuxnet was a first-of-its-kind attack, the first known case of malicious code designed to leap from the digital world
to the physical realm to cause disruption and destruction, not of the computers it infected, but of equipment
and processes these computers controlled, in this case the centrifuges at Natanz.
The same techniques Stuxnet used can be used against critical infrastructure in the US
to disrupt services the public, government, and military rely on, or to damage equipment
that can also cause death, either directly by causing passenger trains to collide
or indirectly by preventing patients from being treated
at hospitals because the electricity is out.
Stuxnet marked the beginning of cyber tools
causing real-world physical damage,
targeting Iran's nuclear program.
Experts testified that operational technology,
the systems running critical services like
water, energy, and transportation, remains dangerously vulnerable.
Robert M. Lee, CEO of Dragos, shared this testimony.
Let me be blunt.
We are not prepared for a major attack on our critical infrastructure.
We know that such an attack would be part of any major conflict with an adversary, but
we are not doing enough to prepare, and the results of continued failure could be catastrophic, including the loss of life.
Witnesses emphasize that OT security still lags behind IT, leaving sectors exposed to
ransomware, malware, and state-sponsored threats, especially from Iran and China.
Calls were made to reauthorize key laws like the Cybersecurity Information Sharing Act and to boost funding for the state and local cybersecurity grant program.
Panelists urged clear federal guidance, public-private collaboration, and a shift from general IT approaches to OT-specific strategies. They warned that without decisive action, the U.S. risks catastrophic failures
in critical systems during future cyber conflicts.
AMEOS Group, a major private health care provider in central Europe, reported a July 7 breach
that forced a shutdown of its digital systems, disrupting communications and data transmission across clinics in Switzerland, Germany, and Austria.
Patient care and emergency services remained unaffected.
The nature of the attack is unknown, with an investigation underway by police.
AMEOS has notified data protection authorities and warned patients to watch for phishing and scams.
The FBI is warning healthcare and critical infrastructure providers about Interlock,
a ransomware group active since late 2024.
Interlock uses unusual initial access methods,
including drive-by downloads
and fake browser updates to infect systems.
It has targeted organizations in North America and Europe, including attacks
on DaVita and a major Ohio health care system. The group's ransom notes lack payment details,
requesting contact instead. Officials say Interlock targets victims opportunistically
and may be linked to the Rhysida group. Ransom demands are made in Bitcoin.
New York has proposed new cybersecurity regulations
for water and wastewater systems
alongside a $2.5 million grant program
to help fund compliance.
The rules would require systems serving over 3,300 residents
to implement cybersecurity programs,
conduct risk assessments,
report incidents within 24 hours, and train staff.
Larger systems must also appoint a cybersecurity executive.
While the grants aim to ease costs, expenses could reach up to $5 million annually for
major systems.
The regulations, aligned with EPA and CISA guidance,
follow growing threats from ransomware and state-backed attacks. Public comment is open
through September, with full compliance expected by 2027. Officials acknowledge costs may burden
taxpayers or ratepayers, but emphasize the need for proactive security amid federal retreat
from state-level support.
Researchers at Wiz have uncovered an active cryptomining campaign dubbed Soco404 targeting
cloud environments via misconfigurations and vulnerabilities, especially in PostgreSQL.
The attackers exploit exposed Linux and Windows systems using fake 404 pages, compromised
servers, and process masquerading to deliver and hide malware.
Persistence is achieved through cron jobs and shell scripts.
Payloads are hosted on legitimate but compromised infrastructure and fraudulent crypto trading
websites.
Once inside, the malware removes competitors, hides traces, and mines cryptocurrency using
pools.
The Windows variant uses built-in tools like CertUtil and PowerShell to deliver payloads
and embeds a driver to boost mining performance.
The campaign is linked to a broader crypto scam network,
showing signs of long-term automated and opportunistic operations.
Nearly 90% of cloud environments self-host PostgreSQL,
making this a high-risk attack vector.
The campaign remains active.
A new variant of the Coyote banking Trojan is actively exploiting Microsoft's Windows
UI Automation framework (UIA) to identify banking and cryptocurrency websites for credential
theft.
UIA, designed for accessibility, allows apps to inspect and interact with UI elements,
features now being abused to evade detection.
First observed in February of this year, this marks the first real-world attack using UIA
for data theft.
Coyote is hard-coded to target 75 specific financial services, mostly in Brazil, and
uses UIA to detect URLs in browser tabs when traditional methods fail.
The U.S. DoD's Defense Innovation Unit is piloting Thunderforge,
an agentic AI project aimed at helping military planners critique and enhance war plans.
Thunderforge uses multiple AI agents to analyze plans across domains like logistics, cyber,
and intelligence, flagging potential weaknesses.
The system integrates with DoD simulations like DARPA's SafeSim and is backed by Scale AI,
Microsoft, and Anduril.
Tested in June by INDOPACOM, Thunderforge is designed to shift human users from micromanaging
tasks to strategic oversight.
However, experts warn of risks, including opaque decision-making, hallucinated outputs,
and over-reliance on flawed models.
Researchers emphasize the need for explainability, continuous adversarial testing, and human oversight.
Benchmarking studies show LLMs vary in bias and escalation tendencies, underscoring the importance of model selection.
While promising, Thunderforge must prove resilient in wartime conditions, where systems face degraded information and adversarial interference.
Human commanders retain final authority in all operational decisions.
Clorox is suing its former IT service provider Cognizant for $380 million, claiming the firm's
negligence enabled a devastating August 2023 cyberattack.
Filed in California Superior Court, the lawsuit alleges Cognizant failed to verify the identity
of a caller before granting access to Clorox's network, violating established password and
authentication protocols.
The attacker, linked to a known cybercriminal group, used the credentials to disrupt Clorox's
operations, causing weeks-long outages and at least $49 million in damages.
Call recordings reportedly confirm Cognizant handed over access without security checks.
Clorox's legal counsel described the failure as indefensible.
The breach halted production, strained supply
chains, and forced Clorox to scale back its 2030 sustainability goals. Cognizant had served
Clorox for over a decade under a long-standing IT services agreement.
Coming up after the break, Tim Starks from CyberScoop discusses the latest sanctions
on Russian hackers and spies, and Pirate Prime?
Do the time.
Stay with us.
Bad actors don't break in, they log in.
Attackers use stolen credentials in nearly 9 out of 10 data breaches, and once inside,
they're after one thing, your data. Varonis' AI-powered data security platform secures your data at scale.
Across IaaS, SaaS, and hybrid cloud environments,
join thousands of organizations who trust Varonis to keep their data safe.
Get a free data risk assessment at Varonis.com.
Crogl is AI built for the enterprise SOC.
Fully private, schema-free, and capable of running in sensitive, air-gapped environments,
Crogl autonomously investigates thousands of alerts weekly, correlating insights across
your tools without data leaving your perimeter.
Designed for high availability across geographies, it delivers context-aware, auditable decisions
aligned to your workflows.
Crogl empowers analysts to act faster and focus on critical threats, replacing repetitive
triage with intelligent automation to help your SOC operate at scale with precision and control.
Learn more at Crogl.com. That's C-R-O-G-L.com.
And it is always my pleasure to welcome back to the show Tim Starks.
He is a senior reporter at CyberScoop.
So we touched last week here at the CyberWire on these sanctions from the UK against some
of the GRU's cyber operators here.
You have an article in CyberScoop that really digs into some of the details quite a bit here.
Can we start with the basics? What are we talking about here, Tim?
Sure, yeah. The UK sanctioned 18 military officers from Russia and three military units.
Some of these were hackers, some of them were just regular kinds of spies without a hacking angle.
But there were a couple different reasons that the UK decided to do this that related
to the cyber front.
One was the use of hacking as a way to support military operations in Ukraine and the Ukraine
War.
Another was a little bit more interesting to me.
I mean, nothing against the interestingness of Ukraine and what's going on there, but
just we've seen that before.
The other thing that was interesting is that they went back to 2013 on something, essentially,
where there was a person, a double agent for the British government working in Russia,
who came over to the UK with his daughter.
And they found that in 2013, five years before that happened, and then there was a subsequent
assassination attempt on UK soil,
that the phone of the daughter, Yulia Skripal, if I believe I'm saying the name right,
that they found malware on that.
And so this was actually trying to punish them for that.
Yeah, I mean, I remember those stories of the poisonings, you know, back then.
It's interesting that they've gone all the way back to loop that in with this.
It is.
And, you know, for a domestic audience, if you're talking about just the US audience
that I have, not that we don't welcome people from all countries, but a largely domestic
audience for our publication, the malware that they specifically targeted in the UK
that was used by these Russian hackers was called X-Agent,
which if you go back to our 2016 election, that malware was used against
the DCCC and the DNC to interfere with the 2016 race.
Wow. So I mean, sanctions like these are often seen as symbolic. How effective do
you think this will ultimately be?
You know, it doesn't seem like it's dissuaded Russia from doing what it's been doing.
So that's the ultimate test, right?
That's the ultimate evaluation.
Have they stopped doing it?
No.
They have not stopped the war in Ukraine.
They're still doing all the hacking that we talked about.
The Russian military units in particular that they went after
are involved in some of the most infamous incidents
in cybersecurity history.
Things like the NotPetya attack or the successful turning out of the lights in Ukraine way,
way, way, way back.
Hacking of elections all over the country, all over the world.
And so if you're just going by that judgment, then yeah, no, they're not working.
But if you think that each additional twist of the dial or turn of the dial leads to more pressure,
and there's pressure coming from other directions as well,
this is part of the toolkit,
and I think if something does happen where it ends,
and this leads to yet more sanctions from the United States,
which is another thing that's on the table here,
then you can say, yeah,
that was actually a factor in doing that.
But now, no, not yet.
Your reporting points out that the UK warned that the GRU may shift their cyber tactics
in response to this.
Any speculation of what type of scenarios we could be looking at if this threat spills
over beyond Ukraine?
No, they didn't talk much about it in terms of details about the kinds of scenarios that
they saw, but just that it was a possibility.
I think you can obviously look at the warning that they put out because there were two things
they announced on Friday.
One was that they were issuing these sanctions and another was an alert about the hybrid
cyber threats, the UK and others, detailing the specifics of these incidents and saying,
hey, look, the Russian threat is going to keep morphing the more pressure we put on them, essentially.
So be on the lookout for these kinds of things is what the alerts have.
What kind of message does this send to the international community about hybrid warfare?
You know, one of the things I thought was interesting about this is that they didn't
wait for the United States.
There's been an awful lot of coordinated action in the past administration, certainly.
I think even some in the first Trump administration, where the sanctions were UK, US, Five Eyes
countries, the occasional other partner. This was the UK saying, let's get going
on this, I think. I think that's the message they were trying to send is,
we're not going to wait for anybody else, we think this is important enough, we
feel like we need to protect Ukraine, we feel like we need to protect ourselves,
we think we need to protect Europe. And there was a sort of a call to others to join in on this,
that they said, they didn't call the United States specifically, but the
language was to the extent of, hey, we've got to do this together. So I think with
the fact that Congress is looking at some more sanctions on Russia, Trump
himself, who has been very generous to Vladimir Putin on his intentions, has
actually been more outspoken of late about being impatient with Vladimir Putin.
He has talked about more sanctions.
I think that this might be just,
you know, you're talking about, again,
that sort of twist of the turn of the dial.
This is another thing that could maybe put
a little bit more pressure on the United States
and other allies of the UK to say,
look, we really need to keep going harder at Russia.
They're not stopping doing what we want them to stop doing.
We've got to go after them.
This was a little bit of a, let's get started.
And what response, if any, have we seen from the US to this move by the UK?
Nothing yet.
I think that because Congress had already kind of been talking about this, there's some
bipartisan interest in doing this.
Trump had said just the day before,
I'm giving him 50 days.
I don't think we're going to see much in the way of
actual response from the United States
until some of those things start to coalesce.
All right. Well, Tim Starks
is senior reporter at CyberScoop.
Tim, thanks so much for joining us.
Thank you, Dave.
Compliance regulations, third-party risk, and customer security demands are all growing and changing fast.
Is your manual GRC program actually slowing you down?
If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right.
GRC can be so much easier, and it can strengthen your security posture while actually driving revenue for your business.
You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program.
Their trust management platform automates those key areas – compliance, internal and third-party risk, and even customer trust –
so you're not buried under spreadsheets and endless manual tasks.
Vanta really streamlines the way you gather and manage information across your entire
business.
And this isn't just theoretical.
A recent IDC analysis found that compliance teams using Vanta are 129% more productive.
It's a pretty impressive number.
So what does it mean for you?
It means you get back more time and energy to focus on what actually matters, like strengthening
your security posture and scaling your business.
Vanta, GRC, just imagine how much easier trust can be.
Visit vanta.com slash cyber to sign up today for a free demo.
That's vanta.com slash cyber.
Hey everybody, Dave here.
I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now and I'm just as impressed today as I was when I signed up.
DeleteMe keeps finding and removing my personal information from data broker sites and they
keep me updated with detailed reports so I know exactly what's been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every
day.
The DeleteMe team handles everything.
It's the set-it-and-forget-it peace of mind.
And it's not just for individuals.
DeleteMe also offers solutions for businesses, helping companies protect their employees'
personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Just go to JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.
And finally, Christopher Lee Dahlman, founder of the pirated streaming empire JetFlix, has earned himself a seven-year federal sentence.
Less binge-worthy, perhaps, than the 183,000 TV episodes his platform once offered, but
certainly more exclusive.
JetFlix, which operated from 2007 to 2019, was essentially Netflix without the licensing
fees or moral overhead.
Dahlman and his colleagues automated the theft of shows from legitimate sources
like Hulu and Amazon, repackaging them for tens of thousands of paying subscribers,
and called it all innovation.
The Justice Department estimates the operation caused $37.5 million in damages,
roughly the cost of a mid-tier prestige drama,
minus the Emmy Awards.
Dahlman was convicted of money laundering
and various flavors of copyright infringement.
His setup delivered shows faster than most legal platforms,
which is impressive in a way, if entirely illegal.
Prosecutors say the scheme eroded creative
industries and flouted the rule of law. Dahlman, for his part, has now secured a much more
confined viewing experience.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
We'd love to hear from you.
We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August.
There's a link in the show notes. Please take a moment and check it out.
N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliot Peltsman. Our
executive producer is Jennifer Iben. Peter Kilby is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
And now, a word from our sponsor ThreatLocker, the powerful Zero Trust enterprise solution
that stops ransomware in its tracks.
Allowlisting is deny-by-default software
that makes application control simple and fast.
Ring-fencing is an application containment strategy,
ensuring apps can only access the files, registry keys,
network resources, and other applications
they truly need to function.
Shut out cybercriminals with world-class endpoint protection
from ThreatLocker.