CyberWire Daily - The SharePoint siege goes strategic.

Episode Date: July 22, 2025

Confusion persists over the Microsoft SharePoint zero-days. CrushFTP confirms a zero-day under active exploitation. The UK government proposes a public sector ban on ransomware payments. A new ransomware group is using an AI chatbot to handle victim negotiations. Australia’s financial regulator accuses a wealth management firm of failing to manage cybersecurity risks. Researchers uncover a WordPress attack that abuses Google Tag Manager. Arizona election officials question CISA following a state portal cyberattack. Hungarian police arrest a man accused of launching DDoS attacks on independent media outlets. On our Threat Vector segment guest host Michael Sikorski and Michael Daniel of the Cyber Threat Alliance (CTA) explore cybersecurity collaboration. A spyware kingpin wants back in.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Threat Vector Segment

On our Threat Vector segment, host David Moulton turns the mic over to guest host Michael Sikorski and his guest Michael Daniel of the Cyber Threat Alliance (CTA) for a deep dive into cybersecurity collaboration. You can hear Michael and Michael's full discussion on Threat Vector here and catch new episodes every Thursday on your favorite podcast app.
Selected Reading

ToolShell Zero-Day Attacks on SharePoint: First Wave Linked to China, Hit High-Value Targets (SecurityWeek)
Microsoft: Windows Server KB5062557 causes cluster, VM issues (Bleeping Computer)
File transfer company CrushFTP warns of zero-day exploit seen in the wild (The Record)
UK to lead crackdown on cyber criminals with ransomware measures (GOV.UK)
Ransomware Group Uses AI Chatbot to Intensify Pressure on Victims (Infosecurity Magazine)
Australian Regulator Alleges Financial Firm Exposed Clients to Unacceptable Cyber Risks (Infosecurity Magazine)
WordPress spam campaign abuses Google Tag Manager scripts (SC Media)
After website hack, Arizona election officials unload on Trump’s CISA (CyberScoop)
Hungarian police arrest suspect in cyberattacks on independent media (The Record)
Serial spyware founder Scott Zuckerman wants the FTC to unban him from the surveillance industry (TechCrunch)

Audience Survey

Complete our annual audience survey before August 31.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. CISOs and CIOs know machine identities now outnumber humans by more than 80 to 1, and without securing them, trust, uptime, outages, and compliance are at risk. CyberArk is leading the way with the only unified platform purpose-built to secure every machine identity, certificates, secrets, and workloads across all environments, all clouds, and all AI agents. Designed for scale, automation, and quantum readiness,
Starting point is 00:00:41 CyberArk helps modern enterprises secure their machine future. Visit cyberark.com slash machines to see how. Confusion persists over the Microsoft SharePoint zero-days. CrushFTP confirms a zero-day under active exploitation. The UK government proposes a public sector ban on ransomware payments. A new ransomware group is using an AI chatbot to handle victim negotiations. Australia's financial regulator accuses a wealth management firm of failing to manage cybersecurity risks. Researchers uncover a WordPress attack that abuses Google Tag Manager.
Starting point is 00:01:31 Arizona election officials question CISA following a state portal cyberattack. Hungarian police arrest a man accused of launching DDoS attacks on independent media outlets. On our Threat Vector segment, guest hosts Michael Sikorski and Michael Daniel of the Cyber Threat Alliance explore cybersecurity collaboration. And a spyware kingpin wants back in. It's Tuesday, July 22nd, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us. It's great to have you with us today. As we reported yesterday,
Starting point is 00:02:30 a wave of zero-day attacks has hit Microsoft SharePoint servers, exploiting flaws that researchers recently linked to a remote code execution exploit chain called ToolShell. The attacks began around July 17th, targeting strategic sectors like energy, tech consulting, and government. Two patched flaws were reportedly bypassed, prompting Microsoft to assign two new CVEs. One allows unauthenticated code execution, the other enables spoofing. Despite patches, confusion persists about which vulnerabilities were chained during
Starting point is 00:03:08 the attacks. Sentinel-1 identified three attack clusters, including those by state-sponsored actors. Reports indicate exfiltration of cryptographic secrets and circumvention of MFA and SSO protections. Over 9,000 internet-facing SharePoint servers are at risk, mainly in North America and Europe. CISA has added one of the CVEs to its known exploited vulnerabilities list and advises immediate patching.
Starting point is 00:03:38 Microsoft also urges organizations to rotate cryptographic keys post-remediation. In other Microsoft news, Redmond is urging businesses to contact support to address a bug in the July 2024 Windows Server 2019 update that disrupts cluster service operations. The issue causes repeated restarts, node failures, and VM instability, especially on systems using BitLocker with cluster-shared volumes. While a fix is in development, Microsoft has not yet released it publicly and recommends
Starting point is 00:04:15 reaching out for guided mitigation until a permanent update is available. Crush FTP has confirmed a zero-day vulnerability is being actively exploited in older versions of its file transfer software. The company's president said the flaw, patched in builds after July 1, was discovered after hackers reverse-engineered their code. Over 1,000 unpatched instances have been identified globally, with hundreds in the US and Europe. Most attacks occurred around July 18. Some attackers are disguising outdated vulnerable systems to appear current.
Starting point is 00:04:54 CrushFTP has issued guidance for affected users. The identity of the attackers remains unknown, but groups like the Klopp Ransomware Gang have a history of exploiting similar flaws in file transfer tools. This incident highlights ongoing threats to file sharing platforms, which are prime targets for stealing sensitive data from government, corporate, and academic users. CISA has previously warned about crush FTP vulnerabilities and continues to monitor related threats in the file transfer space. The UK government is proposing new measures to combat ransomware,
Starting point is 00:05:33 focusing on protecting hospitals, businesses and critical services. Under the plan, public sector bodies and operators of national infrastructure, like the NHS and schools, would be banned from paying ransoms. Nearly 75% of public consultation respondents supported the move. Private businesses would need to notify the government if they intend to pay a ransom, ensuring such actions don't violate sanctions. A mandatory reporting regime is also in development to help law enforcement gather intelligence and disrupt ransomware networks. The proposals aim to break the financial model driving cybercrime, especially attacks tied to Russian-based groups. Officials stress
Starting point is 00:06:18 the need for strong cybersecurity practices, including offline backups and recovery plans. Supporters, including the British Library and Co-op, welcome the effort to improve resilience. These steps are part of the UK's broader plan for change to defend against evolving cyber threats. A new ransomware-as-a-service group, Global Group, has emerged, rebranding older threats Momona RIP and Blacklock. While not highly innovative, the group's standout feature is using an AI chatbot to handle victim negotiations. This bot operates on a Tor-based panel, automating communication and psychological pressure to scale operations across timezones.
Starting point is 00:07:06 Victims face steep ransom demands and threats of data leaks. The ransomware uses a Golang-based payload compatible with Windows, Linux, Mac OS, and even ESXi systems, favoring fast, concurrent encryption. Analysts also found poor operational security linking global to Russian infrastructure used by Momona. The builder allows affiliates to customize attacks, enhancing evasion and reach. Pycus Security recommends multiple detection and mitigation strategies, including monitoring go-based processes, restricting access to native utilities, simulating attacks, and enforcing least-privileged policies to defend against this growing ransomware
Starting point is 00:07:52 threat. Australia's financial regulator, ASIC, has taken legal action against Fortnum Private Wealth for allegedly failing to manage cybersecurity risks, exposing clients to significant threats. The firm is accused of lacking proper policies, training, and oversight, particularly for its authorized representatives. One breach leaked over 200 gigabytes of sensitive data from nearly 10,000 clients later found on the dark web. Despite implementing a cybersecurity policy in 2021, ASIC claims it was inadequate. Fortnum denies the allegations, but declined further comment
Starting point is 00:08:34 due to ongoing court proceedings. Researchers at Sucuri have uncovered a WordPress attack that abuses Google Tag Manager, GTM, to redirect site visitors to spam pages without altering themes or plugin files. Instead, attackers inject a malicious script directly into WordPress database tables. This script loaded a Google Tag Manager container that triggered a redirection after five seconds. The GTM tag likely came from a compromised admin account. Over 200 sites were impacted, allowing attackers remote control of the payload via their GTM
Starting point is 00:09:15 account. These redirects can harm site SEO, reputation, and visitor safety. Securi advises inspecting for suspicious GTM tags, securing admin accounts with 2FA, and keeping plugins updated. GTM's trusted status makes such attacks hard to detect, similar to earlier GTM-based eSkimming campaigns on e-commerce sites. Arizona election officials revealed a cyberattack that defaced candidate profiles on a state portal, replacing photos with images of the late
Starting point is 00:09:51 Ayatollah Khomeini. The breach, discovered on June 23rd, exploited a legacy system to upload a malicious image containing a PowerShell script. While the threat was quickly contained, officials criticized the Cybersecurity and Infrastructure Security Agency for its lack of support, citing a breakdown in federal coordination since the Trump administration's restructuring and budget cuts. Arizona's Secretary of State Adrian Fontes accused CISA of becoming politicized and ineffective, endangering national election security. Arizona's chief information security officer
Starting point is 00:10:29 said key systems remained unaffected, but emphasized that CISA's former collaborative role has eroded. This incident, following US action against Iranian nuclear sites, included pro-Iran messaging, though attribution remains uncertain. Experts warn that CIS's diminished role risks fragmenting the nation's cyber defense and
Starting point is 00:10:51 eroding trust between state and federal agencies. Hungarian police have arrested a 23-year-old man from Budapest accused of launching DDoS attacks on independent media outlets in Hungary and abroad. Operating under the alias Hano, he allegedly used DDoS for hire services to disrupt access to sites like Media One, Telex, and Vienna-based International Press Institute. Authorities seized electronic evidence from the suspect's home though. He has not yet been formally charged Investigators are probing the motive and whether any external coordination or funding was involved Most targeted outlets were critical of Hungary's government while pro-government media were unaffected
Starting point is 00:11:38 The incident highlights growing cyber threats to independent journalism Following similar politically linked attacks on media in Russia and Ukraine in recent months. Coming up after the break on our Threat Vector segment, Mike Sikorsky and Michael Daniel of the Cyber Threat Alliance explore cybersecurity collaboration and a spyware kingpin wants back in. Stay with us. Bad actors don't break in, they log in. Attackers use stolen credentials in nearly nine out of 10 data breaches. Once inside, they're after one thing, your data. Varonis's AI powered data security platform secures your data at scale.
Starting point is 00:12:40 Across LAS, SAS, and hybrid cloud environments, join thousands of organizations who trust Vonis to keep their data safe. Get a free data risk assessment at Veronis.com. Krogel is AI built for the enterprise SOC. Fully private, schema-free, and capable of running in sensitive, air- context-aware, auditable decisions aligned to your workflows. Krogl empowers analysts to act faster and focus on critical threats, replacing repetitive triage with intelligent automation to help your sock operate at scale with precision and control.
Starting point is 00:13:39 Learn more at Krogl.com. That's C-R-O-G-L dot com. On this week's Threat Vector segment, guest host Michael Sikorski is joined by Michael Daniel from the Cyber Threat Alliance, they explore cybersecurity collaboration. Hi, I'm David Moulton, host of the Threat Vector Podcast, where we break down cybersecurity threats, resilience, and the industry trends that matter most. What you're about to hear is a snapshot from the No Holds Barred look at collaboration in cybersecurity between guest host Michael Michael Sikorski,
Starting point is 00:14:26 and Michael Daniels from the Cyber Threat Alliance. What really drives cooperation in a world built on zero trust? If you like this short segment, you're going to love the full episode. So Michael, welcome. Well, Thank you for having me. Before we dive into the hard questions, you've been leading the CTA, Cyberthreat Alliance, for over eight years now. Looking back, what moment stands out to you as the first time you felt, okay, this is working. Yeah, when I think about that,
Starting point is 00:15:06 to me, one of the early signs of that was during the WannaCry incident, that we were able to get a lot of different member companies on a call simultaneously, and have them talk about what they were seeing and what they were not seeing. And at the beginning of WannaCry, everybody thought that that was being spread by an email vector.
Starting point is 00:15:32 And when we assembled the different CTA members on the call and everybody started seeing what they were seeing and nobody was finding an email vector for WannaCry, and it was one of those things that you could almost feel it around the room of like, well, wait a minute, if nobody among this set of people is seeing an email vector, maybe there's not an email vector. And so it really prompted everyone to go look in a different direction.
Starting point is 00:16:01 And that was one of the first times that I realized that like this model could actually work. I also was thinking of how does the cyber threat alliance and what we're doing, and specifically our collective defense model, how does that relate to some of these other sharing models that we've seen out there, the ISACs, JCDC for which we're a member,
Starting point is 00:16:30 with Homeland Security obviously, like how does their model differ from ours and how does that look? And then also, what is one misconception people have about the Cyber Threat Alliance's mission as it pertains to those? Yeah, a lot of times I would say, well, CTA, if you think of us as an ISAC
Starting point is 00:16:55 for the cybersecurity industry, that would not be too far off. I always say that the Cyber Threat Alliance is aimed at entities that are providing cybersecurity services to others. So cybersecurity companies like Palo Alto Networks, but also the cybersecurity arms of telecommunication companies or platform providers, those sorts of things. And really the reason for that is because that's a set of entities that really do need to be sharing lots of technical data with each other at very large volumes.
Starting point is 00:17:32 And that's really some of CTA's stock and trade, right, is focusing on that. We are not focused on a particular industry vertical, which a lot of ISACs, well, we are, it's just the cybersecurity industry as opposed to like a critical infrastructure sector vertical like, you know, financial services or energy. So really that's kind of our space in the ecosystem as we try to occupy that space, which really nobody, no other entity was really occupying before CTA, before CTA came along. So that's really how I see, you know, what CTA is and what we, you know, and what we do. We also try to work with, you know, how do you actually get that collaboration built with the government? One of the things that we made a decision very early on for CTA was that we wanted it to be focused
Starting point is 00:18:27 on the private sector for what the private sector could do. And the governments can't be direct members of CTA. And that was deliberately designed to give some space in there, to make it so that it wasn't, so that it didn't seem like governments had captured CTA and that CTA was doing a government's bidding, right? But obviously we have a lot of partnerships and work with responsible governments around the world.
Starting point is 00:18:56 And so that I think is an important part of the equation. important part of the equation. What do you see as the best way we could improve the US government's approach to cyber partnerships? What is the thing, if you had a magic wand and you were in charge of all partnerships from the government to private across the US government, what would be either one or two things that you would quickly think about either one or two things that you would
Starting point is 00:19:25 quickly think about either changing or enacting? Yeah. I mean, I think one of the things that I would say is one of the struggles that the federal government has is that we have worked very hard over decades to make sure that there are a lot of rules inside the federal government for how it treats the private sector and to treat the private sector equitably. And what this is translated to is that if you are working with one entity in the private sector, you've got to work with all of them equally.
Starting point is 00:20:01 And the truth is that in cybersecurity, not all companies are created equal. And some parts, some entities in the ecosystem are more important in certain situations than others. And so... Yeah, based on the technology they have deployed worldwide, based on their visibility, based on their expertise. Absolutely. Yes, these are based on very, what I would almost say are objective factors, right? This is not about preference, you know, based on who's friends with who, but it's based on the technology, the infrastructure, the capabilities, right? And the federal government needs to be able to have a better ability to say, look, I'm
Starting point is 00:20:38 going to collaborate with this set of entities in this case for this reason. And no, we're not going to have to let everybody and their cousin into this collaboration because they don't bring enough to the table, right? And that's really hard on the federal government side right now. And we need- Because it can feel like you're picking favorites,
Starting point is 00:20:57 is that why? Yeah, that's right. And it's seen as picking favorites. And it's like, no, we're not picking favorites. We're picking the entities that can actually do something to make a meaningful difference. And if you've ever been in any sort of collaborative exercise, then you know that as you get bigger, it gets harder and harder to do the collaboration. And you reach a certain point and it becomes almost impossible. And so that to me is really one of the key sort of factors that we have
Starting point is 00:21:28 to take into account and that the government needs to have a better ability to process. I think on the private sector side, there needs to be a better understanding of the fact that the government operates under certain constraints that a private sector company will never operate under, and that not all of this is just about bureaucracy, that it's about very real reasons for why we want the government to not be picking favorites in those situations, right? And that we want the government to operate in certain ways. And so that imposes some constraints on how the government operates that private sector companies don't have to follow. And it means that it's not because
Starting point is 00:22:11 the government is stupid or because they're incompetent or lazy, it's because they operate under a different set of rules. And so we need to bring a lot more of that understanding to the collaborations and have respect for the constraints. And again, and that also works, the government also needs to understand that in many of these cases when a private sector company is collaborating and working with them, every minute that they're spending working on this thing with the government, they're not making money. If that got your attention, don't wait.
Starting point is 00:22:55 Listen to the full episode now in your ThreatVector podcast feed. It's called Frenemies with Benefits and it's live now. You don't want to miss what could be the most eye opening take on cybersecurity teamwork this year. you get your favorite podcasts. Compliance regulations, third-party risk, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots and all those manual processes, you're right. GRC can be so much easier and it can strengthen your security posture while actually driving
Starting point is 00:24:04 revenue for your business. You know one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key areas compliance internal and third-party risk and even customer trust so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical.
Starting point is 00:24:33 A recent IDC analysis found that compliance teams using Vanta are 129% more productive. It's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta, GRC, just imagine how much easier trust can be. Visit vanta.com slash cyber to sign up today for a free demo. That's vanta.com slash cyber. Music
Starting point is 00:25:12 Music Music Hey everybody, Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months before, and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports, so I know exactly what's been taken down.
Starting point is 00:25:41 I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The Delete Me team handles everything. It's the set it and forget it piece of mind. And it's not just for individuals. Delete Me also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Starting point is 00:26:11 Just go to joindeleteeme.com slash n2k and use promo code n2k at checkout. That's joindeleteeme.com slash n2k code n2k. And finally, Scott Zuckerman, the spyware entrepreneur, perhaps best known for leaking private user data like a sieve, is asking the FTC to lift the 2021 ban that barred him from the surveillance industry. The ban followed a spectacular privacy faceplant in which his app, Spyphone, helpfully exposed thousands of users' texts, photos, and locations, turning stealth surveillance into public spectacle. Zuckerman now argues the order is a financial burden, claiming it hinders his growth in
Starting point is 00:27:12 other ventures. Critics are not swayed. Eva Galperin of the EFF noted, with forensic precision, that burdens are the point when you've repeatedly flouted federal orders and still dabble in spyware-adjacent projects, as Zuckerman allegedly did in 2022. The public can comment until August 19th. Surveillance, after all, is everyone's business. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at the cyberwire.com.
Starting point is 00:28:01 We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through August 31st. There's a link in the show notes. Please take a moment and check it out. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltsman.
Starting point is 00:28:22 Our executive producer is Jennifer Iben. Peter Kilpey is our publisher and I'm Gabe Vietner. Thanks for listening. We'll see you back here tomorrow. And now, a word from our sponsor ThreatLocker, the powerful zero-trust enterprise solution that stops ransomware in its tracks. AllowListing is a deny-by-default software that makes application control simple and fast. Ring-fencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function.
Starting point is 00:29:23 Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
