Clorox accuses IT provider in lawsuit of giving hackers employee passwords | Reuters
reuters.com - Bleach maker Clorox said Tuesday that it has sued information technology provider Cognizant over a devastating 2023 cyberattack, alleging the hackers gained access by asking the tech company's staff for its employees' passwords. WASHINGTON, July 22 (Reuters) - Bleach maker Clorox (CLX.N), opens new tab said Tuesday that it has sued information technology provider Cognizant (CTSH.O), opens new tab over a devastating 2023 cyberattack, alleging the hackers gained access by asking the tech company's staff for its employees' passwords. Clorox was one of several major companies hit in August 2023 by the hacking group dubbed Scattered Spider, which specializes in tricking IT help desks into handing over credentials and then using that access to lock them up for ransom. The group is often described as unusually sophisticated and persistent, but in a case filed in California state court on Tuesday, Clorox said one of Scattered Spider's hackers was able to repeatedly steal employees' passwords simply by asking for them. "Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques," according to a copy of the lawsuit, opens new tab reviewed by Reuters. "The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox's network, and Cognizant handed the credentials right over." Cognizant, in an emailed statement, pushed back, saying it did not manage cybersecurity for Clorox and it was only hired for limited help desk services.
Massive data leak maps out years of Swedish citizens’ private lives
An unsecured server has exposed hundreds of millions of detailed records on Swedish citizens and companies, offering a data goldmine for anyone who stumbles on it. A misconfigured Elasticsearch server has exposed a goldmine of business intelligence data with hundreds of millions of highly detailed records tied to Swedish individuals and organizations. Cybernews researchers identified the unsecured database, which did not require any authentication and was fully accessible to the public internet. The leaked data consisted of over 100 million records dated from 2019 to 2024, spread across 25 separate indices, with some datasets ballooning to more than 200GB in size. What was leaked? Many leaked records contained highly sensitive personal and organizational information, including: Full legal names, including history of previous names Swedish personal identity numbers Date of birth and gender Address history, both in Sweden and abroad Civil status and information about deceased individuals Foreign addresses for emigrants Debt records, payment remarks, bankruptcy history, property ownership indicators Income tax data spanning several years (2019–2023) Activity and event logs (including income statement submissions, migration status, and address updates)
UpGuard discovered an unauthenticated Elasticsearch database containing 22 million records of user traffic for hacking forum leakzone.net. On Friday, July 18 UpGuard discovered an unauthenticated Elasticsearch database containing about 22 million objects. Each of the objects was a record of a web request containing the domain to which the request was sent, the user’s IP address, and metadata like their location and internet provider. In this case, 95% of the requests were sent to leakzone.net, a “leaking and cracking forum” in the tradition of Raid Forums. This sizeable data set can thus give us an inside view of visitor activity to a very active website used for the distribution of hacking tools, exploits, and compromised accounts. About Leakzone Leakzone is part of a long line of forum sites that trade in illicit cyber materials like lists of usernames and passwords, pornography collections, and hacking tools. While law enforcement has shut down many other clearweb leak sites in that time period– the original Raid Forums was seized in 2022, and the founder of its replacement, Breach Forums, was arrested in 2023–Leakzone has survived. Archive.org shows the site beginning to take off in the second half of 2020 and continuing on to the present. Attribution On initial inspection of the exposed data, we saw that “leakzone.net” was mentioned very frequently in the “domain” field of the database schema. After downloading the available data, we were able to confirm that 95% of records named leakzone.net, making this data almost entirely about traffic to that site. The second most common domain, mentioned in 2.7% of records, was accountbot.io, a site for selling compromised accounts. In all, there are 281 unique values, though the other sites have only a fraction of the traffic and include mainstream sports and news sites– unaffiliated sites that may have been mentioned in the logs as part of redirects from Leakzone. ... Significance The IP addresses, and what they tell us about visitors to Leakzone and its ilk, are the most interesting part of the collection. GDPR even classifies client IP addresses as PII because of their utility for identifying a person across web properties. Public Proxies The data set contained 185k unique IP addresses– more than Leakzone’s entire user base of 109k, which certainly wouldn’t have all been using the site during this time period. (If they had 100% of their users active during a three week period they would be the most successful website of all time). The most likely explanation for the number of unique IPs is that some users were routing traffic through servers with dynamic IP addresses to hide their real IP addresses.
Microsoft exec admits it 'cannot guarantee' data sovereignty
theregister.com - Under oath in French Senate, exec says it would be compelled – however unlikely – to pass local customer info to US admin Microsoft says it "cannot guarantee" data sovereignty to customers in France – and by implication the wider European Union – should the Trump administration demand access to customer information held on its servers. The Cloud Act is a law that gives the US government authority to obtain digital data held by US-based tech corporations irrespective of whether that data is stored on servers at home or on foreign soil. It is said to compel these companies, via warrant or subpoena, to accept the request. Talking on June 18 before a Senate inquiry into public procurement and the role it plays in European digital sovereignty, Microsoft France's Anton Carniaux, director of public and legal affairs, along with Pierre Lagarde, technical director of the public sector, were quizzed by local politicians. Asked of any technical or legal mechanisms that could prevent this access under the Cloud Act, Carniaux said it had "contractually committed to our clients, including those in the public sector, to resist these requests when they are unfounded." "We have implemented a very rigorous system, initiated during the Obama era by legal actions against requests from the authorities, which allows us to obtain concessions from the American government. We begin by analyzing very precisely the validity of a request and reject it if it is unfounded." He said that Microsoft asks the US administration to redirect it to the client. "When this proves impossible, we respond in extremely specific and limited cases. I would like to point out that the government cannot make requests that are not precisely defined." Carniaux added: "If we must communicate, we ask to be able to notify the client concerned." He said that under the former Obama administration, Microsoft took cases to the US Supreme Court and as such ensured requests are "more focused, precise, justified and legally sound."
BlackSuit ransomware leak sites seized in Operation Checkmate
bleepingcomputer.com - Law enforcement has seized the dark web leak sites of the BlackSuit ransomware operation, which has targeted and breached the networks of hundreds of organizations worldwide over the past several years. The U.S. Department of Justice confirmed the takedown in an email earlier today, saying the authorities involved in the action executed a court-authorized seizure of the BlackSuit domains. Earlier today, the websites on the BlackSuit .onion domains were replaced with seizure banners announcing that the ransomware gang's sites were taken down by the U.S. Homeland Security Investigations federal law enforcement agency as part of a joint international action codenamed Operation Checkmate. "This site has been seized by U.S. Homeland Security Investigations as part of a coordinated international law enforcement investigation," the banner reads. Other law enforcement authorities that joined this joint operation include the U.S. Secret Service, the Dutch National Police, the German State Criminal Police Office, the U.K. National Crime Agency, the Frankfurt General Prosecutor's Office, the Justice Department, the Ukrainian Cyber Police, Europol, and others. Romanian cybersecurity company Bitdefender was also involved in the action, but a spokesperson has yet to reply after BleepingComputer reached out for more details earlier today. Chaos ransomware rebrand On Thursday, the Cisco Talos threat intelligence research group reported that it had found evidence suggesting the BlackSuit ransomware gang is likely to rebrand itself once again as Chaos ransomware. "Talos assesses with moderate confidence that the new Chaos ransomware group is either a rebranding of the BlackSuit (Royal) ransomware or operated by some of its former members," the researchers said. "This assessment is based on the similarities in TTPs, including encryption commands, the theme and structure of the ransom note, and the use of LOLbins and RMM tools in their attacks." BlackSuit started as Quantum ransomware in January 2022 and is believed to be a direct successor to the notorious Conti cybercrime syndicate. While they initially used encryptors from other gangs (such as ALPHV/BlackCat), they deployed their own Zeon encryptor soon after and rebranded as Royal ransomware in September 2022. In June 2023, after targeting the City of Dallas, Texas, the Royal ransomware gang began working under the BlackSuit name, following the testing of a new encryptor called BlackSuit amid rumors of a rebranding. CISA and the FBI first revealed in a November 2023 joint advisory that Royal and BlackSuit share similar tactics, while their encryptors exhibit obvious coding overlaps. The same advisory linked the Royal ransomware gang to attacks targeting over 350 organizations worldwide since September 2022, resulting in ransom demands exceeding $275 million. The two agencies confirmed in August 2024 that the Royal ransomware had rebranded as BlackSuit and had demanded over $500 million from victims since surfacing more than two years prior.
Disrupting active exploitation of on-premises SharePoint vulnerabilities | Microsoft Security Blog
microsoft.com - July 23, 2025 update – Expanded analysis and threat intelligence from our continued monitoring of exploitation activity by Storm-2603 leading to the deployment of Warlock ransomware. Based on new information, we have updated the Attribution, Indicators of compromise, extended and clarified Mitigation and protection guidance (including raising Step 6: Restart IIS for emphasis), Detections, and Hunting sections. On July 19, 2025, Microsoft Security Response Center (MSRC) published a blog addressing active attacks against on-premises SharePoint servers that exploit CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability. These vulnerabilities affect on-premises SharePoint servers only and do not affect SharePoint Online in Microsoft 365. Microsoft has released new comprehensive security updates for all supported versions of SharePoint Server (Subscription Edition, 2019, and 2016) that protect customers against these new vulnerabilities. Customers should apply these updates immediately to ensure they are protected. These comprehensive security updates address newly disclosed security vulnerabilities in CVE-2025-53770 that are related to the previously disclosed vulnerability CVE-2025-49704. The updates also address the security bypass vulnerability CVE-2025-53771 for the previously disclosed CVE-2025-49706. As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon exploiting these vulnerabilities targeting internet-facing SharePoint servers. In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities to deploy ransomware. Investigations into other actors also using these exploits are still ongoing. With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems. This blog shares details of observed exploitation of CVE-2025-49706 and CVE-2025-49704 and the follow-on tactics, techniques, and procedures (TTPs) by threat actors. We will update this blog with more information as our investigation continues. Microsoft recommends customers to use supported versions of on-premises SharePoint servers with the latest security updates. To stop unauthenticated attacks from exploiting this vulnerability, customers should also integrate and enable Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus (or equivalent solutions) for all on-premises SharePoint deployments and configure AMSI to enable Full Mode as detailed in Mitigations section below. Customers should also rotate SharePoint server ASP.NET machine keys, restart Internet Information Services (IIS), and deploy Microsoft Defender for Endpoint or equivalent solutions.
Mitel phone firmware analysis lead to the discovery of two vulnerabilities (CVE-2025-47187 & CVE-2025-47188). Exploiting them leads to unauthenticated code execution on the phone itself. While on an internal attack simulation engagement, a customer asked us: “Is an attacker able to listen in on our meeting room conversations?”. Motivated by this question, we scanned their internal network and discovered Mitel VoIP phone web management interfaces. While playing around with the login functionality of the management interface, we accidentally rediscovered CVE-2020-13617 on our own - and since the phone firmware was old enough, it allowed us to leak memory in the failed login response. While we didn’t have enough time to analyze the phone during this engagement, my interest in the phone and its firmware did not vanish. As part of the R&D team at InfoGuard Labs, I decided to take a closer look at the phone as a research project. This lead to the discovery of two new vulnerabilities: CVE-2025-47188: Unauthenticated command injection vulnerability CVE-2025-47187: Unauthenticated .wav file upload vulnerability These vulnerabilities are present in Mitel 6800 Series, 6900 Series and 6900w Series SIP Phones, including the 6970 Conference Unit with firmware version R6.4.0.SP4 and earlier. Mitel has published the MISA-2025-0004 security advisory informing about these vulnerabilities, the affected devices as well as remediation measures.
Discover how NoName057(16) targeted 3,700+ hosts across Europe using its DDoSia platform. This in-depth report reveals multi-tiered C2 infrastructure, attack patterns, and strategic geopolitical motivations behind the hacktivist-led campaign.
Weak password allowed hackers to sink a 158-year-old company
BBC - Transport company KNP forced to shut down after international hacker gangs target thousands of UK businesses. One password is believed to have been all it took for a ransomware gang to destroy a 158-year-old company and put 700 people out of work. KNP - a Northamptonshire transport company - is just one of tens of thousands of UK businesses that have been hit by such attacks. Big names such as M&S, Co-op and Harrods have all been attacked in recent months. The chief executive of Co-op confirmed last week that all 6.5 million of its members had had their data stolen. In KNP's case, it's thought the hackers managed to gain entry to the computer system by guessing an employee's password, after which they encrypted the company's data and locked its internal systems. KNP director Paul Abbott says he hasn't told the employee that their compromised password most likely led to the destruction of the company. "Would you want to know if it was you?" he asks. "We need organisations to take steps to secure their systems, to secure their businesses," says Richard Horne CEO of the National Cyber Security Centre (NCSC) - where Panorama has been given exclusive access to the team battling international ransomware gangs. One small mistake In 2023, KNP was running 500 lorries – most under the brand name Knights of Old. The company said its IT complied with industry standards and it had taken out insurance against cyber-attack. But a gang of hackers, known as Akira, got into the system leaving staff unable to access any of the data needed to run the business. The only way to get the data back, said the hackers, was to pay
Le cerveau du géant cybercriminel XXS.is arrêté à Kiev, après quatre ans d'enquête française
clubic.com - L'administrateur russophone d'un des plus influents forums cybercriminels mondiaux, XSS.is, vient d'être arrêté. L'opération est le fruit d'une enquête franco-ukrainienne de longue haleine. Les autorités ukrainiennes ont interpellé à Kiev, mardi 22 juillet, le cerveau présumé de XSS.is, une plateforme défavorablement réputée, puisque lieu incontournable de la cybercriminalité russophone. L'arrestation couronne une investigation française lancée il y a quatre ans maintenant, et qui révèle aujourd'hui l'ampleur considérable des gains amassés par l'administrateur du forum, estimés à sept millions d'euros. XSS.is cachait 50 000 cybercriminels derrière ses serveurs chiffrés Actif depuis 2013 tout de même, XSS.is, autrefois connu sous le nom de DaMaGeLab, constituait l'un des principaux carrefours de la cybercriminalité mondiale. La plateforme russophone rassemblait plus de 50 000 utilisateurs enregistrés, autrement dit un vrai supermarché du piratage informatique, même si beaucoup moins fréquenté que feu BreachForums, tombé en avril. Sur XSS.is, les malwares, les données personnelles et des accès à des systèmes compromis se négociaient dans l'ombre du dark web. Le forum proposait aussi des services liés aux ransomwares, ces programmes malveillants qui bloquent les données d'un ordinateur jusqu'au paiement d'une rançon. Un serveur de messagerie chiffrée, « thesecure.biz », complétait l'arsenal en facilitant les échanges anonymes entre cybercriminels. L'infrastructure offrait ainsi un environnement sécurisé pour leurs activités illégales. L'administrateur ne se contentait pas d'un rôle technique passif. Tel un chef d'orchestre du crime numérique, il arbitrait les disputes entre hackers et garantissait la sécurité des transactions frauduleuses. Un homme aux multiples casquettes, en somme. Toujours est-il que cette position centrale lui permettait de prélever des commissions substantielles sur chaque échange. Une coopération internationale exemplaire, portée par la France L'enquête préliminaire française, ouverte le 2 juillet 2021 par la section cybercriminalité du parquet de Paris, a mobilisé la Brigade de lutte contre la cybercriminalité. Les investigations ont révélé des bénéfices criminels d'au moins 7 millions d'euros, dévoilés grâce aux captations judiciaires effectuées sur les serveurs de messagerie. Outre la France et les autorités ukrainiennes, Europol a joué un rôle déterminant dans cette opération d'envergure internationale. L'agence européenne a facilité la coordination complexe entre les autorités françaises et ukrainiennes, déployant même un bureau mobile à Kiev pour faciliter l'arrestation. Voilà en tout cas une arrestation de plus contre les réseaux cybercriminels. Souvenez-vous, il y a quelques jours, les mêmes agences avaient déjà démantelé le groupe de hackers prorusses NoName057(16). Des succès successifs qui témoignent d'une intensification bienvenue dans la lutte contre les menaces et les hackers, alors que les cyberattaques se multiplient contre les infrastructures critiques européennes.
US nuclear weapons agency reportedly hacked in SharePoint attacks
Unknown threat actors have breached the National Nuclear Security Administration's network in attacks exploiting a recently patched Microsoft SharePoint zero-day vulnerability chain. NNSA is a semi-autonomous U.S. government agency part of the Energy Department that maintains the country's nuclear weapons stockpile and is also tasked with responding to nuclear and radiological emergencies within the United States and abroad. A Department of Energy spokesperson confirmed in a statement that hackers gained access to NNSA networks last week. "On Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy, including the NNSA," Department of Energy Press Secretary Ben Dietderich told BleepingComputer. "The Department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems." Dietderich added that only "a very small number of systems were impacted" and that "all impacted systems are being restored." As first reported by Bloomberg, sources within the agency also noted that there's no evidence of sensitive or classified information compromised in the breach. The APT29 Russian state-sponsored threat group, the hacking division of the Russian Foreign Intelligence Service (SVR), also breached the U.S. nuclear weapons agency in 2019 using a trojanized SolarWinds Orion update. Attacks linked to Chinese state hackers, over 400 servers breached On Tuesday, Microsoft and Google linked the widespread attacks targeting a Microsoft SharePoint zero-day vulnerability chain (known as ToolShell) to Chinese state-sponsored hacking groups. "Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon exploiting these vulnerabilities targeting internet-facing SharePoint servers," Microsoft said. "In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities. Investigations into other actors also using these exploits are still ongoing." Dutch cybersecurity firm Eye Security first detected the zero-day attacks on Friday, stating that at least 54 organizations had already been compromised, including national government entities and multinational companies. Cybersecurity firm Check Point later revealed that it had spotted signs of exploitation going back to July 7th targeting dozens of government, telecommunications, and technology organizations in North America and Western Europe.
npm 'accidentally' removes Stylus package, breaks builds and pipelines
bleepingcomputer.com - npm has taken down all versions of the real Stylus library and replaced them with a "security holding" page, breaking pipelines and builds worldwide that rely on the package. A security placeholder webpage is typically displayed when malicious packages and libraries are removed by the admins of npmjs.com, the world's largest software registry primarily used for JavaScript and Node.js development. But that isn't quite the case for Stylus: a legitimate "revolutionary" library receiving 3 million weekly downloads and providing an expressive way for devs to generate CSS. Stylus 'accidentally banned by npmjs' As of a few hours ago, npmjs has removed all versions of the Stylus package and published a "security holding package" page in its place. "Stylus was accidentally banned by npmjs," earlier stated Stylus developer Lei Chen in a GitHub issue. The project maintainer is "currently waiting for npmjs to restore access to Stylus." "I am the current maintainer of Stylus. The Stylus library has been flagged as malicious..., which has caused many [libraries] and frameworks that depend on Stylus to fail to install," also posted Chen on X (formerly Twitter). "Please help me retweet this msg in the hope that the npmjs official team will take notice of this issue."
Un incident cyber expose les données de 340 000 usagers France Travail
next.ink - France Travail a envoyé, mardi 22 juillet au soir, un courrier d'information à certains des usagers inscrits à son service, alertant d'un acte de cyber malveillance susceptible d'avoir entrainé la consultation illégitime de leurs données personnelles. Dans son email, que Next reproduit ci-dessous, l'ex Pole Emploi indique que la fuite est survenue au niveau « du portail emploi destiné à [ses] partenaires ». Nom, prénom, adresses, téléphone et statut France Travail L'agence affirme par ailleurs avoir immédiatement fermé le service concerné, lancé des analyses pour déterminer l'origine de l'attaque, et rempli ses obligations de signalement en informant la CNIL dès le 13 juillet, date de la découverte de cet incident. « Les données compromises sont vos nom, prénom, adresses postale et électronique, numéro de téléphone, identifiant France Travail et statut (inscrit, radié). Vos données bancaires ou vos mots de passe ne sont pas concernés par cet incident », informe France Travail. Comme toujours en de telles circonstances, l'agence invite les utilisateurs concernés à la prudence, notamment vis à vis des risques de phishing (hameçonnage). Une application de suivi des formations mise en cause Contactée par Next, la direction de France Travail apporte quelques précisions sur la nature de l'incident et surtout sur son périmètre. L'alerte est d'abord partie du CERT-FR de l'ANSSI, le 12 juillet. Son traitement a permis aux équipes internes de France Travail d'identifier le service par lequel est intervenue la fuite. « Il s’agit de l’application Kairos permettant aux organismes de formation d'agir sur le suivi des formations des demandeurs d'emploi. Le service a été immédiatement fermé ainsi que tous les autres services hébergés sur le portail Emploi destiné à nos partenaires », explique France Travail. La fuite aurait été rendue possible grâce à la compromission, via un malware de type infostealer (logiciel spécialisé dans le vol d'informations personnelles) d'un compte utilisateur rattaché à un organisme de formation basé dans l'Isère.
Lumma infostealer malware returns after law enforcement disruption
bleepingcomputer.com - The Lumma infostealer malware operation is gradually resuming activities following a massive law enforcement operation in May, which resulted in the seizure of 2,300 domains and parts of its infrastructure. Although the Lumma malware-as-a-service (MaaS) platform suffered significant disruption from the law enforcement action, as confirmed by early June reports on infostealer activity, it didn't shut down. The operators immediately acknowledged the situation on XSS forums, but claimed that their central server had not been seized (although it had been remotely wiped), and restoration efforts were already underway. Gradually, the MaaS built up again and regained trust within the cybercrime community, and is now facilitating infostealing operations on multiple platforms again. According to Trend Micro analysts, Lumma has almost returned to pre-takedown activity levels, with the cybersecurity firm's telemetry indicating a rapid rebuilding of infrastructure. "Following the law enforcement action against Lumma Stealer and its associated infrastructure, our team has observed clear signs of a resurgence in Lumma's operations," reads the Trend Micro report. "Network telemetry indicates that Lumma's infrastructure began ramping up again within weeks of the takedown."
Microsoft knew of SharePoint security flaw but failed to effectively patch it, timeline shows
Weekend attacks compromised about 100 organisations May hacker contest uncovered SharePoint weak spot Initial Microsoft patch did not fully fix flaw LONDON, July 22 (Reuters) - A security patch Microsoft (MSFT.O), opens new tab released this month failed to fully fix a critical flaw in the U.S. tech giant's SharePoint server software, opening the door to a sweeping global cyber espionage effort, a timeline reviewed by Reuters shows. On Tuesday, a Microsoft spokesperson confirmed that its initial solution to the flaw, identified at a hacker competition in May, did not work, but added that it released further patches that resolved the issue. It remains unclear who is behind the spy effort, which targeted about 100 organisations over the weekend, and is expected to spread as other hackers join the fray. In a blog post Microsoft said two allegedly Chinese hacking groups, dubbed "Linen Typhoon" and "Violet Typhoon," were exploiting the weaknesses, along with a third, also based in China. Microsoft and Alphabet's (GOOGL.O), opens new tab Google have said China-linked hackers were probably behind the first wave of hacks. Chinese government-linked operatives are regularly implicated in cyberattacks, but Beijing routinely denies such hacking operations. In an emailed statement, its embassy in Washington said China opposed all forms of cyberattacks, and "smearing others without solid evidence." The vulnerability opening the way for the attack was first identified in May at a Berlin hacking competition, opens new tab organised by cybersecurity firm Trend Micro (4704.T), opens new tab that offered cash bounties for finding computer bugs in popular software. It offered a $100,000 prize for so-called "zero-day" exploits that leverage previously undisclosed digital weaknesses that could be used against SharePoint, Microsoft's flagship document management and collaboration platform. The U.S. National Nuclear Security Administration, charged with maintaining and designing the nation's cache of nuclear weapons, was among the agencies breached, Bloomberg News said on Tuesday, citing a person with knowledge of the matter.
Wartime cyberattack wiped data from two major Iranian banks, expert says | Iran International
iranintl.com - A cyberattack during the 12-day Iran-Israel war destroyed banking data at major Iranian banks Sepah and Pasargad, halting services nationwide and triggering a high-stakes emergency response by an Iranian banking software firm, a senior engineer said. “Nothing was accessible. Nothing was visible,” wrote Hamidreza Amouzegar, deputy head of product development at the software firm Dotin, in a LinkedIn post recounting the June 17 breach. “We tried the backup site—same story there.” The internet banking, mobile banking, and ATMs of the two banks remained largely non-functional until recently. Dotin, a major provider of digital systems to Iranian banks, found itself at the center of the crisis. “Sepah Bank’s primary data center had gone dark, with monitoring dashboards frozen and all stored data apparently corrupted,” he added. When engineers attempted to switch over to the disaster recovery site, they found that it too had failed, with matching damage reported. “At that point, the priority was no longer identifying the culprit or mapping the technical details,” Amouzegar wrote. “It was about getting public banking services back online—fast.” To that end, he wrote, teams turned to Samsonite, a portable data center in a suitcase developed by Dotin following service disruptions in 2022. The system was designed to provide core banking functions—particularly card transactions—for short periods without reliance on the main network. Nobitex, Iran’s largest cryptocurrency exchange, had also confirmed cyberattacks against its systems during the war. The pro-Israel hacker group Predatory Sparrow, known for prior cyberattacks on Iran’s fuel infrastructure, claimed responsibility for "paralyzing" Sepah Bank and draining more than $90 million from Nobitex. Sepah Bank is responsible for processing the payments of military personnel. Pasargad Bank had already deployed Samsonite, allowing it to restore limited services by the early hours of June 19. Sepah, which had not yet installed the system, remained offline longer, Amouzegar added. Basic card functionality there was only restored by June 20 after a full system rebuild from partial offline backups, he wrote. “For a bank processing over a billion transactions monthly, losing just one day meant more than 30 million transactions vanished,” Amouzegar said. Sepah’s full recovery took until June 27, during which time Samsonite processed more than 60 million transactions. “The cyber war ended three days after the ceasefire,” he added. “But recovery will take months. What I’ve shared here is only a fragment of the story.”
Russian vodka producer reports disruptions after ransomware attack | The Record from Recorded Future News
therecord.media - Novabev Group, the Russian maker of Beluga Vodka and other brands, had to stop shipments and temporarily close stores in its WineLab subsidiary after a ransomware attack. More than 2,000 WineLab liquor stores across Russia have remained shut for three days following a ransomware attack on their parent company, one of Russia’s largest alcohol producers. Signs on WineLab doors said the stores were closed due to “technical issues.” The attack crippled parts of the Novabev Group’s infrastructure, affecting WineLab’s point-of-sale systems and online services. The company confirmed that the attackers had demanded a ransom but said it refused to negotiate. “The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands,” Novabev Group said in a statement on Wednesday. There is no indication so far that customer data has been compromised, though an investigation is ongoing, the company added. The identity of the attackers remains unknown. No ransomware group has claimed responsibility for the incident, and Novabev has not publicly attributed the attack. Novabev Group is a major Russian producer and distributor of spirits, including the Beluga and Belenkaya vodka brands. The cyberattack has halted product shipments from Novabev for at least two days, according to local retailers quoted by Russian media outlet Vedomosti. Customers also reported being unable to pick up orders from retail locations or parcel lockers, with customer service offering to extend storage periods for online purchases. WineLab’s stores are currently closed in major cities, including Moscow, St. Petersburg and surrounding regions, according to location data from Yandex Maps. Novabev’s website and mobile app also remain offline. Forbes Russia estimated that each day of downtime could cost WineLab 200 million to 300 million rubles ($2.6 million to $3.8 million) in lost revenue. Cybersecurity experts interviewed by Forbes said they could not recall a comparable case in which a major Russian retail chain was forced to shut down entirely due to a cyberattack. Novabev said its internal IT team is working “around the clock” with external specialists to restore operations and strengthen defenses against future threats.
Ukrainian hackers wipe databases at Russia's Gazprom in major cyberattack, intelligence source says
kyivindependent.com - The cyberattack allegedly destroyed large volumes of data and installed custom software designed to further damage the company's information systems. Cyber specialists from Ukraine's military intelligence agency (HUR) carried out a large-scale cyberattack against the network infrastructure of Russian energy giant Gazprom, causing significant disruptions, a HUR source told the Kyiv Independent on July 18. The Kyiv Independent could not independently verify these claims. Gazprom and Russian authorities have not publicly commented on the reported incident. The alleged operation took place on July 17 and targeted systems used by Gazprom and its subsidiaries, which Ukraine's intelligence claims are directly involved in supporting Russia's war effort. Gazprom is Russia's state-owned energy company, one of the world's largest gas producers and exporters. The cyberattack allegedly destroyed large volumes of data and installed custom software designed to further damage the company's information systems. "The degradation of Russian information systems to the technological Middle Ages continues," the source within the HUR told the Kyiv Independent. "We congratulate Russian 'cyber specialists' on this new achievement and recommend they gradually replace their mice and keyboards with hammers and pincers."
A Startup is Selling Data Hacked from Peoples’ Computers to Debt Collectors
404media.co - Infostealer data can include passwords, email and billing addresses, and the embarrassing websites you use. Farnsworth Intelligence is selling to divorce lawyers and other industries. When your laptop is infected with infostealing malware, it’s not just hackers that might get your passwords, billing and email addresses, and a list of sites or services you’ve created accounts on, potentially including some embarrassing ones. A private intelligence company run by a young founder is now taking that hacked data from what it says are more than 50 million computers, and reselling it for profit to a wide range of different industries, including debt collectors; couples in divorce proceedings; and even companies looking to poach their rivals’ customers. Essentially, the company is presenting itself as a legitimate, legal business, but is selling the same sort of data that was previously typically sold by anonymous criminals on shady forums or underground channels. Multiple experts 404 Media spoke to called the practice deeply unethical, and in some cases the use of that data probably illegal. The company is also selling access to a subset of the data to anyone for as little as $50, and 404 Media used it to uncover unsuspecting victims’ addresses. The activities of the company, called Farnsworth Intelligence, show a dramatic shift in the bevvy of companies that collect and sell access to so-called open source intelligence, or OSINT. Historically, OSINT has included things like public social media profiles or flight data. Now, companies increasingly see data extracted from peoples’ personal or corporate machines and then posted online as fair game not just to use in their own investigations, but to repackage and sell too. “To put it plainly this company is profiting off of selling stolen data, re-victimizing people who have already had their personal devices compromised and their data stolen,” Cooper Quintin, senior public interest technologist at the Electronic Frontier Foundation (EFF), told 404 Media. “This data will likely be used to further harm people by police using it for surveillance without a warrant, stalkers using it to gather information on their targets, high level scams, and other damaging motives.” Infostealers are pieces of malware, often stealthily bundled in a piece of pirated software, that steal a victim’s cookies, login credentials, and often more information stored in their browser too. On its website, Farnsworth lays out several potential uses for that stolen data. This includes “skip tacing,” presumably a typo of skip tracing, which is where a private individual or company tracks someone down who owes a debt. The website says users can “find debtors up-to-date addresses.” Another use case is to “Find high impact evidence that can make/break the case of million dollar lawsuits, high value divorce cases, etc.” A third is to “generate lead lists of customers/users from competitors [sic] companies,” because the data could show which competing products they have login credentials for, and, presumably, use.
Dior begins sending data breach notifications to U.S. customers
bleepingcomputer.com - The House of Dior (Dior) is sending data breach notifications to U.S. customers informing them that a May cybersecurity incident compromised their personal information. The House of Dior (Dior) is sending data breach notifications to U.S. customers informing them that a May cybersecurity incident compromised their personal information. Dior is a French luxury fashion house, part of the LVMH (Moët Hennessy Louis Vuitton) group, which is the world's largest luxury conglomerate. The Dior brand alone generates an annual revenue of over $12 billion, operating hundreds of boutiques worldwide. The security incident occurred on January 26, 2025, but the company only became aware of it on May 7, 2025, launching internal investigations to determine its scope and impact. "Our investigation determined that an unauthorized party was able to gain access to a Dior database that contained information about Dior clients on January 26, 2025," reads the notice sent to affected individuals. "Dior promptly took steps to contain the incident, and we have no evidence of subsequent unauthorized access to Dior systems." Based on the findings of the investigation, the following information has been exposed: Full names Contact details Physical address Date of birth Passport or government ID number (in some cases) Social Security Number (in some cases) The company clarifies that no payment details, such as bank account or payment card information, were contained in the compromised database, so this information remains safe.
Microsoft Fix Targets Attacks on SharePoint Zero-Day – Krebs on Security
krebsonsecurity.com - On Sunday, July 20, Microsoft Corp. issued an emergency security update for a vulnerability in SharePoint Server that is actively being exploited to compromise vulnerable organizations. The patch comes amid reports that malicious hackers have used the SharePoint flaw to breach U.S. federal and state agencies, universities, and energy companies. In an advisory about the SharePoint security hole, a.k.a. CVE-2025-53770, Microsoft said it is aware of active attacks targeting on-premises SharePoint Server customers and exploiting vulnerabilities that were only partially addressed by the July 8, 2025 security update. The Cybersecurity & Infrastructure Security Agency (CISA) concurred, saying CVE-2025-53770 is a variant on a flaw Microsoft patched earlier this month (CVE-2025-49706). Microsoft notes the weakness applies only to SharePoint Servers that organizations use in-house, and that SharePoint Online and Microsoft 365 are not affected. The Washington Post reported on Sunday that the U.S. government and partners in Canada and Australia are investigating the hack of SharePoint servers, which provide a platform for sharing and managing documents. The Post reports at least two U.S. federal agencies have seen their servers breached via the SharePoint vulnerability. According to CISA, attackers exploiting the newly-discovered flaw are retrofitting compromised servers with a backdoor dubbed “ToolShell” that provides unauthenticated, remote access to systems. CISA said ToolShell enables attackers to fully access SharePoint content — including file systems and internal configurations — and execute code over the network. Researchers at Eye Security said they first spotted large-scale exploitation of the SharePoint flaw on July 18, 2025, and soon found dozens of separate servers compromised by the bug and infected with ToolShell. In a blog post, the researchers said the attacks sought to steal SharePoint server ASP.NET machine keys. “These keys can be used to facilitate further attacks, even at a later date,” Eye Security warned. “It is critical that affected servers rotate SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers. Patching alone is not enough. We strongly advise defenders not to wait for a vendor fix before taking action. This threat is already operational and spreading rapidly.” Microsoft’s advisory says the company has issued updates for SharePoint Server Subscription Edition and SharePoint Server 2019, but that it is still working on updates for supported versions of SharePoint 2019 and SharePoint 2016. CISA advises vulnerable organizations to enable the anti-malware scan interface (AMSI) in SharePoint, to deploy Microsoft Defender AV on all SharePoint servers, and to disconnect affected products from the public-facing Internet until an official patch is available. The security firm Rapid7 notes that Microsoft has described CVE-2025-53770 as related to a previous vulnerability — CVE-2025-49704, patched earlier this month — and that CVE-2025-49704 was part of an exploit chain demonstrated at the Pwn2Own hacking competition in May 2025. That exploit chain invoked a second SharePoint weakness — CVE-2025-49706 — which Microsoft unsuccessfully tried to fix in this month’s Patch Tuesday. Microsoft also has issued a patch for a related SharePoint vulnerability — CVE-2025-53771; Microsoft says there are no signs of active attacks on CVE-2025-53771, and that the patch is to provide more robust protections than the update for CVE-2025-49706. This is a rapidly developing story. Any updates will be noted with timestamps.
How China’s Patriotic ‘Honkers’ Became the Nation’s Elite Cyberspies
In the summer of 2005, Tan Dailin was a 20-year-old grad student at Sichuan University of Science and Engineering when he came to the attention of the People’s Liberation Army of China. Tan was part of a burgeoning hacker community known as the Honkers—teens and twentysomethings in late-’90s and early-’00s China who formed groups like the Green Army and Evil Octal and launched patriotic cyberattacks against Western targets they deemed disrespectful to China. The attacks were low-sophistication—mostly website defacements and denial-of-service operations targeting entities in the US, Taiwan, and Japan—but the Honkers advanced their skills over time, and Tan documented his escapades in blog posts. After publishing about hacking targets in Japan, the PLA came calling. The subsequent timeline of events is unclear, but Tan, who went by the hacker handles Wicked Rose and Withered Rose, then launched his own hacking group—the Network Crack Program Hacker (NCPH). The group quickly gained notoriety for winning hacking contests and developing hacking tools. They created the GinWui rootkit, one of China’s first homegrown remote-access backdoors and then, experts believe, used it and dozens of zero-day exploits they wrote in a series of “unprecedented” hacks against US companies and government entities over the spring and summer of 2006. They did this on behalf of the PLA, according to Adam Kozy, who tracked Tan and other Chinese hackers for years as a former FBI analyst who now heads the SinaCyber consulting firm, focused on China. Tan revealed online at the time that he and his team were being paid about $250 a month for their hacking, though he didn’t say who paid or what they hacked. The pay increased to $1,000 a month after their summer hacking spree, according to a 2007 report by former threat intelligence firm VeriSign iDefense. At some point, Tan switched teams and began contracting for the Ministry of State Security (MSS), China’s civilian intelligence agency, as part of its notorious hacking group known as APT 41. And in 2020, when Tan was 36, the US Justice Department announced indictments against him and other alleged APT 41 members for hacking more than 100 targets, including US government systems, health care organizations, and telecoms. Tan’s path to APT 41 isn’t unique. He’s just one of many former Honkers who began their careers as self-directed patriotic hackers before being absorbed by the state into its massive spying apparatus. Not a lot has been written about the Honkers and their critical role in China’s APT operations, outside of congressional testimony Kozy gave in 2022. But a new report, published this month by Eugenio Benincasa, senior cyberdefense researcher at the Center for Security Studies at ETH Zürich university in Switzerland, expands on Kozy’s work to track the Honkers’ early days and how this group of skilled youths became some of China’s most prolific cyberspies. “This is not just about [Honkers] creating a hacker culture that was implicitly aligned with national security goals,” Benincasa says, “but also the personal relations they created [that] we still see reflected in the APTs today.” Early Days The Honker community largely began when China joined the internet in 1994, and a network connecting universities and research centers across the country for knowledge-sharing put Chinese students online before the rest of the country. Like US hackers, the Honkers were self-taught tech enthusiasts who flocked to electronic bulletin boards (dial-up forums) to share programming and computer hacking tips. They soon formed groups like Xfocus, China Eagle Union, and The Honker Union of China and came to be known as Red Hackers or Honkers, a name derived from the Mandarin word “hong,” for red, and “heike,” for dark visitor—the Chinese term for hacker.
Lookout Discovers Massistant Chinese Mobile Forensic Tooling
lookout.com - Massistant is a mobile forensics application used by law enforcement in China to collect extensive information from mobile devices. Massistant is the presumed successor to Chinese forensics tool, “MFSocket”, reported in 2019 and attributed to publicly traded cybersecurity company, Meiya Pico The forensics tool works in tandem with a corresponding desktop software. Massistant gains access to device GPS location data, SMS messages, images, audio, contacts and phone services. Meiya Pico maintains partnerships with domestic and international law enforcement partners, both as a surveillance hardware and software provider, as well as through training programs for law enforcement personnel. * Travel to and within mainland China carries with it the potential for tourists, business travelers, and persons of interest to have their confidential mobile data acquired as part of lawful intercept initiatives by state police. Researchers at the Lookout Threat Lab have discovered a mobile forensics application named Massistant, used by law enforcement in China to collect extensive information from mobile devices. This application is believed to be the successor to a previously reported forensics tool named “MFSocket” used by state police and reported by various media outlets in 2019. These samples require physical access to the device to install, and were not distributed through the Google Play store. Forensics tools are used by law enforcement personnel to collect sensitive data from a device confiscated by customs officials, at local or provincial border checkpoints or when stopped by law enforcement officers. These tools can pose a risk to enterprise organizations with executives and employees that travel abroad - especially to countries with border patrol policies that allow them to confiscate mobile devices for a short period of time upon entry. In 2024, the Ministry of State Security introduced new legislation that would allow law enforcement personnel to collect and analyze devices without a warrant. There have been anecdotal reports of Chinese law enforcement collecting and analyzing the devices of business travellers. In some cases, researchers have discovered persistent, headless surveillance modules on devices confiscated and then returned by law enforcement such that mobile device activity can continue to be monitored even after the device has been returned.
Microsoft Confirms Ongoing Mass SharePoint Attack — No Patch Available
forbes.com - Microsoft has confirmed that SharePoint Server is under mass attack and no patch is yet available — here’s what you need to know and how to mitigate the threat. Microsoft Confirms CVE-2025-53770 SharePoint Server Attacks It’s been quite the few weeks for security warnings, what with Amazon informing 220 million customers of Prime account attacks, and claims of a mass hack of Ring doorbells going viral. The first of those can be mitigated by basic security hygiene, and the latter appears to be a false alarm. The same cannot be said for CVE-2025-53770, a newly uncovered and confirmed attack against users of SharePoint Server which is currently undergoing mass exploitation on a global level, according to the Eye Research experts who discovered it. Microsoft, meanwhile, has admitted that not only is it “aware of active attacks” but, worryingly, “a patch is currently not available for this vulnerability.” CVE-2025-53770, which is also being called ToolShell, is a critical vulnerability in on-premises SharePoint. The end result of which is the ability for attackers to gain access and control of said servers without authentication. If that sounds bad, it’s because it is. Very bad indeed. “The risk is not theoretical,” the researchers warned, “attackers can execute code remotely, bypassing identity protections such as MFA or SSO.” Once they have, they can then “access all SharePoint content, system files, and configurations and move laterally across the Windows Domain.” And then there’s the theft of cryptographic keys. That can enable an attacker to “impersonate users or services,” according to the report, “even after the server is patched.” So, even when a patch is eventually released, and I would expect an emergency update to arrive fairly quickly for this one, the problem isn’t solved. You will, it was explained, “need to rotate the secrets allowing all future tokens that can be created by the malicious actor to become invalid.” And, of course, as SharePoint will often connect to other core services, including the likes of Outlook and Teams, oh and not forgetting OneDrive, the threat, if exploited, can and will lead to “data theft, password harvesting, and lateral movement across the network,” the researchers warned.
ChatGPT Guessing Game Leads To Users Extracting Free Windows OS Keys & More
0din.ai - In a recent submission last year, researchers discovered a method to bypass AI guardrails designed to prevent sharing of sensitive or harmful information. The technique leverages the game mechanics of language models, such as GPT-4o and GPT-4o-mini, by framing the interaction as a harmless guessing game. By cleverly obscuring details using HTML tags and positioning the request as part of the game’s conclusion, the AI inadvertently returned valid Windows product keys. This case underscores the challenges of reinforcing AI models against sophisticated social engineering and manipulation tactics. Guardrails are protective measures implemented within AI models to prevent the processing or sharing of sensitive, harmful, or restricted information. These include serial numbers, security-related data, and other proprietary or confidential details. The aim is to ensure that language models do not provide or facilitate the exchange of dangerous or illegal content. In this particular case, the intended guardrails are designed to block access to any licenses like Windows 10 product keys. However, the researcher manipulated the system in such a way that the AI inadvertently disclosed this sensitive information. Tactic Details The tactics used to bypass the guardrails were intricate and manipulative. By framing the interaction as a guessing game, the researcher exploited the AI’s logic flow to produce sensitive data: Framing the Interaction as a Game The researcher initiated the interaction by presenting the exchange as a guessing game. This trivialized the interaction, making it seem non-threatening or inconsequential. By introducing game mechanics, the AI was tricked into viewing the interaction through a playful, harmless lens, which masked the researcher's true intent. Compelling Participation The researcher set rules stating that the AI “must” participate and cannot lie. This coerced the AI into continuing the game and following user instructions as though they were part of the rules. The AI became obliged to fulfill the game’s conditions—even though those conditions were manipulated to bypass content restrictions. The “I Give Up” Trigger The most critical step in the attack was the phrase “I give up.” This acted as a trigger, compelling the AI to reveal the previously hidden information (i.e., a Windows 10 serial number). By framing it as the end of the game, the researcher manipulated the AI into thinking it was obligated to respond with the string of characters. Why This Works The success of this jailbreak can be traced to several factors: Temporary Keys The Windows product keys provided were a mix of home, pro, and enterprise keys. These are not unique keys but are commonly seen on public forums. Their familiarity may have contributed to the AI misjudging their sensitivity. Guardrail Flaws The system’s guardrails prevented direct requests for sensitive data but failed to account for obfuscation tactics—such as embedding sensitive phrases in HTML tags. This highlighted a critical weakness in the AI’s filtering mechanisms.
MITRE Unveils AADAPT Framework to Tackle Cryptocurrency Threats
securityweek.com - The MITRE AADAPT framework provides documentation for identifying, investigating, and responding to weaknesses in digital asset payments. The non-profit MITRE Corporation on Monday released Adversarial Actions in Digital Asset Payment Technologies (AADAPT), a cybersecurity framework designed to help the industry tackle weaknesses in cryptocurrency and other digital financial systems. Modeled after the MITRE ATT&CK framework, AADAPT delivers a structured methodology that developers, financial organizations, and policymakers can use to find, investigate, and address risks in digital asset payments. Insights that more than 150 sources from academia, government, and industry provided on real-world attacks on digital currencies and related technologies were used to create a playbook of adversarial TTPs linked to digital asset payment technologies. The increased use of cryptocurrency has led to the emergence of sophisticated threats, such as phishing schemes, ransomware campaigns, and double-spending attacks, often with severe impact on organizations that lack cybersecurity resources, such as local governments and municipalities. AADAPT is meant to help them enhance their stance through practical guidance and tools that specifically cover this financial market segment. According to MITRE, AADAPT was founded on an in-depth review of underlying technologies such as smart contracts, distributed ledger technology (DLT) systems, consensus algorithms, and quantum computing, along with vulnerabilities and credible attack methods. The tool supports critical use cases to help develop analytics for emulating threats, create detection techniques, compare insights, and assess security capabilities to prioritize decisions, essentially assisting stakeholders in adopting best practices. “Digital payment assets like cryptocurrency are set to transform the future of global finance, but their security challenges cannot be ignored. With AADAPT, MITRE is empowering stakeholders to adopt robust security measures that not only safeguard their assets but also build trust across the ecosystem,” MITRE VP Wen Masters said.
Les données de 126 000 à 530 000 patients d’un hôpital privé de Saint-Étienne dérobées
next.ink - L'Hôpital privé de la Loire (HPL), qui se trouve à Saint-Étienne, a été victime d'une cyberattaque, révélait ce jeudi 10 juillet, le journal Le Progrès. Géré par le groupe Ramsay, le HPL avait publié un communiqué de presse mardi 8 juillet affirmant qu'il avait été victime quelques jours plus tôt d'un « vol d’identité » concernant « une quantité importante de données personnelles de ses patients ». Mais l'établissement se voulait rassurant, affirmant que les données étaient « essentiellement de nature administrative ». Mardi soir, une personne se présentant comme responsable du piratage a contacté nos confrères du Progrès pour s'en indigner. Elle affirme posséder des données concernant plus de 530 000 patients dont leurs cartes d'identité. Elle ajoute que « l'argent est la motivation » sans préciser le montant exigé. Cette réaction a obligé l'hôpital à revoir sa communication. À l'AFP, il expliquait jeudi 10 juillet, avoir envoyé un email « à plus de 126 000 patients concernés par le piratage informatique de l’Hôpital privé de la Loire (HPL), et les 40 d’entre eux qui sont concernés par le vol de données médicales seront contactés individuellement ». Et il affirme que son fonctionnement n'a cependant pas été affecté. Le parquet de Paris a, de son côté, expliqué à l'agence de presse que sa section cybercriminalité avait été saisie et avoir confié l'enquête à l’Office anticybercriminalité (OFAC). Interrogé par l'AFP sur la demande de rançon, le groupe Ramsay n'a pas voulu s'exprimer sur le sujet.
Customer guidance for SharePoint vulnerability CVE-2025-53770
msrc.microsoft.com - Microsoft is aware of active attacks targeting on-premises SharePoint Server customers. The attacks are exploiting a variant of CVE-2025-49706. This vulnerability has been assigned CVE-2025-53770. SharePoint Online in Microsoft 365 is not impacted. A patch is currently not available for this vulnerability. Mitigations and detections are provided below. Our team is actively working to release a security update and will provide additional details as they are available. How to protect your environment To protect your on-premises SharePoint Server environment, we recommend customers configure AMSI integration in SharePoint and deploy Defender AV on all SharePoint servers. This will stop unauthenticated attackers from exploiting this vulnerability. AMSI integration was enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition. For more details on how to enable AMSI integration, see here. If you cannot enable AMSI, we recommend you consider disconnecting your server from the internet until a security update is available. We also recommend you deploy Defender for Endpoint to detect and block post-exploit activity. We will continue to provide updates and additional guidance for our customers as they become available. Microsoft Defender Detections and Protections Microsoft Defender Antivirus Microsoft Defender Antivirus provides detection and protection against components and behaviors related to this threat under the detection name: Exploit:Script/SuspSignoutReq.A Trojan:Win32/HijackSharePointServer.A Microsoft Defender for Endpoint Microsoft Defender for Endpoint provides customers with alerts that may indicate threat activity associated with this threat. These alerts, however, can be triggered by unrelated threat activity. The following alert titles in the Microsoft Defender Security Center portal can indicate threat activity on your network: Possible web shell installation Possible exploitation of SharePoint server vulnerabilities Suspicious IIS worker process behavior ‘SuspSignoutReq’ malware was blocked on a SharePoint server HijackSharePointServer’ malware was blocked on a SharePoint server Advanced hunting NOTE: The following sample queries let you search for a week’s worth of events. To explore up to 30 days’ worth of raw data to inspect events in your network and locate potential related indicators for more than a week, go to the Advanced Hunting page > Query tab, select the calendar dropdown menu to update your query to hunt for the Last 30 days. To locate possible exploitation activity, run the following queries in Microsoft 365 security center. Successful exploitation via file creation (requires Microsoft 365 Defender) Look for the creation of spinstall0.aspx, which indicates successful post-exploitation of CVE-2025-53770. Run query in the Microsoft 365 Defender >> DeviceFileEvents | where FolderPath has "MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS" | where FileName =~ "spinstall0.aspx" or FileName has "spinstall0" | project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256 | order by Timestamp desc
La Suisse au cœur de la riposte contre les cyberpirates de «Noname057(16)»
ictjournal.ch - Pendant des années, le groupe de hackers pro-russe «Noname057(16)» a mené des attaques DDoS contre des serveurs occidentaux, y compris des infrastructures critiques en Suisse. Les autorités judiciaires ont désormais démantelé un botnet du groupe et procédé à des arrestations. Le Ministère public de la Confédération suisse (MPC) a émis trois mandats d’arrêt. Les autorités judiciaires de plusieurs pays ont mené une opération coordonnée contre le groupe de hackers «Noname057(16)». Lors de l’Action-Day, lancée par Europol après plusieurs années d’enquête, des perquisitions ont eu lieu dans plusieurs pays, selon un communiqué du Ministère public de la Confédération suisse (MPC). Les autorités ont saisi des équipements et arrêté des personnes – tandis qu’en Suisse, «aucun ordinateur impliqué dans le réseau et dans les attaques ni aucune personne domiciliée dans le pays n’ont été identifiés». Les mesures coordonnées à l’échelle internationale, baptisées Opération Eastwood, ont permis de démanteler un botnet constitué de plusieurs centaines de serveurs répartis dans le monde entier, selon l’Office fédéral de la police criminelle allemande (BKA). Le groupe «Noname057(16)» exploitait ce réseau pour lancer des attaques DDoS, des cyberattaques visant à surcharger délibérément des serveurs. Trois mandats d’arrêt émis par la Suisse Le groupe «Noname057(16)» s’est constitué un casier judiciaire conséquent ces dernières années. Le groupe pro-russe se manifeste régulièrement depuis le début de la guerre en Ukraine en mars 2022, indique le MPC. Ce collectif de hackers a mené des attaques DDoS contre de nombreux pays occidentaux qu’il considère comme pro-ukranien. À plusieurs reprises, des serveurs suisses, y compris des infrastructures sensibles, ont été ciblés. Ces attaques interviennent généralement lors d’événements liés à l’Ukraine. Pour rappel, le groupe hacktiviste a paralysé les sites web du Parlement en été 2023, à l’occasion d’un discours vidéo du président ukrainien Volodymyr Zelensky devant l’Assemblée fédérale. En janvier 2024, les hackers sont redevenus actifs lors de la visite du président ukrainien au Forum économique mondial (WEF). Un an plus tard, les sites de la ville de Lucerne ainsi que de la Banque cantonale vaudoise ont également été ciblés. Des attaques hacktivistes ont aussi eu lieu en juin 2024 lors de la conférence de Bürgenstock pour la paix et pendant le Concours Eurovision de la chanson en mai 2025. En juin 2023, le Ministère public de la Confédération a ouvert une enquête pénale contre des inconnus pour détérioration de données et contrainte, selon le communiqué. Dans le cadre des investigations internationales coordonnées, plusieurs membres du groupe de hackers ont pu être identifiés dont trois personnes clés présumées. Le MPC a étendu son enquête contre ces derniers et a émis des mandats d’arrêt à leur encontre. Dans le cadre de l’Action-Day du 15 juillet 2025, les autorités de Suisse et d’Allemagne ont été rejointes par celles des États-Unis, des Pays-Bas, de la Suède, de la France, de l’Espagne et de l’Italie. L’opération a bénéficié du soutien d’Europol, d’Eurojust et d’autres pays européens, précise la police fédérale allemande (BKA). En Suisse, le MPC et l'Office fédéral de la police (Fedpol) ont contribué à l'enquête. Le MPC considère les résultats de l’opération comme la preuve que «les autorités de poursuite pénale sont aussi en mesure d’identifier des cybercriminels hautement professionnels et d’offrir une protection contre leurs attaques». Le MPC souligne l’importance de la coopération internationale dans la lutte contre la cybercriminalité transfrontalière.
Air Serbia delays staff payslips due to ongoing cyberattack
theregister.com - Exclusive Aviation insiders say Serbia's national airline, Air Serbia, was forced to delay issuing payslips to staff as a result of a cyberattack it is battling. Internal memos, seen by The Register, dated July 10 told staff: "Given the current situation and the ongoing cyberattacks, for security reasons, we will postpone the distribution of the June 2025 payslips. "The IT department is working to resolve the issue as a priority, and once the conditions allow, the payslips will be sent to your email addresses." Staff were reportedly paid their monthly salaries, but access to their payslip PDF was unavailable. HR warned staff earlier in the day against opening emails that appeared to be related to payslips, or those that mention the staff members' first and last names "as if you sent them to yourself." "We also kindly ask that you act responsibly given the current situation." According to other internal comms seen by The Register, Air Serbia's IT team began emailing staff warning them that it was facing a cyberattack on July 4. "Our company is currently facing cyberattacks, which may lead to temporary disruptions in business processes," they read. "We kindly ask all managers to promptly create a work plan adapted to the changed circumstances, in accordance with the Business Continuity Plan, and to communicate it to their teams as soon as possible." The same email communication chain mentioned the company's IT and security manager issuing a staff-wide password reset and installing security-scanning software on their machines on July 7. All service accounts were killed at this point, which affected several automated processes, and datacenters were added to a demilitarized zone, which led to issues with users not being able to sync their passwords. Additionally, internet access was removed for all endpoints, leaving only a certain few whitelisted pages under the airserbia.com domain available. IT also installed a new VPN client "due to identified security vulnerabilities." "We kindly ask you to take this situation seriously and fully cooperate with the IT team," the memo reads. "Please allow them to install the necessary software as efficiently as possible and carefully follow any further instructions they provide." Two days after this, another wave of password resets came, the source said. Instead of allowing users to choose their own, the replacements followed a template from the sysadmins. On July 11, IT issued a third wave of password resets, and staff were asked to leave their PCs locked but open before heading home for the weekend, so the IT team could continue working on them. A source familiar with the matter, who spoke to The Register on condition of anonymity, said Air Serbia is trying to clean up a cyberattack that led to a deep compromise of its Active Directory. As of July 14, the source claimed the airline's blue team has not fully eradicated the attackers' access to the company network and is not sure when the attackers broke in, due to a lack of security logs, although it is thought to be in the first few days of July. The attack at the company, which is government-owned, is likely to have led to personal data compromise, the insider suspects, and some staff expressed concern that the company might not publicly disclose the intrusion.
