In Brief: ToolShell’s Impact in South Africa and Rise of Online Fraud in the U.S.

Every week, Information Security Media Group compiles notable cybersecurity incidents from around the globe. This week’s report examines claims that the Chinese government may have obtained advance knowledge of the ToolShell vulnerabilities. Additionally, significant cyberattacks in South Africa using ToolShell have been documented, and Cisco has alerted users to critical vulnerabilities. U.S. authorities have sentenced an Arizona woman for helping North Korean IT workers infiltrate American firms, while a recent survey indicates a troubling prevalence of online fraud affecting Americans. NASCAR has confirmed a data breach, and France’s Naval Group is investigating an alleged data leak. Lastly, a cyberattack has disrupted services at French telecom Orange, and dating app Tea has experienced a security breach that compromised user data.
Microsoft Investigates Potential Leak of ToolShell Exploits
Microsoft is investigating whether details of the ToolShell vulnerabilities were leaked to Chinese hackers, potentially aiding their exploitation of the zero-day flaws in the widely used SharePoint platform. Under the Microsoft Active Protections Program, the company gives select security vendors, including some Chinese firms, advance notice of upcoming patches. This raises the question of whether that pre-release information was compromised, as highlighted by a Bloomberg report on July 25.
Initial evidence suggests that the vulnerabilities have been exploited by multiple Chinese nation-state groups, including Linen Typhoon and Storm-2603, which have targeted U.S. government entities such as the Department of Energy. Cybersecurity researchers have warned that Chinese technology firms are under significant pressure to report zero-days disclosed to them, pointing to a systemic weakness in how such firms handle sensitive vulnerability information.
ToolShell Vulnerabilities Target South African Institutions
In late June, a series of cyberattacks leveraging the ToolShell vulnerabilities struck at least six institutions across South Africa, including the National Treasury. Similar incidents were reported in Mauritius and Jordan, prompting cybersecurity experts to note a broader trend of digital vulnerability across African nations. The exploited CVEs were first demonstrated at the Pwn2Own Berlin competition in May 2025, and exploitation in the wild began shortly after Microsoft patched them in July 2025, showing how quickly a disclosed flaw can move from discovery to active exploitation.
These breaches highlight regional concerns about the prevalence of on-premises SharePoint installations, particularly where cloud services remain economically unfeasible. Microsoft has extended support to the affected South African institutions to help mitigate the damage.
CISA Flags Critical Vulnerabilities in Cisco ISE
The U.S. Cybersecurity and Infrastructure Security Agency has added critical vulnerabilities in Cisco’s Identity Services Engine to its Known Exploited Vulnerabilities catalog. The flaws, located in specific APIs, allow unauthenticated remote attackers to execute commands as root. Cisco confirmed attempts to exploit these vulnerabilities in the wild, and federal agencies have been urged to address them by August 18. The MITRE ATT&CK tactics relevant to this activity include initial access and exploitation of remote services, underscoring the importance of prompt patching.
Arizona Woman Sentenced for Accessing U.S. Firms via North Korean Workers
A federal judge sentenced Arizona resident Christina Marie Chapman to 102 months in prison for helping North Korean IT workers fraudulently obtain remote employment at more than 300 American companies, including pivotal defense and technology organizations. Chapman’s actions generated illicit revenue exceeding $17 million. During the investigation, authorities seized more than 90 laptops from her residence, evidence of a sophisticated operation that used misleading credentials to gain access to U.S. corporate networks.
Online Fraud Affects Majority of U.S. Residents
A recent report from the Pew Research Center reveals alarming trends, with nearly 75% of Americans reporting experiences with online fraud or cyberattacks. The most common form of fraud was unauthorized charges on payment cards, while a significant proportion of respondents said their online accounts had been compromised. Despite awareness of these risks, many victims are reluctant to report incidents to law enforcement, raising questions about public trust in government and technology firms when it comes to cybersecurity.
NASCAR Data Breach Confirmed
Following a cyberattack, NASCAR disclosed that sensitive personal data, including Social Security numbers, was compromised during unauthorized access from March 31 to April 3. While the Medusa ransomware group has claimed responsibility for the attack, NASCAR has not publicly verified the extent of the breach or the number of affected individuals, underscoring the challenges organizations face in rapidly responding to cyber threats.
France’s Naval Group Investigates Significant Data Leak
Naval Group, a French defense contractor, is investigating a serious data leak after a hacking forum disseminated one terabyte of purportedly stolen data. The leaked information reportedly includes sensitive documents related to military assets. The company has described the incident as a targeted attack on its reputation and has initiated legal proceedings, while stating that it has not detected any breach of its internal systems.
Orange Cyberattack Disrupts Services
French telecom company Orange reported significant service interruptions due to a cyberattack detected on July 25. Operational systems were isolated to manage the breach, causing temporary issues for millions of customers across Europe, Africa, and the Middle East. This incident highlights the ongoing challenges facing telecommunications providers in securing their infrastructure against sophisticated cyber threats.
Dating App Tea Faces Data Breach
Tea, a dating application designed with a focus on women’s safety, confirmed a data breach exposing more than 72,000 images, including user verification documents. The company has launched a full investigation and disabled the affected systems while addressing concerns about potential misuse of personal data. Although there is no evidence linking the exposed images directly to identifiable user accounts, the incident raises serious questions about data retention and management practices in mobile applications.
Reporting contributed by Information Security Media Group’s Gregory Sirico and David Perera.