Governance & Risk Management, Operational Technology (OT) Security Experts Advocate for Coordinated Autonomy Instead of Complete Integration Suparna Goswami (gsuparna) • August 4, 2025 Image: Shutterstock The divide between IT and OT teams can be likened to two groups speaking entirely different languages. While IT departments focus on data integrity…
Hackers Exploiting SharePoint Zero-Day Since July 7 to Steal Keys and Ensure Ongoing Access
July 22, 2025
Vulnerability / Threat Intelligence
A recently revealed critical vulnerability in Microsoft SharePoint has been actively exploited since July 7, 2025, according to Check Point Research. The cybersecurity firm detected initial attacks targeting a major unnamed Western government, with activities escalating on July 18 and 19 across government, telecommunications, and software sectors in North America and Western Europe. Check Point identified the exploitation efforts originating from three separate IP addresses—104.238.159[.]149, 107.191.58[.]76, and 96.9.125[.]147—one of which was previously associated with the exploitation of vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) appliances (CVE-2025-4427 and CVE-2025-4428). “We are witnessing an urgent and active threat: a critical zero-day vulnerability in SharePoint on-premises is being exploited globally, endangering thousands of organizations,” stated Lotem Finkelstein, Director of Threat Intelligence at Check Point.
Hackers Exploit SharePoint Zero-Day Vulnerability Since July 7 to Hijack Credentials and Ensure Ongoing Access July 22, 2025 Vulnerability / Threat Intelligence A critical vulnerability in Microsoft SharePoint has come to light, and reports indicate that it has been under active exploitation since July 7, 2025. Findings from Check Point…
Hackers Exploiting SharePoint Zero-Day Since July 7 to Steal Keys and Ensure Ongoing Access
July 22, 2025
Vulnerability / Threat Intelligence
A recently revealed critical vulnerability in Microsoft SharePoint has been actively exploited since July 7, 2025, according to Check Point Research. The cybersecurity firm detected initial attacks targeting a major unnamed Western government, with activities escalating on July 18 and 19 across government, telecommunications, and software sectors in North America and Western Europe. Check Point identified the exploitation efforts originating from three separate IP addresses—104.238.159[.]149, 107.191.58[.]76, and 96.9.125[.]147—one of which was previously associated with the exploitation of vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) appliances (CVE-2025-4427 and CVE-2025-4428). “We are witnessing an urgent and active threat: a critical zero-day vulnerability in SharePoint on-premises is being exploited globally, endangering thousands of organizations,” stated Lotem Finkelstein, Director of Threat Intelligence at Check Point.
Date: July 22, 2025
Category: Vulnerability / Threat Intelligence
Microsoft has officially connected the exploitation of vulnerabilities in internet-facing SharePoint Server instances to two Chinese hacker groups, Linen Typhoon and Violet Typhoon, as early as July 7, 2025, confirming earlier claims. Additionally, the company has identified a third threat actor from China, tracked as Storm-2603, also leveraging these vulnerabilities to gain initial access to target organizations. Microsoft stated in a report released today that, “Given the swift adoption of these exploits, we are highly confident that threat actors will continue to incorporate them into their attacks on unpatched on-premises SharePoint systems.” Below is a brief overview of the threat activity clusters:
Microsoft Links Ongoing SharePoint Exploits to Three Chinese Hacking Groups July 22, 2025 In a recent announcement, Microsoft has officially connected the exploitation of vulnerabilities in SharePoint Server instances to two Chinese cybercriminal organizations known as Linen Typhoon and Violet Typhoon. This confirmation reinforces prior reports regarding the ongoing attacks,…
Date: July 22, 2025
Category: Vulnerability / Threat Intelligence
Microsoft has officially connected the exploitation of vulnerabilities in internet-facing SharePoint Server instances to two Chinese hacker groups, Linen Typhoon and Violet Typhoon, as early as July 7, 2025, confirming earlier claims. Additionally, the company has identified a third threat actor from China, tracked as Storm-2603, also leveraging these vulnerabilities to gain initial access to target organizations. Microsoft stated in a report released today that, “Given the swift adoption of these exploits, we are highly confident that threat actors will continue to incorporate them into their attacks on unpatched on-premises SharePoint systems.” Below is a brief overview of the threat activity clusters:
CISA Urges Immediate Patching of Microsoft SharePoint Vulnerabilities Amid Ongoing Attacks by Chinese Hackers On July 22, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) formally identified two critical Microsoft SharePoint vulnerabilities—CVE-2025-49704 and CVE-2025-49706—as part of its Known Exploited Vulnerabilities (KEV) catalog. This designation follows evidence indicating that these…
Jul 24, 2025
Vulnerability / Ransomware
Microsoft has disclosed that a threat actor, identified as Storm-2603, is actively exploiting vulnerabilities in SharePoint to deploy Warlock ransomware on targeted systems. In an update released Wednesday, the company noted that these insights stem from ongoing analysis and threat intelligence regarding Storm-2603’s exploitation activities. This financially motivated actor is suspected to be based in China and has previously been linked to the deployment of both Warlock and LockBit ransomware. The attack chain involves exploiting CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability, targeting unpatched on-premises SharePoint servers to facilitate the deployment of the spinstall0.aspx web shell. “This initial access enables command execution via the w3wp.exe process that supports SharePoint,” Microsoft stated. “Storm-2603 subsequently initiates a series of discovery commands, including…”
Storm-2603 Exploits SharePoint Vulnerabilities to Deploy Warlock Ransomware on Unpatched Systems On July 24, 2025, Microsoft disclosed that the cyber group known as Storm-2603 is actively exploiting vulnerabilities in SharePoint software to deploy Warlock ransomware on targeted systems. This revelation is based on an extensive analysis and threat intelligence from…
Jul 24, 2025
Vulnerability / Ransomware
Microsoft has disclosed that a threat actor, identified as Storm-2603, is actively exploiting vulnerabilities in SharePoint to deploy Warlock ransomware on targeted systems. In an update released Wednesday, the company noted that these insights stem from ongoing analysis and threat intelligence regarding Storm-2603’s exploitation activities. This financially motivated actor is suspected to be based in China and has previously been linked to the deployment of both Warlock and LockBit ransomware. The attack chain involves exploiting CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability, targeting unpatched on-premises SharePoint servers to facilitate the deployment of the spinstall0.aspx web shell. “This initial access enables command execution via the w3wp.exe process that supports SharePoint,” Microsoft stated. “Storm-2603 subsequently initiates a series of discovery commands, including…”
Title: Trump Administration Axes DHS Advisory Committee Memberships, Impacting Cybersecurity Oversight
January 23, 2025
Cybersecurity / National Security
The new Trump administration has dissolved all memberships of advisory committees under the Department of Homeland Security (DHS). In a memo dated January 20, 2025, Acting Secretary Benjamine C. Huffman stated, “In line with DHS’s commitment to resource efficiency and prioritizing national security, I am directing the immediate termination of all existing advisory committee memberships. Future committee initiatives will be solely focused on enhancing our mission to safeguard the homeland and align with DHS’s strategic objectives.” This decision affects members of the Cybersecurity and Infrastructure Security Agency’s (CISA) Cyber Safety Review Board (CSRB), which recently criticized Microsoft for a series of preventable mistakes that allowed its infrastructure to be exploited by a China-based threat actor.
Trump Terminates DHS Advisory Committee Memberships, Impacting Cybersecurity Review January 23, 2025 Cybersecurity / National Security In a significant move, the Trump administration has dissolved all advisory committee memberships associated with the Department of Homeland Security (DHS). Acting Secretary Benjamine C. Huffman announced in a memo dated January 20, 2025,…
Title: Trump Administration Axes DHS Advisory Committee Memberships, Impacting Cybersecurity Oversight
January 23, 2025
Cybersecurity / National Security
The new Trump administration has dissolved all memberships of advisory committees under the Department of Homeland Security (DHS). In a memo dated January 20, 2025, Acting Secretary Benjamine C. Huffman stated, “In line with DHS’s commitment to resource efficiency and prioritizing national security, I am directing the immediate termination of all existing advisory committee memberships. Future committee initiatives will be solely focused on enhancing our mission to safeguard the homeland and align with DHS’s strategic objectives.” This decision affects members of the Cybersecurity and Infrastructure Security Agency’s (CISA) Cyber Safety Review Board (CSRB), which recently criticized Microsoft for a series of preventable mistakes that allowed its infrastructure to be exploited by a China-based threat actor.
February 14, 2025
Enterprise Security / Cyber Attack
Microsoft has highlighted a new threat group known as Storm-2372, linked to a series of cyberattacks that have targeted multiple sectors since August 2024. The attacks focus on government entities, NGOs, IT services, defense, telecommunications, healthcare, higher education, and the energy sector across Europe, North America, Africa, and the Middle East.
Evaluated with medium confidence to align with Russian interests, the threat actors utilize messaging platforms such as WhatsApp, Signal, and Microsoft Teams. They impersonate notable figures relevant to their targets to gain trust. The attacks employ a phishing method known as ‘device code phishing,’ which deceives users into logging into productivity applications, allowing the actors to capture the login tokens for malicious use.
Microsoft Warns of Russian-Linked Cyber Attack Group Utilizing ‘Device Code Phishing’ Tactics February 14, 2025 Enterprise Security / Cyber Attack Microsoft has issued an urgent advisory regarding a rising threat actor, designated as Storm-2372, which is reportedly linked to Russian cyber interests. Since August 2024, this group has launched a…
February 14, 2025
Enterprise Security / Cyber Attack
Microsoft has highlighted a new threat group known as Storm-2372, linked to a series of cyberattacks that have targeted multiple sectors since August 2024. The attacks focus on government entities, NGOs, IT services, defense, telecommunications, healthcare, higher education, and the energy sector across Europe, North America, Africa, and the Middle East.
Evaluated with medium confidence to align with Russian interests, the threat actors utilize messaging platforms such as WhatsApp, Signal, and Microsoft Teams. They impersonate notable figures relevant to their targets to gain trust. The attacks employ a phishing method known as ‘device code phishing,’ which deceives users into logging into productivity applications, allowing the actors to capture the login tokens for malicious use.
New Malware Exploit: ApolloShadow Targets Vulnerable Networks In a recent cybersecurity breach, researchers have identified a new malware strain dubbed ApolloShadow that exploits captive portal mechanisms to gain unauthorized access to systems. This sophisticated malware primarily targets Windows devices, taking advantage of their connectivity routines to execute its malicious agenda.…
The Russian hacker group Turla, known for their advanced cyberespionage techniques, has been linked to a new spying method that demonstrates their sophisticated approach to cyber operations. This group has made headlines for utilizing unorthodox methods, such as embedding malware communications in satellite connections or commandeering other hackers’ operations to…
