Microsoft links SharePoint ToolShell attacks to Chinese hackers
Microsoft formally attributed the widespread exploitation of a SharePoint zero-day chain—dubbed ToolShell—to Chinese state-linked hacking groups, including Linen Typhoon, Violet Typhoon, and Storm-2603. The attacks have targeted on-premises SharePoint servers across multiple sectors. Emergency patches have been released, but with a proof-of-concept exploit now public and active exploitation ongoing, CISA has issued urgent mitigation guidance for affected organizations.
Russian threat actors target NGOs with new OAuth phishing tactics
Russian-linked threat groups UTA0352 and UTA0355 are targeting NGOs and Ukraine-related individuals with OAuth phishing campaigns that exploit Microsoft 365 login flows. Volexity says the attackers impersonate diplomats via messaging apps, lure victims into providing OAuth codes, and use them to access Microsoft Graph data, including emails and files. These attacks bypass traditional defenses by abusing legitimate Microsoft infrastructure and tools like Visual Studio Code.
Silicon Valley engineer admits theft of US missile tech secrets
Engineer Chenguang Gong has pleaded guilty to stealing more than 3,600 trade secret files from two U.S. electronics firms, including sensitive missile defense and satellite surveillance tech. Gong transferred the files to personal drives shortly before taking a job with a direct competitor and had previously pitched similar technologies to Chinese “talent programs” aimed at acquiring foreign intellectual property. The FBI uncovered the theft during a post-employment audit; Gong now faces up to 10 years in prison.
Lumma infostealer malware returns after law enforcement disruption
The Lumma infostealer malware operation has resumed activity after a May 2025 law enforcement takedown that seized 2,300 domains. Despite the disruption, Lumma’s operators quickly rebuilt infrastructure and returned to near pre-takedown levels, now using Russian hosting provider Selectel instead of Cloudflare. Distribution methods include fake software cracks, malicious GitHub repos, fake CAPTCHA pages, and links shared via YouTube and Facebook—highlighting the resilience of malware-as-a-service operations when no arrests are made.
Huge thanks to our sponsor, Nudge Security

Start a free 14-day trial today at NudgeSecurity.com
Contract lapse leaves critical infrastructure cybersecurity sensor data unanalyzed at national lab
A critical contract supporting DHS’s CyberSentry program at Lawrence Livermore National Laboratory expired, leaving threat detection data from key infrastructure networks unanalyzed. The lapse, revealed during a House hearing on operational technology cybersecurity, hinders monitoring of emerging threats in OT environments. Experts warned that under-resourcing of OT security, compounded by recent federal budget cuts, poses a significant risk to national cybersecurity.
FBI urges vigilance against Interlock ransomware group behind recent healthcare attacks
The FBI and other federal agencies are warning about a ransomware group known as Interlock, which has recently targeted critical infrastructure and healthcare organizations in the U.S. and Europe. First observed in September 2024, Interlock uses tactics like drive-by downloads and fake browser updates to gain access to victims’ systems. The group has attacked DaVita and a major Ohio healthcare provider, among others. Ransom notes lack payment instructions, but demand Bitcoin. Authorities suspect ties to Rhysida ransomware.
Cisco confirms active exploitation of ISE and ISE-PIC flaws
Cisco confirmed that attackers are actively exploiting multiple critical vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). The flaws allow unauthenticated, remote access with root-level control, making them especially dangerous for enterprises relying on ISE for network access policy enforcement. Cisco detected the exploitation in July 2025 and has since released patches, urging customers to update immediately. The company has not identified the attackers or shared technical details about how the flaws are being used.
UK to ban public sector orgs from paying ransomware gangs
The UK government plans to prohibit public sector and critical infrastructure organizations—including the NHS, schools, and local councils—from paying ransoms after cyberattacks. The move is meant to disrupt the ransomware business model and reduce the appeal of targeting essential public services. Businesses outside the public sector won’t be banned from paying, but they will be required to notify the government before doing so to avoid violating sanctions laws. A mandatory reporting system is also in development to help law enforcement trace attacks and better support victims.