Three Chinese threat groups exploited SharePoint flaws, Microsoft

Businesses will have to report ransom payments in UK, AZ election officials blast CISA after Iran site defacement, Dutch public prosecutors disconnected after suspected hack, SoCal engineer pleads guilty to missile-related blueprints theft, Aussie body sues Fortnum for client data theft, much more


A Special Request

Metacurity has been a labor of love for years, and I’m so grateful for your readership. Your support can help ensure I can continue delivering the carefully curated weekly long-reads and daily digests of the most critical developments in cybersecurity.

If you find value in what Metacurity offers, please consider upgrading to a paid subscription. We also provide corporate subscription options, and soon we’ll be introducing affordable sponsorship opportunities—perfect for promoting your events or products to a highly engaged audience.

To learn more, feel free to reach out at cynthia@metacurity.com.

Thank you so much for being part of the Metacurity community.

If you can't commit to a subscription, please consider donating what you can afford to help keep Metacurity free to all.

Security researchers report that hackers connected to the Chinese government were behind at least some of the widespread attacks in the past few days on organizations that use Microsoft's SharePoint server software, with Microsoft itself citing three Chinese threat groups, Linen Typhoon, Violet Typhoon, and Storm-2603, as exploiting SharePoint vulnerabilities.

Microsoft said it is investigating other actors also using these exploits as attacks are still ongoing.

“We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor,” said Charles Carmakal, Mandiant's chief technology officer.

Another researcher, who, like others, spoke on the condition of anonymity because the inquiry is still underway, said federal investigators have evidence of US-based servers linked to compromised SharePoint systems connecting to internet protocol addresses inside China on Friday and Saturday.

Two other responders working with the US government said they had identified early attacks from China as well.

The attacks allowed hackers to extract cryptographic keys from servers run by Microsoft clients. Those keys, in turn, would let them install anything, including back doors that they could use to return. Federal and state agencies were affected, researchers previously told The Washington Post, but it remains unclear which of them were vulnerable to follow-up attacks.

Only versions of SharePoint that the customer hosts, not those in the cloud, are vulnerable. Microsoft issued effective patches for the last of the exposed versions yesterday.

Widespread attacks started on July 18, days after researchers demonstrated how two recently patched vulnerabilities, CVE-2025-49706 and CVE-2025-49704, could be chained for unauthenticated remote code execution on SharePoint Server instances, an exploit chain they named ToolShell.

Researchers at SentinelOne report seeing the first ToolShell attacks on July 17, before Microsoft and Eye Security issued their initial warnings, although they have yet to attribute it to a particular actor or nation-state. This was the first of three distinct activity clusters observed by the security firm.

The first attacks seen by SentinelOne were aimed at carefully selected targets, specifically organizations that appeared to have strategic value or elevated access. Victims were seen in sectors such as critical infrastructure, manufacturing, tech consulting, and professional services.

The second and third activity clusters, seen by the company after news of ToolShell attacks broke, were opportunistic and likely not related to the first wave of attacks. SentinelOne has already seen state-sponsored actors conducting reconnaissance and early-stage exploitation activities.

Blog posts from Trend Micro, CrowdStrike, Palo Alto Networks, and SentinelOne suggest or state that both vulnerabilities have been exploited in the wild. (Joseph Menn and Ellen Nakashima / Washington Post and Eduard Kovacs / Security Week and Microsoft)

Related: Trend Micro, Palo Alto Networks, SentinelOne, CrowdStrike, BleepingComputer, Reuters, Engadget, The Boston Globe, TechCrunch, The Irish Times, Axios, PCMag, Mashable, Associated Press, UPI, CBS News, Cyber Security News, 9to5Mac, Business Standard, iTnews, Bloomberg

Businesses will have to notify the government if they plan on paying a ransom to cyber criminals under new UK Home Office proposals, which also aim to clamp down on ransom demands to the NHS, local councils, and schools.

The Home Office’s proposals come after Marks & Spencer refused to say whether it paid a ransom to hackers in a major attack earlier this year.

New measures would ban public sector bodies and operators of critical national infrastructure from paying ransom demands to hackers.

The Home Office said this would help “smash the cyber criminal business model” and make UK public services and businesses a less attractive target for ransomware groups. (Anna Wise / PA Business Reporter)

Related: Gov.uk, The Record

Arizona election officials blasted the US Cybersecurity and Infrastructure Security Agency for a lack of support regarding a hack targeting a statewide online portal for political candidates that resulted in the defacement of the site and the replacement of multiple candidate photos with images of the late Iranian Ayatollah Ruhollah Khomeini.

While officials say the threat is contained and the vulnerability has been fixed, they also blasted the lack of support they’ve received from the federal government, claiming the Cybersecurity and Infrastructure Security Agency is no longer a reliable partner in election security under the Trump administration.

Incident responders determined that the attacker was using the candidate portal to upload an image file containing a Base64-encoded PowerShell script that attempted to take over the server.

Moore described the affected candidate portal as an older, legacy system that wasn’t designed for security. Unlike many other statewide systems, the candidate portal was explicitly created to accept uploads from the public.

The substance and timing of the hack point to someone with pro-Iranian interests. The incident took place the day after the US bombed Iranian nuclear sites, and a Telegram message linked in the defacement promised revenge against Americans for President Donald Trump’s actions.

Arizona, through its state DHS, contacted multiple federal agencies about the hack, including the FBI. But CISA was not part of that outreach.

In a scathing statement, Secretary of State Adrian Fontes, a Democrat who has long focused on election security, said that this once-fruitful partnership between CISA and states had been damaged as the agency has been “weakened and politicized” under the Trump administration.

“Up until 2024, CISA was a strong and reliable partner in our shared mission of securing American digital infrastructure, but since then, the agency has been politicized and weakened by the current administration,” Fontes said.

Fontes said he reached out in a letter to Homeland Security Secretary Kristi Noem months ago to establish a relationship but was “dismissed outright.” (Derek B. Johnson / CyberScoop)

Related: AZ Central, Arizona's Family

The Dutch Public Prosecution Service (OM) expects to remain cut off from the internet for weeks after disconnecting its systems following a suspected hack.

Employees can still email each other, but not with the outside world, Marthyne Kunst of the Public Prosecution Service crisis team told NOS. "That means we have to print a lot again and send out paper copies."

This includes documents for lawyers or contact with the probation service, the organization that supervises suspects. The Public Prosecution Service has to send letters by mail, or lawyers have to bring the paperwork for their cases. "So, unfortunately, it all takes more time." This can prevent cases from going ahead, says Kunst.

It's unclear exactly how often this has happened since the Public Prosecution Service disconnected its system from the internet. A spokesperson for the Judicial Council, the government agency that regulates the judiciary, said that hearings have been canceled "occasionally" since Friday, but could not provide a specific number. (NOS News)

Related: OM.nl, NL Times, Techzine

Chenguang Gong, a former engineer at a Southern California company, pleaded guilty to stealing the blueprints of missile tracking systems used by the US military.

Chenguang Gong admitted to transferring more than 3,600 files from the Los Angeles-area research and development company where he had briefly worked to his storage devices, according to the US Department of Justice.

He faces a maximum sentence of 10 years in federal prison. His sentencing hearing is scheduled for Sept. 29.

The Justice Department said the files included blueprints for space-based systems designed to detect nuclear missile launches and to track ballistic and hypersonic missiles. The files also included blueprints for sensors designed to enable US military aircraft to detect incoming missiles.

Federal prosecutors said the company hired Gong as a manager responsible for designing, developing, and verifying the sensors in January 2023. He began transferring files from his work laptop to his three personal hard drives on March 30, 2023, and continued until he was fired nearly a month later, according to the DOJ. About 1,800 files were downloaded after he had accepted a job with one of the company's competitors, according to federal prosecutors.

The files also included plans for sensors designed to detect "low observable targets," an industry term covering stealth aircraft, drones, and radar-evading cruise missiles.

Investigators also claimed that between 2014 and 2022, Gong submitted numerous proposals to "Talent Programs" created by the Chinese government. The Justice Department stated that some of the plans he submitted to the Chinese government included designs from defense contractors that employed him. (Matthew Rodriguez / KCAL News)

Related: Justice Department, MyNewsLA

The Australian Securities and Investments Commission (ASIC) filed suit in New South Wales Supreme Court, claiming more than 9,000 clients had their personal information exposed after a cyberattack on one of Fortnum's business partners.

The breach allegedly involved over 200 gigabytes of sensitive data being stolen and published online.

ASIC's court filing details how Fortnum allegedly left itself and its network of financial advisors vulnerable to cybercriminals between April 2021 and May 2023. The regulator says the Sydney-based wealth management firm didn't have proper safeguards in place, even as multiple cyber incidents hit its authorized representatives during that period.

The case centers on Fortnum's handling of cybersecurity after it rolled out what ASIC considers an inadequate policy in April 2021. Court documents show the company's first cybersecurity framework had significant gaps; it didn't require advisor firms actually to fix problems they identified in self-assessments, and it allowed them to consult outside IT experts without any oversight from Fortnum.

Only 44% of Fortnum's advisor network completed required cybersecurity self-assessments by the September 2021 deadline, according to ASIC's filing. Even fewer, just 11%, finished the required attestation forms confirming they'd implemented proper security measures. (Damian Chmiel / Finance Magnates)

Related: ASIC.gov.au, Professional Planner, Financial Newswire, Infosecurity Magazine, Information Age, Business News Australia

Amazon-owned home surveillance system Ring is warning that a backend update bug is responsible for customers seeing a surge in unauthorized devices logged into their account on May 28th.

On May 28th, many Ring customers reported seeing unusual devices logged into their accounts from various locations worldwide, leading them to believe their accounts had been hacked.

Last week, Ring posted to Facebook stating that they are aware "of a bug that incorrectly displays prior login dates as May 28, 2025."

Ring also updated its status page to say that these apparent unauthorized logins are caused by a bug in a recently released backend update.

However, customers are not buying Ring's explanation, reporting that they saw unknown devices, strange IP addresses, and countries that they never visited listed in their Authorized Client Devices list.

An Amazon spokesperson responded, "We are aware of an issue where information is displaying inaccurately in Control Center. This is the result of a backend update, and we’re deploying a fix. We have no reason to believe this is the result of unauthorized access to customer accounts." (Bill Toulas / Bleeping Computer)

Related: Ring, Tom's Guide, PC World, Snopes

Researchers from Lookout say hackers believed to be affiliated with an Iranian intelligence agency are using a newly discovered strain of the DCHSpy malware to snoop on adversaries.

They detected the latest version of DCHSpy one week after Israel’s June bombing campaign targeting Iran’s nuclear program began. DCHSpy was first detected in 2024, but has since evolved and can now exfiltrate data from WhatsApp and files stored on devices, Lookout said.

The malware also collects contacts, SMS messages, location, and call logs, and is able to use device cameras and microphones to take photos and record audio.

The new versions of the malware, which are believed to be tied to the Iranian cyber espionage group MuddyWater, rely on political lures and use websites containing links to malicious VPN and banking apps, Lookout says.

One lure involved in the campaign centers on Starlink, which provided Iranians with web access after the country’s government imposed an internet blackout following Israel’s attacks. (Suzanne Smalley / The Record)

Related: Lookout, Infosecurity Magazine, Security Week

The malicious VPN distribution page from June 2025, which is notably targeted at activists and journalists globally. Source: Lookout.
New samples of DCHSpy. Source: Lookout.

One password is believed to have been all it took for a ransomware gang to destroy KNP, a 158-year-old Northamptonshire, UK transport company, and put 700 people out of work.

In 2023, hackers managed to gain entry to the computer system by guessing an employee's password, after which they encrypted the company's data and locked its internal systems.

KNP director Paul Abbott says he hasn't told the employee that their compromised password most likely led to the destruction of the company. "Would you want to know if it was you?" he asks. (Richard Bilton / BBC Panorama)

Related: Motor Transport, WebProNews, NDTV, Greater Kashmir

Researchers at Kaspersky report that threat actors associated with China's APT41 cyber-espionage operations recently targeted a provider of government IT services in Africa with information stealers and credential harvesting tools, suggesting an unusual branching out for the state-sponsored advanced persistent threat (APT), which usually goes after other targets aligned with Beijing's interests, like Taiwanese organizations or US companies.

One notable aspect of the attack was the adversary's use of malware that had specific details like the names and IP addresses of internal services, and proxy services built into the code, suggesting a high level of familiarity with the victim's infrastructure.

Even one of the command-and-control (C2) servers the attackers used was a SharePoint server that was part of the victim's own network, making the attack more challenging to detect.

The APT41 attacks come against the backdrop of an overall spike in cybercrime in Africa. A recent Interpol study found online scams targeting consumers in the region soaring 30-fold in recent times, even as organized cybercrime has begun exploding in multiple African nations, including Ghana, Senegal, and Nigeria. (Jai Vijayan / Dark Reading)

Related: Securelist, IT Web

Researchers from Lab 1 report that emails, bank statements, IBANs, and HR records are among the sensitive documents most commonly found in breaches, with financial documents found in 93% of all breaches.

After investigating more than 141 million leaked files from almost 1,300 breached datasets, data intelligence platform Lab 1 discovered that nearly all included financial, HR, and customer data across emails, spreadsheets, code files, and unstructured files, like PDFs.

Using AI agents to scrape and analyse every file exposed, Lab 1 discovered that sensitive financial documents appeared in almost every incident, and account for 41% of all files.

Bank statements, which could allow fraudsters to commit identity fraud, were present in 49% of incidents, while IBANs, which can be used for mandate scams and payment redirection, were included in 36% of breached datasets. (Tom Quinn / Digit)

Related: Lab 1, Personnel Today, Globe Newswire, City AM

Researchers at Picus Security report that in June 2025, a ransomware actor known by the alias $$$ publicly introduced a new RaaS brand, GLOBAL GROUP, on the Russian Anonymous Market Place (RAMP or Ramp4u) cybercrime forum, but the researchers have now concluded that GLOBAL GROUP is a rebranding of the Mamona RIP and BlackLock ransomware families.

One innovation the GLOBAL group has introduced is the use of an AI chatbot to kick off the negotiation process.

The ransomware group offers a dual-portal model, directing victims to a Tor-based data leak site and a separate negotiation panel – a structure reminiscent of LockBit’s compartmentalized backend, suggesting that GLOBAL employs a double-extortion approach.

Once on the negotiation panel, the victim is greeted by an AI-powered chatbot designed to automate communication and apply psychological pressure.

The panel is designed for non-technical users, featuring prompts to upload a sample encrypted file for free decryption verification. All correspondence takes place over a secure channel, with a timer displayed to reinforce the urgency. (Kevin Poireault / Infosecurity Magazine)

Related: Picus Security, Cyber Security News

An airline employee who allegedly sold the flight information of BTS and other celebrities to brokers is now facing indictment, the K-pop boy band's agency HYBE said.

According to the agency’s public relations manager, the Seoul Metropolitan Police Agency's cybercrime unit apprehended three people, including one airline crew member, in February and March on suspicion of selling the group members’ flight details to brokers, a violation of the Personal Information Protection Act.

During the investigation, police reportedly traced the suspects’ history of illegally acquiring information and financial records, confirming the structure of the profit-making operation. The case was transferred to the prosecution over the weekend. (Kim Se-jeong / Korea Times)

Related: The Korea Herald, Filmfare, Be Korea-savvy, Korea Bizwire, Korea JoongAng Daily, Financial Express, K-Vibe

The FBI believes thousands of North Koreans have infiltrated the US workforce by assuming the identities of Americans to secure remote jobs, with many defining characteristics including an obsession with Minions, the cuddly yellow agents of evil from “Despicable Me.”

The North Koreans’ love of the animated movie franchise has become a recurring, if slightly baffling, joke among the security researchers who investigate them.

Many of these fake workers use Minions and other “Despicable Me” characters in social-media profiles and email addresses. Some investigators initially thought their use of “Gru” was a reference to the GRU, Russia’s military intelligence agency. Instead, it was a tribute to the Minions overlord, Felonious Gru Sr., the Steve Carell-voiced animated character who tries to steal the moon.

Allusions to Minions and other characters are so ubiquitous that investigators pursuing suspected North Koreans view Despicable references as a sign they might be on the right track. (Robert McMillan / Wall Street Journal)

Farnsworth Intelligence, a private intelligence company founded by a 23-year-old named Aidan Raney, is now taking infostealer data hacked from what it says are more than 50 million computers and reselling it for profit to a wide range of industries, including debt collectors, couples in divorce proceedings, and even companies looking to poach their rivals’ customers.

Essentially, the company is presenting itself as a legitimate, legal business, but is selling the same sort of data that was previously typically sold by anonymous criminals on shady forums or underground channels.

Farnsworth offers two infostealer-related products. The first is Farnsworth’s “Infostealer Data Platform,” which lists the use cases above. It can display hacking victims’ full plaintext passwords, and requires potential users to contact Farnsworth for access. The company asks applicants to explain their use case, which can include “private investigations, intelligence, journalism, law enforcement, cyber security, compliance, IP/brand protection,” and several others, according to its website.

The second product is infostealers.info, a publicly available service that requires no due diligence to enter. It only asks for a minimum of $50 to search through the results. These don’t include victims’ full passwords, but the platform still contains a wide range of sensitive information. Recently, infostealers.info introduced the ability to search for data stored in a hacking victim’s browser autofill, that is, data the browser stores for convenience so it can automatically populate a form, such as a billing address.

“To put it plainly this company is profiting off of selling stolen data, re-victimizing people who have already had their personal devices compromised and their data stolen,” Cooper Quintin, senior public interest technologist at the Electronic Frontier Foundation (EFF), told 404 Media.

“This data will likely be used to further harm people by police using it for surveillance without a warrant, stalkers using it to gather information on their targets, high level scams, and other damaging motives.” (Joseph Cox / 404 Media)

Related: PC World

According to sources, Donald Trump plans to sign three AI-focused executive orders in the run-up to the release of the administration’s sweeping AI Action Plan, anticipated Wednesday.

The orders are expected to be signed either on Tuesday or before the White House’s AI Action Plan event kicks off on Wednesday, said the people, who requested anonymity to discuss details of the plans candidly. Each order focuses on one of three aspects of artificial intelligence regulation and policy that the administration has prioritized: spearheading AI-ready infrastructure; establishing and promoting a US technology export regime; and ensuring large language models are not generating “woke” or otherwise biased information.

Each order builds off established Trump administration policy in each of its specific arenas. The AI Infrastructure directive, for instance, would address energy and permitting issues associated with data centers and the computational demands of running AI applications. It stipulates that the Department of Energy issue requests for proposals for new data centers at three Department of Energy sites.

The second order is set to help accelerate the export of US-made AI technologies alongside the US International Development Finance Corporation and the Export–Import Bank of the United States, seeking to further enable the global diffusion of US-made AI software.

The third directive will focus on removing “woke AI” and ideological bias from large language models, particularly within AI tools procured by the federal government. Two industry sources said that the primary architects behind the “woke AI” order are David Sacks, the White House AI and crypto czar, and Sriram Krishnan, the White House’s senior policy advisor for AI. (Alexandra Kelley and David DiMolfetta / NextGov/FCW)

Related: E&E News by Politico, Just Security

Former senior executive at the NSA and US Cyber Command Morgan Adamski has joined PwC as a US leader in the firm’s Cyber, Data & Technology Risk business.

Before joining PwC, Adamski served as the highest-ranking civilian and third in command at United States Cyber Command.

In this role, she led Department of Defense initiatives focused on rapidly integrating technology for operational outcomes, adoption of artificial intelligence for offensive and defensive cyber operations, and building strong public-private partnerships to protect against cyber threats. (PwC Press Release)

Best Thing of the Day: Man Versus Machine Story Where Man Wins

Polish programmer Przemysław Dębiak (known as "Psyho") beat an advanced AI model from OpenAI in a head-to-head ten-hour marathon coding competition.

Bonus Best Thing of the Day: Beefing Up Cyber Insurance in Russia

The Russian National Reinsurance Company (RNRC) has decided to add risks of equipment failure and interruption of production due to cyber incidents to property reinsurance.

Worst Thing of the Day: Let's Make the UK Worse Again

OpenAI, the firm behind ChatGPT, has signed a deal to use artificial intelligence (AI) to increase productivity in the UK's public services.

Closing Thought
