Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11804
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-07-22 17:40:02 | bleepingcomputer | CYBERCRIME | Interlock Ransomware Escalates Attacks on Global Industries | CISA, FBI, and other agencies issued a warning regarding rising Interlock ransomware activity affecting businesses and critical infrastructure. Interlock ransomware, identified in September 2024, has increasingly targeted various sectors worldwide, particularly healthcare. These attacks involve data theft followed by encryption, pressuring victims to pay ransoms to regain access and prevent data leaks. Notable breaches include DaVita and Kettering Health, with significant data theft and operational disruptions reported. Interlock leverages unusual tactics such as drive-by downloads from compromised legitimate sites and double extortion schemes. Recent methods also include the FileFix technique, which manipulates Windows UI elements to execute harmful scripts. Recommended defenses include DNS filtering, web application firewalls, routine updates, network segmentation, ICAM policies, and mandatory multifactor authentication. The advisory provides network defenders with the latest indicators of compromise and mitigation measures to thwart such ransomware attacks. | Details |
| 2025-07-22 17:31:28 | bleepingcomputer | DATA BREACH | Major European Healthcare Provider Suffers Significant Data Breach | AMEOS Group, a large healthcare network in Central Europe, reported a security breach impacting customer, employee, and partner data. The breach involved unauthorized access to the provider's IT systems despite extensive security measures. AMEOS operates over 100 healthcare facilities, employs around 18,000 staff, and generates more than $1.4 billion in annual revenue. All IT systems were shut down and network connections severed to contain the breach; external IT and forensic experts were enlisted to assist. Data protection authorities in Switzerland, Germany, and Austria were notified, and a criminal complaint has been filed. AMEOS has advised individuals associated with its facilities to be cautious of potential phishing and scam attempts. No data is known to have been published online so far, and the ongoing investigation has found no evidence of data exposure. Updates will be provided through AMEOS's website as the investigation progresses and new details emerge. | Details |
| 2025-07-22 16:48:22 | theregister | NATION STATE ACTIVITY | Chinese State Groups Exploit Microsoft SharePoint Vulnerabilities | Chinese state-backed groups Linen Typhoon and Violet Typhoon are exploiting recently identified vulnerabilities in on-premises Microsoft SharePoint servers. Linen Typhoon primarily targets entities involved in government, defense, and human rights, focusing on stealing intellectual property. Violet Typhoon engages in espionage aimed at former government and military personnel, NGOs, think tanks, and sectors such as education and media across the US, Europe, and East Asia. A third group, Storm-2603, possibly China-based but not confirmed as state-sponsored, has been using these vulnerabilities for unclear purposes. Microsoft has released patches for the identified vulnerabilities affecting all versions of SharePoint Server—including Subscription Edition, 2019, and 2016. The presence of multiple proofs of concept for these vulnerabilities on GitHub indicates a high risk of further attacks by various cybercriminal groups. Organizations are strongly urged to apply the security updates immediately to prevent breaches and data theft. Microsoft continues to investigate additional threat actors exploiting these vulnerabilities. | Details |
| 2025-07-22 16:16:50 | theregister | NATION STATE ACTIVITY | Engineer Pleads Guilty to Stealing U.S. Missile Technology Secrets | Chenguang Gong, a dual Chinese-American citizen, admitted to downloading over 3,600 documents containing trade secrets valued in the hundreds of millions of dollars from two prominent electronics manufacturers. The stolen documents included sensitive information on military technology, such as infrared sensors and radiation-hardened cameras for detecting rocket launches. Gong's theft was motivated by Chinese tech talent programs that offer substantial financial incentives for sharing foreign technical knowledge. The FBI found that Gong had transferred the stolen files between various personal storage devices after accepting a position with a direct competitor in the U.S. Gong's actions began shortly after he moved to the U.S., and he intensified them after transferring to a company that builds circuits for missile tracking. The engineer has been charged, pleaded guilty, and now faces up to 10 years in prison, highlighting significant concerns about economic espionage and national security. The breach was discovered by Gong's last employer during an IT security audit, which was critical in preventing wider dissemination of the stolen information. | Details |
| 2025-07-22 15:48:44 | thehackernews | NATION STATE ACTIVITY | Microsoft Exposes Chinese Groups Exploiting SharePoint Flaws | Microsoft identified three Chinese hacker groups exploiting vulnerabilities in SharePoint servers as of July 7, 2025. The groups, named Linen Typhoon, Violet Typhoon, and Storm-2603, used these security flaws to gain initial access to target organizations. The vulnerabilities in question relate to spoofing (CVE-2025-49706) and remote code execution (CVE-2025-49704), with new bypass identifiers CVE-2025-53771 and CVE-2025-53770. Attack tactics include a POST request to the ToolPane endpoint of SharePoint servers, allowing authentication bypass and remote code execution. The attackers deploy a web shell named "spinstall0.aspx" to retrieve and steal critical MachineKey data. Microsoft strongly recommends updating SharePoint systems, rotating ASP.NET machine keys, restarting Internet Information Services, and deploying enhanced antimalware defenses such as Microsoft Defender for Endpoint. Further risk is anticipated if organizations fail to implement the recommended security measures and updates promptly. | Details |
| 2025-07-22 15:36:41 | theregister | MISCELLANEOUS | Innovative Tracking Using Wi-Fi Signals as Biometric Identifiers | Researchers at La Sapienza University in Rome have developed "WhoFi," a method to identify individuals based on how their bodies affect Wi-Fi signals. The approach uses Wi-Fi Channel State Information (CSI) to create a unique biometric pattern for each person. WhoFi can track individuals across different locations without requiring them to carry any electronic device. The technique offers potential advantages over traditional surveillance methods, including privacy preservation and the ability to operate in varied lighting conditions and through obstacles. The system has achieved up to 95.5% accuracy in identifying individuals on a public dataset. The researchers highlight the use of deep neural networks and transformer encoding to process CSI data, making identification more reliable. These findings could influence future developments in security and surveillance technologies using non-visual biometric data. | Details |
| 2025-07-22 14:40:38 | theregister | DATA BREACH | Microsoft Issues Critical Updates for SharePoint 2016 Vulnerabilities | Microsoft has released updates for SharePoint Server 2016 to fix critical zero-day vulnerabilities, identified as CVE-2025-53770 and CVE-2025-53771, which were actively exploited and allowed attackers unauthenticated access and full control over the network. The vulnerabilities could let attackers impersonate users or services and maintain access even after patches are applied, prompting an urgent call for administrators to patch and strengthen security measures. Tens of thousands of on-premises SharePoint servers, including those used by US federal and state agencies, were at risk, though Microsoft 365 users were unaffected. Before the patches, mitigation options included using Microsoft Defender for Endpoint to block post-exploitation activity or disconnecting servers from the internet. Microsoft issued guidance to rotate the ASP.NET machine keys and restart Internet Information Services (IIS) to reduce the risk of attackers regaining access after patching. Exploitation of these vulnerabilities could lead to severe consequences such as data theft, password harvesting, and access to linked services such as Outlook and Teams. SharePoint Server 2016 is currently in Extended Support, which ends on July 14, 2026, highlighting the need for timely security updates and active vulnerability management. | Details |
| 2025-07-22 14:40:37 | bleepingcomputer | CYBERCRIME | Cisco Urges Update After Critical ISE Flaws Exploited | Cisco has identified active exploitation of three critical vulnerabilities in its Identity Services Engine (ISE) platform. The flaws allow remote code execution and arbitrary file execution, posing a maximum-severity threat with a CVSS score of 10.0. The vulnerabilities are present in both Cisco ISE and ISE Passive Identity Connector (ISE-PIC) and can be exploited without authentication. Patches have been issued in ISE versions 3.3 and 3.4 to fully mitigate these risks. Cisco strongly advises customers to upgrade their systems immediately to prevent breaches of network security. There are no viable workarounds for these vulnerabilities, making the application of updates critical. Timely patching and system upgrades are essential to maintaining the integrity and security of large organizational networks against unauthorized access. | Details |
| 2025-07-22 13:15:06 | thehackernews | CYBERCRIME | Cisco Issues Urgent Fixes Amidst Active Exploitation of ISE Flaws | Cisco has updated its advisory on actively exploited vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector. In July 2025, exploits targeting critical-rated ISE flaws were detected, which allow root-level command execution by unauthenticated users. The vulnerabilities enable attackers to bypass network access controls and gain unrestricted access to internal systems. Two of the flaws stem from insufficient input validation, and one from inadequate file validation checks, allowing malicious files to be placed in privileged directories. Attackers exploit these vulnerabilities via crafted API requests or malicious file uploads to affected devices. Cisco has not disclosed specifics regarding the identities of the attackers or the extent of the exploitation. Immediate software updates and vigilant review of system logs for suspicious activity are recommended to mitigate the risks. The high-risk nature of these flaws poses significant threats to critical infrastructure and compliance-sensitive environments. | Details |
| 2025-07-22 13:07:22 | thehackernews | MALWARE | Mexican Targets Hit by Allakore RAT and SystemBC Malware | Mexican organizations are currently targeted in a sophisticated malware campaign involving a modified Allakore RAT and SystemBC. The cybercriminal group behind the attacks, known as Greedy Sponge, has been active since early 2021, focusing on financial fraud through credential theft. Greedy Sponge uses phishing and trojanized ZIP files to deploy malware and augments its attacks with secondary payloads such as proxy tools. Arctic Wolf Labs notes that Greedy Sponge has evolved its tactics, implementing server-side geofencing to hinder analysis. The campaign, first spotted by the BlackBerry Research team, has remained financially motivated and regionally focused, with limited technical advancement in its operation. A related attack detailed by eSentire in May 2025 involved a phishing scheme that used a new crypter service called Ghost Crypt to deliver PureRAT. The malware landscape has also seen emerging threats such as Neptune RAT and Hijack Loader, which continue to threaten data security through advanced techniques and payload delivery methods. | Details |
| 2025-07-22 13:07:22 | bleepingcomputer | CYBERCRIME | UK Government Plans to Ban Ransom Payments in Public Sector | The UK government intends to prohibit public sector entities from paying ransoms in response to cyberattacks. Affected organizations would include local councils, schools, and the National Health Service (NHS). The measure aims to undermine the profitability of the ransomware model and enhance the security of vital public services. The legislation would require private sector companies to consult the government before a payment that could violate laws on sanctioned cybercriminal groups. A mandatory reporting system for ransomware incidents is also set to be developed to aid law enforcement. The strategy emerged following a consultation that started in January, covering all public bodies and critical infrastructure. Ransomware is deemed the top cybercrime threat in the UK and a significant national security risk, having hit prominent institutions such as the NHS and the British Library. Recent ransomware incidents at leading UK businesses, such as Marks & Spencer and Harrods, underscore the urgency of the new policy. | Details |
| 2025-07-22 12:33:29 | theregister | CYBERCRIME | UK Government to Ban Ransomware Payments by Public Sector | The UK government announced plans to prohibit public sector organizations and critical national infrastructure from paying ransomware demands. The policy covers the NHS, local councils, and educational institutions to counter the growing threat from cybercriminals. A government consultation showed that almost three quarters of respondents support the proposed ban. Security Minister Dan Jarvis emphasized that the move is designed to disrupt the business model of cybercriminals and protect public services. The proposed regulations are part of the broader Cyber Resilience Bill expected to be introduced to Parliament this year, enhancing enforcement powers and expanding the scope to include data centers and MSPs. Under the new guidelines, failure to implement necessary security updates could lead to fines of £100,000 per day or 10 percent of turnover. The measures would still require commercial entities to notify the government before making any ransom payment, so that payments to sanctioned groups, particularly those based in Russia, can be prevented. The government advises maintaining offline backups and having robust contingency plans in place to mitigate the impact of cyber-attacks. | Details |
| 2025-07-22 11:27:21 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Hackers Exploit Microsoft SharePoint in Global Attacks | Chinese-linked threat actors targeted multiple organizations worldwide by exploiting zero-day vulnerabilities in Microsoft SharePoint. The attack used a vulnerability chain known as "ToolShell," initially identified in on-premises SharePoint servers and linked to nation-state actors. Dutch cybersecurity experts detected the attacks, revealing that at least 54 organizations, including multinational corporations and government entities, were breached. Microsoft patched the vulnerabilities (CVE-2025-49706 and CVE-2025-49704) in its July updates and later assigned new CVE IDs to the bypasses because of ongoing exploitation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added one of the flaws to its Known Exploited Vulnerabilities catalog and mandated that federal agencies apply patches promptly. After the initial patches, Microsoft issued additional emergency patches for several versions of SharePoint to address the remote code execution flaws. Following the release of the fixes, a proof-of-concept exploit for CVE-2025-53770 was also published on GitHub, potentially facilitating further attacks by other malicious actors. | Details |
| 2025-07-22 11:04:54 | thehackernews | MISCELLANEOUS | Guide to Transitioning from SOC Manager to CISO Role | Transitioning from SOC manager to CISO involves developing leadership skills and aligning security practices with business objectives. Critical skills for CISOs include strategic thinking, business acumen, effective communication, and service management. CISOs must communicate technical risks in business terms and manage security decisions that affect financial and operational matters. Future CISOs should increase their visibility, sharing notable contributions and engaging in broader business initiatives. Understanding the varying reporting structures in different organizations is essential, as CISOs can report to CIOs, CFOs, or CROs depending on the company. The role of a CISO transcends technical duties, requiring strategic decision-making and comprehensive risk management. Proactively seeking leadership roles and demonstrating readiness for executive responsibilities are important for career advancement. Networking and continuous learning through formal education and certifications are also crucial for aspiring CISOs. | Details |
| 2025-07-22 10:49:24 | theregister | MISCELLANEOUS | Cybersecurity Insights from Speedruns and Open Source Challenges | Ethical hacker John Hammond demonstrates techniques for analyzing potential malware in open-source projects. His analysis focuses on Talon, a Windows de-bloater considered suspicious by some because of how it modifies system-level settings. Open-source code is subject to community scrutiny, which is supposed to enhance security under the "many eyeballs" theory. Hammond works through complex Python and PowerShell scripts to demonstrate Talon's functionality and intentions. The potential for open-source code to inadvertently trigger malware scanners is highlighted. Successful cybersecurity approaches involve understanding both the technical logic and the broader impact of coding decisions. The article suggests adopting defensive coding practices to avoid software actions being misinterpreted as malicious. Open-source software can gain trust and avoid suspicion through clear documentation and community engagement. | Details |