This week
- ToolShell: Hundreds of SharePoint sites compromised by Chinese actors
- UK to crack down on ransom payments, introduce mandatory reporting
- Clorox’s $380M lawsuit against Cognizant for poor password reset handling
- Home Office expected to back down over encryption-busting TCN
- UK VPN signups surge after age verification became mandatory under the Online Safety Act
Interesting stats
23% rise in ransomware attacks against education sector organisations in the first half of 2025, with $556,000 average ransom demand made across 130 incidents, according to Comparitech. LINK
Five things
- ToolShell: A critical vulnerability in the on-premise version of Microsoft SharePoint is being actively exploited by threat actors. CVE-2025-53770 (9.8/10) allows unauthenticated, remote users access to SharePoint servers exposed to the Internet. At least 400 organisations are believed to have been compromised, including the US agency responsible for maintaining its nuclear weapons, the National Nuclear Security Administration (NNSA). Microsoft has published a blog post providing further details and accusing two Chinese nation-state actors — Linen Typhoon and Violet Typhoon — of being behind the rapid exploitation. A third group, which Redmond calls Storm-2603, is also apparently exploiting the vulnerability and using it to deploy ransomware. Chinese actors have been known to quickly exploit zero-day, or recently published, vulnerabilities in a ‘smash and grab’ manner. Customers of Barracuda’s email security solution were instructed to replace their appliances after Chinese exploitation of the hardware in August 2023. TOOLSHELL, ADVISORY, ORGS, CHINA, BARRACUDA
- Ransom payments: The UK government will ban public bodies from paying ransoms to cybercriminals, and private companies will be obliged to report any payments to authorities. I think this is ultimately a good move: UK authorities are not known to pay ransoms, so this will formalise the position, and the reporting aspect will give better data to guide legislation and better target support for businesses. RANSOM PAYMENTS, MORE
- Clorox is suing IT managed service provider Cognizant for $380 million in damages for performing password and MFA resets without properly verifying identities. The lapse in process led to a ransomware incident at the chemical company in September 2023. Clorox’s lawsuit claims Cognizant “failed to show even scant care” and that “The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox’s network, and Cognizant handed the credentials right over.” Transcripts of call recordings don’t look great; however, Cognizant’s PR agency told ArsTechnica that the firm “did not manage cybersecurity” and “reasonably performed” its “narrow scope of help desk services”. There probably is a case to be made here, though that doesn’t excuse Clorox of any responsibility either: obtaining a set of credentials shouldn’t be sufficient to bring down a whole company. CLOROX
- UK Home Office vs Apple: Senior British officials have told the Financial Times that “The Home Office is basically going to have to back down” over a technical capability notice issued to Apple. The Home Office’s request, under the Investigatory Powers Act, reportedly requires Apple to break end-to-end encryption and share information on global users. The law prohibits Apple from acknowledging the notice; however, the tech company withdrew its most secure iCloud security offering from the UK market earlier this year. One official said the Home Office had mishandled the whole situation, with pressure coming from the US Vice President, and that the “encryption issue” is a “big red line” for the US administration. The order seemed pretty out there from the beginning, and I wonder if it was mishandled or seen as a legal test case. BACK DOWN, MORE
- The UK’s Online Safety Act has spurred a massive spike in VPN purchases as consumers try to avoid new age verification and identity validation rules on social media sites like X/Twitter and Reddit, pornography sites, and other websites carrying “harmful” material. Popular VPN providers Proton and Nord say they have seen 1,800% and 1,000% increases in signups since the new law came into effect this week. Perhaps not the results lawmakers were hoping for. [VPN](https://www.ft.com/content/356674b0-9f1d-4f95-b1d5-f27570379a9b)
In brief
- ⚠️ Incidents: AMEOS Group, a Zurich-headquartered healthcare operator, has reported a breach potentially exposing patient and employee data. AMEOS has 18,000 staff in over 100 hospitals across the DACH region. Allianz Life says it lost the personal information of the “majority” of its 1.4 million customers and employees during a July breach of its cloud-based CRM system, stemming from a social engineering attack. NASCAR says that personal data, including Social Security numbers, was stolen during an incident in March. AMEOS, ALLIANZ, NASCAR
- 🕵️ Threat Intel: CISA says that threat actors are exploiting vulnerabilities in SysAid’s IT service management (ITSM) software to compromise administrator accounts. The Lumma infostealer operators claim their main server was remotely wiped by law enforcement action, but that they have been rebuilding their operations. The FBI seized around 2,500 domains in May, but Trend Micro say that Lumma activities have returned to pre-takedown levels. Microsoft says that it “cannot guarantee” data sovereignty of customers in France, citing the Cloud Act that gives the US government authority to request data from US-based tech companies. SYSAID, LUMMA, SOVEREIGNTY
- 🪲 Vulnerabilities: Mitel has released a patch for a critical authentication bypass vulnerability in its MiVoice MX-ONE solution (currently no CVE). Veeam is advising customers who installed Veeam Recovery Orchestrator 7.2.1.286 to contact technical support after the buggy update blocked users with multi-factor authentication from being able to log in. MITEL (ADVISORY), VEEAM
- 🛠️ Security engineering: Amazon published a version of its Q Developer Extension for Visual Studio Code that included commands to “clear a system to a near-factory state and delete file-system and cloud resources”. The malicious prompt was submitted to the project’s GitHub repository and appears to have been merged without Amazon giving it proper scrutiny. Both Gemini CLI and Replit’s AI coding tools caused incidents this week, too, deleting code and a production database, respectively. Gemini hallucinated a directory being created and moved files into a non-existent location; Replit ignored a prompt not to modify any code. <Insert Stack Overflow / Junior developer joke here>. AMAZON, GEMINI/REPLIT
- 📜 Policy & Regulation: Trump’s AI Plan calls for the establishment of an AI information sharing and analysis centre (ISAC). AI PLAN
- 👮 Law Enforcement: A 50-year-old woman has been sentenced to 102 months for running a so-called laptop farm used in a North Korean IT worker scheme. Christina Marie Chapman pleaded guilty to her part in the scheme that compromised 309 US companies. N. KOREA
And finally
- WhoFi: Researchers from La Sapienza University of Rome, Italy, say that they have developed a method to create biometric identifiers for people based on how their bodies interfere with Wi-Fi signals. The technique would allow people to be tracked as they pass through different Wi-Fi networks, because it’s based on the human body’s interaction with the signals; it doesn’t matter if the user is carrying a phone or other electronic device. The paper’s abstract starts with the problem that “Person Re-Identification is a key and challenging task in video surveillance.” The paper claims that the technique is “privacy-preserving,” but it certainly doesn’t seem like a significant stretch to imagine unique body ‘fingerprints’ being tied to identities. WHOFI, PAPER