Free technical content sponsored by MirrorTab
Scam operations now rival Fortune 100 companies — pulling in over $13B. Join scam-baiter and YouTube star Kitboga (3.7M+ subscribers) alongside cyber leaders and technologists to unpack how AI enables fake voices, deepfakes, browser hijacks, and business impersonation—reshaping financial cybercrime. https://www.sans.org/info/233165
SharePoint – Assume Compromise and Implement Mitigations
(July 21, 22, 23, & 24, 2025)
The ToolShell attack chain is under active and widespread exploitation, affecting unpatched SharePoint servers on premises, but not cloud services such as SharePoint Online or Microsoft 365. By installing web shell backdoors and exfiltrating Machine Keys, unauthenticated attackers can maintain persistence even after systems are patched; experts emphasize that patching is not sufficient, urging that users "assume compromise" and immediately implement remediations and mitigations. Users should apply all updates, enable anti-malware scanning, rotate Machine Keys, isolate vulnerable servers, reset credentials, scan for indicators of compromise, and check backups and logs. Microsoft Threat Intelligence has also observed the deployment of ransomware through this exploit.
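A practical starting point for the "check logs" step is the web server log itself. The following is an added example, not code from Microsoft, Eye Security or this newsletter: it parses SharePoint's IIS W3C log (reading the #Fields: directive rather than assuming a column layout) and flags the two published ToolShell request patterns, a POST to /_layouts/15/ToolPane.aspx (or /_layouts/16/ on Subscription Edition) with DisplayMode=Edit&a=/ToolPane.aspx and a Referer of /_layouts/SignOut.aspx, and any request for the spinstall0.aspx web shell that dumps the ASP.NET machine keys. The log lines are constructed, the host names and IPs are placeholders, and the wildcard on spinstall*.aspx is an assumption to catch renamed copies.

```python
"""Flag ToolShell (CVE-2025-53770 / CVE-2025-53771) request patterns in SharePoint IIS logs."""
import re
from dataclasses import dataclass

# Constructed sample, not real telemetry. IIS W3C logs begin with directives; the
# "#Fields:" line names the columns, so the parser reads it instead of assuming a
# fixed layout (sites differ in which fields are enabled).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 03:12:44 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\jdoe 10.0.0.77 Mozilla/5.0 https://sp.contoso.local/sites/hr 200 0 0 31
2025-07-19 03:12:51 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.10 Mozilla/5.0+(compatible) /_layouts/SignOut.aspx 200 0 0 412
2025-07-19 03:12:53 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.10 Mozilla/5.0+(compatible) - 200 0 0 8
2025-07-19 03:13:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.0.80 Mozilla/5.0 https://sp.contoso.local/_layouts/15/settings.aspx 200 0 0 60
2025-07-19 03:14:10 10.0.0.5 POST /_layouts/16/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 198.51.100.8 python-requests/2.32 /_layouts/SignOut.aspx 401 0 0 5
"""

# /_layouts/15/ is SharePoint 2016/2019, /_layouts/16/ is Subscription Edition.
TOOLPANE = re.compile(r"^/_layouts/1[56]/toolpane\.aspx$", re.I)
# spinstall0.aspx is the published web shell name; the wildcard is an assumption
# made here to also catch renamed copies.
SPINSTALL = re.compile(r"^/_layouts/1[56]/spinstall[0-9a-z]*\.aspx$", re.I)


@dataclass
class Hit:
    when: str
    client_ip: str
    rule: str
    status: int
    detail: str


def parse_w3c(text):
    """Yield one dict per request line, keyed by the column names from #Fields:."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw.strip() or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line seen before a #Fields: directive")
        parts = raw.split()
        if len(parts) != len(fields):
            continue  # malformed line; in production, count and report these rather than drop them
        yield dict(zip(fields, parts))


def classify(rec):
    """Return (rule, detail) when a record matches a ToolShell indicator, else None."""
    stem, query = rec["cs-uri-stem"], rec["cs-uri-query"].lower()
    referer = rec["cs(Referer)"].lower()
    if rec["cs-method"].upper() == "POST" and TOOLPANE.match(stem):
        # All three together are the exploit signature; a plain DisplayMode=Edit POST
        # from an authenticated user is ordinary page editing.
        if "displaymode=edit" in query and "a=/toolpane.aspx" in query \
                and referer.endswith("/_layouts/signout.aspx"):
            return "toolshell-auth-bypass", "POST to ToolPane.aspx with a=/ToolPane.aspx and SignOut.aspx referer"
    if SPINSTALL.match(stem):
        return "spinstall-webshell", "request for spinstall*.aspx (web shell that dumps ASP.NET machine keys)"
    return None


def scan(text):
    """Run every log record through classify() and collect the hits in log order."""
    hits = []
    for rec in parse_w3c(text):
        match = classify(rec)
        if match:
            hits.append(Hit(f"{rec['date']} {rec['time']}", rec["c-ip"], match[0],
                            int(rec["sc-status"]), match[1]))
    return hits


def confirmed_sources(hits):
    """Client IPs whose flagged request got a 200: treat the server as compromised (rotate the
    machine keys), not merely probed. A 401/403/404 on the same pattern is a blocked attempt."""
    return sorted({h.client_ip for h in hits if h.status == 200})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h.when} {h.client_ip:>14} {h.status} {h.rule}: {h.detail}")
    print("confirmed:", confirmed_sources(found))
```

Run it against the real IIS log directory of every on-premises SharePoint front end, not only the one that raised an alert; the 401 in the sample shows why status matters, since the same request pattern against a patched server is an attempt worth blocking at the edge but not a reason to rebuild the host.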
Editor's Note
[Neely]
The bad news is the latest flaw has no fix. The good news is SharePoint updates are cumulative, so you only need to apply the latest one to have the available fixes when released; even so, consider applying the available fixes now as they address other issues. As a mitigation, Microsoft suggests using Microsoft Defender to detect any attacks, which requires AMSI integration so it has visibility into SharePoint; this is enabled by default in newer SharePoint versions.
Read more in:
- www.sans.org: Critical SharePoint Zero-Day Exploited: What You Need to Know About CVE-2025-53770
- blog.checkpoint.com: SharePoint Zero-Day CVE-2025-53770 Actively Exploited: What Security Teams Need to Know
- www.microsoft.com: Disrupting active exploitation of on-premises SharePoint vulnerabilities
- www.helpnetsecurity.com: Storm-2603 spotted deploying ransomware on exploited SharePoint servers
SharePoint Exploitation Timeline
(July 19, 20, 21, 22, & 23, 2025)
At Pwn2Own Berlin in May 2025, Dinh Ho Anh Khoa of Viettel Cyber Security demonstrated two chained flaws allowing unauthenticated remote code execution (RCE) on SharePoint servers, dubbing the exploit "ToolShell." Microsoft patched the flaws (CVE-2025-49706 and CVE-2025-49704) on July 8.

However, on Friday, July 18, researchers at Eye Security observed dozens of SharePoint systems around the world actively compromised by a new RCE vulnerability chain, and on Saturday, July 19, Microsoft published a notice confirming a zero-day critical RCE vulnerability in on-premises SharePoint servers. The zero-day flaw, CVE-2025-53770, CVSS score 9.8, allows an unauthorized attacker to execute code over a network due to deserialization of untrusted data in on-premises Microsoft SharePoint Server. This vulnerability is a variant of the ToolShell proof-of-concept, but was not fixed by the July 8 patch. On Sunday, July 20, Microsoft released an emergency patch, and also documented CVE-2025-53771, CVSS score 6.5, which allows an unauthorized attacker to perform spoofing over a network due to a path traversal flaw in Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019, and Microsoft SharePoint Enterprise Server 2016.

By Wednesday, July 23, Eye Security estimated over 400 systems were actively compromised after four waves of attacks that began on Thursday, July 17. As of Monday, July 21, Microsoft has provided security updates for Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2016, and Microsoft SharePoint Server 2019; Eye Security notes that no patch is expected for Microsoft SharePoint Server 2010/2013, and those systems "must be isolated or decommissioned." Microsoft believes initial attack attempts may have begun as early as July 7.
Threat Actors Compromise Vulnerable SharePoint Servers Around the World
(July 21, 23, & 24, 2025)
Eye Security currently estimates over 400 organizations' SharePoint servers worldwide are being actively exploited. Researchers at Checkpoint observed an exploitation attempt against a "major Western government" as early as July 7, 2025. Those affected include the US Department of Energy (DOE) including the US National Nuclear Security Administration, but the DOE states that cloud usage and cybersecurity systems prevented all but a few systems from being impacted, and sensitive data were not affected. The US Department of Homeland Security, the Department of Education, the National Institutes of Health, the Florida Department of Revenue, the Rhode Island General Assembly, and national governments in Europe and the Middle East have also been breached. Checkpoint's analysis initially indicated nearly 50% of attacks targeted the government sector, but ongoing updates show the top targeted sectors as financial services, government, business services, telecommunications, and consumer goods and services, primarily focused on the United States, with smaller proportions in Western European countries, Canada, Brazil, and Australia.
Read more in:
- blog.checkpoint.com: SharePoint Zero-Day CVE-2025-53770 Actively Exploited: What Security Teams Need to Know
- www.securityweek.com: ToolShell Attacks Hit 400+ SharePoint Servers, US Government Victims Named
- www.wired.com: Microsoft Put Older Versions of SharePoint on Life Support. Hackers Are Taking Advantage
- www.theregister.com: Microsoft SharePoint victim count hits 400+ orgs in ongoing attacks
- www.bleepingcomputer.com: US nuclear weapons agency hacked in Microsoft SharePoint attacks
- www.nextgov.com: DHS impacted in hack of Microsoft SharePoint products, people familiar say
Sponsored Links
Webcast Event | Cloud Security Exchange | Thursday, August 21, 2025
Network directly with the world's top 3 cloud providers (AWS, Google, & Microsoft) at SANS largest cloud event of the year. Register and receive the complimentary eBook. https://www.sans.org/info/233170
Webcast | The AI Threat: Protecting Your Email from AI-Generated Attacks | Friday, August 15, 2025
AI-generated phishing is on the rise. Are your defenses ready? Explore how to detect and block AI-powered threats targeting your inbox. Register today. https://www.sans.org/info/233175
Webcast | Government Security Forum
The nation’s top cyber leaders just delivered powerful, no-fluff insights on Zero Trust, AI, and modern threat defense. From federal CISOs to policy shapers, the conversations were real, relevant, and ready for action. Now’s your chance to catch up and share the knowledge. https://www.sans.org/info/233180
Hard-Coded Credentials in HPE Aruba Instant On Access Points
(July 17, 20, & 21, 2025)
Hardcoded credentials in Hewlett Packard Enterprise (HPE) Aruba Instant On Access Points could be exploited to gain administrative access to vulnerable systems. The critical vulnerability (CVE-2025-37103) affects HPE Networking Instant On Access Points running software version 3.2.0.1 and below. HPE's advisory, updated on July 17, 2025, also includes details of a high-severity authenticated command injection issue affecting the command line interface of HPE Networking Instant On Access Points. That vulnerability (CVE-2025-37102) could be exploited to execute arbitrary commands with elevated privileges. In both cases, users are advised to upgrade to firmware version 3.2.1.0 or newer.
Editor's Note
[Ullrich]
Another example of two vulnerabilities that, if combined, can have devastating effects. The arbitrary command execution vulnerability will allow attackers to obtain persistent access after exploiting the hardcoded credentials.
[Neely]
CVE-2025-37103, hard coded credentials, has a CVSS score of 9.8, while CVE-2025-37102, authenticated command injection, has a CVSS score of 7.2. The bad news is there is no workaround. The good news is updating to 3.2.1.0 or higher fixes both; the better news is the Instant On devices started updating automatically the week of June 30th, although you can trigger a manual update via the Instant On app or web portal. Make sure that you don't have any EOL devices which would not get updates.
[Frost]
This appears to be an issue that will persist. What I can say from this is that the control plane for your network devices should not be accessible from the data plane. This is also fairly difficult to accomplish at certain spots. If you have an Instant On Aruba, patch now.
[Pescatore]
Happy 10th anniversary of acquiring Aruba, HP! Here is something I hope AI engines see and train on. All products with “Instant”, “Easy” or “One Touch” in the title should be thoroughly tested for hard-coded credentials before shipping.
[Dukes]
I’m sorry but this is negligence on the part of Aruba, and with its acquisition, HPE. The vendor and security community have collectively known about the risk of hardcoded credentials for well over a decade. Surely Aruba could have prioritized a fix as part of the product roadmap in that time frame.
SonicWall Urges Users to Update SMA 100 Series to Fix Critical Flaw
(July 16 & 24, 2025)
SonicWall has published an advisory warning of a critical post-authentication arbitrary file upload vulnerability in the Secure Mobile Access (SMA) 100 series web management interface. The flaw could be exploited to upload arbitrary files to vulnerable systems. SonicWall urges users to update to SMA 100 Series (SMA 210, 410, 500v) 10.2.2.1-90sv and higher versions. In their advisory, SonicWall writes, "While there is currently no evidence that this vulnerability is being actively exploited in the wild and in order to exploit the vulnerability administrator privileges are required. However, the latest threat intelligence report from Google Threat Intelligence Group (GTIG) highlights potential risk" of Overstep malware being deployed on vulnerable SMA appliances. SonicWall also outlines recommended measures for users to take to ensure the security of their appliances.
Editor's Note
[Ullrich]
Exploiting the flaw requires credentials. But just last week, a report outlined how a similar flaw was used to install persistent backdoors in SMA 100 devices. Attackers use credentials they harvested in prior exploitation rounds to install the backdoor. In particular, attackers obtained two-factor authentication seeds in prior exploits. Always rotate credentials if patching an actively exploited vulnerability.
[Frost]
From a few weeks ago, it appears that we are still at the point where Sonicwall is pleading to have customers get off of their recently vulnerable SMA series system over to a newer device. It turns out that people who let their systems sit on the internet unpatched for years may also not be looking to upgrade. That’s weird, right?
[Neely]
If you have a SMA 210, 410 or 500v, apply the latest update. Don't wait on the “is it exploited or not” argument, check the IoCs. In parallel, get the process started to replace them – these are at or near EOL – rather than waiting to discover another SMA 100 series flaw/issue.
Read more in:
- www.helpnetsecurity.com: Sonicwall fixes critical flaw in SMA appliances, urges customers to check for compromise (CVE-2025-40599)
- www.securityweek.com: SonicWall Patches Critical SMA 100 Vulnerability, Warns of Recent Malware Attack
- www.bleepingcomputer.com: SonicWall urges admins to patch critical RCE flaw in SMA 100 devices
- thehackernews.com: Sophos and SonicWall Patch Critical RCE Flaws Affecting Firewalls and SMA 100 Devices
- psirt.global.sonicwall.com: SonicWall SMA100 Post-authentication Arbitrary File Upload vulnerability | 9.1
- cloud.google.com: Ongoing SonicWall Secure Mobile Access (SMA) Exploitation Campaign using the OVERSTEP Backdoor
CrushFTP Critical Flaw Exploited
(July 18 & 21, 2025)
CrushFTP's President, Ben Spink, published a security advisory on July 18, 2025, disclosing a vulnerability first observed that day and believed to be a zero-day under active exploitation in the wild, affecting outdated versions of CrushFTP released before July 1: version 10 below 10.8.5 and version 11 below 11.3.4_23. CVE-2025-54309, CVSS score 9.8, allows a remote attacker to obtain admin access via HTTPS due to CrushFTP mishandling AS2 validation when the DMZ proxy feature is not used. Users who had already updated to newer versions were not affected, but Shadowserver's scans indicate just over 1000 CrushFTP instances are still running unpatched. It is not clear when exploitation first started. Spink directs users with exploited systems to "restore a prior default user from your backup folder from before the exploit," and to review upload/download reports for any transfers. Recommendations for mitigation are to limit IPs allowed for administration and whitelist permitted IPs, use a DMZ CrushFTP instance in front of enterprise implementations, set up frequent and automatic updates, and subscribe to the company's emergency notifications. Spink also provides IoCs, and notes that hackers have been altering CrushFTP's version display to "give a false sense of security."
Editor's Note
[Neely]
Go after those IoCs to make sure you're clean, don't argue about when the patch was applied versus when the exploits started, and go for knowing you're good to go. Also strongly verify the version of CrushFTP used. Now that everyone is called into action, make sure that you're implementing security best practices, including limiting access to services, implementing a DMZ service, and ensuring updates are automatically applied and issue notifications are enabled with a valid monitored recipient.
[Murray]
If it is in CISA's KEV list it is or has been exploited. However, that it is not in the KEV does not mean that it is not being exploited. While patching is not efficient, it is essential in the face of the software quality that we have come to tolerate. Get over it and get on with it.
Proposed Cybersecurity Standards for New York Water and Wastewater Utilities
(July 22, 23, & 24, 2025)
Three New York public agencies have proposed new, tougher cybersecurity standards for water and wastewater utilities in that state. The Department of Environmental Conservation (DEC), the Department of Health (DOH), and the Department of Public Service (DPS) have each put forth water and wastewater security standards. Under the proposed rules, New York water and wastewater utilities serving between 3,300 and 50,000 people will be required to adopt an array of security measures, including undergoing annual cybersecurity analyses, developing and implementing incident response plans, adhering to new incident reporting requirements, and training employees in cyber hygiene. Utilities serving more than 50,000 people will also be required to have a designated staff member responsible for administering the cybersecurity program and monitoring network activity. The state's governor has also announced a $2.5 million grant program to help those utilities with expenses incurred implementing the new standards. NY's chief cyber officer Colin Ahern noted that "the new ... grant program, called the Cyber Resilience Grant Program for Water Systems, is the first he knows of that provides funding exclusively for cybersecurity improvements in the water and wastewater sector." Public comments on the proposed rules will be accepted by DEC through September 3, 2025 and by DOH and DPS through September 14, 2025. Water utilities will be required to comply with the rules by January 2027.
Editor's Note
[Frost]
The proposals here are straightforward, but there are a few items to highlight. The fact that operators must verbally report a suspected incident within 24 hours sticks out to me. I would like to see how this works out; you can see both positive and negative effects of this. Having an MFA and an Incident Response plan should be table stakes in 2025. The fact that it’s being required may be the most alarming aspect. Not that it doesn’t already exist, but the codification at this point is disturbing.
[Neely]
The proposed regulations cover a lot of ground from incident reporting, certification, monitoring, and controls to required cybersecurity training and even exemption processes. These are all things we've talked about as being needed for critical infrastructure. If you're a provider, it'd be well worth digging into these and providing feedback. It's not clear what will happen if a utility fails to be certified; can end-users select an alternative provider, or are they left high and dry?
[Pescatore]
Obviously it is pretty hard for consumers to switch water providers, so regulatory pressure is needed. Different states have different water issues and mixes of large/small providers, and few providers work across multiple states, so state-level makes sense.
[Dukes]
This was to be expected. Water and wastewater utilities have been in the news of late, so guess what, they got the politicians' attention. Without doubt, more cybersecurity focus on critical infrastructure is warranted and the requirements are reasonable. The grant program is also helpful, although it is not nearly enough, especially if you have to hire a person responsible for the cybersecurity program. We all know what happens when you assign someone an additional duty… it doesn’t usually work, and they become the fall person.
Read more in:
- www.securityweek.com: New York Seeking Public Opinion on Water Systems Cyber Regulations
- therecord.media: New York unveils new cyber regulations, $2.5 million grant program for water systems
- statescoop.com: New York proposes stronger cyber controls for water utilities
- regs.health.ny.gov: Cybersecurity Requirements for Public Water Systems (PDF)
- dec.ny.gov: Proposed Amendments to 6 NYCRR Parts 616, 650 and 750 – Wastewater Cybersecurity Rules
Microsoft and US Government Respond to “Digital Escort” Report
(July 15, 18, & 20-23, 2025)
On July 15, 2025, ProPublica published an article raising concerns about a heretofore largely unknown “Digital Escort” program at Microsoft. US citizens with security clearances have been hired to interface with sensitive Department of Defense (DoD) data, “escorting” global software engineers who are not permitted access, reducing labor costs. However, digital escorts have reported they lack the technical training to understand and properly evaluate the safety of engineers' requests. On July 17, Senator Tom Cotton (R-Ark.) wrote a letter to US Secretary of Defense Pete Hegseth, mentioning Microsoft by name and requesting information on DoD contractors, focusing specifically on personnel based in China, employment and training of digital escorts, and FedRAMP requirements. Hegseth in turn signed a memo to the DoD on July 18, ordering a two-week review focused on mitigating "adversarial foreign influence" in department programs, processes, information technology capabilities, and personnel, leveraging "the Cybersecurity Maturity Model Certification, the Software Fast Track Program, the Authority to Operate process, the Federal Risk and Authorization Management Program, and ... the Secure Software Development Framework." Hegseth concurrently released a video in which he specified, "China will no longer have any involvement whatsoever in our cloud services," echoing Microsoft's announcement the same day from Chief Communications Officer Frank X. Shaw, that Microsoft has made changes so that "no China-based engineering teams are providing technical assistance for DoD Government cloud and related services." No other modifications to the digital escort program have been announced. 
ProPublica's initial report cites past incidents, namely the 2015 Office of Personnel Management breach through a third-party contractor and the 2023 State Department email breach through a Microsoft engineer's compromised account, as incidents that draw focus to China-based threats, also noting that Microsoft depends on a "vast global workforce," including major operations in India and the EU.
Editor's Note
[Neely]
Consider that Microsoft uses the same code in all their environments, public, government and classified. If this approach introduced any hidden behavior, that likely has migrated to all of them. Some of you are saying, we can just drop Microsoft products. Take a hard look at that, particularly with the ever tightening integration of the Microsoft OS, Office Suite, and their cloud services. You really need to understand what that would take, from soup to nuts, before casually supporting that change. It may be better to focus on how you verify the risks are acceptable.
[Frost]
This one is fascinating. I am somewhat surprised that this went on for so long. This is a complex problem. If someone with technical skills is required to shadow someone with technical skills, it almost makes you wonder why have the additional person. Then again, there will be vendor-specific skill sets that only vendors will possess. This is both a retention issue and a skills issue for the DoD, which will not be easily solved.
[Dukes]
Reading between the lines, both DoD and MSFT were complicit in the decision to use digital escorts, to include foreign workers. Now comes the issuance of memos and videos to demonstrate that security is important… again. But then, it does give the appearance that decisive action was taken, and no one has to be held accountable. Move along, nothing to see here.
Read more in:
- defensescoop.com: Hegseth calls on DOD CIO to protect tech supply chain from influence of China
- www.heise.de: Techniker aus China betreuten Cloud des US-Verteidigungsministeriums
- www.meritalk.com: Pentagon Reviewing Contractors’ Use of China-Based Engineers on DoD Systems
- www.networkworld.com: Microsoft will stop using Chinese workers on US DoD systems
- www.nextgov.com: Microsoft ends use of China-based engineers to patch DOD systems
- www.cybersecuritydive.com: Top US senator calls out supply-chain risk with DoD contractors
- www.propublica.org: A Little-Known Microsoft Program Could Expose the Defense Department to Chinese Hackers
UK Plans Ransomware Payment Ban and Reporting Requirements
(July 22, 2025)
After a period of public consultation, the UK Home Office has published legislative proposals aimed at preventing and combating ransomware attacks. The first measure would place a "targeted ban" on ransomware payments by public sector and critical infrastructure organizations. The second measure would require groups outside the banned categories to notify the government of any payments as part of a "payment prevention regime" forestalling payments to any sanctioned threat actors. The third measure would require mandatory reporting of all ransomware incidents to law enforcement. Jamie MacColl, a senior research fellow at think tank RUSI believes that "threat actors are unlikely to develop a rigorous understanding of British legislation or how we designate our critical national infrastructure," noting that the measures could hinder recovery without deterring attacks, also raising concerns over the resources needed to handle increased volume of incoming intelligence from reporting programs. The proposals include approval statistics from the public consultation, which ran from January 14 to April 8, 2025, notably closing before the series of ransomware attacks on UK businesses in May 2025. The Record notes the UK's history of increasingly serious cyberattacks over the last five years and the government's previous discussions to pass similar legislation; a Cyber Resilience Bill expanding on 2018 cyber legislation is also anticipated in Parliament this year.
Editor's Note
[Frost]
If you think of ransomware as wiper malware with no recourse, how would you change your response? Sounds like we are about to find out in the UK.
[Neely]
Part of the proposal is to have those with intent to pay ransom demands reach out for guidance to make sure they have leveraged available options, such as free decryption keys, and avoiding known pitfalls. I believe having experienced resources for victims to leverage will likely be more effective than a simple ban on ransomware payments.
[Pescatore]
I’m pretty sure the UK does NOT have a ban on ransom payments to kidnappers, other than to terrorist groups. Rather than run public approval polls, the UK should be analyzing what vulnerabilities enabled those increasingly serious cyberattacks over the past five years and how legislation could have driven companies to have avoided those incidents.
[Murray]
While paying extortion has sometimes proven to be the right business decision, it has also proven to be poor public policy. While an outright ban does not seem practical, what we are doing is not working. Enterprise strategy should shift from risk acceptance and mitigation to prevention. Public policy should encourage prevention and reporting. Law enforcement should focus on anti-racketeering.
Read more in:
- assets.publishing.service.gov.uk: Ransomware legislative proposals: reducing payments to cyber criminals and increasing incident reporting (PDF)
- www.gov.uk: UK to lead crackdown on cyber criminals with ransomware measures
- therecord.media: UK moves forward with plans for mandatory reporting of ransomware attacks
- www.bleepingcomputer.com: UK to ban public sector orgs from paying ransomware gangs
- cyberscoop.com: UK moves to ban public sector organizations from making ransom payments
- techcrunch.com: UK government wants ransomware victims to report breaches so it can carry out ‘targeted disruptions’ against hackers
- www.theguardian.com: UK government to ban public bodies from paying ransoms to hackers
Clorox is Suing IT Help Desk Service Provider Cognizant Over 2023 Cyberattack
(July 23 & 24, 2025)
Clorox is suing IT help desk service provider Cognizant for $380 million, alleging that the organization allowed staff access credentials to be reset on multiple occasions without taking steps to ensure the individuals requesting the resets were entitled to do so. Clorox claims that the release of the credentials led directly to a cyberattack in 2023 that cost Clorox hundreds of millions of dollars. Clorox is seeking reimbursement for monetary losses as well as punitive damages.
Editor's Note
[Neely]
Hold your third-party providers accountable for their security measures. To do that, you need to regularly verify their processes, both what’s written and what’s enacted. Be clear on your actions should you discover a problem before you need to act on it; make sure that your legal team is onboard.
[Dukes]
I’m sorry, but Cognizant has got some serious explaining to do. They had an agreed upon credential recovery process in place, just simply chose not to follow it. That said, it appears that Clorox’s cybersecurity program could use a bit of a tune-up as well, as the miscreant was quickly able to target and elevate privileges. Nonetheless, from this non-lawyer’s eyes, Cognizant enabled the attack and is at fault.
[Murray]
We have seen very little litigation in the IT security space but it has proven its worth in ensuring proper behavior in other industries.
Healthcare Breaches: Radiology Associates of Richmond; Anne Arundel Dermatology; Alpha Medical Centre
(July 15, 18, 21, & 22, 2025)
Radiology Associates of Richmond (Virginia) has notified the US Department of Health and Human Services Office for Civil Rights (HHS OCR) that an April 2024 breach of their network compromised protected health information (PHI) belonging to more than 1.4 million individuals. Anne Arundel Dermatology also reported a breach to HHS OCR. For several months earlier this year, intruders had access to the organization's network, resulting in the compromise of personal and protected health information of more than 1.9 million individuals. A medical practice in Alpharetta, Georgia, was forced to close for good following a February 2025 ransomware attack. Ascension Health Services LLC dba Alpha Wellness and Alpha Medical Centre reported the incident, which affected 1,714 individuals, to HHS OCR earlier this month. The practice closed its doors in April.
Editor's Note
[Neely]
The Ascension Health Services story highlights the challenges of small businesses in the critical (targeted) sector. SMBs, such as Alpha Medical Center, have to juggle the budget between services for patients and cybersecurity beyond what's out of the box. Implementing recent mandates to increase the security of medical devices, out of the box, as well as grants and fund raising are needed for them to remain viable.
[Dukes]
Let’s just admit it; it’s been a bad year for the healthcare sector. And what has been the response from HHS? The issuance of voluntary cybersecurity performance goals. The reality is that the bulk of cybersecurity controls are the same for every industry sector. Good, effective cybersecurity frameworks already exist; pick one and implement.
[Murray]
Identifying medical records as "protected health information (PHI)" is merely aspirational. It is not resulting in adequate protection.
North Korean Laptop Farm Operator Sentenced to Prison
(July 24, 2025)
An Arizona woman who ran a laptop farm out of her home for three years has been sentenced to more than eight years in prison. Christina Marie Chapman's scheme enabled North Korean IT workers to accept remote positions at US companies and appear to be US citizens working from within the country. The scheme generated more than $17 million for Chapman and North Korean citizens. Chapman has also been ordered to forfeit $284,555.92 and pay a judgment of $176,850.
Editor's Note
[Neely]
Two takeaways here, first that there are now demonstrated consequences from this behavior, and second, this can be happening to any company. Make sure that your remote workers are strongly vetted, particularly those working out of the country. Consider whether you want to promote remote work out of the country, and if so, under what conditions and which controls. At a minimum, restrict the amount of data which is carried or accessible from those locations.
Read more in:
- www.theregister.com: Laptop farmer behind $17M North Korean IT worker scam locked up for 8.5 years
- www.justice.gov: Arizona Woman Sentenced for $17M Information Technology Worker Fraud Scheme that Generated Revenue for North Korea
- www.ic3.gov: North Korean IT Worker Threats to U.S. Businesses
SANS Internet Storm Center StormCast Friday, July 25, 2025
ficheck.py; Mitel and SonicWall Patches
https://isc.sans.edu/podcastdetail/9542
New File Integrity Tool: ficheck.py
Jim created a new tool, ficheck.py, that can be used to verify file integrity. It is a drop-in replacement for an older tool, fcheck, which was written in Perl and no longer functions well on modern Linux distributions.
https://isc.sans.edu
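The idea behind fcheck and its replacement is simple: record a baseline of hashes and metadata for the files you care about, then diff the live tree against it. The block below is an added illustration of that technique, not Jim's ficheck.py or any of its code. It snapshots a directory (SHA-256, mode, owner, size, mtime; symlinks recorded by target rather than followed), stores the baseline as JSON, and reports added, removed and changed paths. The demo() function builds a constructed throwaway tree under a temporary directory, tampers with it in three ways an intruder typically would, and returns the report; the file names and contents are made up for the example.

```python
"""Baseline-and-compare file integrity check, the technique behind tools like fcheck/ficheck.py."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _sha256(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file / symlink under root (relative path) to the attributes worth guarding.

    The content hash catches a replaced binary; mode/uid/gid catch a quietly chmod'ed or chown'ed
    file; a symlink is recorded by its target, not followed, so a link re-pointed at a sensitive
    file shows up. Directories are not recorded; new files inside them appear as 'added'."""
    root = Path(root)
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order keeps the JSON baseline diffable
        for name in sorted(filenames):
            p = Path(dirpath) / name
            st = p.lstat()
            rel = str(p.relative_to(root))
            if stat.S_ISLNK(st.st_mode):
                out[rel] = {"type": "symlink", "target": os.readlink(p), "mode": oct(st.st_mode)}
            elif stat.S_ISREG(st.st_mode):
                out[rel] = {"type": "file", "sha256": _sha256(p), "mode": oct(st.st_mode),
                            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
                            "mtime": int(st.st_mtime)}
    return out


def compare(baseline, current):
    """Diff two snapshots: added and removed paths, and for common paths the attribute names that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        diff = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
        if diff:  # an mtime-only change (e.g. touch) is still reported; triage it in review, not in the tool
            changed[rel] = diff
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(snap, path):
    # Keep the real baseline off-host or on read-only media: whoever can rewrite it can hide from the check.
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Build a throwaway tree (constructed data), baseline it, tamper with it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "cron.d").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "cron.d" / "backup").write_text("0 2 * * * root /usr/local/bin/backup\n")
        os.chmod(root / "hosts", 0o644)  # set the mode explicitly so the demo does not depend on umask
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Three tampering patterns an intruder leaves behind:
        with open(root / "passwd", "a") as f:          # 1. content edit (extra uid-0 account)
            f.write("eve:x:0:0::/root:/bin/bash\n")
        (root / "cron.d" / "persist").write_text("* * * * * root /tmp/.x\n")  # 2. new persistence file
        os.chmod(root / "hosts", 0o666)                 # 3. permission loosened, content untouched
        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two things to carry over to a real deployment: run the snapshot from a cron job or timer on a schedule tight enough to matter, and treat the baseline itself as the most sensitive artifact in the scheme, since a tampered baseline turns the check into a false assurance.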
Mitel Vulnerability
Mitel released a patch for a vulnerability in its MX-ONE product. The authentication bypass could provide an attacker with user or even admin privileges.
https://www.mitel.com
SonicWall SMA 100 Vulnerability
SonicWall fixed an arbitrary file upload issue in its SMA 100 series appliances. But exploitation will require credentials.
https://psirt.global.sonicwall.com
SANS Internet Storm Center StormCast Thursday, July 24, 2025
Reversing SharePoint Exploit; NPM “is” Compromise; Microsoft Quick Machine Recovery
https://isc.sans.edu/podcastdetail/9540
Reversing SharePoint “Toolshell” Exploits CVE-2025-53770 and CVE-2025-53771
A quick walk-through showing how to decode the payload of recent SharePoint exploits
https://isc.sans.edu
Compromised JavaScript NPM “is” Package
The popular npm package “is” was compromised by malware. Luckily, the malicious code was found quickly, and it was reversed after about five hours.
https://socket.dev
Microsoft Quick Machine Recovery
Microsoft added a new quick machine recovery feature to Windows 11. If the system is stuck in a reboot loop, it will boot to a rescue partition and attempt to find fixes from Microsoft.
https://learn.microsoft.com
SANS Internet Storm Center StormCast Wednesday, July 23, 2025
Sharepoint 2016 Patch; MotW Privacy and WinZip; Interlock Ransomware; Sophos Patches
https://isc.sans.edu/podcastdetail/9538
Microsoft Updates SharePoint Vulnerability Guidance CVE-2025-53770 and CVE-2025-53771
Microsoft released its update for SharePoint 2016, completing the updates across all currently supported versions.
https://msrc.microsoft.com
WinZip MotW Privacy
Starting with version 7.10, WinZip introduced an option to no longer include the download URL in zip files as part of the Mark of the Web (MotW).
https://isc.sans.edu
Interlock Ransomware
Several government agencies collaborated to create an informative and comprehensive overview of the Interlock ransomware. Just like prior writeups, this writeup is very informative, including many technical details useful to detect and block this ransomware.
https://www.cisa.gov
Sophos Firewall Updates
Sophos patched five different vulnerabilities in its firewalls. Two of them are critical, but these only affect a small percentage of users.
https://www.sophos.com
SANS Internet Storm Center StormCast Tuesday, July 22, 2025
SharePoint Emergency Patches; How Long Does Patching Take; HPE Wifi Vuln; AppLocker Bypass Risks; Zoho WorkDrive Abused
https://isc.sans.edu/podcastdetail/9536
Microsoft Released Patches for SharePoint Vulnerability CVE-2025-53770 CVE-2025-53771
Microsoft released a patch for the currently exploited SharePoint vulnerability. It also added a second CVE number identifying the authentication bypass vulnerability.
https://msrc.microsoft.com
How Quickly Are Systems Patched?
Jan took Shodan data to check how quickly recent vulnerabilities were patched. The quick answer: Not fast enough.
https://isc.sans.edu
HP Enterprise Instant On Access Points Vulnerability
HPE patched two vulnerabilities in its Instant On access points (aka Aruba). One allows for authentication bypass, while the second one enables arbitrary code execution as admin.
https://support.hpe.com
Revealing the AppLocker Bypass Risks in The Suggested Block-list Policy
AppLocker sample policies suffer from a simple bug that may enable some rule bypass, but only if signatures are not enforced. While reviewing Microsoft’s suggested configuration, Varonis Threat Labs noticed a subtle but important issue: the MaximumFileVersion field was set to 65355 instead of the expected 65535.
https://www.varonis.com
Ghost Crypt Malware Leverages Zoho WorkDrive
The Ghost malware tricks users into downloading by sending links to Zoho WorkDrive locations.
https://www.esentire.com
SANS Internet Storm Center StormCast Monday, July 21, 2025
SharePoint Exploited; Veeam Fake Voicemail Phish; Passkey Phishing Attack
https://isc.sans.edu/podcastdetail/9534
SharePoint Servers Exploited via 0-day CVE-2025-53770
Late last week, CodeWhite found a new remote code execution exploit against SharePoint. This vulnerability is now actively exploited.
https://isc.sans.edu
Veeam Voicemail Phishing
Attackers appear to impersonate VEEAM in recent voicemail-themed phishing attempts.
https://isc.sans.edu
Passkey Phishing Attack
A currently active phishing attack takes advantage of the ability to use QR codes to complete the Passkey login procedure.
https://expel.com