Cybersecurity Threats and Trends - 07/29/2025

This week's threat landscape is dominated by state-sponsored actors and sophisticated cybercrime groups targeting critical infrastructure and enterprise systems.


While you were busy explaining to your boss why "admin123" isn't technically a password because it has numbers in it, threat actors were busy turning enterprise SharePoint servers into their personal ransomware distribution centers. Grab your coffee and prepare for this week's cybersecurity nightmare fuel – spoiler alert: the Chinese APT groups are having a field day.

1. Chinese APT Groups Exploit SharePoint Zero-Days in Massive Global Campaign

Primary Threat: Multiple Chinese state-sponsored hacking groups have compromised over 400 organizations worldwide through critical SharePoint vulnerabilities.

Risk: CRITICAL

Microsoft reports that Chinese threat actors, including the notorious Linen Typhoon (APT27), Violet Typhoon (APT31), and Storm-2603, have been actively exploiting zero-day vulnerabilities in on-premises Microsoft SharePoint servers since July 7, 2025. The attack campaign, dubbed "ToolShell," leverages a chain of critical vulnerabilities (CVE-2025-49706, CVE-2025-49704, and CVE-2025-53770) to achieve remote code execution and deploy ransomware across enterprise networks. What makes this particularly alarming is the scale and sophistication of the operation – over 420 SharePoint servers remain exposed online and vulnerable according to Shadowserver tracking, with at least 148 organizations confirmed breached across multiple continents.

The attackers' methodology demonstrates advanced persistent threat capabilities, beginning with initial compromise through the SharePoint vulnerabilities, followed by credential harvesting using Mimikatz to extract plaintext passwords from LSASS memory. They then employ lateral movement techniques using PsExec and the Impacket toolkit, executing commands via Windows Management Instrumentation (WMI) and modifying Group Policy Objects to deliver Warlock and LockBit ransomware payloads across compromised networks. The campaign has already impacted critical U.S. government agencies, including the Department of Energy's National Nuclear Security Administration, the Department of Education, and the National Institutes of Health, raising serious national security concerns.

Detection and Remediation Tips:

  • Apply Microsoft's emergency SharePoint Server security updates immediately if you haven't already

  • Conduct comprehensive network scans to identify any SharePoint servers that may have been compromised since July 7

  • Implement network segmentation to isolate SharePoint servers from critical business systems

  • Review and strengthen authentication mechanisms for all SharePoint deployments

  • Monitor for indicators of compromise including unusual WMI activity and unauthorized GPO modifications

  • Establish out-of-band communication channels in case primary systems become compromised

  • Consider temporarily taking SharePoint servers offline if patching cannot be completed immediately
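As an added illustration (not from the newsletter or any vendor), the WMI, GPO and PsExec monitoring advice above turned into a small triage rule set over constructed Windows Security events. The 4688 and 5136 event IDs and the w3wp.exe / WmiPrvSE.exe parent-process patterns are real Windows behaviour; the host names, accounts and the GPO editor allow-list are hypothetical.

```python
# Added example (not from the newsletter): the WMI / GPO / PsExec indicators
# above as a small triage over Windows Security events already parsed to dicts
# (e.g. exported from a SIEM). Everything but the event IDs is constructed.
from __future__ import annotations

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe"}
GPO_EDITORS = {"gpo-admin"}  # hypothetical allow-list of accounts that may edit GPOs

def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: dict) -> str | None:
    """Map one event to a detection tag, or None if no rule matches."""
    if ev.get("EventID") == 4688:  # process creation
        parent = _basename(ev.get("ParentProcessName", ""))
        child = _basename(ev.get("NewProcessName", ""))
        if parent == "w3wp.exe" and child in SHELLS:
            return "iis-worker-spawned-shell"  # SharePoint RCE / web shell pattern
        if parent == "wmiprvse.exe" and child in SHELLS:
            return "wmi-spawned-shell"         # command execution via WMI
        if child == "psexesvc.exe":
            return "psexec-service-binary"     # PsExec lateral movement
    if ev.get("EventID") == 5136 and ev.get("ObjectClass", "").lower() == "grouppolicycontainer":
        if ev.get("SubjectUserName", "").lower() not in GPO_EDITORS:
            return "gpo-edit-by-unexpected-account"
    return None

def triage(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (host, account, tag) for every event a rule matches."""
    return [(ev.get("Computer", "?"), ev.get("SubjectUserName", "?"), tag)
            for ev in events if (tag := classify(ev))]

# Constructed sample: one legitimate GPO edit, then the four suspicious patterns.
SAMPLE_EVENTS = [
    {"EventID": 5136, "Computer": "DC01", "SubjectUserName": "gpo-admin",
     "ObjectClass": "groupPolicyContainer"},
    {"EventID": 4688, "Computer": "FS02", "SubjectUserName": "svc-backup",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "Computer": "SP01", "SubjectUserName": "sp-apppool",
     "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 4688, "Computer": "FS02", "SubjectUserName": "svc-backup",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": r"C:\Windows\PSEXESVC.exe"},
    {"EventID": 5136, "Computer": "DC01", "SubjectUserName": "svc-backup",
     "ObjectClass": "groupPolicyContainer"},
]
```

Running `triage(SAMPLE_EVENTS)` leaves the allow-listed GPO edit alone and flags the other four records, which is the point: the same account touching a file server via WMI, dropping PSEXESVC.exe and then editing a GPO is exactly the chain described above.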

2. Scattered Spider Targets VMware ESXi in Critical Infrastructure Ransomware Spree

Primary Threat: The notorious Scattered Spider cybercrime group is aggressively targeting VMware ESXi hypervisors across U.S. critical infrastructure sectors.

Risk: HIGH

Google's Mandiant team disclosed that Scattered Spider (also known as 0ktapus, Muddled Libra, Octo Tempest, and UNC3944) has launched a coordinated campaign targeting VMware ESXi hypervisors in the retail, airline, transportation, and insurance sectors across North America. Unlike typical ransomware operations that rely on software exploits, these attacks demonstrate sophisticated social engineering tactics centered on phone calls to IT help desks, followed by a "living-off-the-land" approach that manipulates trusted administrative tools to avoid detection. The group's precision-targeted operations focus specifically on organizations' most critical virtualized systems and data, making recovery particularly challenging for affected entities.

Detection and Remediation Tips:

  • Implement strict verification procedures for IT help desk requests, especially those involving privileged access

  • Deploy additional monitoring on VMware ESXi environments for unusual administrative activity

  • Establish multi-factor authentication requirements for all hypervisor management interfaces

  • Create offline backup copies of critical virtual machines stored separately from the primary infrastructure

3. France's Naval Group Defense Contractor Suffers 1TB Data Breach

Primary Threat: France's state-owned warship builder Naval Group is investigating a cyberattack resulting in 1TB of allegedly stolen data being leaked on hacking forums.

Risk: HIGH

BleepingComputer reports that Naval Group, the French state-owned defense contractor responsible for building warships and submarines, has confirmed a significant cybersecurity incident. The breach has resulted in approximately 1TB of sensitive data being leaked on underground hacking forums, potentially exposing classified defense information, technical specifications, and operational details related to naval vessels. Given Naval Group's role in France's national defense infrastructure and its contracts with international military organizations, this breach raises serious concerns about potential intelligence gathering by foreign adversaries.

Detection and Remediation Tips:

  • Defense contractors should immediately review data classification and access controls for sensitive technical information

  • Implement enhanced monitoring for unusual data exfiltration activities

  • Conduct thorough security assessments of all external-facing systems and third-party connections

Did you know...?

The term "Advanced Persistent Threat" (APT) was actually coined by the U.S. Air Force in 2006 to describe sophisticated, state-sponsored cyber espionage campaigns. Today's SharePoint attacks by Chinese APT groups demonstrate exactly why this classification remains relevant – these aren't opportunistic hackers looking for quick wins, but well-resourced, patient adversaries who maintain long-term access to target networks for strategic intelligence gathering and disruption capabilities.

4. Toptal GitHub Organization Compromised to Publish Malicious npm Packages

Primary Threat: Attackers compromised Toptal's GitHub organization account and published 10 malicious npm packages that were downloaded over 5,000 times.

Risk: HIGH

TheHackerNews revealed that unknown threat actors successfully compromised Toptal's GitHub organization account and used it to distribute malicious npm packages to the developer community. The supply chain attack resulted in 10 compromised packages being downloaded more than 5,000 times before detection, potentially affecting numerous development environments and downstream applications. This incident highlights the ongoing vulnerability of software supply chains and the trust relationships that developers place in established organizations' repositories.

Detection and Remediation Tips:

  • Audit all npm packages in your development environments for any Toptal-related dependencies

  • Implement package integrity verification and dependency scanning in your CI/CD pipelines

  • Review GitHub organization security settings and enable two-factor authentication for all maintainers

5. Critical Vulnerabilities Discovered in Niagara Framework for Smart Buildings

Primary Threat: Over a dozen security vulnerabilities in Tridium's Niagara Framework could allow network-based attackers to compromise smart building and industrial control systems.

Risk: HIGH

Nozomi Networks Labs disclosed more than a dozen security vulnerabilities affecting Tridium's Niagara Framework, a widely-used platform for managing HVAC, lighting, energy management, and security systems in smart buildings and industrial environments. The vulnerabilities are fully exploitable when Niagara systems are misconfigured with disabled encryption, allowing attackers with network access to potentially compromise building management systems. Given the framework's deployment across critical infrastructure facilities, hospitals, and commercial buildings worldwide, successful exploitation could result in physical security breaches, service disruptions, or even life safety incidents.

Detection and Remediation Tips:

  • Immediately audit all Niagara Framework deployments to ensure encryption is properly enabled

  • Implement network segmentation to isolate building management systems from corporate networks

  • Apply available security patches and follow Tridium's hardening guidelines

6. Allianz Life Data Breach Impacts Majority of 1.4 Million Customers

Primary Threat: Insurance giant Allianz Life has confirmed that personal information for the majority of its 1.4 million customers was exposed in a recent data breach.

Risk: MEDIUM-HIGH

Allianz Life acknowledged that a cybersecurity incident earlier this month resulted in unauthorized access to personal information belonging to the majority of its 1.4 million customers. While the company has not disclosed the specific attack vector or the full extent of compromised data types, the scale of the breach affecting over one million individuals in the financial services sector raises significant concerns about identity theft and financial fraud risks for affected customers.

Detection and Remediation Tips:

  • Allianz Life customers should monitor credit reports and financial accounts for suspicious activity

  • Organizations in the financial sector should review data encryption and access controls for customer information

  • Implement enhanced fraud detection mechanisms for customer accounts

IN SUMMARY:

The ongoing SharePoint zero-day exploitation campaign represents one of the most significant security incidents of 2025, with Chinese APT groups demonstrating their ability to conduct coordinated, large-scale operations against both government and private sector targets.

Meanwhile, the continued success of social engineering attacks like those conducted by Scattered Spider reminds us that human factors remain the weakest link in even the most technically sophisticated security programs.

🚨 Key Takeaways:
✔️ Chinese APT groups are actively exploiting SharePoint zero-days in a global campaign affecting 400+ organizations.
✔️ Critical infrastructure sectors are under sustained attack from both state-sponsored and cybercriminal groups.
✔️ Supply chain attacks continue to evolve, with GitHub and npm repositories being weaponized for malware distribution.
✔️ Smart building and industrial control systems face increasing threats from network-based attackers.
✔️ Social engineering remains a primary attack vector for gaining initial access to enterprise environments.
✔️ Defense contractors and government agencies are prime targets for data exfiltration operations.

🔎 Immediate Actions:
✔️ Patch all SharePoint servers immediately and implement additional monitoring for signs of compromise
✔️ Review and strengthen IT help desk verification procedures to prevent social engineering attacks
✔️ Audit software dependencies and implement supply chain security controls in development environments
✔️ Conduct security assessments of building management and industrial control systems
✔️ Implement network segmentation to isolate critical systems from potential compromise
✔️ Establish incident response procedures specifically for state-sponsored attack scenarios

💡 Stay vigilant, keep your systems patched, and remember – in cybersecurity, paranoia isn't a bug, it's a feature. 💡

J.W.
