- Mycomputerspot Security Newsletter
- Posts
- Fail-Safe Friday - 08/22/25
In partnership with
A new wave of threats demands your immediate attention: The Warlock ransomware group is exploiting unpatched SharePoint vulnerabilities to gain access, steal credentials, and deploy ransomware; a massive DaVita healthcare breach underscores how costly data-theft-first extortion has become; and RMM platforms remain critical targets with N‑able N‑central flaws now added to CISA’s KEV. If your identity systems, collaboration stacks, and MSP channels aren’t hardened this weekend, you're running on borrowed time.
Unmanaged AI = Unmanaged Risk. Shadow IT Could Be Spreading in Your Org
You wouldn’t allow unmanaged devices on your network, so why allow unmanaged AI into your meetings?
Shadow IT is becoming one of the biggest blind spots in cybersecurity.
Employees are adopting AI notetakers without oversight, creating ungoverned data trails that can include confidential conversations and sensitive IP.
Don't wait until it's too late.
This Shadow IT prevention guide from Fellow.ai gives Security and IT leaders a playbook to prevent shadow AI, reduce data exposure, and enforce safe AI adoption, without slowing down innovation.
It includes a checklist, policy templates, and internal comms examples you can use today.
Top-level takeaways this week:
Ransomware & Extortion remains paramount—Warlock’s SharePoint-based chain delivers credential theft before encryption turnaround.
Credential Theft persists as a force-multiplier, causing ~20% of breaches—remediation times average 94 days.
Automation continues its advance: scanning volume is up ~16.7% YoY, targeting exposed identity and OT/IoT infrastructure.
AI‑enhanced social engineering is verifying its power—deepfake and token-based scams outpace classic attachment methods.
1) Warlock Ransomware Attacks – High
Warlock is now globally active. They're weaponizing unpatched SharePoint vulnerabilities (CVE‑2025‑49704, CVE‑2025‑49706, CVE‑2025‑53770, CVE‑2025‑53771) to drop web shells, steal credentials, manipulate GPOs, and launch ransomware with data exfiltration via RClone.
These operations have impacted critical infrastructure across multiple continents, including a documented event at Colt Technology Services.
Why this matters: Unpatched SharePoint is now a Tier-0 ransack path—urgent patch and protection required.
2) Healthcare Data Thefts Escalate – High
At DaVita, a ransomware event impacted 2.7 million individuals and triggered $13.5M in remediation costs; Inotiv, a biotech firm, was struck by Qilin ransomware, leaking 176GB of sensitive files.
Why this matters: Patient care continuity and regulatory compliance are at real risk—and fiscal exposure isn't healing any time soon.
3) Credential Theft Surge – Medium
Credential theft incidents are up 160% this year, now constituting ~20% of data breaches. Average remediation time? 94 days.
Why this matters: Compromised credentials remain a leading path to internal fraud, lateral spread, and ransomware—without MFA, you're exposed.
4) AI-Powered Scams & Infrastructure Abuse – Medium
Deepfake CEO impersonation scams are up sharply… 105K cases reported in 2024; AI-driven phishing and “fake help” sites are now delivering new malware like SHAMOS on macOS.
Why this matters: Threat actors are speeding deployment with AI—in both infra buildouts and social engineering—outpacing conventional detection models.
Heads‑up (mobile): Google’s Aug Android update patches Qualcomm GPU flaws linked to targeted exploitation; prioritize high‑risk mobile fleets.
Stage | Vector | What we’re seeing |
|---|---|---|
Initial access | SharePoint & RMM | Unpatched on‑prem SharePoint abuse (Warlock); RMM job/script misuse for mass client reach. |
Lateral/persist (CISA) | Token & service abuse | Token replay, exfil of service creds, over‑scoped service principals; scheduled tasks via RMM/EDR consoles. |
Impact (Reuters) | Data theft → extortion | Exfiltration before encryption; healthcare PII/PHI used for leverage; public leaks drive compliance cost. |
🔄 Patch & Hardening
Apply latest patches for SharePoint; disable legacy auth and WAF external endpoints.
Update N-central to 2025.3+ and rotate every privileged credential.
Check Android device fleets for Qualcomm patch.
🧑💻 People & Monitoring
Launch similar hunts: .aspx file changes, w3wp child processes, archive exfil activity, and unexpected RMM tasks.
Alert on deepfake-style impersonation attempts from finance or leadership.
📋 Process
Freeze identity/RMM changes until Monday; enforce SIEM streaming with real-time alerts.
Kick off data leak communication playbooks placed for healthcare-style scenarios.
🤝 Partners
Require MSP attestations: patch status, job history reviews, real-time SIEM integration, and sub-15 min incident escalation.
SharePoint & RMM are this week’s greatest threat vectors—contain before they contain you.
Data theft is the new standard in ransomware—prepare your compliance, not just recovery.
Automated scanning and credential misuse are silent but relentless—assume detection is evasion.
🔄 Attest: All SharePoint and MSP platforms are patched and monitored.
📊 Validate: Healthcare partner(s) data-exfil protocols and plan.
💼 Confirm: Authentication hygiene across identity estate.
🔹 Double-check: Monday tabletop drill: “Warlock SharePoint → RMM pivot → data theft extortion.”
Final Insight: AI can be your best frenemy…
Is Shadow IT already in your organization?
You wouldn’t allow unmanaged devices on your network, so why allow unmanaged AI into your meetings?
Shadow IT is becoming one of the biggest blind spots in cybersecurity.
Employees are adopting AI notetakers without oversight, creating ungoverned data trails that can include confidential conversations and sensitive IP.
Don't wait until it's too late.
This Shadow IT prevention guide from Fellow.ai gives Security and IT leaders a playbook to prevent shadow AI, reduce data exposure, and enforce safe AI adoption, without slowing down innovation.
It includes a checklist, policy templates, and internal comms examples you can use today.