
SharePoint Stunner: Beijing's Nuke Snoop Spree Sparks Cyber Scramble

Author: Quiet. Please
Published: Sun 27 Jul 2025
Episode Link: https://www.spreaker.com/episode/sharepoint-stunner-beijing-s-nuke-snoop-spree-sparks-cyber-scramble--67145330

This is your China Hack Report: Daily US Tech Defense podcast.

Listeners, Ting here with your China Hack Report: Daily US Tech Defense. Buckle up, because it’s been a hair-raising 24 hours across cyberspace—a perfect storm of state-backed mischief and fresh digital fire drills. Let’s dive right in.

The big headline: Chinese hackers, specifically groups Microsoft has dubbed “Linen Typhoon,” “Violet Typhoon,” and “Storm-2603,” have punched straight through critical Microsoft SharePoint vulnerabilities. According to both Microsoft and Google’s Mandiant, these intrusions started as early as July 7, but over the last day their impacts exploded, hitting not just small businesses but the mother of all targets: the US National Nuclear Security Administration. Get this—the very agency responsible for America’s nuclear arsenal got its systems breached, with first confirmed hits rolling in on July 18. The Department of Energy says no sensitive data was stolen—chalk it up to rapid CISA-led incident response and their heavy use of Microsoft M365 cloud defenses, which mostly isolated the attack.

Now, the technical weeds. We’re talking active exploitation of CVE-2025-53770, a SharePoint Server remote code execution vulnerability, letting attackers steal cryptographic keys and potentially run stealthy commands on compromised servers. And it doesn’t end there: CISA says two more SharePoint flaws—CVE-2025-49704 and CVE-2025-49706—are being chained with a ToolShell attack sequence that combines code injection and network spoofing. The upshot? Even patched servers could be at risk if you didn’t rotate your encryption keys or run forensic remediation.

Sector-wise, it’s not just nukes. Government agencies, defense contractors, and even higher ed have seen SharePoint servers targeted. Meanwhile, US businesses using CrushFTP should pay attention to a new zero-day bug—CVE-2025-54309—with a critical 9.0 score. CISA has flagged this, and emergency patches are out. In parallel, Google Chromium’s GPU input validation flaw—also under CISA’s Known Exploited Vulnerabilities catalog—is being actively targeted. Cisco Identity Services Engines are in the crosshairs, too, with upgraded advisories after live exploitation attempts in July.

Over in malware land, security researchers spotted Cobalt Strike beacons traced to a server run by Beijing Jingdong 360 E-commerce, flagged on July 26, upping the ante on persistent access risks. For the gamer crowd, Endgame Gear confirmed their popular OP1w mouse software got hijacked to distribute Xred malware, snaring anyone who thought they were just updating drivers.

CISA and Microsoft are unanimous on immediate actions: patch everything with the latest SharePoint updates, but also scan for evidence of key theft, rotate credentials, and check for web shells or unauthorized command execution. If you’re using CrushFTP, apply their out-of-band fix now. Network defenders should monitor for lateral movement, unusual network traffic, and new accounts—especially admin roles suddenly popping up out of nowhere.
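The last of those actions, watching for new accounts that suddenly land in admin roles, is easy to automate from the Windows Security log. The script below is an added example, not code from the podcast or from CISA or Microsoft: it correlates account-creation events with privileged-group membership events and flags accounts that were created and promoted within a short window, or that were created by a computer account (which is how a command run under a web server's service identity appears in the log). The event records are a constructed, simplified rendering of real log data; the field names follow the actual schema for event IDs 4720 (user created), 4728 (member added to a global security group) and 4732 (member added to a local security group), but the SIDs, names and timestamps are made up.

```python
"""
Correlate Windows Security events to spot accounts that were created and
immediately dropped into an admin group. Sample records below are
constructed for this example and are not real log data.
"""
from datetime import datetime, timedelta

# Privileged groups worth alerting on; extend this set for your environment.
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
# 4728: member added to a global security group; 4732: to a local one.
GROUP_ADD_EVENTS = {4728, 4732}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # Normal onboarding: helpdesk creates a user, promotion comes days later.
    {"EventID": 4720, "TimeCreated": "2025-07-10T09:02:11Z",
     "SubjectUserName": "helpdesk1", "TargetUserName": "jdoe",
     "TargetSid": "S-1-5-21-1111-2222-3333-1105"},
    {"EventID": 4732, "TimeCreated": "2025-07-13T14:40:00Z",
     "SubjectUserName": "itadmin", "TargetUserName": "Administrators",
     "MemberSid": "S-1-5-21-1111-2222-3333-1105"},
    # Suspicious: the web server's machine account creates a user and adds
    # it to Administrators two seconds later.
    {"EventID": 4720, "TimeCreated": "2025-07-18T02:14:07Z",
     "SubjectUserName": "SHAREPOINT01$", "TargetUserName": "svc_backup2",
     "TargetSid": "S-1-5-21-1111-2222-3333-1201"},
    {"EventID": 4732, "TimeCreated": "2025-07-18T02:14:09Z",
     "SubjectUserName": "SHAREPOINT01$", "TargetUserName": "Administrators",
     "MemberSid": "S-1-5-21-1111-2222-3333-1201"},
    # Group add for an account whose creation is not in this batch.
    {"EventID": 4728, "TimeCreated": "2025-07-18T03:00:00Z",
     "SubjectUserName": "itadmin", "TargetUserName": "Domain Admins",
     "MemberSid": "S-1-5-21-1111-2222-3333-500"},
]


def _ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def suspicious_admin_promotions(events, window=timedelta(hours=1)):
    """Return one finding per account that was created (4720) and then added
    to a privileged group (4728/4732) within `window`, or whose creation was
    performed by a computer account (name ending in '$'). Accounts with no
    creation event in the batch are skipped by this rule."""
    created = {}  # TargetSid -> the 4720 event that created the account
    for ev in events:
        if ev["EventID"] == 4720:
            created[ev["TargetSid"]] = ev

    findings = []
    for ev in events:
        if ev["EventID"] not in GROUP_ADD_EVENTS:
            continue
        if ev["TargetUserName"] not in ADMIN_GROUPS:
            continue
        creation = created.get(ev["MemberSid"])
        if creation is None:
            continue
        gap = _ts(ev["TimeCreated"]) - _ts(creation["TimeCreated"])
        reasons = []
        if timedelta(0) <= gap <= window:
            reasons.append(f"promoted {int(gap.total_seconds())}s after creation")
        if creation["SubjectUserName"].endswith("$"):
            reasons.append(f"created by computer account {creation['SubjectUserName']}")
        if reasons:
            findings.append({
                "user": creation["TargetUserName"],
                "sid": ev["MemberSid"],
                "group": ev["TargetUserName"],
                "creator": creation["SubjectUserName"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_admin_promotions(SAMPLE_EVENTS):
        print(f"[!] {f['user']} -> {f['group']}: " + "; ".join(f["reasons"]))
```

Run against the samples, only `svc_backup2` is reported, for both reasons; the routine onboarding of `jdoe` stays quiet unless the window is widened to days, and the Domain Admins change for a pre-existing account is left to other rules. In production you would feed this from exported event XML or a SIEM query rather than the inline list, and resolve SIDs to names where the group-membership event carries only the SID.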

Finally, remember, the US and China are escalating not just in tech, but also in cyber diplomacy like their AI governance dance at the Shanghai World AI Conference this weekend. But the ground truth? For now, patch, isolate, and verify.

Thanks for tuning in. Subscribe for your next shot of cyber reality with me, Ting. This has been a Quiet. Please production; for more, check out quiet please dot ai.

For more http://www.quietplease.ai
