This is your China Hack Report: Daily US Tech Defense podcast.
Ting here—your always-on, slightly sleep-deprived, and definitely caffeine-fueled narrator for the latest on China-linked cyber shenanigans targeting US tech. Strap in, friends, because the past 24 hours have been anything but boring.
Let’s talk big headlines: the **SharePoint zero-day situation**. Microsoft attributes active exploitation of two critical on-prem SharePoint bugs (CVE-2025-49704 and CVE-2025-49706, the chain nicknamed ToolShell) to at least two Chinese state-backed groups, Linen Typhoon and Violet Typhoon, plus a third China-based actor tracked as Storm-2603. The July Patch Tuesday fixes were bypassed within days, with the bypasses tracked as CVE-2025-53770 and CVE-2025-53771, and Microsoft pushed emergency out-of-band updates around July 19 to 22. So yes, if you’re running on-prem SharePoint and procrastinated on patching, this is your wake-up call: apply the latest July 2025 security updates, then rotate the ASP.NET machine keys and restart IIS, because the attackers were stealing those keys so they could keep forging requests even after the patch landed. CISA issued a fresh reminder to patch immediately and hunt for web shells, lateral movement and exfiltration; keyword: urgency. According to Nextgov, even the Department of Homeland Security was caught up in this, while the Pentagon says it largely avoided impact thanks to quick-moving sysadmins.
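If you are doing that SharePoint hunt, here is what a first triage pass over IIS logs can look like. This is an added example, not code from the podcast or from Microsoft: it assumes the publicly documented ToolShell request pattern (a POST to `/_layouts/15/ToolPane.aspx` carrying a `Referer` of `/_layouts/SignOut.aspx`) and the `spinstall0.aspx` web shell filename, and the log lines below are constructed, not real traffic.

```python
"""Triage IIS W3C logs for the publicly documented ToolShell request pattern.

Added example. The indicators are assumptions taken from public vendor
write-ups, not from the podcast:
  - POST to /_layouts/15/ToolPane.aspx (or /16/) with a Referer of
    /_layouts/SignOut.aspx  -> the authentication-bypass step of the chain
  - any request for spinstall0.aspx (or a numbered variant) -> the web shell
    used to dump the ASP.NET MachineKey
The sample log is constructed for the example.
"""
import re
from dataclasses import dataclass

# Constructed W3C log. A legitimate ToolPane POST from a settings page (last
# line) is included so the script shows it does not fire on ordinary admin use.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query s-port cs(Referer) sc-status
2025-07-19 03:12:01 203.0.113.7 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 /_layouts/SignOut.aspx 200
2025-07-19 03:12:04 203.0.113.7 GET /_layouts/15/spinstall0.aspx - 443 - 200
2025-07-19 03:15:22 198.51.100.4 GET /sites/hr/Shared%20Documents/Forms/AllItems.aspx - 443 https://sp.corp.example/sites/hr 200
2025-07-19 03:16:09 198.51.100.9 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 https://sp.corp.example/sites/hr/_layouts/15/settings.aspx 200
"""

TOOLPANE_RE = re.compile(r"^/_layouts/1[56]/toolpane\.aspx$", re.I)
SIGNOUT_RE = re.compile(r"/_layouts/(1[56]/)?signout\.aspx", re.I)
WEBSHELL_RE = re.compile(r"/spinstall\d?\.aspx$", re.I)


@dataclass(frozen=True)
class Hit:
    time: str
    client: str
    reason: str


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated record; skip rather than guess
        yield dict(zip(fields, parts))


def triage(text):
    """Return a list of Hit objects for records matching the assumed indicators."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"]
        referer = rec["cs(Referer)"]
        when = f"{rec['date']} {rec['time']}"
        # Auth bypass: ToolPane reached with a SignOut referer. A real editor
        # session arrives from a settings or site page, not from SignOut.
        if (rec["cs-method"].upper() == "POST"
                and TOOLPANE_RE.search(stem)
                and SIGNOUT_RE.search(referer)):
            hits.append(Hit(when, rec["c-ip"], "ToolPane POST with SignOut referer"))
        # Web shell: any request for the dropped spinstall*.aspx file.
        if WEBSHELL_RE.search(stem):
            hits.append(Hit(when, rec["c-ip"], f"request for {stem.rsplit('/', 1)[-1]}"))
    return hits


def suspicious_clients(hits):
    """Sorted, de-duplicated client IPs that produced at least one hit."""
    return sorted({h.client for h in hits})


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for h in found:
        print(f"{h.time}  {h.client:<15} {h.reason}")
    print("clients to pivot on:", ", ".join(suspicious_clients(found)))
```

A hit here is a starting point, not a verdict: pivot on the client address, check the `LAYOUTS` directory on every front-end for the dropped `.aspx`, and assume the machine keys are burned until you have rotated them.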
Pivot to *new attack techniques*: researchers at Guardio Labs revealed PromptFix, a prompt-injection attack on AI browsers. The malicious instructions are hidden inside a fake CAPTCHA check, invisible to the human but read and obeyed by the browser’s AI agent. Guardio demonstrated it against an agentic AI browser in the lab; it is a technique to watch, not (so far) a confirmed Chinese APT tool. Imagine your browser with GenAI capabilities suddenly following orders embedded in a “prove you’re not a robot” pop-up. This is social engineering aimed at the machine rather than the person, and the defensive answer is the same one agent builders are now working toward: keep untrusted page content separate from instructions, sandbox what the agent is allowed to do, and require a human confirmation before sensitive actions like payments or credential entry. Absolutely upgrade your browsers when an update lands; don’t wait.
Now, in the same cyber time zone: the *Trend Micro Apex One* vulnerability, tracked as CVE-2025-54948, a pre-authentication command-injection flaw in the on-premises management console, landed on CISA’s Known Exploited Vulnerabilities catalog yesterday after exploitation was confirmed in the wild, with reports of attacks on healthcare and finance targets. Trend Micro shipped an interim mitigation tool first and a full patch after it, so check which one you actually have. CISA’s direction for federal networks: deploy the latest fix, hunt for persistence mechanisms on the console host, and review audit logs for exfiltration attempts dating back at least two weeks.
Meanwhile, ProPublica just dropped an exposé on Microsoft. It turns out that for years Microsoft allowed China-based engineers to maintain US Defense Department Azure cloud systems, supervised by US-citizen “digital escorts” who often lacked the technical skill to judge what the engineers were actually doing, a setup that had former Defense CIO John Sherman openly alarmed in LinkedIn posts. The escort practice was supposed to keep things secure, but experts agree: if your tech support sits behind the Great Firewall, assume Chinese agencies can compel them. Microsoft says it has stopped using China-based engineers for Defense Department cloud support, but lawmakers are pressing for tighter contractor vetting and a full accounting of all foreign personnel with potential access.
Quick sector check: web hosting and telecom are getting hammered, especially in Taiwan and at US entities with East Asia ties. The FBI and Cisco Talos both warn that the old Smart Install flaw CVE-2018-0171 in Cisco IOS and IOS XE gear is being exploited again, mostly against end-of-life devices that never got the fix; the patch has existed since 2018, but policy and patching didn’t keep pace with the hardware lifecycle. For defenders, the playbook is painfully familiar: patch or retire the box, disable Smart Install where you don’t need it (`no vstack`, and check with `show vstack config`), watch running configs for shadow admin users and unexpected TFTP exports, and audit for SYNful Knock-style router implants.
CISA’s final word in their overnight blast: treat every cloud and legacy system as potentially compromised until checked. Immediate measures? Update, back up, restrict privileged access, and prepare for incident response drills now.
Listeners, the cyber kitchen is officially on fire, but together, we’re dishing out armor, not just alarm bells. Thanks for tuning in—don’t forget to subscribe, and tell your SOC analyst they owe you a coffee. This has been a quiet please production, for more check out quiet please dot ai.
For more http://www.quietplease.ai