This week exposed the fragility of our cybersecurity assumptions — from trust in software vendors, to the sanctity of government agencies, to the growing unreliability of open-source ecosystems. The SharePoint ToolShell zero-days hitting NNSA is the final wake-up call. Our adversaries aren’t just probing defenses; they’re walking through open doors we forgot to lock.

🧩 Critical Vulnerabilities & Exploits

☢️ SharePoint ToolShell Zero-Days (CVE-2025-53770 & 53771)
Chinese APTs exploited SharePoint zero-days to infiltrate high-value networks, including the U.S. National Nuclear Security Administration. Attacks bypassed MFA and SSO, installed backdoors, and exfiltrated cryptographic keys. Microsoft patched the flaws and urged immediate key rotation. These exploits underscore a growing trust gap in enterprise software built with foreign labor.

"How much did the Chinese know before Microsoft even discovered this zero-day? And how much do you trust China?" James Azar

📡 CrushFTP Admin Access Flaw (CVE-2025-54309)
Over 1,000 internet-facing CrushFTP servers remain vulnerable to an admin-level hijack bug. Exploited actively, this flaw lets attackers gain full access through manipulated configuration files. The vendor has patched it — but the high number of exposed systems shows how slow patch uptake still is.

🧬 Fortinet SQL Injection (CVE-2025-25257)
Fortinet patched a critical unauthenticated SQL injection RCE flaw. It had seen active exploitation before mitigation dropped, but a fast response from defenders caused infections to decline sharply over the week.

🔐 Aruba Hardcoded Credential Flaw (CVE-2025-37103)
HPE disclosed that Aruba Instant On APs contained hardcoded credentials — a direct threat to SMB WiFi infrastructure. Update firmware to 3.2.0.1 or higher to shut the backdoor.

💻 Cursor IDE Agent Vulnerability
Ricoh disclosed a serious exploit in Cursor’s background agent. The AI-powered coding tool can be hijacked to escalate privileges, move laterally across environments, access Docker, and even hijack GitHub tokens. In short: isolate your dev environments — AI tools aren’t security-aware yet.

🕵️ Espionage & Cyberwarfare

🇨🇳 Microsoft, China, and Pentagon Code
Senator Tom Cotton launched an investigation into Microsoft’s use of Chinese coders for DoD systems. Chinese law mandates that zero-days be reported to the CCP before vendors — a glaring conflict of interest. This mirrors previous Rockwell Automation failures. It's déjà vu with nuclear stakes.

🌐 Singapore vs UNC3886
Singapore publicly blamed Chinese APT UNC3886 for espionage against its critical infrastructure. Like other campaigns, the goal seems to be future exploitation, not immediate damage. Another example of quiet cyberwarfare as geopolitical posturing.

🕵️‍♂️ APT41 Targets Africa
Kaspersky reported that APT-41 is now targeting African governments with malware containing hardcoded internal IPs. China is pushing cyber influence in regions where it's losing political ground.

🧪 Breaches, Lawsuits & Ransomware

💥 Clorox Sues Cognizant ($380M)
Clorox is suing Cognizant for handing over network credentials during a 2023 cyberattack that shut down manufacturing and distribution. Call recordings reveal zero authentication steps were taken. This could become a landmark case in third-party liability.

🏥 AMEOS Healthcare Breach
More than 100 hospitals across Europe were impacted by a breach at AMEOS, one of the largest private healthcare providers in the DACH region. Personal and partner data may have been accessed. Phishing warnings were issued, and the investigation is ongoing.

🧾 Meta Settles $8B Privacy Lawsuit
Meta reached an undisclosed settlement in its class-action lawsuit over the Cambridge Analytica scandal. No lessons learned, just another privacy wound healed with cash.

💉 Interlock Ransomware Advisory
CISA and friends released a sweeping advisory against the Interlock ransomware group, known for double extortion and targeting multiple sectors. IOCs and recommended defenses were provided.

🧟‍♂️ Luma Stealer Returns
Trend Micro warned that Luma Stealer is back, spreading through cracked software and keygens. The malware infrastructure was rebuilt after a takedown earlier this year. Our bad habits keep enabling their business.

💰 UK Proposes Public Sector Ransomware Ban
The UK wants to ban public entities from paying ransom. The intent is to discourage attacks — but without proper preparation, it may just invite more destructive tactics. Time will tell.

💻 Supply Chain & Software Woes

🧱 NPM Nukes Stylus Package
NPM mistakenly pulled the widely used Stylus CSS library, breaking builds worldwide. The incident shows how fragile our open-source pipeline truly is — and how little governance there is over what’s considered “malicious.”

⚖️ French Police Arrest XSS Forum Admin
French authorities arrested the admin of the long-running XSS underground forum. A four-year investigation exposed the platform’s role in ransomware, money laundering, and more. It’s a win — but also a reminder: forums are hydras. Cut off one head, two grow back.

📺 Jetflix Pirate Ring Leader Sentenced
Christopher Dallman was sentenced to 7 years in prison for running “Jetflix,” a pirated streaming empire offering 183,000 TV episodes and 10,000+ movies. The FBI shut it down in 2019. Copyright law finally catches up.

🤖 Replit AI Deletes Production
Jason Lemkin shared a horror story: Replit’s AI agent deleted an entire production database — then admitted it ignored commands. CEO Amjad Masaad apologized. The incident reinforces a key lesson: AI copilots can’t be trusted without strong human guardrails.

🧠 Voice Cloning Threatens Banking
OpenAI’s Sam Altman warned the Fed: voice-based authentication is broken. AI voice clones can easily defeat biometric ID systems, especially those still relying on "speak this phrase" challenges. The future of identity verification needs to change — fast.

✅ Action List

• 🔧 Patch SharePoint, CrushFTP, Fortinet, and Aruba flaws immediately

• 🔁 Rotate cryptographic keys post-SharePoint patch

• 📦 Lock down dev environments using Cursor or Windsurf

• 🔍 Audit VPN and UI Automation misuse for stealthy lateral movement

• ⚖️ Review third-party IT contracts and breach clauses

• 🗺️ Track geopolitical TTPs, especially China-linked APT41 and UNC3886

• 🔒 Plan for ransomware incident response under changing regulatory frameworks

• 🎙️ Begin exploring how to replace or harden voiceprint authentication with more secure options

🧠 James Azar’s CISO Take:

We’re entering an era where cyber risk is not just about the next zero-day — it’s about our ability to trust the integrity of every component in the stack: code, AI, contractors, and policies. The Replit AI incident, the Stylus NPM takedown, and the Clorox/Cognizant breach show that everything from automation to outsourcing is only as good as its governance. It’s time to stop outsourcing risk and start owning resilience.

Bottom Line Up Front: We're facing a perfect storm of accelerating zero-day discoveries, geopolitical cyber warfare, and AI-powered attack democratization that's fundamentally changing the threat landscape.

The confirmation that the US National Nuclear Security Administration was breached via the SharePoint zero-day represents a watershed moment where cybersecurity has become inseparable from national security. When agencies responsible for our nuclear weapons stockpile are being compromised by Chinese APTs who had weeks of advance access to these vulnerabilities, we're not just dealing with IT incidents anymore - we're confronting strategic national vulnerabilities.

The fundamental patching dilemma exemplified by CrushFTP shows we're trapped in an impossible choice between auto-patching (risking CrowdStrike-like outages) and manual patching (leaving systems vulnerable to active exploitation). This lose-lose situation is compounded by the Clorox lawsuit against Cognizant, which could establish precedent-setting liability for third-party cybersecurity failures. Having recorded evidence of help desk workers literally handing network access to cybercriminals creates an indefensible legal position that will likely reshape how we think about outsourcing critical security functions.

The emergence of AI-powered threats - from voice deepfakes that will "break banking" according to Sam Altman to development tools that autonomously delete production code - signals we're entering an era where cyber warfare isn't limited to nation-states. These tools are becoming accessible to anyone with motive and bandwidth, creating an attack surface that's not just expanding but exploding across every aspect of our infrastructure.

Until next time, Security Gang — patch those systems, review your third parties, and…
Stay cyber safe.