Also: ToolShell Hits South Africa, Most Americans Are Online Fraud Victims

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week: Did the Chinese government have a sneak peek into ToolShell? Hackers used ToolShell against South African organizations. The U.S. Cybersecurity and Infrastructure Security Agency flagged Cisco flaws. An Arizona woman was sentenced for aiding North Korean remote IT workers. Most Americans have experienced online fraud. NASCAR confirmed a data breach, and France's Naval Group probed a claimed data leak. An attack disrupted service at French telecom Orange. Dating app Tea grapples with a breach.
Microsoft Investigates Whether Chinese Partners Leaked ToolShell to Beijing
Microsoft may have given Chinese nation-state hackers a leg up on exploiting the zero-day flaws in Microsoft SharePoint known as ToolShell. The computing giant routinely gives trusted security vendors advance notice of the technical details of upcoming patches through its Microsoft Active Protections Program.
The idea is for security companies to prep antivirus signatures and intrusion detection rules in advance of a patch – a good idea in a world where users can’t or won’t update their tech strictly according to Microsoft’s monthly dump of fixes. The program includes a slew of Chinese companies, causing the computing giant to investigate whether one of them leaked exploits to Beijing, Bloomberg reported Friday.
Early attempts to exploit the flaws in the wild appeared to trace to two Chinese nation-state groups tracked as Linen Typhoon and Violet Typhoon, as well as a China-based threat actor tracked as Storm-2603 that used the vulnerabilities to deploy Warlock ransomware. Victims include the U.S. Department of Energy and its semi-autonomous National Nuclear Security Administration (see: SharePoint Zero-Days Exploited to Unleash Warlock Ransomware).
Cybersecurity researchers specializing in China, including Eugenio Benincasa and Dakota Cary, posted a blog Thursday on Natto Thoughts highlighting the intensity of the incentives and state pressure on Chinese companies to divulge zero-days to Beijing.
There’s the well-known state requirement, in effect since September 2021, for organizations doing business in China to report newly discovered zero-days within 48 hours (see: China Likely Amasses 0-Days Via Vulnerability Disclosure Law).
There’s also a voluntary reporting scheme overseen by the Ministry of State Security that gives Chinese cybersecurity firms “financial compensation and prestige,” the researchers wrote. The only thing preventing companies that receive advance data through the Microsoft Active Protections Program, and the individuals they employ, from passing it on is a nondisclosure agreement, they wrote. Their recommendation is to “temporarily suspend PRC-based companies from MAPP pending an investigation by the PRC government into the potential violation of Microsoft’s NDA with local companies.”
ToolShell Exploits Hit African Nations Amid Rising Digital Exposure
Hackers targeted at least six organizations in South Africa, including the National Treasury, a car manufacturer, a university, local government bodies and a federal agency, in late June using the set of vulnerabilities in Microsoft SharePoint known as ToolShell. Similar attacks were also reported in Mauritius and Jordan, and experts say exposure is broader across the African continent.
The vulnerabilities, CVE-2025-49706 and CVE-2025-49704, were demonstrated in May 2025 at the Pwn2Own Berlin competition and patched by Microsoft in early July. Three days after disclosure, attackers began exploiting variant flaws, CVE-2025-53770 and CVE-2025-53771, that bypassed the original fixes, in zero-day campaigns.
Victims were running on-premises versions of SharePoint, which are more common in regions where cloud adoption is limited by cost. SharePoint Online is not affected. Microsoft is assisting the National Treasury of South Africa.
CISA Flags Critical Cisco ISE Flaws
The U.S. Cybersecurity and Infrastructure Security Agency added two critical zero-day vulnerabilities in Cisco Identity Services Engine software to its catalog of known exploited vulnerabilities.
Disclosed by Cisco on June 25, the flaws stem from insufficient validation of user-supplied input in specific Cisco ISE and ISE Passive Identity Connector APIs. Tracked as CVE-2025-20281 and CVE-2025-20337, they allow an unauthenticated remote attacker to send crafted API requests and execute arbitrary code as root on a vulnerable system.
Both vulnerabilities affect Cisco ISE versions 3.3.0 through 3.4 Patch 1, including the patch releases in between. CVE-2025-20337 also affects ISE-PIC versions 3.1.0 through 3.4.0. Cisco confirmed attempted exploitation in the wild and issued patches. No workaround is available, so affected deployments should be updated rather than mitigated by configuration changes.
CISA gave federal agencies until August 18 to patch the flaws.
Arizona Woman Sentenced for Helping North Korean IT Workers Infiltrate US Firms
A U.S. federal judge sentenced Christina Marie Chapman, 50, of Arizona, to 102 months in prison for aiding North Korean IT workers in fraudulently obtaining remote jobs at 309 companies, including major American defense, tech and media firms. She pleaded guilty to charges including identity theft, wire fraud and money laundering.
Between October 2020 and October 2023, Chapman operated a laptop farm from her home, hosting company-issued computers used by North Korean workers to appear as if they were based in the United States (see: US FBI Busts North Korean IT Worker Employment Scams).
The scheme helped generate over $17 million in illicit earnings, with Chapman laundering payments through her accounts and shipping 49 devices abroad – many to China near the North Korean border.
Authorities seized over 90 laptops during a 2023 search of her home. She was charged alongside Oleksandr Didenko, a Ukrainian national who ran the UpWorkSell platform, which sold fake online credentials.
Most Americans Victims of Online Fraud
Roughly three out of every four U.S. residents have been the victim of an online scam or attack, finds the Pew Research Center in a report published Thursday. Fraudulent charges to a payment card are the most common crime, although nearly a third of Americans say hackers broke into a personal online account such as a social media, email or bank account. A quarter reported giving up personal information after receiving a scam email or text message.
One in 10 reported having to pay extortion money to ransomware hackers. Older adults have a reputation as easy marks, but Pew found a slightly higher percentage of people aged 18 to 29 falling for scams than those aged 65 and above: 73% and 66%, respectively.
Lest anyone still believe that online scams are victimless crimes, roughly a third of victims said the scam hurt their personal finances a great deal or a fair amount. The vast majority of victims, three quarters, did not inform law enforcement.
This should be no surprise: nearly seven out of 10 adults say the federal government does a very or somewhat bad job in stopping scams. Well over half – 56% – say technology companies do a bad job at protecting them.
The results are based on responses collected between April 14 and April 20 from members of a panel of randomly selected adults. A total of 9,397 individuals responded out of the 10,599 panelists contacted by Pew.
NASCAR Confirms Data Breach
The National Association for Stock Car Auto Racing said hackers stole data during a cyberattack discovered on April 3. Hackers accessed NASCAR’s network between March 31 and April 3, exfiltrating files containing personal information such as names and Social Security numbers.
The privately held company did not disclose the number of affected people or the specific attack method. The Medusa ransomware group claimed responsibility in April, saying it stole roughly one terabyte of data and demanding a $4 million ransom. NASCAR has not verified this claim.
Founded in 1948, NASCAR is a private motorsports organization that owns major racing venues and oversees national stock car racing competitions, including three racing series.
France’s Naval Group Probes Claimed Data Leak
French state-owned defense contractor Naval Group is investigating a claimed data leak after one terabyte of allegedly stolen information was offered on a criminal hacking forum by a hacker going by “Neferpitou.” The hacker posted 13 gigabytes of sample data containing technical documents, internal communications and combat management system files for military vessels. Naval Group labeled the incident a “reputational attack” and filed a formal complaint, stating it has found no signs of intrusion or operational impact.
Naval Group builds advanced naval vessels and systems for France and international clients, including Australia, Brazil and India.
Orange Isolates Systems After Cyberattack
French telecom giant Orange detected a cyberattack on July 25, leading to service disruptions primarily affecting French customers. The company’s cybersecurity arm, Orange Cyberdefense, isolated the compromised system to contain the breach, but the move caused operational issues that were expected to be resolved by Wednesday.
Orange serves 294 million customers across Europe, Africa and the Middle East and reported 40.3 billion euros in revenue for 2024.
Dating App Tea Breached
Tea, a dating app focused on women’s safety, said a data breach exposed 72,000 images, including 13,000 user-submitted selfies and photo IDs used for account verification. The incident occurred on Friday and affects users who joined before February 2024.
Tea said hackers compromised a legacy data storage system. No email addresses or phone numbers were leaked, but some images came from posts, comments and direct messages. The company said the compromised selfies had been archived to comply with law enforcement requirements on cyberbullying.
The breach occurred despite Tea’s prior promise to delete verification images immediately after review. The company has opened a full investigation with outside cybersecurity experts and says there is currently no evidence that the photos can be linked to specific users.
In an update, Tea said it disabled direct messaging and took down the affected systems.
With reporting from Information Security Media Group’s Gregory Sirico in New Jersey and David Perera in Northern Virginia.