The vulnerability-watching "Zero Day Initiative" was started in 2005 as a division of 3Com, then acquired in 2015 by cybersecurity company Trend Micro, according to Wikipedia.

But the Register reports today that the initiative's head of threat awareness is now concerned about the source for that exploit of Microsoft's Sharepoint servers: How did the attackers, who include Chinese government spies, data thieves, and ransomware operators, know how to exploit the SharePoint CVEs in such a way that would bypass the security fixes Microsoft released the following day? "A leak happened here somewhere," Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, told The Register. "And now you've got a zero-day exploit in the wild, and worse than that, you've got a zero-day exploit in the wild that bypasses the patch, which came out the next day...."

Patch Tuesday happens the second Tuesday of every month — in July, that was the 8th. But two weeks before then, Microsoft provides early access to some security vendors via the Microsoft Active Protections Program (MAPP). These vendors are required to sign a non-disclosure agreement about the soon-to-be-disclosed bugs, and Microsoft gives them early access to the vulnerability information so that they can provide updated protections to customers faster....

One researcher suggests a leak may not have been the only pathway to exploit. "Soroush Dalili was able to use Google's Gemini to help reproduce the exploit chain, so it's possible the threat actors did their own due diligence, or did something similar to Dalili, working with one of the frontier large language models like Google Gemini, o3 from OpenAI, or Claude Opus, or some other LLM, to help identify routes of exploitation," Tenable Research Special Operations team senior engineer Satnam Narang told The Register. "It's difficult to say what domino had to fall in order for these threat actors to be able to leverage these flaws in the wild," Narang added.

Nonetheless, Microsoft did not release any MAPP guidance for the two most recent vulnerabilities, CVE-2025-53770 and CVE-2025-53771, which are related to the previously disclosed CVE-2025-49704 and CVE-2025-49706. "It could mean that they no longer consider MAPP to be a trusted resource, so they're not providing any information whatsoever," Childs speculated. [He adds later that "If I thought a leak came from this channel, I would not be telling that channel anything."]

"It also could mean that they're scrambling so much to work on the fixes they don't have time to notify their partners of these other details.

Since 2010 Stack Exchange has run all its sites on physical hardware in New Jersey — about 50 different servers. (When Ryan Donovan joined in 2019, "I saw the original server mounted on a wall with a laudatory plaque like a beloved pet.") But this month everything moved to the cloud, a new blog post explains. "Our servers are now cattle, not pets. Nobody is going to have to drive to our New Jersey data center and replace or reboot hardware..." Over the years, we've shared glamor shots of our server racks and info about updating them. For almost our entire 16-year existence, the SRE team has managed all datacenter operations, including the physical servers, cabling, racking, replacing failed disks and everything else in between. This work required someone to physically show up at the datacenter and poke the machines... [O]n July 2nd, in anticipation of the datacenter's closure, we unracked all the servers, unplugged all the cables, and gave these once mighty machines their final curtain call...

We moved Stack Overflow for Teams to Azure in 2023 and proved we could do it. Now we just had to tackle the public sites (Stack Overflow and the Stack Exchange network), which is hosted on Google Cloud. Early last year, our datacenter vendor in New Jersey decided to shut down that location, and we needed to be out by July 2025. Our other datacenter — in Colorado — was decommissioned in June. It was primarily for disaster recovery, which we didn't need any more. Stack Overflow no longer has any physical datacenters or offices; we are fully in the cloud and remote...!

[O]ur Staff Site Reliability Engineer, got a little wistful. "I installed the new web tier servers a few years ago as part of planned upgrades," he said. "It's bittersweet that I'm the one deracking them also." It's the IT version of Old Yeller.
There's photos of the 50 servers, as well as the 400+ cables connecting them, all of which wound up in a junk pile. "For security reasons (and to protect the PII of all our users and customers), everything was being shredded and/or destroyed. Nothing was being kept... Ever have difficulty disconnecting an RJ45 cable? Well, here was our opportunity to just cut the damn things off instead of figuring out why the little tab wouldn't release the plug."

An anonymous reader quotes a report from 404 Media: Users from 4chan claim to have discovered an exposed database hosted on Google's mobile app development platform, Firebase, belonging to the newly popular women's dating safety app Tea. Users say they are rifling through peoples' personal data and selfies uploaded to the app, and then posting that data online, according to screenshots, 4chan posts, and code reviewed by 404 Media. In a statement to 404 Media, Tea confirmed the breach also impacted some direct messages but said that the data is from two years ago. Tea, which claims to have more than 1.6 million users, reached the top of the App Store charts this week and has tens of thousands of reviews there. The app aims to provide a space for women to exchange information about men in order to stay safe, and verifies that new users are women by asking them to upload a selfie.

"Yes, if you sent Tea App your face and drivers license, they doxxed you publicly! No authentication, no nothing. It's a public bucket," a post on 4chan providing details of the vulnerability reads. "DRIVERS LICENSES AND FACE PICS! GET THE FUCK IN HERE BEFORE THEY SHUT IT DOWN!" The thread says the issue was an exposed database that allowed anyone to access the material. [...] "The images in the bucket are raw and uncensored," the user wrote. Multiple users have created scripts to automate the process of collecting peoples' personal information from the exposed database, according to other posts in the thread and copies of the scripts. In its terms of use, Tea says "When you first create a Tea account, we ask that you register by creating a username and including your location, birth date, photo and ID photo."

After publication of this article, Tea confirmed the breach in an email to 404 Media. The company said on Friday it "identified unauthorized access to one of our systems and immediately launched a full investigation to assess the scope and impact." The company says the breach impacted data from more than two years ago, and included 72,000 images (13,000 selfies and photo IDs, and 59,000 images from app posts and direct messages). "This data was originally stored in compliance with law enforcement requirements related to cyber-bullying prevention," the email continued. "We have engaged third-party cybersecurity experts and are working around the clock to secure our systems. At this time, there is no evidence to suggest that current or additional user data was affected. Protecting our users' privacy and data is our highest priority. We are taking every necessary step to ensure the security of our platform and prevent further exposure."

Domain Name System Security Extensions has achieved only 34% deployment after 28 years since publication of the first DNSSEC RFC, according to Internet Society data that labels it "arguably the worst performing technology" among internet enabling technologies. HTTPS reaches 96% adoption among the top 1,000 websites globally despite roughly the same development timeline as DNSSEC.

The security protocol faces fundamental barriers including lack of user visibility compared to HTTPS padlock icons and mandatory implementation throughout the entire DNS hierarchy. Approximately 30% of country-level domains have not implemented DNSSEC, creating deployment gaps that prevent domains beneath them from securing their DNS records.

Microsoft used China-based engineering teams to maintain cloud computing systems for multiple federal departments including Justice, Treasury, and Commerce, extending the practice beyond the Defense Department that the company announced last week it would discontinue. The work occurred within Microsoft's Government Community Cloud, which handles sensitive but unclassified federal information and has been used by the Justice Department's Antitrust Division for criminal and civil investigations, as well as parts of the Environmental Protection Agency and Department of Education.

Microsoft employed "digital escorts" -- U.S.-based personnel who supervised the foreign engineers -- similar to the arrangement it used for Pentagon systems. Following ProPublica's reporting, Microsoft issued a statement indicating it would take "similar steps for all our government customers who use Government Community Cloud to further ensure the security of their data." Competing cloud providers Amazon Web Services, Google, and Oracle told ProPublica they do not use China-based support for federal contracts.

A cyber-espionage campaign exploiting vulnerable Microsoft server software has escalated to deploying ransomware against victims, Microsoft said, marking a significant shift from typical state-backed data theft operations to attacks designed to paralyze networks until payment is made. The campaign by a group Microsoft calls "Storm-2603" has compromised at least 400 organizations, according to Netherlands-based cybersecurity firm Eye Security, quadrupling from 100 victims cataloged over the weekend. The National Institutes of Health confirmed one server was breached and additional servers were isolated as a precaution, while reports indicate the Department of Homeland Security and multiple other federal agencies were also compromised.

An anonymous reader quotes a report from The Register: Some customers of Broadcom's VMware business currently cannot access security patches, putting them at greater risk of attack. Customers in that perilous position hold perpetual licenses for VMware products but do not have a current support contract with Broadcom, which will not renew those contracts unless users sign up for software subscriptions. Yet many customers in this situation run products that Broadcom continues to support with patches and updates.

In April 2024, Broadcom CEO Hock Tan promised "free access to zero-day security patches for supported versions of vSphere" so customers "are able to use perpetual licenses in a safe and secure fashion." VMware patches aren't freely available; users must log on to Broadcom's support portal to access the software. Some VMware users in this situation have told The Register that when they enter the portal they cannot download patches, and that VMware support staff have told them it may be 90 days before the software fixes become available. "Because our support portal requires validation of customer entitlements for software patches, only entitled customers have access to the patches at this time," a VMware spokesperson said. "A separate patch delivery cycle will also be available for non-entitled customers and will follow at a later date."

The timing of that "later date" remains uncertain. The Register also notes that "users haven't had access to patches since May."

An anonymous reader quotes a report from Ars Technica: Hacking is hard. Well, sometimes. Other times, you just call up a company's IT service desk and pretend to be an employee who needs a password reset, an Okta multifactor authentication reset, and a Microsoft multifactor authentication reset... and it's done. Without even verifying your identity. So you use that information to log in to the target network and discover a more trusted user who works in IT security. You call the IT service desk back, acting like you are now this second person, and you request the same thing: a password reset, an Okta multifactor authentication reset, and a Microsoft multifactor authentication reset. Again, the desk provides it, no identity verification needed. So you log in to the network with these new credentials and set about planting ransomware or exfiltrating data in the target network, eventually doing an estimated $380 million in damage. Easy, right?

According to The Clorox Company, which makes everything from lip balm to cat litter to charcoal to bleach, this is exactly what happened to it in 2023. But Clorox says that the "debilitating" breach was not its fault. It had outsourced the "service desk" part of its IT security operations to the massive services company Cognizant -- and Clorox says that Cognizant failed to follow even the most basic agreed-upon procedures for running the service desk. In the words of a new Clorox lawsuit, Cognizant's behavior was "all a devastating lie," it "failed to show even scant care," and it was "aware that its employees were not adequately trained."

"Cognizant was not duped by any elaborate ploy or sophisticated hacking techniques," says the lawsuit, using italics to indicate outrage emphasis. "The cybercriminal just called the Cognizant Service Desk, asked for credentials to access Clorox's network, and Cognizant handed the credentials right over. Cognizant is on tape handing over the keys to Clorox's corporate network to the cybercriminal -- no authentication questions asked." [...] The new lawsuit, filed in California state courts, wants Cognizant to cough up millions of dollars to cover the damage Clorox says it suffered after weeks of disruption to its factories and ordering systems. (You can read a brief timeline of the disruption here.)

A cyber-espionage campaign exploiting unpatched Microsoft SharePoint vulnerabilities has breached approximately 400 organizations worldwide, including the US National Nuclear Security Administration, according to Netherlands-based cybersecurity firm Eye Security. The figure represents a four-fold increase from 100 organizations cataloged over the weekend, with researchers calling it likely an undercount since not all attack vectors leave detectable artifacts.

Microsoft identified three Chinese groups -- state-backed Linen Typhoon and Violet Typhoon, plus China-based Storm-2603 -- as exploiting the vulnerabilities in on-premises SharePoint servers to steal authentication credentials and execute malicious code remotely. The campaign began July 7 and was first detected July 18 when Eye Security found unusual activity on a customer's server. Victims include the US Energy Department, Education Department, Florida's Department of Revenue, Rhode Island General Assembly, and European and Middle Eastern governments.

At least 759 US hospitals experienced network disruptions during the CrowdStrike outage on July 19, 2024, with more than 200 suffering outages that directly affected patient care services, according to a study published in JAMA Network Open by UC San Diego researchers. The researchers detected disruptions across 34% of the 2,232 hospital networks they scanned, finding outages in health records systems, fetal monitoring equipment, medical imaging storage, and patient transfer platforms.

Most services recovered within six hours, though some remained offline for more than 48 hours. CrowdStrike dismissed the study as "junk science," arguing the researchers failed to verify whether affected networks actually ran CrowdStrike software. The researchers defended their methodology, noting they could scan only about one-third of America's hospitals, suggesting the actual impact may have been significantly larger.

Alaska Airlines and Horizon Air grounded all flights Sunday night due to a major IT outage, prompting a system-wide FAA ground stop that lasted until early Monday. Although operations have since resumed, passengers are still facing delays and residual disruptions. Gizmodo reports: The airline requested a system-wide ground stop from federal aviation authorities at about 11 p.m. ET on Sunday night. That stop remained in effect until around 2 a.m. ET Monday, when the Federal Aviation Administration confirmed it had been lifted. But disruptions didn't end there. Alaska warned passengers to brace for likely delays throughout the day. [...] The FAA's website listed the stop as applying to all Alaska Airlines aircraft. Gizmodo notes that the incident comes nearly a year after the massive 2024 CrowdStrike crash, which has become known as the largest IT outage in history. "The July 2024 outage brought down an estimated 8.5 million Microsoft Windows systems running CrowdStrike's Falcon Sensor software, disrupting everything from hospitals and airports to broadcast networks."

"There's no word yet from Alaska on whether the outage ties into a broader software problem, but the timing, almost exactly a year after the CrowdStrike crash, isn't going unnoticed on social media, with users wondering if the events are related."

An anonymous reader quotes a report from the BBC: One password is believed to have been all it took for a ransomware gang to destroy a 158-year-old company and put 700 people out of work. KNP -- a Northamptonshire transport company -- is just one of tens of thousands of UK businesses that have been hit by such attacks. Big names such as M&S, Co-op and Harrods have all been attacked in recent months. The chief executive of Co-op confirmed last week that all 6.5 million of its members had had their data stolen. In KNP's case, it's thought the hackers managed to gain entry to the computer system by guessing an employee's password, after which they encrypted the company's data and locked its internal systems. KNP director Paul Abbott says he hasn't told the employee that their compromised password most likely led to the destruction of the company. "Would you want to know if it was you?" he asks. "We need organizations to take steps to secure their systems, to secure their businesses," says Richard Horne CEO of the National Cyber Security Centre (NCSC) -- where Panorama has been given exclusive access to the team battling international ransomware gangs. A gang of hackers, known as Akira, broke into the company's system and demanded a payment to restore the data. "The hackers didn't name a price, but a specialist ransomware negotiation firm estimated the sum could be as much as 5 million pounds," reports the BBC. "KNP didn't have that kind of money. In the end all the data was lost, and the company went under."

Eric Schmidt, Google's former CEO, has a simple suggestion for young workers struggling to focus at work or relax: turn off your phone. Schmidt told the "Moonshots" podcast that researchers "can't think deeply" when their phones keep buzzing with notifications.

The tech veteran, who spent 10 years running Google and helped build Android's notification system, admitted the industry has worked to "monetize your attention" through constant ads and alerts.

Hackers are hiding malware inside DNS records, allowing malicious code to bypass security defenses that typically monitor web and email traffic. DomainTools researchers discovered the technique being used to host Joke Screenmate malware, with binary files converted to hexadecimal format and broken into chunks stored in TXT records across subdomains of whitetreecollective[.]com.

Attackers retrieve the chunks through DNS requests and reassemble them into executable malware. The method exploits a blind spot in security monitoring, as DNS traffic often goes unscrutinized compared to other network activity.

Sir Keir Starmer's government is seeking a way out of a clash with the Trump administration over the UK's demand that Apple provide it with access to secure customer data, Financial Times reported Monday, citing two officials. From the report: The officials both said the Home Office, which ordered the tech giant in January to grant access to its most secure cloud storage system, would probably have to retreat in the face of pressure from senior leaders in Washington, including Vice President JD Vance.

"This is something that the vice president is very annoyed about and which needs to be resolved," said an official in the UK's technology department. "The Home Office is basically going to have to back down." Both officials said the UK decision to force Apple to break its end-to-end encryption -- which has been raised multiple times by top officials in Donald Trump's administration -- could impede technology agreements with the US.

Microsoft has released emergency security updates for two actively exploited zero-day vulnerabilities in SharePoint, tracked as CVE-2025-53770 and CVE-2025-53771, that have compromised servers worldwide in what researchers call "ToolShell" attacks. The U.S. Cybersecurity and Infrastructure Security Agency warned over the weekend that hackers were exploiting the vulnerabilities to gain remote code execution on on-premises SharePoint installations, while Microsoft has not yet provided patches for all affected versions.

The vulnerabilities allow hackers to steal private digital keys from SharePoint servers without requiring credentials, enabling them to plant malware and access stored files and data. Eye Security, which first identified the attacks on Saturday, found dozens of actively exploited servers and warned that SharePoint's integration with Outlook, Teams, and OneDrive could enable further network compromise. Researcher Silas Cutler at cybersecurity firm Censys estimated more than 10,000 companies with SharePoint servers were at risk, with the largest concentrations in the United States, Netherlands, United Kingdom, and Canada.

Microsoft released patches for SharePoint 2019 and Subscription Edition but is still working on fixes for SharePoint Server 2016. Administrators must install available updates immediately and rotate machine keys to prevent re-compromise, according to Microsoft's security guidance.

"Anybody who's got a hosted SharePoint server has got a problem," the senior VP of cybersecurity firm CrowdStrike told the Washington Post. "It's a significant vulnerability."

And it's led to a new "global attack on government agencies and businesses" in the last few days, according to the article, "breaching U.S. federal and state agencies, universities, energy companies and an Asian telecommunications company, according to state officials and private researchers..."

"Tens of thousands of such servers are at risk, experts said, and Microsoft has issued no patch for the flaw, leaving victims around the world scrambling to respond." (Microsoft says they are "working on" security updates "for supported versions of SharePoint 2019 and SharePoint 2016," offering various mitigation suggestions, and CISA has released their own recommendations.)

From the Washington Post's article Sunday: Microsoft has suggested that users make modifications to SharePoint server programs or simply unplug them from the internet to stanch the breach. Microsoft issued an alert to customers but declined to comment further... "We are seeing attempts to exploit thousands of SharePoint servers globally before a patch is available," said Pete Renals, a senior manager with Palo Alto Networks' Unit 42. "We have identified dozens of compromised organizations spanning both commercial and government sectors.''

With access to these servers, which often connect to Outlook email, Teams and other core services, a breach can lead to theft of sensitive data as well as password harvesting, Netherlands-based research company Eye Security noted. What's also alarming, researchers said, is that the hackers have gained access to keys that may allow them to regain entry even after a system is patched. "So pushing out a patch on Monday or Tuesday doesn't help anybody who's been compromised in the past 72 hours," said one researcher, who spoke on the condition of anonymity because a federal investigation is ongoing.

The breaches occurred after Microsoft fixed a security flaw this month. The attackers realized they could use a similar vulnerability, according to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. CISA spokeswoman Marci McCarthy said the agency was alerted to the issue Friday by a cyber research firm and immediately contacted Microsoft... The nonprofit Center for Internet Security, which staffs an information-sharing group for state and local governments, notified about 100 organizations that they were vulnerable and potentially compromised, said Randy Rose, the organization's vice president. Those warned included public schools and universities. Others that were breached included a government agency in Spain, a local agency in Albuquerque and a university in Brazil, security researchers said.
But there's many more breaches, according to the article:

• "Eye Security said it has tracked more than 50 breaches, including at an energy company in a large state and several European government agencies."

• "At least two U.S. federal agencies have seen their servers breached, according to researchers."

• "One state official in the eastern U.S. said the attackers had 'hijacked' a repository of documents provided to the public to help residents understand how their government works. The agency involved can no longer access the material..."

"It was not immediately clear who is behind the hacking of global reach or what its ultimate goal is. One private research company found the hackers targeting servers in China..."

"The U.S. is absolutely facing the most serious Chinese hacking ever." That's what the Washington Post was told by a China-focused consultant at security company SentinelOne: Undeterred by recent indictments alleging widespread cyberespionage against American agencies, journalists and infrastructure targets, Chinese hackers are hitting a wider range of targets and battling harder to stay inside once detected, seven current and former U.S. officials said in interviews. Hacks from suspected Chinese government actors detected by the security firm CrowdStrike more than doubled from 2023 to more than 330 last year and continued to climb as the new administration took over, the company said... Although the various Chinese hacking campaigns seem to be led by different government agencies and have different goals, all benefit from new techniques and from Beijing's introduction of a less constrained system for cyber offense, the officials and outside researchers told The Washington Post... Chinese intelligence, military and security agencies previously selected targets and tasked their own employees with breaking in, they said. But the Chinese government decided to take a more aggressive approach by allowing private industry to conduct cyberattacks and hacking campaigns on their own, U.S. officials said.

The companies are recruiting top hackers who discover previously unknown, or "zero-day," flaws in software widely used in the United States. Then the companies search for where the vulnerable programs are installed, hack a great many of them at once, and then sell access to multiple Chinese government customers and other security companies. That hacking-for-hire approach creates hundreds of U.S. victims instead of a few, making it hard to block attacks and to decide which were China's key targets and which were unintentionally caught in the hacks, an FBI official said, speaking on the condition of anonymity to follow agency practices... "The result of that incentive structure is that there is significantly more hacking...."

China has mastered the ability to move undetected through networks of compromised U.S. devices, so that the final connection to a target appears to be an ordinary domestic connection. That makes it easy to get around technology that blocks overseas links and puts it outside the purview of the National Security Agency, which by law must avoid scrutinizing most domestic transmissions. Beijing is increasingly focused on hacking software and security vendors that provide access to many customers at once, the FBI official said. Once access is obtained, the hackers typically add new email and collaboration accounts that look legitimate... Beyond the increased government collaboration with China's private security sector is occasional collaborating with criminal groups, said Ken Dunham, an analyst at the security firm Qualys.
The article notes that China's penetration of U.S. telecom carriers "is still not fully contained, according to the current and former officials." But in addition, the group behind that attack "has more recently shown up inside core communications infrastructure in Europe, according to John Carlin, a former top national security official in the Justice Department who represents some U.S. victims of the group." And documents leaked last year from a security contractor that works with the Chinese military and other government groups "described contracts and targets in 20 countries, with booty including Indian immigration data, logs of calls in South Korea, and detailed information on roads in Taiwan.

"It also detailed prices for some services, such as $25,000 for promised remote access to an iPhone, payment disputes with government customers and employee gripes about long hours..."

Google has filed a lawsuit to dismantle the sprawling Badbox 2.0 botnet, which infected over 10 million Android devices with pre-installed malware. Badbox 2.0 "is already the largest known botnet of internet-connected TV devices, and it grows each day. It has harmed millions of victims in the United States and around the world and threatens many more," Google said in its complaint. SecurityWeek reports: The internet giant cautions that, while it has been used mainly for fraud, the botnet could be used for more harmful types of cybercrime, such as ransomware or distributed denial-of-service (DDoS) attacks. In addition to pre-installing the malware on devices, Badbox 2.0's operators also tricked users into installing infected applications that provided them with further access to their personal devices, Google says. As part of their operation, the individuals behind Badbox 2.0 sold access to the infected devices to be used as residential proxies, and conducted ad fraud schemes by abusing these devices to create fake ad views or to exploit pay-per-click compensation models, the company continues. The internet giant also points out that this is the second global botnet the perpetrators have built, after the initial Badbox botnet was disrupted by German law enforcement in 2023.

According to Google, Badbox 2.0 is operated by multiple cybercrime groups from China, each having a different role in maintaining the botnet, such as establishing infrastructure, developing and pre-installing the malware on devices, and conducting fraud. "The BadBox 2.0 Enterprise includes several connected threat actor groups that design and implement complex criminal schemes targeting internet-connected devices both before and after the consumer receives the device," Google says. "While each member of the Enterprise plays a distinct role, they all collaborate to execute the BadBox 2.0 Scheme. All of the threat actor groups are connected to one another through the BadBox 2.0 shared C2 infrastructure and historical and current business ties," the company continues.

LibreOffice has accused Microsoft of intentionally using "unnecessarily complex" file formats to lock in Office users, claiming the company weaponizes its Office Open XML schema to create barriers for competitors. The open-source office suite argued that Microsoft's OOXML format includes deeply nested structures with non-intuitive naming conventions and numerous optional elements that make implementation difficult for developers outside Microsoft.

LibreOffice compared the situation to a railway system where tracks are public but one company's control system is so convoluted that competitors cannot build compatible trains.