Federal cyber authorities sounded a rare alarm Thursday, issuing an emergency directive about an ongoing and widespread attack spree involving actively exploited zero-day vulnerabilities affecting Cisco firewalls. 

Cisco said it began investigating attacks on multiple government agencies linked to the state-sponsored campaign in May. The vendor, which attributes the attacks to the same threat group behind an early 2024 campaign targeting Cisco devices it dubbed “ArcaneDoor,” said the new zero-days were exploited to “implant malware, execute commands, and potentially exfiltrate data from the compromised devices.” 

Cisco disclosed three vulnerabilities affecting its Adaptive Security Appliances  — CVE-2025-20333, CVE-2025-20363 and CVE-2025-20362 — but said “evidence collected strongly indicates CVE-2025-20333 and CVE-2025-20362 were used by the attacker in the current attack campaign.” 

The Cybersecurity and Infrastructure Security Agency said those two zero-days pose an “unacceptable risk” to federal agencies and require immediate action. 

Federal agencies are required to hunt for evidence of compromise, report findings and disconnect compromised devices by the end of Friday. Agencies running Cisco ASA firewalls are also required to apply Cisco’s patches or permanently disconnect end-of-life devices by the end of Friday.

“CISA is directing federal agencies to take immediate action due to the alarming ease with which a threat actor can exploit these vulnerabilities, maintain persistence on the device, and gain access to a victim’s network,” CISA Acting Director Madhu Gottumukkala said in a statement.

Cisco did not fully explain why it waited four months from its initial response to the attacks on federal agencies to disclose the malicious activity and patch the zero-day vulnerabilities. 

The attackers “employed advanced evasion techniques such as disabling logging, intercepting command-line interface commands, and intentionally crashing devices to prevent diagnostic analysis. The complexity and sophistication of this incident required an extensive, multi-disciplinary response across Cisco’s engineering and security teams,” the company said. 

CISA did not immediately respond to questions about why it waited four months to issue an emergency directive.

The agency described the campaign as widespread, resulting in remote-code execution and manipulation of read-only memory that persists through reboots and system upgrades. While CISA’s emergency directive only applies to federal agencies, the private sector often follows these urgent warnings closely.

“The same risks apply to any organizations using these devices. We strongly urge all entities to adopt the actions outlined in this emergency directive,” Gottumukkala said.

Cisco and CISA did not attribute the espionage attacks to a specific nation state, but Censys researchers previously said it found compelling evidence indicating a threat group based in China was behind the ArcaneDoor campaign last year. Censys noted it found evidence of multiple major Chinese networks and Chinese-developed anti-censorship software during its investigation into the early 2024 attacks.

The latest attacks initiated by the espionage group, tracked as UAT4356 by Cisco Talos and Storm-1849 by Microsoft Threat Intelligence, are a continuation or resurgence of that previous campaign involving new zero-days. 

Cisco said remote attackers can “gain full control of an affected device” by chaining together the vulnerabilities, two of which are designated as critical. 

When Storm-1849 was first identified in early 2024, the espionage group was targeting international entities, according to Sam Rubin, senior vice president of Palo Alto Networks’ Unit 42. Unit 42 also considers Storm-1849 to be affiliated with China.

“Over the past year, Unit 42 has observed them evolve their toolkit and in recent months their focus has shifted towards entities in the United States,” he said. “As we have seen before, now that patches are available, we can expect attacks to escalate as cybercriminal groups quickly figure out how to take advantage of these vulnerabilities.”

The post CISA alerts federal agencies of widespread attacks using Cisco zero-days appeared first on CyberScoop.

A Russian nation-state threat group has been spying on foreign diplomats, managing continuous access to their  communications and data in Moscow since at least 2024, according to Microsoft Threat Intelligence.

Secret Blizzard is gaining “adversary-in-the-middle” positions on Russian internet service providers and telecom networks by likely leveraging surveillance tools and deploying malware on targeted devices, researchers said in a report released Thursday. 

Microsoft’s discovery marks the first time its researchers have confirmed with high confidence that Secret Blizzard has capabilities at the ISP level, a degree of access that combines passive surveillance and an active intrusion. 

“It’s a shift, or a kind of movement, toward the evolution of simply watching traffic to actively modifying network traffic in order to get into those targeted systems,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, told CyberScoop. 

Secret Blizzard — also known as Turla, Pensive Ursa or Waterbug — is affiliated with Center 16 of Russia’s Federal Security Service (FSB) and has been active for decades.

The Russian nation-state group is “the classic definition of what you think of when you think of advanced persistent threat: creative, persistent, well resourced, highly organized, able to execute projects, able to execute actions on objectives,” DeGrippo said. “Ultimately, I think that the key word is creative.”

Secret Blizzard is gaining initial access to embassy employee devices by redirecting them to a malicious domain that displays a certificate validation error after targeted victims access a state-aligned network through a captive portal, according to Microsoft.

The error prompts and tricks embassy employees into downloading root certificates falsely branded as Kaspersky Anti-Virus software, which deploy ApolloShadow malware. The custom malware turns off traffic encryption, tricks the devices to recognize malicious sites as legitimate and enables Secret Blizzard to maintain persistent access to diplomatic devices for espionage. 

“This is an excellent piece of social engineering because it plays on habit, it plays on urgency, it plays on emotions, which are the three holy trinity of social engineering,” DeGrippo said. 

“You see this pop-up that’s telling you you have a security issue, and it’s branded as a security vendor. We’ve been seeing that capability for decades,” she said. “Simply clicking through and not examining and thinking about that, especially when on a state-aligned, state-owned network in one of these surveillance-heavy countries where the government has deep technical and legal controls over those ISPs — that infrastructure is now part of your attack surface.”

Microsoft declined to say how many embassies have been impacted, but noted the group is active. Intrusions linked to this politically motivated espionage campaign allow Secret Blizzard to view the majority of the target’s browsing in plain text, including certain tokens and credentials, researchers said in the report.

“This seems relatively simple, but it’s only made so simple by the likely leveraging of a lawful intercept capability,” DeGrippo said. “Relying on local infrastructure in these high-risk environments — China, Russia, North Korea, Iran — in these surveillance-heavy countries, is of concern.” 

Microsoft previously observed Secret Blizzard using tools from other cybercriminal groups to compromise targets in Ukraine, showing how the group uses various attack vectors and means to infiltrate networks of geopolitical interest to Russia.

The post Russia-affiliated Secret Blizzard conducting ongoing espionage against embassies in Moscow appeared first on CyberScoop.

The fallout from an attack spree targeting defects in on-premises Microsoft SharePoint servers continues to spread nearly a week after zero-day exploits were discovered, setting off alarms across the globe. More than 400 organizations have been actively compromised across four waves of attacks, according to Eye Security.

Multiple government agencies, including the Departments of Energy, Homeland Security and Health and Human Services, have been hit. The California Independent System Operator, which operates some of the state’s wholesale electric grid, was also impacted.

As more victims confirm varying levels of compromise from the attack spree, researchers are learning and sharing more details about post-exploit activities. One of the China-based attackers behind the initial wave of attacks, Storm-2603, deployed Warlock ransomware starting July 18, Microsoft Threat Intelligence said Wednesday in an updated blog post.

The Chinese government-affiliated threat groups Linen Typhoon and Violet Typhoon — which have been active for at least a decade — are also actively exploiting the zero-day vulnerabilities, Microsoft said. Linen Typhoon has focused on stealing intellectual property and Violet Typhoon is an espionage threat group. Storm is a moniker Microsoft uses for threat groups in development.

Microsoft said it observed Storm-2603 modifying policy settings to distribute Warlock ransomware in compromised environments. The attacker is also attempting to steal cryptographic keys from compromised SharePoint servers, which could allow attackers to maintain persistent access to victim environments after the patch has been applied. Microsoft did not say how many organizations have been hit with ransomware.

The zero-days under active exploit —  CVE-2025-53770 and CVE-2025-53771 — are variants of a pair of previously disclosed vulnerabilities — CVE-2025-49706 and CVE-2025-49704 — Microsoft addressed in its security update earlier this month. After discovering the new flaws, Microsoft scrambled to develop patches, releasing the updates for all affected versions of SharePoint by late Monday.

The exploit dubbed “ToolShell,” which allows attackers to bypass multi-factor authentication and single sign-on, contains the newly discovered defects: CVE-2025-53770, a critical remote-code execution vulnerability, and CVE-2025-53771, a security-bypass vulnerability. 

The “ToolShell” exploit chain allows attackers to fully access SharePoint content and execute code over the network, the Cybersecurity and Infrastructure Security Agency said. ESET Labs researchers said threat groups often chain all four vulnerabilities to intrude organizations.

CISA added CVE-2025-53770 to its known exploited vulnerabilities catalog Sunday, and added CVE-2025-47904 and CVE-2025-47906 to the database Tuesday. CISA said CVE-2025-53770 is a patch bypass for CVE-2025-49704 and CVE-2025-53771 is a patch bypass for CVE-2025-49706.

Officials declined to describe the level of compromise sustained across the federal government.

“Once the Microsoft SharePoint vulnerability was identified on Friday, CISA quickly launched a national coordinated response through an initial alert and two cybersecurity updates,” a Department of Homeland Security spokesperson said in a statement. “CISA has been working around the clock with Microsoft, impacted agencies, and critical infrastructure partners to share actionable information, apply mitigation efforts, implement protective measures, and assess preventative measures to shield from future attacks.”

The spokesperson said an investigation to identify potential exposure remains ongoing, adding “there is no evidence of data exfiltration at DHS or any of its components at this time.”

The Energy Department, which was impacted along with the National Nuclear Security Administration, is also unaware of any compromise of sensitive or classified information. 

Exploitation of the Microsoft SharePoint zero-day vulnerability began affecting the Energy Department and the NNSA on Friday. “The department was minimally impacted due to its widespread use of the Microsoft 365 cloud and very capable cybersecurity systems,” an agency spokesperson said in a statement.

“A very small number of systems were impacted. NNSA is taking the appropriate action to mitigate risk and transition to other offerings as appropriate,” the spokesperson added.

The Department of Health and Human Services said it is monitoring, identifying and mitigating all risks to its IT systems posed by the Microsoft SharePoint vulnerability. “This vulnerability is not unique to HHS and has been observed in other federal agencies and the private sector,” a spokesperson for the agency said in a statement. “At present, we have no indication that any information was breached as a result of this vulnerability.”

Jayme Ackemann, director of communications at the California Independent System Operator, said the nonprofit, which manages long-distance power lines across 80% of California’s grid, became aware of potential exploitation Sunday. “There has been no impact to market operations or grid reliability due to this incident,” Ackemann said. “All systems remain stable and fully operational.”

Microsoft SharePoint is prevalent across enterprise and government and deeply integrated with Microsoft’s platform. Researchers warn that attackers could use intrusions to burrow deeper into victim networks.

Attacks have spread globally but U.S.-based organizations are the most heavily targeted to date, accounting for more than 13% of attacks, according to ESET’s telemetry data. Scans from the Shadowserver Foundation showed nearly 11,000 SharePoint instances were still exposed to the internet as of Wednesday.

The post Microsoft SharePoint attacks ensnare 400 victims, including federal agencies appeared first on CyberScoop.

Microsoft said two China nation-state threat groups and a separate attacker based in China are exploiting the zero-day vulnerabilities that first caused havoc to SharePoint servers over the weekend.

Linen Typhoon and Violet Typhoon — the Chinese government-affiliated threat groups — and an attacker Microsoft tracks as Storm-2603 are exploiting the pair of zero-day vulnerabilities affecting on-premises SharePoint servers, Microsoft Threat Intelligence said in a blog post Tuesday.

The zero-days — CVE-2025-53770 and CVE-2025-53771 — have been exploited en masse to intrude hundreds of organizations globally, spanning multiple sectors, including government agencies, according to researchers. 

Both defects are variants of previously disclosed vulnerabilities that Microsoft had already addressed in its security update earlier this month. After discovering the new flaws, Microsoft scrambled to develop patches, releasing the updates for all versions of SharePoint by late Monday.

The attack spree is ongoing and spreading. 

“With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems,” Microsoft Threat Intelligence researchers said in the blog post.

Underscoring the widespread alarm caused by the attacks, the Cybersecurity and Infrastructure Security Agency issued a rare weekend alert about active attacks and added the defect to its known exploited vulnerabilities catalog Sunday.

Microsoft’s initial attribution assessment tracks with other incident responders and researchers who are swarming to combat the threat the attacks pose to critical infrastructure. The motivations and origins of threat groups behind the attacks have also spread beyond China and its government.

Charles Carmakal, chief technology officer at Mandiant Consulting, said the early zero-day exploitation was broad and opportunistic. 

“At least one of the actors responsible for this early exploitation is a China-nexus threat actor,” he said in an email. “It’s critical to understand that multiple actors are now actively exploiting this vulnerability. We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well.”

Microsoft researchers said Linen Typhoon, Violet Typhoon and Storm-2603 attempted to exploit the previously disclosed SharePoint vulnerabilities — CVE-2025-49706 and CVE-2025-49704 — as early as July 7. Typhoon is the family name Microsoft applies to nation-state threat groups originating from China, and Storm is a moniker the company uses for threat groups in development.

Linen Typhoon, which has been active since 2012, has focused on stealing intellectual property from organizations in government, defense, strategic planning and human rights, according to Microsoft. 

Violet Typhoon, which emerged in 2015, is an espionage threat group targeting former government and military personnel, non-governmental organizations, think tanks, higher education, media, finance and health-related industries in the United States, Europe and East Asia. “This group persistently scans for vulnerabilities in the exposed web infrastructure of targeting organizations, exploiting discovered weaknesses to install web shells,” Microsoft researchers said.

Storm-2603 is the China-based attacker that’s attempting to steal MachineKeys from compromised SharePoint servers, according to Microsoft. Researchers have warned that the theft of cryptographic keys could allow attackers to maintain persistent access to victim environments after the patch has been applied.

The post Microsoft SharePoint zero-day attacks pinned on China-linked ‘Typhoon’ threat groups appeared first on CyberScoop.