
News brief: SharePoint attacks hammer globe

Check out the latest security news from the Informa TechTarget team.

It was a banner week for cybercriminals and a challenging one for defenders. Hundreds of organizations saw threat actors exploit critical flaws in their Microsoft SharePoint servers, with more malicious hackers piling on and attacks still ongoing.

Meanwhile, just two months after a major FBI takedown, Lumma malware-as-a-service operations not only appear to have fully recovered, but are stealthier and more effective than ever. And the innovative Coyote banking Trojan has broken new technical ground by weaponizing Windows accessibility features against users.

Together, these stories highlight the opportunism, adaptability, resilience and ingenuity of today's cyberthreats -- and the critical importance of countermeasures, such as prompt patching and frequent security awareness training.

Read more about an eventful week in cybercrime.

Ongoing SharePoint attacks hit hundreds of Microsoft customers

Microsoft customers with on-premises SharePoint servers are facing a massive wave of ongoing cyberattacks that began in early July and escalated in the past week.

The intrusions use an attack chain dubbed ToolShell, which combines a remote code execution flaw with a spoofing flaw so that an unauthenticated attacker can run code on an exposed server. Attackers have reportedly used the vulnerabilities to compromise hundreds of SharePoint customers worldwide, including the U.S. National Nuclear Security Administration and the Department of Homeland Security.

According to Microsoft, three Chinese nation-state threat actors were among the first to initiate ToolShell attacks in early July. More recently, one of the groups also began using the vulnerability sequence in ongoing ransomware attacks.

Microsoft began releasing emergency out-of-band security updates on July 19, with fixes for SharePoint Subscription Edition, SharePoint 2019 and SharePoint 2016. Patching alone does not close the door, however: because attackers had been stealing the servers' ASP.NET machine keys, Microsoft also advised customers to rotate those keys and restart IIS after applying the update, and to assume compromise and hunt for dropped web shells on any server that was exposed before patching. Researchers warned that more threat actors might join the ongoing campaign, making immediate patching critical for all on-premises SharePoint customers.

The vulnerabilities do not affect SharePoint Online in Microsoft 365.
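For administrators who run on-premises SharePoint, the following PowerShell is an added example of the checks the paragraph above implies, not code from the article or from Microsoft. It assumes the default hive-16 install path used by SharePoint 2016, 2019 and Subscription Edition, and it uses a placeholder for the minimum fixed build, which you must replace with the build number Microsoft lists for your edition's July 2025 update; the key-rotation cmdlet name is taken from Microsoft's guidance for this campaign and should be confirmed against your build before use.

```powershell
# Added example, not code from the article or from Microsoft. Run in an
# elevated SharePoint Management Shell on each on-premises front end.
# Assumptions (not from the article): the hive-16 LAYOUTS path below is the
# default install location for SharePoint 2016/2019/Subscription Edition, and
# $MinimumFixedBuild is a placeholder you must replace with the build number
# Microsoft lists for your edition's July 2025 out-of-band update.
param(
    [version]  $MinimumFixedBuild  = '16.0.0.0',              # placeholder, see above
    [datetime] $SuspectWindowStart = [datetime]'2025-07-01',  # article: attacks began in early July
    [string]   $LayoutsPath        = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
)

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# 1. Is the farm at or above the fixed build?
function Test-FarmBuild {
    param([version]$Minimum)
    $build = [version](Get-SPFarm).BuildVersion
    [pscustomobject]@{
        FarmBuild = $build
        Patched   = ($build -ge $Minimum)
    }
}

# 2. Hunt for server-side code dropped into LAYOUTS during the attack window.
#    Anything in this tree is served by IIS to any caller, which is why it is
#    a favourite drop location for web shells. The legitimate update also
#    writes here, so compare LastWriteTime against the time you installed the
#    patch, and hash anything you cannot account for.
function Find-RecentLayoutsCode {
    param([string]$Path, [datetime]$Since)
    Get-ChildItem -Path $Path -Recurse -File -Include *.aspx, *.ashx, *.asmx, *.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            [pscustomobject]@{
                File     = $_.FullName
                Modified = $_.LastWriteTime
                SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# 3. Machine keys: Microsoft's guidance for this campaign was to rotate them
#    after patching, because stolen keys let an attacker forge trusted
#    ViewState payloads even on a patched server. This only prints the
#    commands; confirm the cmdlet against your build before running them.
function Show-MachineKeyRotationCommands {
    Get-SPWebApplication | ForEach-Object { "Update-SPMachineKey -WebApplication '$($_.Url)'" }
}

$buildState = Test-FarmBuild -Minimum $MinimumFixedBuild
$buildState | Format-List
if (-not $buildState.Patched) {
    Write-Warning "Farm build $($buildState.FarmBuild) is below $MinimumFixedBuild: patch before anything else."
}

Find-RecentLayoutsCode -Path $LayoutsPath -Since $SuspectWindowStart | Format-Table -AutoSize
Show-MachineKeyRotationCommands
```

Run the LAYOUTS hunt on every web front end, not just the one hosting Central Administration, since the files are written locally on whichever server handled the malicious request.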

Read the full story by David Jones on Cybersecurity Dive.

Lumma stealer malware returns after FBI takedown

The notorious Lumma malware -- which aims to steal sensitive information, such as credentials and cryptocurrency wallet information -- has rapidly resurfaced following its FBI takedown in May. Trend Micro researchers said Lumma threat actors' activity appeared to have returned to normal levels between June and July, although their tactics have gotten stealthier and more discreet.

Previously, Lumma operators relied heavily on Cloudflare's infrastructure to hide their malicious domains. Now, however, they are increasingly turning to providers that are less beholden to U.S. law enforcement, such as Russia-based Selectel.

Lumma distribution methods are also evolving, with recent attacks using fake cracked software, ClickFix campaigns with deceptive CAPTCHA pages, AI-generated GitHub repositories, and social media campaigns on YouTube and Facebook.

Read the full story by Elizabeth Montalbano on Dark Reading.

Coyote breaks new ground by abusing Windows UI Automation

The banking Trojan Coyote, active in Latin America since February 2024, has pioneered a new attack method: it abuses the Windows UI Automation (UIA) framework to identify and harvest banking sessions. This is the first known instance of in-the-wild malware abusing UIA, a legitimate accessibility framework that lets assistive technologies such as screen readers inspect and drive the user interface of other applications.

Active primarily in Brazil, Coyote targets users of 75 banks and cryptocurrency exchanges. It gains initial access through malicious LNK files delivered by phishing emails, then watches the title of the foreground window for the name of a targeted bank or exchange.

Coyote is particularly dangerous because it works offline, with its target list hard-coded, and because UIA lets it read the contents of browser tabs and address bars more reliably than window-title matching alone: when the title gives no match, it walks the UIA element tree of the browser window looking for a targeted URL. It exemplifies how attackers' techniques continue to evolve to outpace security measures.
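The PowerShell below is an added example, not code from the article or from the research it summarises. Part 1 shows what UIA hands to any unprivileged process on the same desktop, which is the surface Coyote is reported to abuse: the titles of every top-level window, matched here against a constructed watchlist that is not Coyote's target list. Part 2 is the hunt a defender would run in response: which processes have loaded the UIA client library, flagging any that fall outside an allowlist (an assumption to be tuned to your estate) or that run from a user-writable directory.

```powershell
# Added example, not code from the article or from the research it summarises.
# Part 1: what the UI Automation framework exposes to any process on the same
# desktop, the surface Coyote is reported to abuse. Part 2: a hunt for
# processes that have mapped the UIA client library.
# The watchlist and allowlist below are constructed for the demo; tune the
# allowlist to the assistive and productivity software in your own estate.
Add-Type -AssemblyName UIAutomationClient
Add-Type -AssemblyName UIAutomationTypes

$watchlist = @('Internet Banking', 'Online Banking', 'Wallet')   # constructed sample, not Coyote's list
$allowlist = @('explorer', 'Narrator', 'Magnify', 'msedge', 'chrome', 'firefox',
               'WINWORD', 'EXCEL', 'OUTLOOK', 'Teams', 'powershell', 'pwsh')
               # assumption; powershell/pwsh are listed because this script itself loads UIA

# Part 1: every top-level window's title, with no injection into the browser.
# A browser window title normally carries the active tab's title, so matching
# on it is enough to know that a banking session is open.
function Get-TopLevelWindowTitles {
    $root    = [System.Windows.Automation.AutomationElement]::RootElement
    $windows = $root.FindAll([System.Windows.Automation.TreeScope]::Children,
                             [System.Windows.Automation.Condition]::TrueCondition)
    foreach ($w in $windows) {
        [pscustomobject]@{ ProcessId = $w.Current.ProcessId; Title = $w.Current.Name }
    }
}

function Find-WatchedSessions {
    param([string[]]$Patterns)
    Get-TopLevelWindowTitles | Where-Object {
        $title = $_.Title
        $title -and ($Patterns | Where-Object { $title -like "*$_*" })
    }
}

# Part 2: which processes have UIAutomationCore.dll mapped? Legitimate users
# are assistive tech, browsers and Office; a process outside the allowlist, or
# one running from a user-writable directory (where an LNK-delivered payload
# typically lands), deserves a closer look.
function Find-UiaConsumers {
    param([string[]]$Allowed)
    foreach ($p in Get-Process) {
        try { $mods = $p.Modules } catch { continue }   # protected or cross-bitness processes throw
        if ($mods | Where-Object { $_.ModuleName -ieq 'UIAutomationCore.dll' }) {
            [pscustomobject]@{
                Name         = $p.Name
                ProcessId    = $p.Id
                Path         = $p.Path
                Allowlisted  = ($Allowed -contains $p.Name)
                UserWritable = ($p.Path -match '\\(AppData|Temp|Downloads|Public)\\')
            }
        }
    }
}

Find-WatchedSessions -Patterns $watchlist | Format-Table -AutoSize
Find-UiaConsumers -Allowed $allowlist |
    Where-Object { -not $_.Allowlisted -or $_.UserWritable } |
    Format-Table -AutoSize
```

The hunt will miss a process that loads the library only briefly, so for continuous coverage pair it with image-load telemetry (for example Sysmon event ID 7 filtered on UIAutomationCore.dll) rather than relying on a point-in-time module scan.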

Read the full story by Jai Vijayan on Dark Reading.

Editor's note: An editor used AI tools to aid in the generation of this news brief. Our expert editors always review and edit content before publishing.

Alissa Irei is senior site editor of Informa TechTarget's SearchSecurity.
