Risky Business #799 -- Everyone's Sharepoint gets shelled

Risky Biz returns after two weeks off, and there sure is cybersecurity news to catch up on. Patrick Gray and Adam Boileau discuss:

• Microsoft tried to make outsourcing the Pentagon’s cloud maintenance to China okay (it was not)
• She shells Sharepoint by the sea-shore (by ‘she’ we mean ‘China’)
• Four (alleged) Scattered Spider members arrested (and bailed) in the UK
• Hackers spend $2700 to buy creds for a Brazilian payment system, steal $100M
• Fortinet has SQLI in the auth header, Citrix mem leak is weaponised, HP hardcodes creds and Sonicwalls get user-moderootkits. Just security vendor things!

This week’s episode is sponsored by Airlock Digital. CEO David Cottingham talks through what it takes to build a mature, resilient management platform for a security critical system.

This episode is also available on Youtube.

• Update on DOD’s cloud services
• Microsoft to stop using engineers in China for tech support of US military, Hegseth orders review
• A Little-Known Microsoft Program Could Expose the Defense Department to Chinese Hackers
• While DOD policy bans unauthorized apps like TikTok from being on employees phones over national security risks
• Microsoft Fix Targets Attacks on SharePoint Zero-Day – Krebs on Security
• National Guard was hacked by China's 'Salt Typhoon' group, DHS says
• Suspected contractor for China’s Hafnium group arrested in in Italy | Cybersecurity Dive
• Singapore accuses Chinese state-backed hackers of attacking critical infrastructure networks | The Record from Recorded Future News
• UK Arrests Four in ‘Scattered Spider’ Ransom Group – Krebs on Security
• Four people bailed after arrests over cyber attacks on M&S, Co-op and Harrods
• Brazilian police arrest IT worker over $100 million cyber theft | The Record from Recorded Future News
• At Least 750 US Hospitals Faced Disruptions During Last Year’s CrowdStrike Outage, Study Finds | WIRED
• Hacker returns cryptocurrency stolen from GMX exchange after $5 million bounty payment | The Record
• Indian crypto exchange CoinDCX says $44 million stolen from reserves | The Record
• Chainalysis: $2.17 billion in crypto stolen in first half of 2025, driven by North Korean hacks | The Record
• PoisonSeed bypassing FIDO keys to ‘fetch’ user accounts
• Risky Bulletin: Browser extensions hijacked for web scraping botnet
• A Startup is Selling Data Hacked from Peoples’ Computers to Debt Collectors
• A surveillance vendor was caught exploiting a new SS7 attack to track people's phone locations | TechCrunch
• Ukrainian hackers wipe databases at Russia's Gazprom in major cyberattack, intelligence source says
• File transfer company CrushFTP warns of zero-day exploit seen in the wild | The Record
• HPE warns of hardcoded passwords in Aruba access points
• Pre-Auth SQL Injection to RCE - Fortinet FortiWeb Fabric Connector (CVE-2025-25257)
• Researchers, CISA confirm active exploitation of critical Citrix Netscaler flaw | Cybersecurity Dive
• Google finds custom backdoor being installed on SonicWall network devices - Ars Technica
• Hackers Can Remotely Trigger the Brakes on American Trains and the Problem Has Been Ignored for Years