Content 

01. News Bites
  • UK plans ransomware payment ban for public sector
  • SharePoint zero-day breach hits 400+ organisations
  • Breach of US Nuclear agency highlights growing fallout from SharePoint zero-day attacks
  • APT41 targets African IT firm in cyber-espionage expansion
  • Swiss healthcare provider AMEOS hit by data breach

02. Conclusion

Quick News Bites

UK plans ransomware payment ban for public sector

The UK government is set to ban public sector and critical infrastructure organisations from paying ransoms after cyberattacks, aiming to disrupt the business model that drives ransomware. The proposed legislation would apply to schools, local councils, and the NHS. Security Minister Dan Jarvis said the UK is “determined to smash the cyber criminal business model” and protect essential services.

Businesses outside the scope of the ban would have to notify the authorities of any intention to pay and would receive guidance on whether the payment would breach sanctions. A mandatory reporting system is also in development to help law enforcement trace attackers. The move follows a January consultation and comes amid rising ransomware threats, considered the UK’s top cybercrime risk. High-profile victims include the NHS, the British Library, and more recently Marks & Spencer, which suffered an April breach by the DragonForce gang. The Co-op and Harrods have also reported incidents, underlining the persistent and evolving threat to UK organisations.

SharePoint zero-day breach hits 400+ organisations

Security researchers have revealed that over 400 organisations have been breached through a zero-day vulnerability in Microsoft SharePoint, marking a significant escalation since the flaw was first reported last week. The bug, tracked as CVE-2025-53770, affects self-hosted SharePoint servers and allows remote code execution, granting attackers access to internal files and broader networks.

Dutch firm Eye Security, which discovered the flaw, says scans have found hundreds of compromised systems, up from just dozens earlier in the week.

Researchers believe the vulnerability may have been exploited since July 7. Both Microsoft and Google have linked the attacks to China-backed threat actors, though Beijing has denied involvement. With thousands of servers still potentially exposed, experts warn that patching alone may not be enough — full system checks are urgently advised.

For more information read our threat advisory - https://insights.integrity360.com/threat-advisories/critical-vulnerability-in-sharepoint-cve-2025-53770-guidance-mitigation

Breach of US Nuclear agency highlights growing fallout from SharePoint zero-day attacks

The network of the U.S. National Nuclear Security Administration (NNSA) was breached by attackers exploiting a recently patched Microsoft SharePoint zero-day. The NNSA, responsible for safeguarding the nation’s nuclear weapons and responding to radiological emergencies, was one of several organisations compromised in the ongoing global espionage campaign.

A Department of Energy spokesperson confirmed the breach, stating the impact was limited due to widespread use of Microsoft 365 cloud services. Affected systems are being restored, with no evidence of classified data theft.

The broader attack campaign, tracked under the ToolShell exploit chain (CVE-2025-53770), has now impacted at least 148 organisations and infected over 400 servers, including targets in Europe and the Middle East. Microsoft and Google have attributed the campaign to multiple China-backed threat groups. The U.S. CISA has mandated urgent patching across federal systems. The situation continues to evolve as more compromises are uncovered worldwide.
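The “full system checks” recommended in the two SharePoint items above, as an added example that is not code from the newsletter, Integrity360 or Microsoft: a Python triage script that parses IIS W3C logs from a self-hosted SharePoint server and flags the two request patterns Microsoft published as indicators for this campaign (a POST to ToolPane.aspx carrying a Referer of /_layouts/SignOut.aspx, and requests for a dropped web shell named spinstall0.aspx or a numbered variant). The host names, IP addresses and log lines are constructed for the example.

```python
"""Triage check for ToolShell (CVE-2025-53770) activity in IIS W3C logs.

Added example, not code from the newsletter or from Microsoft. The two
indicators are taken from Microsoft's public guidance for this campaign:
  * POST to /_layouts/15/ToolPane.aspx (or /_layouts/16/) whose HTTP Referer
    is /_layouts/SignOut.aspx, the request shape used for the auth bypass;
  * requests for a dropped web shell spinstall0.aspx (numbered variants have
    also been reported) under the _layouts path.
Host names, IPs and log lines below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

TOOLPANE_RE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_RE = re.compile(r"/_layouts/signout\.aspx", re.IGNORECASE)
WEBSHELL_RE = re.compile(r"/_layouts/1[56]/spinstall\d*\.aspx$", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    client_ip: str
    timestamp: str
    uri: str
    detail: str


def parse_iis_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log text into one dict per request.

    Column names come from the latest '#Fields:' directive, so the parser
    follows whatever field set the server logs. IIS writes spaces inside a
    field as '+', so splitting on whitespace is safe.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software or #Date
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # truncated line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def hunt_toolshell(records: List[Dict[str, str]]) -> List[Finding]:
    """Return one Finding per record that matches a ToolShell indicator.

    Authenticated POSTs to ToolPane.aspx are normal page editing in
    SharePoint, so the SignOut.aspx Referer is what separates the exploit
    request from legitimate admin activity.
    """
    findings: List[Finding] = []
    for rec in records:
        uri = rec.get("cs-uri-stem", "")
        method = rec.get("cs-method", "").upper()
        referer = rec.get("cs(Referer)", "-")
        ip = rec.get("c-ip", "-")
        ts = f"{rec.get('date', '')} {rec.get('time', '')}"
        if method == "POST" and TOOLPANE_RE.search(uri) and SIGNOUT_RE.search(referer):
            findings.append(Finding("toolpane_signout_referer", ip, ts, uri,
                                    f"POST to ToolPane.aspx with Referer {referer}"))
        if WEBSHELL_RE.search(uri):
            findings.append(Finding("spinstall_webshell_path", ip, ts, uri,
                                    f"web shell path requested, status {rec.get('sc-status', '?')}"))
    return findings


def suspicious_ips(findings: List[Finding]) -> List[str]:
    """Distinct client IPs across findings, for pivoting into firewall or proxy logs."""
    return sorted({f.client_ip for f in findings})


# Constructed sample log (not real telemetry). Line 2 and 3 are the exploit
# request and the web shell fetch; line 4 is a legitimate admin edit that
# must not be flagged.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 13:02:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.1.22 Mozilla/5.0+(Windows+NT+10.0) https://sp.corp.example/sites/hr 200 0 0 120
2025-07-18 13:05:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) /_layouts/SignOut.aspx 200 0 0 845
2025-07-18 13:05:43 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 31
2025-07-18 13:07:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.1.40 Mozilla/5.0+(Windows+NT+10.0) https://sp.corp.example/sites/hr/_layouts/15/settings.aspx 200 0 0 200
"""

if __name__ == "__main__":
    hits = hunt_toolshell(parse_iis_w3c(SAMPLE_IIS_LOG))
    for hit in hits:
        print(f"{hit.timestamp} {hit.client_ip} {hit.rule}: {hit.detail}")
    print("pivot on:", ", ".join(suspicious_ips(hits)))
```

Run it against the real W3C logs under the SharePoint web application's IIS log directory rather than the constructed sample; a hit on either rule means the server should be treated as compromised and investigated, not just patched. Microsoft's guidance for this campaign also calls for rotating the farm's ASP.NET machine keys and restarting IIS after the update, because a key stolen before patching lets the attacker keep forging signed ViewState payloads, which is the concrete reason patching alone is not enough.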

APT41 targets African IT firm in cyber-espionage expansion

China-linked cyber-espionage group APT41 has launched a highly targeted attack against a government IT service provider in Africa, signalling a rare move beyond its usual focus on the US and Asia. Researchers at Kaspersky discovered the breach, noting the attackers used tailored malware with hardcoded internal infrastructure details — including victim IPs and proxy services — and even hijacked a SharePoint server within the target’s own network to serve as a command-and-control hub.

The attack leveraged familiar APT41 tactics: credential harvesting with Mimikatz, collection and exfiltration of sensitive files with tools like RawCopy and Pillager, and persistent access through Cobalt Strike beacons and Neo-reGeorg web-shell tunnels. The group’s use of legitimate tools like Impacket for reconnaissance further complicated detection.

APT41, also known as Wicked Panda or Brass Typhoon, has been active since at least 2012 and is known for combining state-sponsored espionage with financially motivated cybercrime. The attack underscores both the group’s evolving tactics and the rising cybercrime risk in Africa.

Swiss healthcare provider AMEOS hit by data breach

AMEOS Group, one of Central Europe’s largest private healthcare networks, has confirmed a data breach that may have exposed sensitive information belonging to patients, employees, and partners. The Zurich-based organisation operates over 100 hospitals, clinics, and care centres across Switzerland, Germany, and Austria, employing around 18,000 people.

In a statement issued under GDPR Article 34, AMEOS said attackers gained unauthorised access to its IT systems despite extensive security measures. The group warned that stolen data may be misused or shared online, though there is currently no evidence of its publication.

In response, AMEOS shut down all IT systems and network connections and engaged external forensic experts to support the investigation. Authorities have been notified, and a criminal complaint has been filed.

Patients and stakeholders are urged to remain vigilant against phishing or fraud attempts. AMEOS continues to assess the impact and has committed to strengthening its cyber security defences.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.