Full Report
Ransomware gangs have recently joined ongoing attacks targeting a Microsoft SharePoint vulnerability chain, part of a broader exploitation campaign that has already led to the breach of at least 148 organizations worldwide. [...]
Analysis Summary
# Incident Report: Widespread Exploitation of Microsoft SharePoint Servers via ToolShell
## Executive Summary
Ransomware gangs and other threat actors began actively exploiting zero-day vulnerabilities in Microsoft SharePoint servers (CVE-2025-49706 and CVE-2025-49704, followed by the patch-bypass flaws CVE-2025-53770 and CVE-2025-53771), leading to widespread compromise. Initial detection pointed to at least 54 affected organizations, but later analysis put the compromise at no fewer than 148 organizations and 400 malware-infected servers. Remediation began with Microsoft's July 2025 Patch Tuesday release and subsequent CISA directives.
## Incident Details
- **Discovery Date:** Early July 2025; Eye Security's initial detection confirmed exploitation of CVE-2025-49706 and CVE-2025-49704.
- **Incident Date:** Signs of exploitation documented as far back as July 7, 2025.
- **Affected Organizations:** At least 148 organizations globally, including government entities, telecommunications providers, technology companies, and multinationals.
- **Sector:** Government, Telecommunications, Technology, Multinational Corporations.
- **Geography:** North America and Western Europe, potentially global given the scale.
## Timeline of Events
### Initial Access
- **Date/Time:** Starting around July 7, 2025.
- **Vector:** Exploitation of unpatched Microsoft SharePoint vulnerabilities that together form the **ToolShell exploit chain**. The initial CVEs are CVE-2025-49706 and CVE-2025-49704.
- **Details:** Attackers used Remote Code Execution (RCE) flaws to gain initial access to SharePoint servers. Servers fully patched against the initial flaws were later found vulnerable to the follow-on zero-days (CVE-2025-53770/53771).
### Lateral Movement
- **Details:** Indicators suggest the exploitation led to malware infections on at least 400 servers across affected networks, implying successful post-exploitation activity and persistence within victim environments.
### Data Exfiltration/Impact
- **Details:** The primary impact cited is malware deployment, with ransomware gangs reportedly joining the activity, indicating potential data encryption or significant operational disruption following remote code execution and persistence.
### Detection & Response
- **Discovery:** Dutch cybersecurity firm Eye Security first detected the ToolShell exploitation. Check Point Research also observed signs of exploitation starting July 7.
- **Response actions taken:** Microsoft released patches for the two initial flaws in the July 2025 Patch Tuesday updates. CISA added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog and mandated that federal agencies secure affected systems within 24 hours.
## Attack Methodology
- **Initial Access:** Remote Code Execution (RCE) leveraging zero-day vulnerabilities in Microsoft SharePoint (CVE-2025-49706, CVE-2025-49704, later CVE-2025-53770).
- **Persistence:** Implied by the widespread malware infection across hundreds of servers, suggesting established footholds within compromised networks.
- **Privilege Escalation:** Not explicitly detailed, but RCE in the SharePoint application context is often sufficient to obtain high privileges on the exploited server.
- **Defense Evasion:** Not explicitly detailed, but evading detection long enough to infect 400+ servers suggests evasion techniques were employed.
- **Credential Access:** Not explicitly detailed, but ransomware gangs commonly pivot to credential theft after initial exploitation.
- **Discovery:** Not explicitly detailed, but internal discovery would typically precede the lateral movement that followed initial compromise.
- **Lateral Movement:** Indicated by the scale of infections (400 servers across 148 organizations).
- **Collection:** Not explicitly detailed, but likely involved reconnaissance preceding ransomware deployment or data exfiltration.
- **Exfiltration:** Associated with ransomware activity, though a specific exfiltration method is not detailed.
- **Impact:** Remote Code Execution leading to malware infection (potentially ransomware) across infrastructure.
## Impact Assessment
- **Financial:** Not quantified, but significant given the scale of the compromise and the mandatory response actions (remediation, downtime, and regulatory response costs).
- **Data Breach:** Likely, given the involvement of ransomware groups, suggesting potential data theft prior to encryption/disruption.
- **Operational:** Significant business disruption implied due to the infection of 400 servers across 148 organizations.
- **Reputational:** High risk due to the involvement of ransomware gangs and the compromise of government and multinational entities.
## Indicators of Compromise
*(Note: specific IoCs are not provided in the source report; only the following context is available.)*
- **Network indicators:** Related to the ToolShell exploit chain attempting RCE against SharePoint.
- **File indicators:** Malware deployed on compromised servers.
- **Behavioral indicators:** Unauthorized RCE activity targeting SharePoint servers.
## Response Actions
- **Containment measures:** Patching the underlying SharePoint vulnerabilities addressed by Microsoft's July 2025 Patch Tuesday. Isolation/reimaging of the 400+ infected servers.
- **Eradication steps:** Removal of deployed malware from affected systems.
- **Recovery actions:** Restoring services from backups and validating system integrity post-patching and malware removal.
## Lessons Learned
- **Key takeaways:** Zero-day vulnerabilities in widely used enterprise software (such as SharePoint) pose an immediate, large-scale risk that multiple threat actors, including ransomware gangs, will exploit. The window between patch release and widespread deployment is a critical exposure period.
- **What could have been done better:** Faster external detection of the full scope (the initial 54 organizations estimate was later far exceeded). Proactive monitoring for RCE attempts on critical internet-facing services.
## Recommendations
- **Prevention measures for similar incidents:** Maintain an aggressive patch management schedule, prioritizing patches for internet-facing applications, especially those addressing RCE vulnerabilities. Implement robust network segmentation to limit lateral movement after an initial compromise. Continuously monitor SharePoint servers for unusual process execution or network connections indicative of exploitation attempts.