SharePoint – Assume Compromise and Implement Mitigations

This week, many organizations struggled to respond to the ongoing exploitation of SharePoint servers. Organizations running SharePoint on-premise must patch and consider all SharePoint instances as compromised. Widespread compromise started several days ahead of the release of a patch. You must rotate Machine Keys on affected systems and rotate any other credentials. We do also see attempts to exploit backdoors left behind by SharePoint "Toolshell" exploits.

To assist in the response, we do have several blog posts available at SANS.org as well as at the SANS Internet Storm Center:

The ToolShell attack chain is under active and widespread exploitation, affecting unpatched SharePoint servers on premises, but not cloud services such as SharePoint Online or Microsoft 365. By installing web shell backdoors and exfiltrating Machine Keys, unauthenticated attackers can maintain persistence even after systems are patched; experts emphasize that patching is not sufficient, urging that users "assume compromise" and immediately implement remediations and mitigations. Users should apply all updates, enable anti-malware scanning, rotate Machine Keys, isolate vulnerable servers, reset credentials, scan for indicators of compromise, and check backups and logs. Microsoft Threat Intelligence has also observed the deployment of ransomware through this exploit.

At Pwn2Own Berlin in May 2025, Dinh Ho Anh Khoa of Viettel Cyber Security demonstrated two chained flaws allowing unauthenticated remote code execution (RCE) on SharePoint servers, dubbing the exploit "ToolShell." Microsoft patched the flaws (CVE-2025-49706 and CVE-2025-49704) on July 8. However, on Friday, July 18, researchers at Eye Security observed dozens of SharePoint systems around the world actively compromised by a new RCE vulnerability chain, and on Saturday, July 19, Microsoft published a notice confirming a zero-day critical RCE vulnerability in on-premises SharePoint servers. The zero-day flaw, CVE-2025-53770, CVSS score 9.8, allows an unauthorized attacker to execute code over a network due to deserialization of untrusted data in on-premises Microsoft SharePoint Server. This vulnerability is a variant of the ToolShell proof-of-concept, but was not fixed by the July 8 patch. On Sunday, July 20, Microsoft released an emergency patch, and also documented CVE-2025-53771, CVSS score 6.5, which allows an unauthorized attacker to perform spoofing over a network due to a path traversal flaw in Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019, and Microsoft SharePoint Enterprise Server 2016. By Wednesday, July 23, Eye Security estimated over 400 systems were actively compromised after four waves of attacks that began on Thursday, July 17. As of Monday, July 21, Microsoft has provided security updates for Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2016, and Microsoft SharePoint Server 2019; Eye Security notes that no patch is expected for Microsoft SharePoint Server 2010/2013, and those systems "must be isolated or decommissioned." Microsoft believes initial attack attempts may have begun as early as July 7.

Eye Security currently estimates over 400 organizations' SharePoint servers worldwide are being actively exploited. Researchers at Checkpoint observed an exploitation attempt against a "major Western government" as early as July 7, 2025. Those affected include the US Department of Energy (DOE) including the US National Nuclear Security Administration, but the DOE states that cloud usage and cybersecurity systems prevented all but a few systems from being impacted, and sensitive data were not affected. The US Department of Homeland Security, the Department of Education, the National Institutes of Health, the Florida Department of Revenue, the Rhode Island General Assembly, and national governments in Europe and the Middle East have also been breached. Checkpoint's analysis initially indicated nearly 50% of attacks targeted the government sector, but ongoing updates show the top targeted sectors as financial services, government, business services, telecommunications, and consumer goods and services, primarily focused on the United States, with smaller proportions in Western European countries, Canada, Brazil, and Australia.

Hardcoded credentials in Hewlett-Packard Enterprise (HPE) Aruba Instant On Access Points could be exploited gain administrative access to vulnerable systems. The critical vulnerability (CVE-2025-37103) affects HPE Networking Instant On Access Points running software version 3.2.0.1 and below. HPE's advisory, updated on July 17, 2025, also includes details of a high-severity authenticated command injection issue affecting the command line interface of HPE Networking Instant On Access Points. The vulnerability (CVE-2025-37102) could be exploited to execute arbitrary commands with elevated privileges. In both cases, users are advised to upgrade to firmware version 3.2.1.0 or newer.

SonicWall has published an advisory warning of a critical post-authentication arbitrary file upload vulnerability in the in the Secure Mobile Access (SMA) 100 series web management interface. The flaw could be exploited to upload arbitrary files to vulnerable systems. SonicWall urges users to update to SMA 100 Series (SMA 210, 410, 500v) 10.2.2.1-90sv and higher versions. In their advisory, SonicWall writes, "While there is currently no evidence that this vulnerability is being actively exploited in the wild and in order to exploit the vulnerability administrator privileges are required. However, the latest threat intelligence report from Google Threat Intelligence Group (GTIG) highlights potential risk" of Overstep malware being deployed on vulnerable SMA appliances. SonicWall outlines recommends measures for users to take to ensure the security of their appliances.

CrushFTP's President, Ben Spink, published a security advisory on July 18, 2025, disclosing a vulnerability first observed that day and believed to be a zero-day under active exploitation in the wild, affecting outdated versions of CrushFTP released before July 1: version 10 below 10.8.5 and version 11 below 11.3.4_23. CVE-2025-54309, CVSS score 9.8, allows a remote attacker to obtain admin access via HTTPS due to CrushFTP mishandling AS2 validation when the DMZ proxy feature is not used. Users who had already updated to newer versions were not affected, but Shadowserver's scans indicate just over 1000 CrushFTP instances are still running unpatched. It is not clear when exploitation first started. Spink directs users with exploited systems to "restore a prior default user from your backup folder from before the exploit," and to review upload/download reports for any transfers. Recommendations for mitigation are to limit IPs allowed for administration and whitelist permitted IPs, use a DMZ CrushFTP instance in front of enterprise implementations, set up frequent and automatic updates, and subscribe to the company's emergency notifications. Spink also provides IoCs, and notes that hackers have been altering CrushFTP's version display to "give a false sense of security."

Three New York public agencies have proposed new, tougher cybersecurity standards for water and wastewater utilities in that state. The Department of Environmental Conservation (DEC), the Department of Health (DOH), and the Department of Public Service (DPS) have each put forth water and wastewater security standards. Under the proposed rules, New York water and wastewater utilities serving between 3,300 and 50,000 people will be required to adopt an array of security measures, including undergoing annual cybersecurity analyses, developing and implementing incident response plans, adhering to new incident reporting requirements, and training employees in cyber hygiene. Utilities serving more than 50,000 people will also be required to have a designated staff member responsible for administering the cybersecurity program and monitoring network activity. The state's governor has also announced a $2.5 million grant program to help those utilities with expenses incurred implementing the new standards. NY's chief cyber officer Colin Ahern noted that "the new ... grant program, called the Cyber Resilience Grant Program for Water Systems, is the first he knows of that provides funding exclusively for cybersecurity improvements in the water and wastewater sector." Public comments on the proposed rules will be accepted by DEC through September 3, 2025 and by DOH and DPS through September 14, 2025. Water utilities will be required to comply with the rules by January 2027.

On July 15, 2025, ProPublica published an article raising concerns about a heretofore largely unknown “Digital Escort” program at Microsoft. US citizens with security clearances have been hired to interface with sensitive Department of Defense (DoD) data, “escorting” global software engineers who are not permitted access, reducing labor costs. However, digital escorts have reported they lack the technical training to understand and properly evaluate the safety of engineers' requests. On July 17, Senator Tom Cotton (R-Ark.) wrote a letter to US Secretary of Defense Pete Hegseth, mentioning Microsoft by name and requesting information on DoD contractors, focusing specifically on personnel based in China, employment and training of digital escorts, and FedRAMP requirements. Hegseth in turn signed a memo to the DoD on July 18, ordering a two-week review focused on mitigating "adversarial foreign influence" in department programs, processes, information technology capabilities, and personnel, leveraging "the Cybersecurity Maturity Model Certification, the Software Fast Track Program, the Authority to Operate process, the Federal Risk and Authorization Management Program, and ... the Secure Software Development Framework." Hegseth concurrently released a video in which he specified, "China will no longer have any involvement whatsoever in our cloud services," echoing Microsoft's announcement the same day from Chief Communications Officer Frank X. Shaw, that Microsoft has made changes so that "no China-based engineering teams are providing technical assistance for DoD Government cloud and related services." No other modifications to the digital escort program have been announced. ProPublica's initial report cites past incidents, namely the 2015 Office of Personnel Management breach through a third-party contractor and the 2023 State Department email breach through a Microsoft engineer's compromised account, as incidents that draw focus to China-based threats, also noting that Microsoft depends on a "vast global workforce," including major operations in India and the EU.

After a period of public consultation, the UK Home Office has published legislative proposals aimed at preventing and combating ransomware attacks. The first measure would place a "targeted ban" on ransomware payments by public sector and critical infrastructure organizations. The second measure would require groups outside the banned categories to notify the government of any payments as part of a "payment prevention regime" forestalling payments to any sanctioned threat actors. The third measure would require mandatory reporting of all ransomware incidents to law enforcement. Jamie MacColl, a senior research fellow at think tank RUSI believes that "threat actors are unlikely to develop a rigorous understanding of British legislation or how we designate our critical national infrastructure," noting that the measures could hinder recovery without deterring attacks, also raising concerns over the resources needed to handle increased volume of incoming intelligence from reporting programs. The proposals include approval statistics from the public consultation, which ran from January 14 to April 8, 2025, notably closing before the series of ransomware attacks on UK businesses in May 2025. The Record notes the UK's history of increasingly serious cyberattacks over the last five years and the government's previous discussions to pass similar legislation; a Cyber Resilience Bill expanding on 2018 cyber legislation is also anticipated in Parliament this year.

Clorox is suing IT help desk service provider Cognizant for $380 million, alleging that the organization allowed staff access credentials to be reset on multiple locations without taking steps to ensure the individuals requesting the resets were entitled to do so. Clorox claims that the release of the information led directly to a cyberattack in 2023 that cost Clorox hundreds of millions of dollars. Clorox is seeking reimbursement for monetary losses as well as punitive damages.

Radiology Associates of Richmond (Virginia) has notified the US Department of Health and Human Services Office for Civil Rights (HHS OCR) that an April 2024 breach of their network compromised protected health information (PHI) belonging to more than 1.4 million individuals. Anne Arundel Dermatology also reported a breach to HHS OCR. For several months earlier this year, intruders had access to the organization's network, resulting in the compromise of personal and protected health information of more than 1.9 million individuals. A medical practice in Alpharetta, Georgia, was forced to close for good following a February 2025 ransomware attack. Ascension Health Services LLC dba Alpha Wellness and Alpha Medical Centre reported the incident, which affected 1,714 individuals, to HHS OCR earlier this month. The practice closed its doors in April.

An Arizona woman who ran a laptop farm out of her home for three years has been sentenced to more than eight years in prison. Christina Marie Chapman's scheme enabled North Korean IT workers to accept remote positions at US companies and appear to be US citizens working from within the country. The scheme generated more than $17 million for Chapman and North Korean citizens. Chapman has also been ordered to forfeit $284,555.92 and pay a judgment of $176,850.