A global hacking campaign is exploiting a critical zero-day flaw (CVE-2025-53770) in Microsoft’s on-premises SharePoint software, with attacks escalating from espionage to ransomware. First detected around July 7, the breach has impacted over 400 organizations, including the U.S. Department of Homeland Security.
The attackers steal cryptographic server keys to gain persistent control. Microsoft released emergency patches on July 21 and is urging customers to update immediately. With a public exploit now available, the threat of widespread, automated attacks against unpatched systems is growing rapidly.
Chinese State-Sponsored Hackers Blamed for Global Campaign
Microsoft and Google’s Mandiant have attributed the initial attacks to multiple Chinese state-sponsored threat actors. In a detailed report, Microsoft identified two established groups, Linen Typhoon and Violet Typhoon, and a newer entity, Storm-2603, as the primary culprits.
Google’s Mandiant corroborated the findings. Charles Carmakal, CTO of Mandiant Consulting, stated, “we assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor,” adding that the situation is evolving rapidly. This attribution adds a significant geopolitical dimension, echoing previous major hacks of Microsoft products also blamed on China.
The Chinese government has firmly denied these allegations. In a statement, Chinese Foreign Ministry spokesman Guo Jiakun said, “China opposes and fights hacking activities in accordance with the law. At the same time, we oppose smears and attacks against China under the excuse of cybersecurity issues,” pushing back against the claims from Microsoft and U.S. officials.
Anatomy of the Attack: Stolen Keys and a Sophisticated Patch Bypass
The vulnerability, dubbed “ToolShell,” is a classic example of a “patch bypass.” Security researchers believe attackers used “patch diffing” to analyze Microsoft’s July security update, which fixed a related flaw (CVE-2025-49706). This technique allowed them to quickly engineer a new exploit that circumvents the original fix.
The attack itself is dangerously stealthy. Instead of deploying a typical webshell, attackers plant a small script to exfiltrate the server’s cryptographic machine keys. This method provides a far more persistent and dangerous form of access. As the research team at Eye Security warns, “these keys allow attackers to impersonate users or services, even after the server is patched. So patching alone does not solve the issue.”
This makes remediation a complex, two-step process. Simply applying the new patch is not enough to evict attackers who have already breached a server. Organizations must also rotate their ASP.NET machine keys to invalidate the stolen credentials and lock out intruders for good.
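The two-step remediation above is easier to reason about with a small model of why a stolen machine key outlives the patch. The Python below is an added illustration written for this article, not code from Microsoft, Eye Security or the campaign itself: it stands in for ASP.NET’s validation key with a constructed random HMAC-SHA256 key, signs a token the way a server would, and then shows that a token signed under a leaked copy of that key keeps validating after the exploit path is patched, and only stops validating once the key is rotated. The token format, the `Server` class and its `apply_patch`/`rotate_keys` methods are simplifications assumed for the demonstration, not SharePoint internals.

```python
import base64
import hashlib
import hmac
import json
import secrets

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256


def new_machine_key() -> bytes:
    """Constructed stand-in for an ASP.NET validation key (64 random bytes)."""
    return secrets.token_bytes(64)


def sign_token(payload: dict, validation_key: bytes) -> str:
    """Serialize a payload and append an HMAC over it, as a server would for
    a MAC-protected value such as ViewState or an auth cookie (simplified)."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(validation_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac).decode()


def verify_token(token: str, validation_key: bytes):
    """Return the payload if the MAC is valid under validation_key, else None.
    compare_digest avoids leaking the position of the first mismatching byte."""
    raw = base64.urlsafe_b64decode(token)
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(body)


class Server:
    """Hypothetical server holding one validation key (assumed model)."""

    def __init__(self):
        self.validation_key = new_machine_key()
        self.patched = False

    def apply_patch(self):
        # Closes the exploit path; deliberately leaves the key untouched,
        # which is exactly the gap the article describes.
        self.patched = True

    def rotate_keys(self):
        # Second remediation step: every value signed under the old key dies.
        self.validation_key = new_machine_key()

    def accepts(self, token: str) -> bool:
        return verify_token(token, self.validation_key) is not None


def simulate() -> tuple:
    """Walk through leak -> patch -> rotate and report whether a token minted
    under the leaked key is still accepted at each stage."""
    server = Server()
    leaked_key = server.validation_key            # what an exfiltration script carried off
    token = sign_token({"user": "svc-account"}, leaked_key)  # constructed payload
    before = server.accepts(token)
    server.apply_patch()
    after_patch = server.accepts(token)           # still valid: the key did not change
    server.rotate_keys()
    after_rotation = server.accepts(token)        # now rejected
    return before, after_patch, after_rotation


if __name__ == "__main__":
    print("accepted before patch, after patch, after key rotation:", simulate())
```

Running `simulate()` returns `(True, True, False)`: the patch alone changes nothing about which tokens the server trusts, which is the practical reason the key rotation step cannot be skipped.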
From Espionage to Ransomware: The Threat Escalates
Initially, the campaign appeared to be a targeted espionage effort focused on government and high-value corporate networks. However, the situation has taken a more destructive turn. Microsoft confirmed on July 23 that the Storm-2603 group is now using the exploit to deploy Warlock ransomware.
This escalation significantly raises the stakes for unpatched organizations, shifting the threat from data theft to operational paralysis. The availability of a proof-of-concept exploit on GitHub further democratizes the attack, making it accessible to less sophisticated cybercriminals.
The number of victims has skyrocketed from initial reports of a few dozen to at least 400 firms, according to cybersecurity firm Eye Security. Vaisha Bernard, the firm’s chief hacker, believes the true number is even higher, noting, “There are many more, because not all attack vectors have left artifacts that we could scan for.”
Microsoft and CISA Scramble to Contain the Fallout
The severity of the threat prompted a swift response from both Microsoft and U.S. authorities. After initially providing mitigation guidance, Microsoft released emergency out-of-band security updates for all affected SharePoint versions on July 21. The company’s threat intelligence division warned, “With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog. The agency issued a binding directive ordering all federal civilian agencies to apply Microsoft’s patches and remediation steps.
In its alert, CISA explained the danger, stating, “This exploitation activity, publicly reported as ‘ToolShell,’ provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content… and execute code over the network.” The breach of the Department of Homeland Security and the National Nuclear Security Administration underscores the gravity of the incident. This event recalls other major SharePoint security crises, including critical exploits in late 2024.