Latest news with #ToolShell


Forbes
4 hours ago
- Business
- Forbes
Microsoft Ties SharePoint Exploits To China-Backed ToolShell Group
China-linked hackers are exploiting a critical SharePoint flaw through the exploit chain known as ToolShell, bypassing patches and compromising organizations across key sectors.

Microsoft has linked a wave of SharePoint Server attacks to China-based threat actors using an exploit chain known as ToolShell. The attackers exploited CVE-2025-53770, a critical remote code execution vulnerability in on-premises SharePoint Server, to gain unauthorized access to vulnerable systems, including systems that had applied the earlier patches. Exploitation was observed in July 2025 and has affected more than 100 organizations, including government agencies, schools and energy companies.

This attack illustrates the dangers of persistent, strategic compromise. And it shows just how well-resourced and adaptive nation-state attackers can be, especially when defenders stick to the usual playbook.

A Closer Look at CVE-2025-53770

CVE-2025-53770 is a deserialization flaw in SharePoint Server with a critical CVSS rating of 9.8. It allows an unauthenticated attacker to send a specially crafted request and run arbitrary code on the server. From there, they can deploy malware, access internal networks and maintain control for future operations.

What makes this more dangerous is that CVE-2025-53770 is a variant of the ToolShell chain demonstrated in May: CVE-2025-49706, an authentication bypass, combined with CVE-2025-49704, the deserialization bug. Microsoft patched those two in its July 8 update, and the new variant bypasses that fix. Once a foothold is established, even systems that have since been patched can remain compromised.

ToolShell Reappears

ToolShell is not a remote access trojan; it is the name given to the exploit chain when it was demonstrated at the Pwn2Own contest in Berlin in May. In this campaign the chain is used to place a web shell on the SharePoint server that reads the ASP.NET MachineKey configuration, including the validationKey and decryptionKey. With those keys an attacker can sign their own ViewState payloads so that the server accepts them as legitimate, blend into normal SharePoint traffic, evade detection and keep executing code even after the original bug is patched, unless the keys are rotated.

Nation-State Attribution and a Growing Threat Landscape

Microsoft's Threat Intelligence team has formally attributed the campaign to China-based threat actors. But according to Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, the threat has already expanded beyond a single source. 'We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor. It's critical to understand that multiple actors are now actively exploiting this vulnerability. We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well,' Carmakal warned. In other words, the window between state-sponsored discovery and broader criminal adoption is shrinking fast.

Gabrielle Hempel, Security Operations Strategist at Exabeam, sees clear echoes of the 2021 Exchange server attacks in this campaign. 'Yet again, we're seeing a Microsoft enterprise product exploited at scale, with self-hosted deployments as the primary point of failure,' she noted. 'These environments generally remain low-hanging fruit due to patching delays and overexposed internal access.' Hempel also emphasized the operational complexity of these attacks. 'These attackers aren't just out to steal data, but gain remote access, drop malware and move laterally. Organizations should be treating this as a full domain compromise event and not just a SharePoint-specific incident.'

Patching Isn't Enough

This campaign underscores a frustrating but important truth in cybersecurity: patching alone is not enough. Microsoft has released a patch for CVE-2025-53770, but attackers who were already inside those systems can maintain persistence using stolen MachineKeys, other tools and chained exploits. In some cases, attackers gained access before the patch was available. In others, organizations failed to patch quickly, or correctly, leaving them vulnerable. A patch closes the entry point; it does not revoke keys that were already stolen or remove web shells that were already dropped, which is why Microsoft's guidance pairs patching with rotating the ASP.NET machine keys and restarting IIS. Once ToolShell has been used against a server, it's not just about SharePoint anymore. It's about what else attackers can reach from there.

What Organizations Need to Do Now

Microsoft and other experts recommend several immediate steps. As Hempel pointed out, many security teams lack visibility into SharePoint logs or internal network movement. 'We will likely see ripple effects from breaches of this vulnerability across PCI, HIPAA, ISO 27001, NIST 800-171 and even DFARS/CMMC,' she warned.

Rethinking Hybrid Security

SharePoint's widespread use and the mix of on-prem and cloud deployments make it a prime target. Many organizations have moved to cloud-based platforms, but legacy on-prem systems often remain in place, and underprotected. This campaign is a reminder that defending hybrid environments requires more than patching and monitoring the perimeter. It demands real visibility, fast detection and a plan for persistence. Nation-state attackers do not rely on zero-days alone. They leverage known flaws, chain exploits and adapt faster than most organizations can respond. The compromise isn't coming. For many, it's already here.

The Hindu
7 hours ago
- Business
- The Hindu
Microsoft knew of SharePoint security flaw but failed to patch it; Alibaba launches new AI coding model; Amazon to buy AI wearable startup

Microsoft knew of SharePoint security flaw but failed to patch it

A new report has revealed that a security patch released by Microsoft earlier in the month failed to fully fix a critical flaw in its SharePoint server software. The bug had been identified at a hacking contest organised by the cybersecurity firm Trend Micro in May. A cybersecurity researcher participating in the competition found the SharePoint bug at the event, termed it 'ToolShell' and won the $100,000 prize. A Microsoft spokesperson confirmed this and said the company had released patches to fix it. Although it is still not known who orchestrated the attack, Microsoft said in a blog post that two Chinese hacking groups, dubbed 'Linen Typhoon' and 'Violet Typhoon', were among the parties exploiting the vulnerabilities, which affected around 100 organisations over the weekend; that number is expected to grow. According to reports, more than 8,000 servers online could have been compromised by hackers, at organisations including industrial firms, banks, auditors, healthcare companies and several U.S. state-level and global government entities.

Alibaba launches new AI coding model

Chinese tech giant Alibaba has announced the launch of its most advanced open-source AI coding model, Qwen3-Coder. The tool will be able to assist developers with generating code and managing complicated coding workflows, the company said. Alibaba Group claims the model especially excels at 'agentic AI coding tasks', meaning the AI system can work on its own across different coding tasks. The company also said that Qwen3-Coder surpassed local rivals, including models from DeepSeek and Moonshot AI's K2, at coding, and that it matched the coding capabilities of Western counterparts such as Anthropic's Claude, widely regarded as the best at AI coding, and OpenAI's GPT-4. AI coding tools have become a rage, with new AI startups reaching sky-high valuations on the strength of their ease of use.

Amazon to buy AI wearable startup

Amazon has struck a deal to acquire an AI wearable startup called Bee, whose bracelet listens in on conversations and transcribes them. The wristband, priced at $50, can analyse and distil conversations into summaries, to-do lists and other tasks. An Amazon spokesperson said the company will work with the firm to give users more control over the devices, which transcribe audio automatically but can also be muted. This isn't the first time Amazon has moved into wearables. Earlier, the company marketed a line of wrist health trackers called Halo, a project it eventually killed in 2023. There is also a line of smart glasses embedded with Amazon's virtual assistant Alexa under its Echo brand. Other AI firms like OpenAI have also shifted towards AI gadgets, after a roughly $6.5 billion deal with former Apple designer Jony Ive's io startup. Other startups are moving towards AI wearables as well, with varied results.


Indian Express
12 hours ago
- Indian Express
Microsoft knew of SharePoint security flaw but failed to effectively patch it, timeline shows
A security patch Microsoft released this month failed to fully fix a critical flaw in the U.S. tech giant's SharePoint server software, opening the door to a sweeping global cyber espionage effort, a timeline reviewed by Reuters shows.

On Tuesday, a Microsoft spokesperson confirmed that its initial solution to the flaw, identified at a hacker competition in May, did not work, but added that it released further patches that resolved the issue.

It remains unclear who is behind the spy effort, which targeted about 100 organisations over the weekend, and is expected to spread as other hackers join the fray. In a blog post Microsoft said two allegedly Chinese hacking groups, dubbed 'Linen Typhoon' and 'Violet Typhoon,' were exploiting the weaknesses, along with a third, also based in China. Microsoft and Alphabet's Google have said China-linked hackers were probably behind the first wave of hacks.

Chinese government-linked operatives are regularly implicated in cyberattacks, but Beijing routinely denies such hacking operations. In an emailed statement, its embassy in Washington said China opposed all forms of cyberattacks, and 'smearing others without solid evidence.'

The vulnerability opening the way for the attack was first identified in May at a Berlin hacking competition organised by cybersecurity firm Trend Micro that offered cash bounties for finding computer bugs in popular software. It offered a $100,000 prize for so-called 'zero-day' exploits that leverage previously undisclosed digital weaknesses that could be used against SharePoint, Microsoft's flagship document management and collaboration platform.

The U.S. National Nuclear Security Administration, charged with maintaining and designing the nation's cache of nuclear weapons, was among the agencies breached, Bloomberg News said on Tuesday, citing a person with knowledge of the matter. No sensitive or classified information is known to have been compromised, it added. The U.S. Energy Department, the U.S. Cybersecurity and Infrastructure Security Agency, and Microsoft did not immediately respond to Reuters' requests for comment on the report.

A researcher for the cybersecurity arm of Viettel, a telecoms firm run by Vietnam's military, identified a SharePoint bug at the May event, dubbed it 'ToolShell' and demonstrated a way to exploit it. The discovery won the researcher an award of $100,000, an X posting by Trend Micro's 'Zero Day Initiative' showed. Participating vendors were responsible for patching and disclosing security flaws in 'an effective and timely manner,' Trend Micro said in a statement. 'Patches will occasionally fail,' it added. 'This has happened with SharePoint in the past.'

In a July 8 security update Microsoft said it had identified the bug, listed it as a critical vulnerability, and released patches to fix it. About 10 days later, however, cybersecurity firms started to notice an influx of malicious online activity targeting the same software the bug sought to exploit: SharePoint servers. 'Threat actors subsequently developed exploits that appear to bypass these patches,' British cybersecurity firm Sophos said in a blog post on Monday.

The pool of potential ToolShell targets remains vast. Hackers could theoretically have already compromised more than 8,000 servers online, data from search engine Shodan, which helps identify internet-linked equipment, shows. Such servers were in networks ranging from auditors, banks, healthcare companies and major industrial firms to U.S. state-level and international government bodies. The Shadowserver Foundation, which scans the internet for potential digital vulnerabilities, put the number at a little more than 9,000, cautioning that the figure is a minimum. It said most of those affected were in the United States and Germany.

Germany's federal office for information security, BSI, said on Tuesday it had found no compromised SharePoint servers in government networks, despite some being vulnerable to the ToolShell attack.

The Hindu
13 hours ago
- Business
- The Hindu
Microsoft knew of SharePoint security flaw but failed to effectively patch it, timeline shows
A security patch released by Microsoft earlier this month failed to fully fix a critical flaw in the U.S. tech company's SharePoint server software that had been identified at a hacking competition in May, opening the door to a sweeping global cyber espionage operation, according to a timeline of events reviewed by Reuters.

A Microsoft spokesperson confirmed on Tuesday that its initial solution did not work. The spokesperson added that Microsoft had released further patches that fixed the issue.

It remains unclear who is behind the ongoing operation, which targeted around 100 organisations over the weekend and is expected to escalate as other hackers join the fray. Microsoft said in a blog post that two allegedly Chinese hacking groups, dubbed "Linen Typhoon" and "Violet Typhoon," were exploiting the vulnerabilities, along with another China-based hacking group. Microsoft and Alphabet's Google have said that China-linked hackers were likely behind the first wave of hacks.

Chinese government-linked operatives are regularly implicated in cyberattacks, but Beijing routinely denies carrying out hacking operations. In an emailed statement, the Chinese embassy in Washington said China opposes all forms of cyberattacks, and "smearing others without solid evidence."

The vulnerability that facilitated the attack was first identified in May at a hacking competition in Berlin organised by cybersecurity firm Trend Micro, which offered cash bounties for the discovery of computer bugs in popular software. It offered a $100,000 prize for "zero-day" exploits, which are called that because they leverage previously undisclosed digital weaknesses that could be used against SharePoint, Microsoft's flagship document management and collaboration platform.

A researcher working for the cybersecurity arm of Viettel, a telecommunications firm operated by Vietnam's military, identified a SharePoint bug at the event, dubbed it "ToolShell" and demonstrated a method of exploiting it. The researcher was awarded $100,000 for the discovery, according to a post on X by Trend Micro's "Zero Day Initiative." In a statement, Trend Micro said it was the responsibility of vendors participating in its competition to patch and disclose security flaws in "an effective and timely manner." "Patches will occasionally fail. This has happened with SharePoint in the past," the statement said.

Microsoft said in a July 8 security update that it had identified the bug, listed it as a critical vulnerability, and released patches to fix it. About 10 days later, however, cybersecurity firms started to notice an influx of malicious online activity targeting the same software the bug sought to exploit: SharePoint servers. "Threat actors subsequently developed exploits that appear to bypass these patches," British cybersecurity firm Sophos said in a blog post on Monday.

The pool of potential ToolShell targets remains vast. According to data from Shodan, a search engine that helps identify internet-linked equipment, over 8,000 servers online could theoretically have already been compromised by hackers. Those servers include major industrial firms, banks, auditors, healthcare companies, and several U.S. state-level and international government entities. The Shadowserver Foundation, which scans the internet for potential digital vulnerabilities, put the number at a little more than 9,000, while cautioning that the figure was a minimum. It said most of those affected were in the United States and Germany, and the victims included government organisations.

Germany's federal office for information security, BSI, said on Tuesday it had found SharePoint servers within government networks that were vulnerable to the ToolShell attack but none had been compromised.


Techday NZ
18 hours ago
- Techday NZ
SharePoint zero-day flaw exploited as over 9,000 servers at risk
Cybersecurity experts have raised fresh alarms following reports of active exploitation targeting Microsoft SharePoint servers worldwide. The scale and sophistication of the attacks, which began to surface in detailed research at the end of last week, are causing concern among organisations that rely on the popular collaboration platform for critical information infrastructure.

The vulnerability at the centre of the incident, now assigned CVE-2025-53770, affects a wide cross-section of on-premises SharePoint Server deployments. Research from Eye Security first brought attention to what it described as "active, large-scale exploitation", driven by a zero-day weakness related to a pair of vulnerabilities collectively known as ToolShell. Successful exploitation allows attackers to extract the ASP.NET MachineKey configuration from vulnerable servers, exposing both the validationKey and decryptionKey, which protect the integrity and confidentiality of ViewState and other ASP.NET tokens. Once in attacker hands, these keys let them sign requests the server will accept as legitimate, so a server that is later patched but keeps the same keys is still exposed.

As Satnam Narang, Senior Staff Research Engineer at Tenable, explained, "Attackers were able to exploit the flaw, now identified as CVE-2025-53770, to steal MachineKey configuration details from vulnerable SharePoint Servers. These details can be used by attackers to create specially crafted requests that could be used to gain unauthenticated remote code execution." Narang noted that the consequences for affected organisations may be severe, with broad implications for data integrity and security across industry sectors.

Indicators of compromise are already being circulated among security teams. Organisations are being urged to check for evidence of unauthorised access, with one telltale sign being the sudden creation of files named " on vulnerable servers, possibly under other extensions.

The scope of exposure is significant, with estimates suggesting over 9,000 externally accessible SharePoint servers are potentially at risk. These systems are deployed globally by enterprises, government entities, and a range of other organisations relying on SharePoint for document management and collaboration.

Patching efforts have commenced in earnest. Microsoft began distributing fixes late on 20 July, prioritising SharePoint Server 2019 and SharePoint Subscription Edition. A remedy for SharePoint Server 2016 remains pending but is expected imminently. Narang advised, "We strongly advise organisations to begin conducting incident response investigations to identify potential compromise; otherwise, apply the available patches and review the mitigation instructions provided by Microsoft."

Andrew Obadiaru, Chief Information Security Officer at offensive security firm Cobalt, warned that the speed and depth of zero-day exploitation leaves little margin for delay or complacency. "Zero-day vulnerabilities in widely deployed platforms like SharePoint are a goldmine for attackers because they provide immediate, scalable access to high-value environments. The challenge isn't just patching - it's that attackers typically implant persistence mechanisms within hours, ensuring long-term footholds. Defence strategies need to assume breach and validate controls through proactive testing, including red teaming and continuous pentesting, to uncover weaknesses before adversaries do. In today's threat landscape, reactive security alone is a losing game."

Obadiaru's remarks echo a growing industry consensus that traditional perimeter defences are proving insufficient in the face of increasingly sophisticated and rapid cyber threats. Security teams are being encouraged to revisit their incident response and detection protocols, adopting a proactive security posture and preparing for the possibility that attackers may already be inside their networks.

For now, the advice from the security community is clear: immediate action is essential. Organisations are urged to initiate incident response processes, apply available patches without delay, and review configuration settings for any signs of compromise. Vigilance and proactive testing will be the defining factors in limiting the fallout from yet another high-profile zero-day targeting widely used enterprise software.
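The MachineKey point in the Techday piece above, and the Forbes article's "Patching Isn't Enough" argument earlier on this page, come down to a single trust relationship: ASP.NET accepts any __VIEWSTATE whose MAC was computed with the server's validationKey, and then deserializes it. The toy model below is an added example written for this page; it is not code from any of the articles, from Microsoft, Eye Security or Tenable. It reduces the real ViewState format to HMAC-SHA256 over an opaque payload (the real encoding and key derivation differ) and uses constructed keys and payloads. It shows a token forged with a stolen key being accepted by a server that has been "patched" but still holds the same key, and rejected once the key is rotated.

```python
"""Toy model of why a leaked ASP.NET validationKey survives a patch.

Added example for this page, not vendor or article code. The real
__VIEWSTATE layout, key derivation and decryptionKey handling are not
modelled; only the MAC trust relationship that the validationKey provides.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes of HMAC-SHA256


def sign_viewstate(payload: bytes, validation_key: bytes) -> str:
    """Server side: MAC the serialized payload and base64 the whole token."""
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def verify_viewstate(token: str, validation_key: bytes) -> Optional[bytes]:
    """Server side: return the payload if the MAC is valid, else None.

    A payload that passes here is treated as trusted and handed to the
    deserializer, which is exactly why a stolen key is so valuable.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


def forge_viewstate(stolen_validation_key: bytes, attacker_payload: bytes) -> str:
    """Attacker side: with the dumped validationKey the attacker signs
    arbitrary payloads exactly as the server would; no bug is needed."""
    return sign_viewstate(attacker_payload, stolen_validation_key)


def rotate_machine_key() -> bytes:
    """Remediation: a fresh validationKey invalidates every token MAC'd
    under the old one, including those the attacker pre-computed."""
    return secrets.token_bytes(64)


def run_scenario() -> Dict[str, bool]:
    """Key theft -> forged token accepted -> patch without rotation -> still
    accepted -> key rotated -> rejected. Keys and payloads are constructed."""
    server_key = secrets.token_bytes(64)  # constructed stand-in for validationKey
    stolen_key = server_key               # what a MachineKey dump hands over
    evil = b"<constructed attacker-controlled serialized object>"
    forged = forge_viewstate(stolen_key, evil)

    results: Dict[str, bool] = {}
    results["accepted_with_stolen_key"] = verify_viewstate(forged, server_key) == evil

    # Installing the vendor patch closes the initial entry point but does not
    # touch web.config, so the same key is still trusted and the token still works.
    results["accepted_after_patch_same_key"] = verify_viewstate(forged, server_key) == evil

    new_key = rotate_machine_key()
    results["accepted_after_key_rotation"] = verify_viewstate(forged, new_key) == evil

    # Control: without the key, swapping the payload under a valid MAC fails.
    legit = sign_viewstate(b"<legit>", new_key)
    old_mac = base64.b64decode(legit)[-MAC_LEN:]
    tampered = base64.b64encode(b"<evil>" + old_mac).decode("ascii")
    results["tampered_without_key_accepted"] = verify_viewstate(tampered, new_key) is not None
    return results


if __name__ == "__main__":
    for step, accepted in run_scenario().items():
        print(f"{step}: {'ACCEPTED' if accepted else 'rejected'}")
```

The point of the control case is that the MAC itself is sound; the failure is key custody, not cryptography. That is why Microsoft's guidance pairs the July updates with rotating the ASP.NET machine keys and restarting IIS: the patch removes the way in, rotation revokes what the attacker already holds, and a web shell hunt handles what was dropped before either.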