🚨 ToolShell Exploits in Microsoft SharePoint: A Global Threat Landscape Unfolds 🌍

Chinese threat actors have weaponized the ToolShell vulnerability (CVE-2025-53770) in on-prem SharePoint servers, targeting critical infrastructure across four continents, including government agencies, universities, telecom providers, and finance firms.

🔍 Key Technical Insights:
• ToolShell is a zero-day RCE flaw that bypasses CVE-2025-49706 and CVE-2025-49704.
• Attackers used webshells for persistent access, followed by DLL side-loading of:
  🛠️ Zingdoor (Go-based backdoor)
  🐛 ShadowPad Trojan
  🦀 KrustyLoader (Rust-based loader)
  🧬 Sliver (post-exploitation framework)
• Legitimate executables from Trend Micro and BitDefender were abused for stealth.
• Credential dumping via ProcDump, Minidump, and LsassDumper.
• PetitPotam (CVE-2021-36942) used for domain compromise.
• Living-off-the-land tools included Certutil, GoGo Scanner, and Revsocks.

📊 Symantec’s report reveals a broader set of Chinese APTs involved than previously known, including Salt Typhoon, Budworm, Sheathminer, and Storm-2603.

🔐 This campaign underscores the urgency of patching vulnerable SharePoint instances and monitoring for lateral movement and post-exploitation frameworks.

#CyberSecurity #Infosec #ThreatIntel #APT #SharePoint #ToolShell #ZeroDay #RCE #Microsoft #DLLSideLoading #RustMalware #CredentialDumping #LivingOffTheLand #Symantec #BlueReport2025 #CVE2025 #SecurityOps #IncidentResponse #SOC #ThreatHunting
Chinese hackers exploit ToolShell in SharePoint, targeting global infrastructure.
-
🚨 ToolShell Exploits in Microsoft SharePoint: A Wake-Up Call for IT and Security Leaders

In the months following Microsoft’s July 2025 patch, multiple China-linked threat groups—including Linen Typhoon, Violet Typhoon, and Salt Typhoon—have exploited CVE-2025-53770, a critical SharePoint vulnerability now known as “ToolShell” (thehackernews.com).

🔍 What we know:
• CVE-2025-53770 enables authentication bypass and remote code execution on on-prem SharePoint servers.
• Despite being patched, the flaw was rapidly weaponized in espionage campaigns targeting:
  • A telecom provider in the Middle East
  • Government agencies in Africa and South America
  • A U.S. university and a European finance firm (thehackernews.com)
• Attackers deployed tools like ShadowPad, Zingdoor, and KrustyLoader—indicating long-term persistence and credential theft objectives (thehackernews.com).
• Some campaigns also leveraged PetitPotam (CVE-2021-36942) for privilege escalation and domain compromise (thehackernews.com).

🧠 Why this matters:
• ToolShell is a case study in patch lag, threat actor agility, and the limits of perimeter defense.
• The flaw bypasses previous patches (CVE-2025-49704/49706), raising concerns about patch efficacy and regression testing.
• The breadth of targets—telecom, education, finance, and government—underscores the cross-sector risk of unpatched collaboration platforms.

💬 For CISOs, MSPs, and infrastructure leaders:
• Reassess your SharePoint exposure—especially on-prem deployments.
• Validate patch coverage and monitor for post-exploitation behaviors (DLL side-loading, credential theft, lateral movement).
• Strengthen vendor patch validation processes and threat intel integration.

This isn’t just a SharePoint issue—it’s a governance issue. How are we ensuring that patching, detection, and response are aligned across silos?
#CyberSecurity #SharePoint #ToolShell #CVE202553770 #PatchManagement #ThreatIntelligence #MSP #CISO #ZeroDay #InfrastructureResilience #VendorAccountability #SecurityOps #Governance Article Link - https://lnkd.in/gcDUA9St
-
Chinese Threat Actors Exploit ToolShell SharePoint Flaw Weeks After Microsoft's July Patch

Threat actors with ties to China exploited the ToolShell security vulnerability in Microsoft SharePoint to breach a telecommunications company in the Middle East after it was publicly disclosed and patched in July 2025. Also targeted were government departments in an African country, as well as government agencies in South America, a university in the U.S., as well as likely a state technology agency in an African country, a government department in the Middle East, and a finance company in a European country.

According to Broadcom's Symantec Threat Hunter Team, the attacks involved the exploitation of CVE-2025-53770, a now-patched security flaw in on-premise SharePoint servers that could be used to bypass authentication and achieve remote code execution.

Stay connected for industry’s latest content – Follow Deepthi Talasila

#DevSecOps #ApplicationSecurity #AgenticAI #CloudSecurity #CyberSecurity #AIinSecurity #SecureDevOps #AppSec #AIandSecurity #CloudComputing #SecurityEngineering #ZeroTrust #MLSecurity #AICompliance #SecurityAutomation #SecureCoding #linkedin #InfoSec #SecurityByDesign #AIThreatDetection #CloudNativeSecurity #ShiftLeftSecurity #SecureAI #AIinDevSecOps #SecurityOps #CyberResilience #DataSecurity #SecurityInnovation #SecurityArchitecture #TrustworthyAI #AIinCloudSecurity #NextGenSecurity

https://lnkd.in/e9NTgkkv
-
Chinese Hackers Using ToolShell Vulnerability To Compromise Networks Of Government Agencies

Research shows China-linked actors have exploited the critical ToolShell vulnerability in on-prem Microsoft SharePoint since July 2025, gaining unauthenticated RCE, deploying web shells, and stealing data across government and critical infrastructure worldwide.

Key points:
• Vulnerability & vector: ToolShell allows unauthenticated RCE via deserialization; often paired with CVE-2025-53771 auth bypass.
• Actors & impact: Budworm, Sheathminer, Storm-2603; 400+ compromises across multiple continents.
• Tactics & tools: DLL sideloading, Zingdoor, ShadowPad, KrustyLoader, Sliver C2, Certutil, Procdump, PetitPotam.
• TDS BY NOMIOS TUNISIA Recommendations: Patch SharePoint, hunt for web shells & malicious DLLs, audit admin accounts, block/monitor IOCs, enforce EDR/network detections.

Why it matters: A single SharePoint flaw can enable persistent espionage and large-scale data theft.

#CyberSecurity #SharePoint #ToolShell #CVE2025 #ThreatIntel #APT #IncidentResponse #PatchManagement #InfoSec #TDSBYNOMIOSTUNISA
-
💻 The Hacker News 📰

Chinese Threat Actors Exploit ToolShell SharePoint Flaw Weeks After Microsoft's July Patch

Threat actors with ties to China exploited the ToolShell security vulnerability in Microsoft SharePoint to breach a telecommunications company in the Middle East after it was publicly disclosed and patched in July 2025. Also targeted were government departments in an African country, as well as government agencies in South America, a university in the U.S., as well as likely a state technology https://lnkd.in/gkvjpc2G

📌 🔗 Read more: https://lnkd.in/gtV8mG2w
-
Threat actors with ties to China exploited the ToolShell security vulnerability in Microsoft SharePoint to breach a telecommunications company in the Middle East. #2025 #Infosec #BT https://lnkd.in/gtV8mG2w
-
This is exactly why "visibility" without validation is dangerous — attackers live in native protocols. Read Part 1, then catch Part 2 for the low-noise signals you can actually alert on. Want a demo of detections in action? We’ll show you how NodeZero validates those gaps.
🕵️♂️ The attacker’s first 15 minutes in Active Directory: exposed.

If you’ve ever had a low-privilege foothold in a Windows domain, you know the playbook: quiet enumeration, Kerberoast collection, AS-REP grabs — all before the loud stuff even starts. This blog walks that exact workflow, minute-by-minute, and shows why these native, credential-driven techniques are so dangerous and easy to miss.

TL;DR:
💡 Enumeration: Quietly scrape Active Directory (AD) for users, descriptions, and Service Principal Names (SPNs) to find weak service and legacy accounts.
💡 Kerberoasting: Request Kerberos service tickets (TGS) for SPN accounts and crack offline.
💡 AS-REP Roasting: Request Authentication Service replies (AS-REP) for users with Kerberos pre-authentication (pre-auth) disabled and crack offline.
💡 Why dangerous: Native traffic, fast execution, pre-exploit timing, and often invisible to endpoint tools.
💡 Prevalence: These weaknesses appear in the majority of production environments we assess. They’re also leveraged in the real world by serious threat actors and part of real attack campaigns with dire consequences.
💡 Detection gap: SIEM/EDR struggle because Kerberos traffic looks like normal admin activity, offline cracking is invisible, and signal-to-noise is high.

In part 2, we’ll show deterministic, low-noise signals you can use to spot this behavior early — before it becomes privilege escalation or ransomware.

Read part 1: https://lnkd.in/gKqmragK

#ActiveDirectory #Kerberoasting #ADSecurity #OffensiveSecurity #NodeZero
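Added example (my own code, not from the blog post or NodeZero): a defender-side pass over constructed, pre-parsed Windows security events that surfaces the two TL;DR techniques, using the RC4 ticket encryption type (0x17) in Event ID 4769 as the Kerberoasting signal and pre-authentication type 0 with an RC4 ticket in Event ID 4768 as the AS-REP signal. The record field names, thresholds and sample events are this example's assumptions.

```python
"""Flag Kerberoasting and AS-REP roasting patterns in Windows security events.

Added example; field names, thresholds and records are assumptions, not from
the post. Signals: one account requesting RC4 (etype 0x17) service tickets for
many distinct service accounts in a short window (4769), and AS requests that
succeed with pre-authentication type 0 and an RC4 ticket (4768).
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4 = "0x17"  # TicketEncryptionType for RC4-HMAC; AES types are 0x11 / 0x12

# Constructed sample records (already parsed; keys are this example's own)
EVENTS = [
    {"id": 4769, "time": "2025-10-28T09:00:01", "user": "jdoe", "service": "svc_sql", "etype": "0x17"},
    {"id": 4769, "time": "2025-10-28T09:00:02", "user": "jdoe", "service": "svc_iis", "etype": "0x17"},
    {"id": 4769, "time": "2025-10-28T09:00:03", "user": "jdoe", "service": "svc_backup", "etype": "0x17"},
    {"id": 4769, "time": "2025-10-28T09:00:04", "user": "jdoe", "service": "svc_legacy", "etype": "0x17"},
    {"id": 4769, "time": "2025-10-28T09:00:05", "user": "jdoe", "service": "DC01$", "etype": "0x17"},
    {"id": 4769, "time": "2025-10-28T10:15:00", "user": "alice", "service": "svc_sql", "etype": "0x12"},
    {"id": 4769, "time": "2025-10-28T10:16:00", "user": "WS07$", "service": "FS01$", "etype": "0x17"},
    {"id": 4768, "time": "2025-10-28T11:00:00", "user": "legacy_svc", "preauth": 0, "etype": "0x17"},
    {"id": 4768, "time": "2025-10-28T11:00:05", "user": "alice", "preauth": 2, "etype": "0x12"},
]

def kerberoast_suspects(events, max_spns=3, window_s=300):
    """Return {user: sorted SPN accounts} for users that pulled RC4 service tickets
    for more than max_spns distinct non-machine accounts within window_s seconds."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] != 4769 or e["etype"] != RC4:
            continue
        if e["user"].endswith("$") or e["service"].endswith("$") or e["service"] == "krbtgt":
            continue  # machine accounts have long random passwords: not crackable
        by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["service"]))
    flagged = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # window starting at each request
            spns = {s for t, s in reqs[i:] if t - t0 <= timedelta(seconds=window_s)}
            if len(spns) > max_spns:
                flagged[user] = sorted(spns)
                break
    return flagged

def asrep_suspects(events):
    """Accounts issued an RC4 TGT with pre-auth type 0: AS-REP roastable."""
    return sorted({e["user"] for e in events
                   if e["id"] == 4768 and e.get("preauth") == 0 and e["etype"] == RC4})
```

In a real pipeline the same rule needs an allow-list for backup, monitoring and vulnerability-scanning accounts that legitimately touch many SPNs, which is where the signal-to-noise problem the post describes comes from.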
-
Prevalence + invisibility = urgency. If your SIEM/EDR can’t separate normal Kerberos traffic from malicious reconnaissance, you need proof-driven testing — not assumptions.
-
https://www.bleepingcomputer.com/news/security/sharepoint-toolshell-attacks-targeted-orgs-across-four-continents/ 😑