Ethical Hacking News

Ransomware Gangs Wreak Havoc on Microsoft SharePoint Servers: A Growing Concern for Global Organizations



Ransomware gangs are targeting Microsoft SharePoint servers, compromising at least 148 organizations worldwide. The attack uses zero-day exploits and state-backed hacking groups, making it challenging for organizations to detect and respond to. Stay informed and take proactive measures to protect your organization from these types of attacks.

  • The ToolShell attack targets vulnerable Microsoft SharePoint servers worldwide.
  • The attack is attributed to Chinese threat actors, including Linen Typhoon, Violet Typhoon, and Storm-2603.
  • A variant of ransomware called 4L4MD4R has been detected on compromised systems.
  • The malware loader was spotted following a failed exploitation attempt that revealed malicious PowerShell commands.
  • The attack exploits CVE-2025-49706 and CVE-2025-49704, leading to the compromise of at least 400 servers across multiple organizations.
  • Microsoft has patched the vulnerabilities with July 2025 Patch Tuesday updates.



    In recent weeks, a new wave of attacks has been making headlines, targeting vulnerable Microsoft SharePoint servers across the globe. Ransomware gangs have now joined the exploitation of a SharePoint vulnerability chain that has already led to the breach of at least 148 organizations worldwide.

    According to security researchers at Palo Alto Networks' Unit 42, a variant of ransomware called 4L4MD4R has been detected on systems compromised by this attack. The 4L4MD4R ransomware is based on open-source Mauri870 code and was analyzed after discovering a malware loader that downloaded and executed the ransomware from a specific IP address.

    The malware loader was spotted following a failed exploitation attempt that revealed malicious PowerShell commands designed to disable security monitoring on the targeted device. "Analysis of the 4L4MD4R payload revealed that it is UPX-packed and written in GoLang," said Unit 42. "Upon execution, the sample decrypts an AES-encrypted payload in memory, allocates memory to load the decrypted PE file, and creates a new thread to execute it."
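The loader described above was found because a failed exploitation attempt left PowerShell commands that switch off security monitoring in the logs. The following script is an added example, not code from Unit 42 or from the article, showing how a defender can scan PowerShell script-block and process-creation log text for Defender-tampering commands, including ones hidden behind an `-EncodedCommand` argument. The `Set-MpPreference`, `Add-MpPreference` and `WinDefend` names are real Windows Defender identifiers; the log line format and the sample events are constructed for this example and are not indicators from the actual incident.

```python
"""Flag PowerShell activity that disables or weakens Microsoft Defender.

Added example. Log format and sample events below are constructed; they are
not indicators taken from the ToolShell/4L4MD4R investigation.
"""
import base64
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int   # 1-based index into the scanned log
    rule: str      # short rule name
    detail: str    # flags or the command that matched


# Field carrying the command text in our constructed log lines.
FIELD = re.compile(r"(?:script|cmdline)=(.*)$")
# Any -Disable* switch set to true on a Set-MpPreference call.
DISABLE_FLAG = re.compile(r"-(Disable\w+)\s+(?:\$true|1)\b", re.I)
# powershell.exe -e / -ec / -enc / -EncodedCommand <base64 of UTF-16LE text>
ENC_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def expand_encoded(text: str) -> List[str]:
    """Return the text plus the decoded form of any encoded-command argument."""
    candidates = [text]
    for m in ENC_ARG.finditer(text):
        try:
            candidates.append(base64.b64decode(m.group(1)).decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64/UTF-16LE; keep only the raw text
    return candidates


def inspect_script(text: str):
    """Apply the tampering rules to one command string."""
    hits = []
    if re.search(r"\bSet-MpPreference\b", text, re.I):
        flags = [m.group(1) for m in DISABLE_FLAG.finditer(text)]
        if flags:
            hits.append(("defender-feature-disabled", ", ".join(flags)))
    if re.search(r"\bAdd-MpPreference\b.*-ExclusionPath", text, re.I):
        hits.append(("defender-exclusion-added", text.strip()))
    if re.search(r"(Stop-Service|sc(?:\.exe)?\s+stop)\s+.*\bWinDefend\b", text, re.I):
        hits.append(("defender-service-stopped", text.strip()))
    return hits


def scan_log(lines: List[str]) -> List[Finding]:
    """Scan log lines; encoded commands are decoded before rules are applied."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = FIELD.search(line)
        if not m:
            continue
        for candidate in expand_encoded(m.group(1)):
            for rule, detail in inspect_script(candidate):
                findings.append(Finding(n, rule, detail))
    return findings


# Constructed sample: one encoded command built here so the example is self-contained.
ENC = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16le")
).decode("ascii")

SAMPLE_LOG = [
    "2025-07-18T10:03:11Z host=SP01 event=4104 script=Get-ChildItem C:\\inetpub",
    "2025-07-18T10:03:15Z host=SP01 event=4104 script=Set-MpPreference -DisableRealtimeMonitoring $true",
    "2025-07-18T10:03:16Z host=SP01 event=4104 script=Set-MpPreference -DisableIOAVProtection $true -DisableBehaviorMonitoring $true",
    f"2025-07-18T10:03:20Z host=SP01 event=4688 cmdline=powershell.exe -EncodedCommand {ENC}",
    "2025-07-18T10:03:25Z host=SP01 event=4104 script=Add-MpPreference -ExclusionPath C:\\ProgramData\\example",
    "2025-07-18T10:04:02Z host=SP01 event=4104 script=Get-MpPreference",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

The decoding step matters in practice: a loader that passes its commands as `-EncodedCommand` will not match a plain-text rule, so any rule set of this kind should be applied to the decoded script as well as the raw command line, and script-block logging (event 4104) should be enabled so the decoded content is recorded by the platform itself.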

    The 4L4MD4R ransomware encrypts files on the compromised system and demands a payment of 0.005 Bitcoin, generating ransom notes and encrypted file lists on infected systems.

    Microsoft security researchers have linked the ToolShell attacks to Chinese threat actors, with three separate state-backed hacking groups identified: Linen Typhoon, Violet Typhoon, and Storm-2603. "Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon exploiting these vulnerabilities targeting internet-facing SharePoint servers," Microsoft said. "In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities."

    Eye Security, a Dutch cybersecurity firm, first detected the ToolShell exploitation targeting CVE-2025-49706 and CVE-2025-49704 in zero-day attacks, initially identifying 54 compromised organizations. Check Point Research subsequently revealed exploitation signs dating to July 7, targeting government, telecommunications, and technology organizations across North America and Western Europe.

    Microsoft has patched the two flaws with the July 2025 Patch Tuesday updates and assigned two new CVE IDs (CVE-2025-53770 and CVE-2025-53771) for zero-days exploited to compromise fully patched SharePoint servers. Eye Security Chief Technology Officer Piet Kerkhofs told BleepingComputer that the actual scope extends far beyond initial estimates, with the firm's data indicating that the attackers have infected at least 400 servers with malware across the networks of at least 148 organizations.

    The Cybersecurity and Infrastructure Security Agency (CISA) has added the CVE-2025-53770 remote code execution vulnerability, part of the ToolShell exploit chain, to its catalog of exploited flaws and ordered federal agencies to secure their systems within 24 hours.

    This attack highlights the growing concern for global organizations that rely on Microsoft SharePoint servers. As cybersecurity threats continue to evolve, it is essential for businesses to stay vigilant and take proactive measures to protect themselves from these types of attacks.

    In recent years, ransomware has become a major threat to organizations worldwide, with attacks targeting various industries, including healthcare, finance, and government. The use of state-backed hacking groups adds an extra layer of complexity to these attacks, making it challenging for organizations to determine the scope and impact of the breach.

    The use of zero-day exploits in these attacks further exacerbates the issue, as they can be particularly difficult to detect and respond to. In this case, the exploitation of CVE-2025-49706 and CVE-2025-49704 has led to the compromise of at least 400 servers across multiple organizations.

    Microsoft's Patch Tuesday updates have provided some relief by fixing these vulnerabilities, but it is essential for organizations to ensure that their systems are fully patched and up to date. Regular security audits and vulnerability assessments can help identify potential weaknesses in an organization's defenses.

    In addition, organizations should consider implementing robust backup and disaster recovery plans to minimize the impact of a breach. The use of threat intelligence and incident response planning can also help organizations respond quickly and effectively to these types of attacks.

    As the threat landscape continues to evolve, it is crucial for organizations to stay informed and take proactive measures to protect themselves from these types of attacks. By staying vigilant and taking steps to harden their defenses, organizations can reduce the risk of being targeted by ransomware gangs and minimize the impact of a breach.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Ransomware-Gangs-Wreak-Havoc-on-Microsoft-SharePoint-Servers-A-Growing-Concern-for-Global-Organizations-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/ransomware-gangs-join-attacks-targeting-microsoft-sharepoint-servers/


  • Published: Mon Aug 4 07:07:12 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.