Source: "Microsoft SharePoint attacks ensnare 400 victims, including federal agencies" (CyberScoop). The Departments of Energy, Homeland Security and Health and Human Services have been impacted.
# Incident Report: Global SharePoint Zero-Day Exploit Campaign
## Executive Summary
A widespread attack spree targeted critical zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) in on-premises Microsoft SharePoint servers, leading to active exploitation across over 400 organizations globally, including multiple US government agencies. Attackers, including China-affiliated groups, used a range of techniques, culminating in the deployment of Warlock ransomware by one group (Storm-2603) and attempts to steal cryptographic keys for persistence. Response efforts centered on coordinated patching, threat intelligence sharing, and active mitigation by CISA and affected entities.
## Incident Details
- Discovery Date: Approximately one week prior to reporting (around July 2025, corresponding with Microsoft's patch release cycle).
- Incident Date: Exploitation began around July 18, 2025, with four distinct waves of attacks.
- Affected Organization: Over 400 organizations confirmed compromised, including US Departments of Energy, Homeland Security, Health and Human Services, and the California Independent System Operator (CAISO).
- Sector: Government (Federal), Critical Infrastructure (Energy), Private Sector.
- Geography: Global, with U.S.-based organizations heavily targeted.
## Timeline of Events
### Initial Access
- Date/Time: Exploitation began around July 18, 2025 (Wave 1 targeting by Storm-2603).
- Vector: Exploitation of zero-day vulnerabilities (CVE-2025-53770 and CVE-2025-53771) present in on-premises Microsoft SharePoint servers.
- Details: The 'ToolShell' exploit chain, leveraging these flaws, allowed attackers to bypass MFA/SSO and gain remote code execution capabilities over the network.
### Lateral Movement
- Details: Attackers were observed modifying policy settings to distribute Warlock ransomware (Storm-2603). Other groups (Linen Typhoon, Violet Typhoon) focused on espionage and intellectual property theft, implying deeper network reconnaissance.
### Data Exfiltration/Impact
- Details: Storm-2603 attempted to steal cryptographic keys from compromised servers, a technique aimed at maintaining persistence even after patching. Linen Typhoon focused on stealing intellectual property. No confirmed data exfiltration was reported by surveyed federal agencies (DHS, DOE) at the time of reporting.
### Detection & Response
- Date/Time: CISA launched a coordinated response via an initial alert and subsequent cybersecurity updates shortly after becoming aware of the new flaws (identified on a preceding Friday). Microsoft released patches for all affected SharePoint versions by late Monday.
- Response actions taken: CISA issued alerts, shared actionable information, and worked with Microsoft and partners to implement mitigation and protective measures. Affected agencies conducted monitoring, identification, and mitigation efforts.
## Attack Methodology
- Initial Access: Exploitation of SharePoint zero-days (CVE-2025-53770 [RCE, patch bypass] and CVE-2025-53771 [Security Bypass, patch bypass]) via the ToolShell exploit chain.
- Persistence: Attempted theft of cryptographic keys post-exploitation to maintain access after remediation.
- Privilege Escalation: Not explicitly detailed, but RCE capability likely allowed for subsequent escalation.
- Defense Evasion: Utilizing zero-day flaws allowed initial evasion; modification of policy settings was observed.
- Credential Access: Not explicitly detailed, but the attempted theft of cryptographic keys serves the same end of retaining access to compromised servers.
- Discovery: Threat groups (Linen Typhoon) were engaged in espionage, suggesting internal network mapping occurred.
- Lateral Movement: Modifying policy settings to deploy ransomware (Storm-2603).
- Collection: Stealing intellectual property (Linen Typhoon) and attempting to steal cryptographic keys.
- Exfiltration: Unconfirmed, though IP theft was a goal for one APT.
- Impact: Ransomware deployment (Warlock) and espionage/data theft attempts on critical infrastructure and government entities.
## Impact Assessment
- Financial: Not disclosed; potential costs associated with ransomware remediation and system cleanup.
- Data Breach: Potential theft of intellectual property and sensitive government information, though specific confirmation of exfiltration was denied by some agencies (DHS, DOE).
- Operational: CAISO reported "no impact to market operations or grid reliability." DOE reported only minimal impact due to cloud adoption. Some operational disruption likely occurred in the 400+ compromised organizations.
- Reputational: Significant, given the targeting of high-profile federal agencies.
## Indicators of Compromise
- Network indicators: Exploitation attempts targeting vulnerable SharePoint instances.
- File indicators: Warlock ransomware executable/artifacts (associated with Storm-2603).
- Behavioral indicators: Modification of SharePoint policy settings; attempts to locate and steal cryptographic keys.
## Response Actions
- Containment measures: Rapid deployment of new patches released by Microsoft against CVE-2025-53770 and CVE-2025-53771.
- Eradication steps: Ongoing investigation to fully identify the scope of compromise and remove associated malware (Warlock) and persistence mechanisms.
- Recovery actions: Agencies transitioned affected systems or applied mitigations to shield them from future attacks; DOE focused on transitioning a small number of impacted systems to unaffected offerings.
## Lessons Learned
- Zero-day vulnerability management remains critical, especially for widely deployed, on-premises enterprise software like SharePoint.
- Patch bypasses (as seen with CVE-2025-53770/53771 being bypasses of earlier flaws) indicate complex, evolving exploit chains that require rapid, multi-faceted security updates.
- Threat diversification: The incident highlights multiple threat actors (Storm-2603, Linen Typhoon, Violet Typhoon) concurrently abusing the same critical vulnerability for different objectives (ransomware vs. espionage).
## Recommendations
- Immediately prioritize patching all on-premises Microsoft SharePoint instances against the newly disclosed zero-days (CVE-2025-53770, CVE-2025-53771) and the previously disclosed vulnerabilities.
- Review configurations for post-exploitation persistence mechanisms, specifically checking for unauthorized modifications to policy settings on SharePoint servers.
- Harden perimeter defenses and monitoring so that activity related to the known ToolShell exploit chain can be detected.
- For critical infrastructure and government entities, investigate migrating high-value services away from on-premises environments to managed cloud offerings to reduce exposure to on-prem RCE zero-days.