Chinese APTs Exploiting Latest SharePoint RCE Flaws to Deliver Ransomware


Microsoft has confirmed active exploitation of critical vulnerabilities in on-premises SharePoint servers by Chinese nation-state actors. These vulnerabilities (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, and CVE-2025-53771) are leveraged to gain initial access, deploy web shells, and ultimately drop ransomware (Warlock, LockBit). Microsoft has released emergency security updates and shared IOCs for defense.

Severity Level: Critical

Threat Actor Details

Actor         | Attribution                       | Objective                                   | Notable Characteristics
Linen Typhoon | China (APT)                       | IP theft from defense, government, NGOs     | Long-term surveillance, drive-by compromises
Violet Typhoon| China (APT)                       | Espionage of NGOs, military, media          | Uses persistent scanning for web vulns
Storm-2603    | China-based (moderate confidence) | Ransomware deployment (Warlock, LockBit)    | Recently active, distinct TTPs

Key Points To Highlight

  • Over 400 systems have been actively compromised across four confirmed attack waves.
  • Initial activity observed on July 17, 12:51 UTC from IP 96.9.125[.]147 – likely a testing phase.
  • Wave #1: July 18, 18:06 UTC from IP 107.191.58[.]76 – widely successful exploitation campaign.
  • Wave #2: July 19, 07:28 UTC from IP 104.238.159[.]149 – continued expansion of attack footprint.
  • Post-July 21: Multiple waves launched following public PoC release on GitHub for CVE-2025-53770/53771.
  • Exploitation rapidly escalated due to availability of multiple script variants in the wild.

Threat Summary

  • Affected Regions: Global exploitation observed, with strong targeting in the U.S., Europe, and East Asia.
  • Targeted Sectors: Government, Defense, Think Tanks, NGOs, Healthcare, Higher Education, Finance, Media, etc.
  • Affected Products: SharePoint Server 2016, SharePoint Server 2019, SharePoint Subscription Ed.
  • Ransomware used: Warlock – deployed via GPOs to encrypt systems after exploiting SharePoint and gaining domain-wide access.

Attack Flow

  1. Initial Exploitation: The attack begins with the exploitation of unpatched on-premises SharePoint servers through vulnerabilities including CVE-2025-53770, CVE-2025-53771, CVE-2025-49704, and CVE-2025-49706. Attackers send crafted POST requests to the ToolPane endpoint, gaining unauthenticated access.
  2. Web Shell Deployment: A malicious ASPX file (e.g., spinstall0.aspx) is uploaded to the server. This web shell enables remote code execution by invoking PowerShell or CMD commands through the SharePoint worker process (w3wp.exe).
  3. Command Execution and Reconnaissance: After initial access, the threat actor runs reconnaissance commands such as whoami and system information queries. PowerShell scripts are used in an obfuscated (base64) form to avoid detection.
  4. Defense Evasion: Using registry edits, the actor disables Microsoft Defender Antivirus and AMSI. These actions are performed silently via services.exe, rendering security tools ineffective.
  5. Persistence Establishment: Persistence is maintained by creating scheduled tasks, abusing IIS to load malicious .NET assemblies, and keeping the web shell accessible for long-term access.
  6. Privilege Escalation: The attacker uses PsExec with SYSTEM-level privileges (-s flag) to escalate access. This enables unrestricted control over the system and allows for subsequent lateral movement.
  7. Credential Access: Mimikatz is deployed to extract credentials from LSASS memory. This includes plaintext passwords and Kerberos tokens, allowing access to additional internal resources.
  8. Command and Control (C2): C2 communication is established using domains like update.updatemicfosoft[.]com and Ngrok tunnels (*.ngrok-free[.]app). Data is exfiltrated or commands are received over HTTP/S, DNS, or proxies.
  9. Impact – Ransomware Deployment: Once full access is achieved, the actor modifies Group Policy Objects (GPO) to push the Warlock ransomware across the network. Systems are encrypted, data is locked, and operations are disrupted.

Recommendations

Guidance for customers using SharePoint Server:

  1. Use supported versions of on-premises SharePoint Server. Apply the latest security updates, including the July 2025 Security Update.
  2. Configure AMSI integration in SharePoint, enable Full Mode for optimal protection, and deploy an appropriate antivirus solution such as Defender Antivirus.
  3. If you cannot enable AMSI, Microsoft recommends disconnecting your server from the internet until you have applied the most current security update. If the server cannot be disconnected from the internet, consider using a VPN or proxy requiring authentication, or an authentication gateway, to limit unauthenticated traffic.
  4. After applying the latest security updates or enabling AMSI, it is critical that customers rotate SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers.
  5. Continuously monitor for creation or modification of files with names like spinstall0.aspx on SharePoint server paths such as \TEMPLATE\LAYOUTS\ to detect web shell deployments indicative of post-exploitation.
  6. Set alerts for PowerShell executions initiated by the SharePoint worker process (w3wp.exe), especially those containing encoded commands or references to spinstall, as these are used for establishing persistence or data exfiltration.
  7. Correlate process events where cmd.exe, powershell.exe, or services.exe are spawned by w3wp.exe, as these can indicate lateral movement, privilege escalation, or defense evasion activities.
  8. Look for evidence of credential access tools such as Mimikatz by monitoring for LSASS memory access attempts or the use of modules like sekurlsa::logonpasswords.
  9. Block the IOCs at the respective controls:
     https://www.virustotal.com/gui/collection/93d472c19c90f5ad26abb363e403adf00335e6b9af8df56981ab633031821a13/iocs
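The detection recommendations in items 5 to 8 above (web shell writes under \TEMPLATE\LAYOUTS\, PowerShell or cmd.exe spawned by w3wp.exe, encoded PowerShell, Mimikatz's sekurlsa::logonpasswords, PsExec -s) and the network indicators listed earlier in this advisory can be expressed as a small rule set. The following is an added example, not code from Microsoft, Eye Security, or the advisory's authors: the indicator values are taken from this advisory, while the event format, the SharePoint install path prefix, and every sample event are constructed for illustration and are not real telemetry.

```python
"""Rule-based checks for the SharePoint post-exploitation behaviour described in
this advisory, run over constructed sample events (not real logs)."""
import base64
import ntpath
import re
from dataclasses import dataclass

# Indicators taken from the advisory text (defanged values restored for matching).
WEBSHELL_NAME_RE = re.compile(r"^spinstall\d*\.aspx$", re.IGNORECASE)
LAYOUTS_PATH_RE = re.compile(r"\\TEMPLATE\\LAYOUTS\\", re.IGNORECASE)
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "services.exe"}
C2_DOMAINS = {"update.updatemicfosoft.com"}
C2_DOMAIN_SUFFIXES = (".ngrok-free.app",)
ATTACKER_IPS = {"96.9.125.147", "107.191.58.76", "104.238.159.149"}
MIMIKATZ_MODULE = "sekurlsa::logonpasswords"
# Matches powershell's -e / -ec / -enc / -EncodedCommand switch and its base64 argument.
ENCODED_ARG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload (UTF-16LE base64), or "" if absent/invalid."""
    m = ENCODED_ARG_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def check_process_event(parent_image: str, image: str, cmdline: str) -> list[Alert]:
    """Rules for one process-creation event (parent path, child path, child command line)."""
    alerts = []
    parent = ntpath.basename(parent_image).lower()
    child = ntpath.basename(image).lower()
    # Item 7: shells or services.exe spawned by the SharePoint worker process.
    if parent == "w3wp.exe" and child in SUSPICIOUS_CHILDREN:
        alerts.append(Alert("w3wp_spawns_shell", f"w3wp.exe -> {child}"))
    # Item 6: PowerShell from w3wp.exe carrying an encoded command or a spinstall reference.
    if child == "powershell.exe":
        decoded = decode_encoded_command(cmdline)
        visible = (cmdline + " " + decoded).lower()
        if parent == "w3wp.exe" and (decoded or "spinstall" in visible):
            alerts.append(Alert("encoded_powershell_from_w3wp", decoded or cmdline))
    # Item 8: Mimikatz credential-dumping module on the command line.
    if MIMIKATZ_MODULE in cmdline.lower():
        alerts.append(Alert("mimikatz_module", MIMIKATZ_MODULE))
    # Attack-flow step 6: PsExec launched with the SYSTEM (-s) flag.
    if child in {"psexec.exe", "psexec64.exe"} and re.search(r"\s-s(\s|$)", cmdline, re.IGNORECASE):
        alerts.append(Alert("psexec_system", cmdline))
    return alerts


def check_file_event(path: str) -> list[Alert]:
    """Item 5: spinstall*.aspx written under a \\TEMPLATE\\LAYOUTS\\ directory."""
    if LAYOUTS_PATH_RE.search(path) and WEBSHELL_NAME_RE.match(ntpath.basename(path)):
        return [Alert("webshell_write", path)]
    return []


def check_network_event(src_ip: str, dest_host: str) -> list[Alert]:
    """Inbound source IP against the advisory's attack-wave IPs; outbound host against C2 names."""
    alerts = []
    host = dest_host.lower().rstrip(".")
    if host in C2_DOMAINS or host.endswith(C2_DOMAIN_SUFFIXES):
        alerts.append(Alert("c2_domain", host))
    if src_ip in ATTACKER_IPS:
        alerts.append(Alert("known_attacker_ip", src_ip))
    return alerts


def run_samples() -> list[Alert]:
    """Apply every rule to constructed sample events and return all alerts raised."""
    w3wp = "C:\\Windows\\System32\\inetsrv\\w3wp.exe"
    layouts = "C:\\Program Files\\Common Files\\microsoft shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\"
    # Constructed encoded payload: a harmless recon-style command, as the advisory's step 3 describes.
    encoded = base64.b64encode("whoami; Get-ChildItem C:\\".encode("utf-16-le")).decode()
    process_events = [
        (w3wp, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
         f"powershell.exe -NoP -W Hidden -EncodedCommand {encoded}"),
        (w3wp, "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c whoami"),
        ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c dir"),  # benign
        ("C:\\Windows\\System32\\cmd.exe", "C:\\Tools\\mimikatz.exe", 'mimikatz.exe "sekurlsa::logonpasswords" exit'),
        ("C:\\Windows\\System32\\cmd.exe", "C:\\Tools\\PsExec.exe", "PsExec.exe -s cmd.exe"),
    ]
    file_events = [layouts + "spinstall0.aspx", layouts + "default.aspx"]
    network_events = [("107.191.58.76", "sharepoint.corp.example"), ("10.0.0.5", "abcd1234.ngrok-free.app")]
    alerts = []
    for parent, image, cmdline in process_events:
        alerts += check_process_event(parent, image, cmdline)
    for path in file_events:
        alerts += check_file_event(path)
    for src_ip, host in network_events:
        alerts += check_network_event(src_ip, host)
    return alerts


if __name__ == "__main__":
    for a in run_samples():
        print(f"[{a.rule}] {a.detail}")
```

The encoded-command decoder matters in practice: the advisory notes that the actor's PowerShell is base64-obfuscated, so a rule that only greps the raw command line for spinstall or whoami will miss it, whereas decoding the UTF-16LE payload first lets the same keyword rules apply to what actually runs. The rules are deliberately narrow; a benign cmd.exe launched from explorer.exe raises nothing.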

Source:

  • https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
  • https://research.eye.security/sharepoint-under-siege/?
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771
  • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770

Ampcus Cyber