The US National Nuclear Security Administration fell victim to a cyberattack exploiting the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint Server. The threat actor, 4L4MD4R, deployed ransomware using this flaw, demanding a ransom of $500 worth of Bitcoin. The attack involved unauthenticated remote code execution, allowing attackers to gain control over unpatched systems. The vulnerability, rated with a severity score of 9.8/10, posed a critical risk to organizations that had not applied the patch. The attack targeted high-profile entities, including government networks, and could have severe implications for national security and sensitive data.
TPRM report: https://www.rankiteo.com/company/national-nuclear-security-administration
"id": "nat221080925",
"linkid": "national-nuclear-security-administration",
"type": "Ransomware",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'National Security',
                        'location': 'USA',
                        'name': 'US National Nuclear Security Administration',
                        'type': 'Government'},
                       {'industry': 'Education',
                        'location': 'USA',
                        'name': 'Department of Education',
                        'type': 'Government'},
                       {'industry': 'Public Administration',
                        'location': 'Florida, USA',
                        'name': 'Florida’s Department of Revenue',
                        'type': 'Government'},
                       {'industry': 'Legislative',
                        'location': 'Rhode Island, USA',
                        'name': 'Rhode Island General Assembly',
                        'type': 'Government'},
                       {'industry': 'Public Administration',
                        'location': 'Europe and Middle East',
                        'name': 'Government networks in Europe and the Middle East',
                        'type': 'Government'}],
 'attack_vector': 'Exploitation of CVE-2025-53770 (ToolShell vulnerability in Microsoft SharePoint Server)',
 'data_breach': {'data_encryption': 'Yes'},
 'date_detected': '2025-07-27',
 'description': 'The threat actor 4L4MD4R is deploying ransomware by exploiting the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint Server. The ransom demanded is $500 worth of Bitcoin.',
 'initial_access_broker': {'entry_point': 'CVE-2025-53770 (ToolShell vulnerability)'},
 'motivation': 'Financial gain',
 'post_incident_analysis': {'root_causes': 'Exploitation of unpatched Microsoft SharePoint Server vulnerability (CVE-2025-53770)'},
 'ransomware': {'data_encryption': 'Yes',
                'ransom_demanded': '$500 worth of Bitcoin (0.005 BTC)',
                'ransomware_strain': '4L4MD4R (based on open-source Mauri870 code)'},
 'references': [{'source': 'Palo Alto Networks Unit 42'},
                {'source': 'BleepingComputer'}],
 'threat_actor': '4L4MD4R',
 'title': '4L4MD4R Ransomware Deployment via ToolShell Exploit',
 'type': 'Ransomware',
 'vulnerability_exploited': 'CVE-2025-53770'}