CISA Warns of ‘ToolShell’ Exploitation Chain Targeting SharePoint Servers; IOCs and Detections Released

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding an exploitation chain dubbed “ToolShell” targeting on-premises Microsoft SharePoint servers.

The chain leverages four vulnerabilities: CVE-2025-49704 (remote code execution via code injection, CWE-94), CVE-2025-49706 (improper authentication that allows spoofing over a network, CWE-287), CVE-2025-53770 (deserialization of untrusted data, CWE-502), and CVE-2025-53771 (a second improper authentication issue, CWE-287).

According to the analysis, threat actors chain CVE-2025-49706 with CVE-2025-49704 to gain unauthorized access and execute code on the server, while CVE-2025-53770 and CVE-2025-53771 bypass the fixes issued for the first two flaws, so servers that received only the earlier patches remain exploitable and attackers can quietly keep their foothold.

CISA's Malware Analysis Report (MAR-251132.c1.v1) covers six submitted files: two Base64-encoded .NET DLLs and four ASPX files used in these attacks. The analysis emphasizes the theft of cryptographic secrets, specifically the ASP.NET machine keys (validation and decryption keys) from the server configuration, which the malware writes into HTTP response headers so the attacker can read them back from an ordinary web request.

This chain, linked to actors such as Linen Typhoon, Violet Typhoon, and Storm-2603, facilitates webshell deployment, command execution, and data theft, posing significant risk to organizations with exposed SharePoint instances.

Malware Components

The analyzed artifacts reveal a deliberate tradecraft: the two DLLs (bjcloiyq.dll and osvmhdfl.dll) use .NET reflection to read the MachineKeySection from System.Web.Configuration, retrieving the validation and decryption keys together with system details such as drive letters, usernames, and OS version, which are formatted and returned in custom response headers such as "X-TXT-NET".

ASPX files such as spinstall0.aspx output these keys directly, while info3.aspx acts as a dropper that decodes and writes a second webshell (another info3.aspx variant) supporting cookie-based authentication, command execution via cmd.exe or PowerShell, and file upload.

The spinstallb.aspx and spinstallp.aspx webshells accept PowerShell commands supplied in encrypted form: they XOR-decrypt the payload with a hardcoded key, run it, and return the output Base64-encoded, giving the operator remote control and host fingerprinting.

Together these components can steal authentication material, exfiltrate data, and install further malware. The report ships YARA rules that detect the encoded .NET payloads and SIGMA rules that flag exploitation patterns such as suspicious HTTP requests to /_layouts/ paths.

Detection Signatures

CISA provides YARA and SIGMA detection rules to identify these threats, including patterns for Base64-encoded DLLs, webshell behaviors, and IOCs like specific IP addresses and file hashes.

Organizations are urged to apply Microsoft's patches, monitor SharePoint and IIS logs for anomalous activity, and use the provided IOCs for threat hunting. Because machine keys stolen before patching remain valid afterwards, organizations that find these artifacts should also rotate the ASP.NET machine keys and restart IIS, as Microsoft's guidance recommends; otherwise an attacker holding the keys can continue to forge signed payloads against a patched server.

For deeper mitigation, Microsoft's guidance on CVE-2025-53770 exploitation is the primary reference; unpatched servers remain vulnerable to the full chain.

Indicators of Compromise (IOCs)

Type       IOC Value                                                          Description
SHA256     60a37499f9b02c203af24c2dfd7fdb3834cea707c4c56b410a7e68376938c4b7   Base64-encoded .NET DLL data
SHA256     bee94b93c1796981a55d7bd27a32345a61304a88ed6cd70a5f7a402f1332df72   .NET DLL extracting machine keys
SHA256     92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514   ASPX file outputting keys
IP         107.191.58.76                                                      Attacker infrastructure
IP         104.238.159.149                                                    Attacker infrastructure
File Path  /_layouts/15/spinstall0.aspx                                       Malicious ASPX endpoint
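The hunting steps described above (look for requests to the /_layouts/ webshell endpoints in IIS logs, match source IPs, and hash files against the published SHA256s) as one script. This is an added example, not code from CISA's report or from this article: the IOC values are the ones in the table, the log lines are constructed for the example, the W3C field layout is the default IIS one, and the file-name pattern for spinstallb/spinstallp/info3 is an assumption that generalizes from the names the report lists rather than a CISA signature.

```python
"""Hunt IIS W3C logs and a SharePoint LAYOUTS directory for ToolShell IOCs."""
import hashlib
import re
from pathlib import Path

# IOC values from the table above (CISA MAR-251132.c1.v1).
IOC_IPS = {"107.191.58.76", "104.238.159.149"}
IOC_PATHS = {"/_layouts/15/spinstall0.aspx"}
IOC_SHA256 = {
    "60a37499f9b02c203af24c2dfd7fdb3834cea707c4c56b410a7e68376938c4b7",
    "bee94b93c1796981a55d7bd27a32345a61304a88ed6cd70a5f7a402f1332df72",
    "92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514",
}
# Assumption: a looser pattern built from the webshell names the report lists
# (spinstall0/b/p.aspx, info3.aspx) under any /_layouts/<version>/ prefix.
SUSPECT_NAMES = re.compile(
    r"/_layouts/(?:\d+/)?(?:spinstall[0bp]|info3)\.aspx", re.IGNORECASE
)

# Constructed sample log in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 10:15:03 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 200
2025-07-19 10:16:10 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.42 Mozilla/5.0 200
2025-07-19 10:17:44 10.0.0.5 POST /_layouts/15/spinstallb.aspx - 443 - 104.238.159.149 Mozilla/5.0 200
2025-07-19 10:18:00 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\bob 10.0.0.43 Mozilla/5.0 200
"""


def parse_w3c(lines):
    """Yield one dict per log row, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field names follow the directive
            continue
        if not line or line.startswith("#") or fields is None:
            continue  # other directives, blanks, or rows before any header
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed row: skip rather than misalign columns
        yield dict(zip(fields, values))


def hunt_log(lines):
    """Return [(reason, row)] for rows hitting an IOC path, name pattern, or IP."""
    hits = []
    for row in parse_w3c(lines):
        uri = row.get("cs-uri-stem", "")
        src = row.get("c-ip", "")
        reasons = []
        if uri.lower() in IOC_PATHS:
            reasons.append("ioc-path")
        elif SUSPECT_NAMES.search(uri):
            reasons.append("suspect-layouts-name")
        if src in IOC_IPS:
            reasons.append("ioc-ip")
        if reasons:
            hits.append((",".join(reasons), row))
    return hits


def hunt_files(directory):
    """SHA256 every file under directory; return [(path, digest)] matching an IOC."""
    matches = []
    for path in Path(directory).rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            if digest in IOC_SHA256:
                matches.append((str(path), digest))
    return matches


if __name__ == "__main__":
    for reason, row in hunt_log(SAMPLE_LOG.splitlines()):
        print(reason, row["c-ip"], row["cs-method"], row["cs-uri-stem"])
    # On a real server, point this at the SharePoint LAYOUTS folder, e.g.
    # C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS
    for path, digest in hunt_files("."):
        print("IOC hash match:", path, digest)
```

Run it against exported u_ex*.log files with `hunt_log(open(path))` and against the LAYOUTS directory with `hunt_files`. Because the webshells are dropped under /_layouts/, a hit on the name pattern from an internal IP still deserves triage: the report's IOCs cover only the infrastructure seen in the analyzed samples, and other operators reusing the same tooling will come from other addresses.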
