CISA Warns of ‘ToolShell’ Exploitation Chain Targeting SharePoint Servers; IOCs and Detections Released
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding an exploitation chain dubbed “ToolShell” targeting on-premises Microsoft SharePoint servers.
It leverages multiple vulnerabilities including CVE-2025-49704 (a remote code execution flaw via code injection, CWE-94), CVE-2025-49706 (improper authentication through network spoofing, CWE-287), CVE-2025-53770 (deserialization of untrusted data, CWE-502), and CVE-2025-53771 (another improper authentication issue, CWE-287).
According to the analysis, threat actors chain CVE-2025-49706 with CVE-2025-49704 to gain unauthorized access, while CVE-2025-53770 and CVE-2025-53771 enable bypassing prior mitigations, potentially allowing stealthy persistence.
CISA’s Malware Analysis Report (MAR-251132.c1.v1) details six submitted files (two Base64-encoded .NET DLLs and four ASPX files) used in these attacks, emphasizing the extraction of cryptographic secrets such as ASP.NET machine keys from the server configuration, which are then placed in HTTP response headers for exfiltration.
This chain, linked to actors such as Linen Typhoon, Violet Typhoon, and Storm-2603, facilitates webshell deployment, command execution, and data theft, posing significant risks to organizations with exposed SharePoint instances.
Malware Components
The analyzed artifacts reveal sophisticated tactics: the DLLs (e.g., bjcloiyq.dll and osvmhdfl.dll) employ reflection to access MachineKeySection in System.Web.Configuration, retrieving validation and decryption keys alongside system details like drive letters, usernames, and OS versions, which are formatted and exfiltrated via custom headers like “X-TXT-NET”.
ASPX files such as spinstall0.aspx directly output these keys, while info3.aspx acts as a dropper, decoding and installing a malicious webshell (another info3.aspx variant) that handles cookie-based authentication, command execution via cmd.exe or PowerShell, and file uploads.
Webshells like spinstallb.aspx and spinstallp.aspx execute encrypted PowerShell commands, using XOR decryption with hardcoded keys to run payloads and return outputs in Base64-encoded form, enabling remote control and fingerprinting.
These components demonstrate capabilities for stealing authentication credentials, exfiltrating data, and installing further malware, with YARA rules detecting encoded .NET payloads and SIGMA rules identifying exploitation patterns like suspicious HTTP requests to /_layouts/ paths.
Detection Signatures
CISA provides YARA and SIGMA detection rules to identify these threats, including patterns for Base64-encoded DLLs, webshell behaviors, and IOCs like specific IP addresses and file hashes.
Organizations are urged to apply Microsoft’s patches, monitor for anomalous activity in SharePoint logs, and use the provided IOCs for threat hunting.
For deeper mitigation, reviewing references like Microsoft’s guidance on CVE-2025-53770 exploitation is advised, as unpatched servers remain vulnerable to chained attacks.
Indicators of Compromise (IoCs)
| Type | IOC Value | Description |
|---|---|---|
| SHA256 | 60a37499f9b02c203af24c2dfd7fdb3834cea707c4c56b410a7e68376938c4b7 | Base64-encoded .NET DLL data |
| SHA256 | bee94b93c1796981a55d7bd27a32345a61304a88ed6cd70a5f7a402f1332df72 | .NET DLL extracting machine keys |
| SHA256 | 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 | ASPX file outputting keys |
| IP | 107.191.58.76 | Attacker infrastructure |
| IP | 104.238.159.149 | Attacker infrastructure |
| File Path | /_layouts/15/spinstall0.aspx | Malicious ASPX endpoint |
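As a worked threat-hunting example (added here; it is not code from CISA's report or the article), the script below applies the IoC values from the table above to a constructed IIS W3C log: it parses records using the log's own #Fields header and flags any request for the webshell file names mentioned in the article under a /_layouts/ path, or any request from the listed attacker IPs. The log layout and the sample records are assumptions made for the example.

```python
import re

# Indicator values below are the ones listed in the CISA IoC table above.
IOC_IPS = {"107.191.58.76", "104.238.159.149"}
# Webshell file names mentioned in the article, requested under any /_layouts/ path.
WEBSHELL_RE = re.compile(
    r"/_layouts/(?:[^/]+/)*(spinstall0|spinstallb|spinstallp|info3)\.aspx$", re.IGNORECASE)

# Constructed sample IIS W3C log (not real data); the #Fields header drives the parser.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-20 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 192.0.2.10 Mozilla/5.0 200
2025-07-20 10:02:16 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0 200
2025-07-20 10:03:00 10.0.0.5 GET /sites/hr/default.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2025-07-20 10:04:41 10.0.0.5 POST /_layouts/15/spinstallb.aspx - 443 - 198.51.100.7 PowerShell/7.4 200
2025-07-20 10:05:10 10.0.0.5 GET /sites/hr/default.aspx - 443 - 104.238.159.149 Mozilla/5.0 404
"""


def parse_w3c(log_text):
    """Yield one dict per record, keyed by the column names in the #Fields line."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):  # skip malformed rows
                yield dict(zip(fields, values))


def hunt(log_text):
    """Return (timestamp, client_ip, uri, reasons) for every record matching an indicator."""
    findings = []
    for rec in parse_w3c(log_text):
        reasons = []
        if WEBSHELL_RE.search(rec.get("cs-uri-stem", "")):
            reasons.append("known webshell path")
        if rec.get("c-ip") in IOC_IPS:
            reasons.append("client IP in CISA IoC list")
        if reasons:
            findings.append((f"{rec['date']} {rec['time']}", rec["c-ip"],
                             rec["cs-uri-stem"], reasons))
    return findings


if __name__ == "__main__":
    for ts, ip, uri, why in hunt(SAMPLE_LOG):
        print(ts, ip, uri, "; ".join(why))
```

Point the script at a real SharePoint IIS log by reading the file contents into `hunt`; the parser takes its column order from that file's own #Fields line.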