Source: go.theregister.com – Author: Gareth Halfacree
CISA has published a malware analysis report with compromise indicators and Sigma rules for “ToolShell” attacks targeting specific Microsoft SharePoint Server versions.
“Cyber threat actors have chained CVE-2025-49704 and CVE-2025-49706 (in an exploit chain publicly known as ‘ToolShell’) to gain unauthorised access to on-premises SharePoint servers,” the agency explained in its announcement of the report.
“CISA analysed six files including two Dynamic-Link Library (.DLL) files, one cryptographic key stealer, and three web shells. Cyber threat actors could leverage this malware to steal cryptographic keys and execute a Base64-encoded PowerShell command to fingerprint the host system and exfiltrate data.”
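The Base64-encoded PowerShell command CISA describes is the kind of thing that turns up in process-creation logs as `powershell.exe -enc <blob>`. The helper below, an added example rather than code from the CISA report or from The Register, decodes such a command line for triage. The one detail worth knowing is that `-EncodedCommand` takes Base64 of the UTF-16LE encoding of the script, so decoding the bytes as UTF-8 yields text interleaved with NULs. The command line is constructed for illustration; the script it carries is a benign stand-in, not the operators' payload, which the article does not reproduce, and the list of accepted switch abbreviations is an assumption about what should be flagged.

```python
"""Decode a Base64-encoded PowerShell command line for triage.

Added example, not code from the CISA report or The Register article.
The command line below is constructed; the script inside it is a benign
stand-in for whatever the operators actually ran.
"""
import base64
import re
from typing import Optional

# powershell.exe accepts unambiguous prefixes of -EncodedCommand (-e, -ec,
# -enc, ...). Assumption: these spellings cover what we want to flag.
_ENC_SWITCH = re.compile(
    r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)"
)


def encode_for_powershell(script: str) -> str:
    """Produce the Base64 string powershell.exe expects: UTF-16LE, no BOM."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if cmdline carries -EncodedCommand, else None."""
    match = _ENC_SWITCH.search(cmdline)
    if not match:
        return None
    blob = match.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate padding stripped by a logger
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


# Constructed sample: a host-fingerprinting one-liner, hidden the way an
# encoded command usually is in a 4688 / Sysmon event.
SAMPLE_SCRIPT = "Get-ComputerInfo | Select-Object CsName,OsName,OsVersion"
SAMPLE_CMDLINE = (
    "powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden "
    f"-enc {encode_for_powershell(SAMPLE_SCRIPT)}"
)

if __name__ == "__main__":
    print("encoded :", SAMPLE_CMDLINE)
    print("decoded :", decode_encoded_command(SAMPLE_CMDLINE))
```

Run it against a command line lifted from an event log and read the decoded script rather than the blob; `-ExecutionPolicy Bypass -File x.ps1` and other switches that merely start with `-e` are deliberately not matched.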
The key vulnerability in SharePoint Server, the “critical”-rated CVE-2025-53770 with a CVSS score of 9.8, is a variant of CVE-2025-49704, one of the two ToolShell flaws (the other being the “medium”-severity CVE-2025-49706) that Microsoft thought it had patched last month, only to find the fix bypassed and the bug under active exploitation as a zero-day against some big names.
Chained with the other vulnerabilities in the exploit dubbed “ToolShell”, it allows remote code execution through deserialisation of untrusted data, and is known to have been exploited by groups including Linen Typhoon (aka Emissary Panda, APT27), Violet Typhoon (aka Zirconium, Judgment Panda, APT31), and Storm-2603.
As of July 23, the victim count had risen to more than 400, including the US Department of Energy (DOE), which confirmed to The Register that its National Nuclear Security Administration (NNSA) had been breached using the vulnerability, though it claimed to have been “minimally impacted.”
The timing of the attacks led at least one security researcher to conclude that the vulnerability was leaked following its private disclosure as part of the Pwn2Own exploitation contest in May: “A leak happened here somewhere,” Trend Micro Zero Day Initiative head of threat awareness Dustin Childs told us late last month.
For those concerned they may have been caught up in all these SharePoint security shenanigans, CISA’s malware analysis report can provide some reassurance.
Besides CVE-2025-53770, the report covers the three other SharePoint vulnerabilities that make up the “ToolShell” exploit chain, together with a “new and stealthy webshell” dubbed “SharpyShell”, which extracts and exfiltrates cryptographic secrets in response to a simple GET request. Most usefully, it comes with indicators of compromise and a set of detection rules in Sigma format, the cross-vendor open-source standard for writing detections once and translating them into the query language of whichever SIEM or logging system you run.
These rules let users search logs for evidence of exploitation of any of the four known vulnerabilities:
- CVE-2025-49704, CWE-94: Code Injection
- CVE-2025-49706, CWE-287: Improper Authentication
- CVE-2025-53770, CWE-502: Deserialization of Untrusted Data
- CVE-2025-53771, CWE-287: Improper Authentication
Those looking to implement them, however, are advised to test before deployment:
“Ensure your EDR/SIEM [Endpoint Detection and Response/Security Information and Event Management] instance has enough memory to run these AND/OR condition-based queries,” CISA warns, “[which] may take longer to run than [a] conventional Sigma rule query.”
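To see what an “AND/OR condition-based” Sigma rule does, and why it costs more than a single-selection rule, here is a small evaluator run over constructed IIS log lines. This is an added example, not the CISA report's rules or any code from The Register: the rule is illustrative, its request-path and Referer indicators are ones Microsoft published for ToolShell exploitation rather than the indicators in CISA's report, and the log lines are made up, not captured from a real server. A Sigma rule names several selections (each a map of field/value pairs that must all match) and then combines them with a boolean condition; every named selection has to be evaluated per event before the condition can be decided, which is the extra work CISA's warning refers to.

```python
"""Evaluate a Sigma-style rule with an AND/OR condition over IIS log lines.

Added example, not code from the CISA report or The Register. The rule is
illustrative and the log lines are constructed.
"""
import re
from typing import Callable, Dict, List

# Constructed IIS W3C lines; field order follows FIELDS.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "c-ip", "cs(User-Agent)", "cs(Referer)", "sc-status"]
IIS_LOG = """\
2025-07-19 03:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 198.51.100.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 03:12:51 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 198.51.100.7 Mozilla/5.0 - 200
2025-07-19 03:13:02 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.21 Mozilla/5.0 /sites/hr/SitePages/Home.aspx 200
2025-07-19 03:14:10 10.0.0.5 GET /sites/hr/Shared%20Documents/report.docx - 10.0.0.22 Mozilla/5.0 - 200
"""


def parse_iis(text: str) -> List[Dict[str, str]]:
    """Turn W3C log lines into field dicts, skipping #-prefixed headers."""
    return [dict(zip(FIELDS, line.split()))
            for line in text.splitlines() if line and not line.startswith("#")]


# Sigma-style rule: named selections plus a condition over their names.
# Indicators are Microsoft's public ToolShell ones, used here for illustration.
RULE = {
    "title": "SharePoint ToolShell-style exploitation (illustrative)",
    "detection": {
        "sel_toolpane": {
            "cs-method": "POST",
            "cs-uri-stem|endswith": "/ToolPane.aspx",
            "cs-uri-query|contains": "DisplayMode=Edit",
        },
        "sel_referer": {"cs(Referer)|endswith": "/SignOut.aspx"},
        "sel_webshell": {"cs-uri-stem|contains": "spinstall0"},
        "condition": "(sel_toolpane and sel_referer) or sel_webshell",
    },
}

# Sigma string matching is case-insensitive; a modifier narrows how it matches.
MODIFIERS: Dict[str, Callable[[str, str], bool]] = {
    "": lambda value, pattern: value == pattern,
    "contains": lambda value, pattern: pattern in value,
    "startswith": lambda value, pattern: value.startswith(pattern),
    "endswith": lambda value, pattern: value.endswith(pattern),
}


def selection_matches(selection: Dict[str, str], event: Dict[str, str]) -> bool:
    """Every field/value pair in a selection must match (a Sigma map is an AND)."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field, "").lower()
        if not MODIFIERS[modifier](value, pattern.lower()):
            return False
    return True


def eval_condition(condition: str, lookup: Callable[[str], bool]) -> bool:
    """Recursive-descent evaluation of 'and' / 'or' / 'not' / parentheses."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def expr():  # or-level, lowest precedence
        result = term()
        while peek() == "or":
            take()
            result = term() or result
        return result

    def term():  # and-level
        result = factor()
        while peek() == "and":
            take()
            result = factor() and result
        return result

    def factor():
        token = take()
        if token == "not":
            return not factor()
        if token == "(":
            inner = expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return inner
        return lookup(token)  # a selection name

    result = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return result


def run_rule(rule: dict, events: List[Dict[str, str]]) -> List[int]:
    """Return the indices of events that satisfy the rule's condition."""
    detection = rule["detection"]
    selections = {k: v for k, v in detection.items() if k != "condition"}
    return [i for i, event in enumerate(events)
            if eval_condition(detection["condition"],
                              lambda name, ev=event: selection_matches(selections[name], ev))]


if __name__ == "__main__":
    events = parse_iis(IIS_LOG)
    for i in run_rule(RULE, events):
        e = events[i]
        print(f"{RULE['title']}: line {i + 1}: {e['cs-method']} {e['cs-uri-stem']} "
              f"referer={e['cs(Referer)']}")
```

On the sample log the first two lines fire (the edit-mode POST to ToolPane.aspx with a SignOut.aspx Referer, and the request for the dropped web shell) while the ordinary GET of ToolPane.aspx from an internal client does not. Note that the evaluator computes every selection named in the condition for every event; a SIEM compiling the same rule has to do the equivalent, which is why CISA suggests checking memory headroom before deploying rules with many selections.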
The full report, with indicators of compromise and Sigma rules, is available on the CISA website. ®
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/08/07/cisa_releases_malware_analysis/