SharePoint Under Siege: Chinese Hackers Deploy ToolShell Attack Chain

SharePoint Under Siege: Chinese Hackers Deploy ToolShell Attack Chain

Microsoft SharePoint, a widely used collaboration and document management platform, is currently facing a significant security threat. Chinese hackers are actively exploiting a sophisticated attack chain, dubbed "ToolShell," to gain unauthorized access to on-premises SharePoint servers. This campaign involves the deployment of backdoors, ransomware, and loaders, posing a serious risk to organizations worldwide.

Understanding Emerging Cybersecurity Threats

The ToolShell Attack Chain Explained

The ToolShell attack chain is a multi-stage exploit that targets vulnerabilities in on-premises Microsoft SharePoint servers. It leverages a combination of CVEs to achieve unauthenticated remote code execution, allowing attackers to gain full control over the compromised systems. Key vulnerabilities involved in the ToolShell attack chain include:

• CVE-2025-49704: A vulnerability in the /ToolPane.aspx system page, used for website configuration and management.
• CVE-2025-49706: An authentication bypass exploit.
• CVE-2025-53770: A critical unauthenticated remote code execution vulnerability that enables attackers to forge requests and signed ViewState.

By chaining these vulnerabilities together, attackers can bypass security measures and execute malicious code on the SharePoint server without requiring any authentication.

Impact and Scope of the Attacks

The exploitation of the ToolShell attack chain has had a significant impact, with reports indicating that over 148 organizations have been affected. Ransomware gangs are actively leveraging these vulnerabilities to deploy ransomware payloads, encrypting sensitive data and demanding ransom payments for its release. The attacks primarily target on-premises SharePoint servers, leaving Microsoft 365 SharePoint Online relatively unaffected.

The attacks have been attributed to Chinese state-sponsored threat actors, raising concerns about potential espionage and data theft. The attackers are using the compromised SharePoint servers to deploy backdoors, allowing them to maintain persistent access to the network and steal sensitive information over an extended period.

Mitigation and Prevention Strategies

To protect against the ToolShell attack chain and other SharePoint vulnerabilities, organizations should implement the following mitigation and prevention strategies:

1. Apply Security Patches: Promptly apply all security patches released by Microsoft for SharePoint Server. This includes patches for the CVEs mentioned above, as well as any other relevant security updates.
2. Disable Unnecessary Features: Disable any unnecessary features or functionalities in SharePoint Server that could potentially be exploited by attackers.
3. Implement Strong Authentication: Enforce strong authentication mechanisms, such as multi-factor authentication (MFA), to prevent unauthorized access to SharePoint servers.
4. Monitor Network Traffic: Monitor network traffic for suspicious activity, such as unusual login attempts or data exfiltration.
5. Regular Security Audits: Conduct regular security audits and penetration testing to identify and address any vulnerabilities in SharePoint Server.
6. Web Application Firewall (WAF): Deploy a WAF to filter malicious traffic and protect against web-based attacks targeting SharePoint.

Key Takeaways

The ToolShell attack chain represents a significant threat to organizations using on-premises Microsoft SharePoint servers. Chinese hackers and ransomware gangs are actively exploiting these vulnerabilities to deploy backdoors, ransomware, and loaders. By implementing the recommended mitigation and prevention strategies, organizations can significantly reduce their risk of falling victim to these attacks and protect their sensitive data.

References

• https://socradar.io/wp-content/uploads/2024/02/impact-of-cl0p-ransomware-on-the-cyber-threat-landscape-in-2023-an-analysis-of-cyber-tactics-and-threat-evolution-over-the-year.png
• https://gbhackers.com/chinese-hackers-exploit-sharepoint-flaws/
• https://www.linkedin.com/pulse/toolshell-sharepoint-attack-binariilabs-phz0e
• https://www.darkreading.com/remote-workforce/microsoft-rushes-emergency-fix-exploited-sharepoint-toolshell-flaw
• https://www.bleepingcomputer.com/news/microsoft/microsoft-sharepoint-zero-day-exploited-in-rce-attacks-no-patch-available/
• https://www.picussecurity.com/resource/blog/cve-2025-53770-critical-unauthenticated-rce-in-microsoft-sharepoint
• https://www.sentinelone.com/blog/sharepoint-toolshell-zero-day-exploited-in-the-wild-targets-enterprise-servers/