Cyber Intel Brief: July 17-23, 2025

By Adversary Tactics and Intelligence Team

Estimated Reading Time: 9 minutes

SharePoint Exploits, Interlock Ransomware, and Critical Vulnerabilities in Microsoft and Fortinet Underscore Escalating Enterprise Risk

In our latest Cyber Intelligence Brief, Deepwatch ATI looks at new threats and techniques to deliver actionable intelligence for SecOps organizations. 

Each week we look at in-house and industry threat intelligence and provide ATI analysis and perspective to shine a light on a spectrum of cyber threats.

Exploiting Microsoft SharePoint: ToolShell Campaign and Active Web Shell Attacks

The Rundown

Palo Alto Networks' Unit 42 incident response team is reporting ongoing, high-impact cyberattacks targeting on-premises Microsoft SharePoint servers. These attacks leverage four major vulnerabilities: CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771. Threat actors can chain these flaws to bypass security controls and run malicious commands remotely, often without valid credentials. Organizations most at risk are predominantly in the government, healthcare, education, and large enterprise sectors. Cloud-based SharePoint services, such as SharePoint Online, remain unaffected.

Active exploitation has already been observed in the wild, including theft of sensitive data, installation of backdoors, and compromise of cryptographic keys. Attackers are bypassing multi-factor authentication (MFA) and single sign-on (SSO) systems, suggesting a highly advanced and targeted campaign. In several instances, the attackers planted web shells (like spinstall0.aspx) to maintain long-term access. Security researchers have identified multiple attack variations, using PowerShell scripts to extract configuration data and forge tokens, thereby expanding their reach within victim networks.

Organizations using on-premises SharePoint should act urgently. Patching alone is not enough; Microsoft recommends disconnecting vulnerable servers from the internet, rotating all cryptographic materials, and engaging professional incident response teams. Businesses are urged to follow Microsoft’s updated mitigation guidance and prepare for potential long-term remediation efforts to fully eradicate the threat.
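As an added example (not code from the brief or from Unit 42), a small Python hunt that reads IIS W3C logs from an on-premises SharePoint server and flags requests to the spinstall0.aspx web shell named above; the log lines are constructed, and the column layout is taken from the log's own `#Fields:` header rather than assumed.

```python
"""Hunt IIS W3C logs for requests to the spinstall0.aspx web shell named in the brief.

Added example, not code from the Deepwatch brief or Unit 42. The log lines
are constructed; column order is read from the IIS '#Fields:' directive.
"""

# Web shell file names to hunt for; spinstall0.aspx is the one the brief names.
WEBSHELL_NAMES = {"spinstall0.aspx"}

# Constructed sample: routine SharePoint traffic around two hits on the shell.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-19 03:12:44 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.0.77 200
2025-07-19 03:14:02 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 203.0.113.9 200
2025-07-19 03:14:05 10.0.0.5 GET /_layouts/15/SPINSTALL0.ASPX - 203.0.113.9 200
2025-07-19 03:15:10 10.0.0.5 GET /sites/hr/default.aspx - 10.0.0.78 200
garbled line that does not match the declared field count
"""

def parse_w3c(text: str):
    """Yield one dict per request, keyed by the names in the '#Fields:' line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order can differ per server
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                       # skip malformed rows instead of misaligning
        yield dict(zip(fields, values))

def find_webshell_hits(text: str) -> list:
    """Return (timestamp, client_ip, method, uri, status) for each web shell request."""
    hits = []
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "")
        if stem.rsplit("/", 1)[-1].lower() in WEBSHELL_NAMES:   # case-insensitive match
            hits.append((f"{row['date']} {row['time']}", row["c-ip"],
                         row["cs-method"], stem, row["sc-status"]))
    return hits

if __name__ == "__main__":
    for ts, ip, method, uri, status in find_webshell_hits(SAMPLE_LOG):
        print(f"{ts} {ip} {method} {uri} -> {status}")
```

Any hit is a trigger for the full response the brief describes (isolate the server, rotate cryptographic material, engage incident response), not just for deleting the file.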

Source Material: Palo Alto Unit 42


CISA-FBI Joint Advisory: Defending Against Interlock Ransomware in Enterprise Environments

The Rundown

The U.S. government has issued a cybersecurity alert concerning “Interlock,” a ransomware threat targeting businesses and critical infrastructure across North America and Europe. First observed in late 2024, Interlock uses a financially motivated “double extortion” strategy, stealing data and encrypting systems, then pressuring victims to pay ransom by threatening to leak stolen information. It targets both Windows and Linux environments, especially virtual machines, and employs a variety of entry techniques, including fake browser updates and social engineering tricks like “ClickFix,” where users are tricked into executing harmful code disguised as system fixes.

Once inside a network, Interlock actors deploy malicious tools to steal credentials, monitor user behavior, and escalate privileges to move laterally across systems. They use legitimate software like AnyDesk and PuTTY for remote control, while hiding their presence using techniques that disguise malware as familiar programs. Their operations involve sophisticated data exfiltration methods, using cloud tools like Azure Storage Explorer and WinSCP, before launching encryption payloads that lock systems and demand payment through the dark web, typically in Bitcoin. Victims receive no upfront ransom demand; instead, they must contact the attackers via a .onion link to learn the terms.

To reduce risk, the FBI, CISA, HHS, and MS-ISAC recommend organizations take proactive steps such as enabling multi-factor authentication, segmenting networks, maintaining offline and immutable data backups, and ensuring all systems are up to date with patches. They also urge companies to train staff to spot phishing attempts and unusual prompts, implement strong identity access policies, and deploy modern threat detection tools like endpoint detection and response (EDR) systems. Notably, paying the ransom is discouraged, as it does not guarantee recovery and may encourage further attacks.

Source Materials: DHS CISA


The Rundown

Between July 15 and 21, ransomware and data extortion activity increased, with 81 victim organizations reported across 17 leak sites, an 8% increase from the previous week’s total of 75. While the figure is up, the change is small enough that it more likely reflects short-term stabilization in threat actor operations than a meaningful increase in overall attack volume.

Key sectors such as Professional Services, Manufacturing, Construction and Retail Trade remained prime targets, emphasizing ongoing focus on high-value industries. A notable share of impacted organizations were based in strategic regions, including the United States, Canada, and Brazil, indicating that geographic targeting remains a consistent priority. For business leaders, these trends reinforce the persistent, calculated nature of ransomware threats. Despite fluctuations in weekly figures, the risk to critical sectors remains high, underscoring the need for ongoing investment in prevention, detection, and incident response capabilities.

Key Trends:

  • Most affected industries:
    • Professional, Scientific, and Technical Services
    • Manufacturing
    • Retail Trade
    • Construction
  • Most affected countries:
    • United States
    • Canada
    • Brazil
  • Most active leak sites:
    • Akira
    • Qilin
    • INC Ransom

Exploited Vulnerabilities in Fortinet, Microsoft, SysAid, Google, and CrushFTP Products Added to CISA’s Catalog – Immediate Mitigation Recommended

The Rundown

Between July 17 and July 23, CISA added eight critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, affecting products from Fortinet, Microsoft, SysAid, Google, and CrushFTP. These flaws are confirmed to be actively exploited in diverse threat campaigns.

If unpatched, these vulnerabilities pose serious risks, including unauthorized access and potential escalation, threatening the integrity of widely used technologies. Their exploitation could lead to severe operational disruptions and reputational damage.

Given heightened interest from both nation-state and financially motivated attackers, immediate remediation is vital. Delays significantly raise the likelihood of compromise and broader organizational impact.

Fortinet | FortiWeb CVE-2025-25257

  • Vulnerability Description: Fortinet FortiWeb contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.
  • Exploited in a Ransomware attack? Unknown
  • Action: Apply updates per vendor instructions.
  • Date Added to catalog: 2025-07-18
  • Recommended Mitigation Due Date: 2025-08-08

Microsoft | SharePoint CVE-2025-53770, CVE-2025-49704, CVE-2025-49706

  • Vulnerability Description:
    • CVE-2025-53770: Microsoft SharePoint Server on-premises contains a deserialization of untrusted data vulnerability that could allow an unauthorized attacker to execute code over a network.
    • CVE-2025-49704: Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could be chained with CVE-2025-49706. The update for CVE-2025-53770 includes more robust protections than the update for CVE-2025-49704.
    • CVE-2025-49706: Microsoft SharePoint contains an improper authentication vulnerability that allows an authorized attacker to perform spoofing over a network. Successful exploitation could allow an attacker to view sensitive information and make some changes to disclosed information. This vulnerability could be chained with CVE-2025-49704. The update for CVE-2025-53771 includes more robust protections than the update for CVE-2025-49706.
  • Exploited in a Ransomware attack? Unknown
  • Action: Apply updates per vendor instructions.
  • Date Added to catalog: 2025-07-20
  • Recommended Mitigation Due Date: 2025-07-21

SysAid | SysAid On-Prem CVE-2025-2775, CVE-2025-2776

  • Vulnerability Description:
    • CVE-2025-2775: SysAid On-Prem contains an improper restriction of XML external entity reference vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read primitives.
    • CVE-2025-2776: SysAid On-Prem contains an improper restriction of XML external entity reference vulnerability in the Server URL processing functionality, allowing for administrator account takeover and file read primitives.
  • Exploited in a Ransomware attack? Unknown
  • Action: Apply updates per vendor instructions.
  • Date Added to catalog: 2025-07-22
  • Recommended Mitigation Due Date: 2025-08-12

Google | Chromium CVE-2025-6558

  • Vulnerability Description: Google Chromium contains an improper input validation vulnerability in ANGLE and GPU. This vulnerability could allow a remote attacker to potentially perform a sandbox escape via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
  • Exploited in a Ransomware attack? Unknown
  • Action: Apply updates per vendor instructions.
  • Date Added to catalog: 2025-07-22
  • Recommended Mitigation Due Date: 2025-08-12

CrushFTP | CrushFTP CVE-2025-54309

  • Vulnerability Description: CrushFTP contains an unprotected alternate channel vulnerability. When the DMZ proxy feature is not used, it mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS.
  • Exploited in a Ransomware attack? Unknown
  • Action: Apply updates per vendor instructions.
  • Date Added to catalog: 2025-07-22
  • Recommended Mitigation Due Date: 2025-08-12

Recommendations

ATI recommends mitigative action occur according to the mitigation “Due Date” recommended by CISA.
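As an added example (not Deepwatch or CISA code), a Python triage routine that takes the eight KEV additions listed above in the shape of CISA's KEV JSON feed, filters them against a constructed asset inventory, and orders them by how many days remain until CISA's due date; the inventory and the as-of date are assumptions for the demo.

```python
"""Triage CISA KEV additions against an asset inventory by CISA's due date.

Added example, not Deepwatch or CISA code. KEV_SAMPLE uses the field names
of CISA's KEV JSON feed and the eight entries in the brief; INVENTORY and
AS_OF are constructed for the demonstration.
"""
from datetime import date

def kev(cve, vendor, product, added, due):
    """Build one record in the shape of a KEV feed 'vulnerabilities' item."""
    return {"cveID": cve, "vendorProject": vendor, "product": product,
            "dateAdded": added, "dueDate": due, "knownRansomwareCampaignUse": "Unknown"}

KEV_SAMPLE = [
    kev("CVE-2025-25257", "Fortinet", "FortiWeb", "2025-07-18", "2025-08-08"),
    kev("CVE-2025-53770", "Microsoft", "SharePoint", "2025-07-20", "2025-07-21"),
    kev("CVE-2025-49704", "Microsoft", "SharePoint", "2025-07-20", "2025-07-21"),
    kev("CVE-2025-49706", "Microsoft", "SharePoint", "2025-07-20", "2025-07-21"),
    kev("CVE-2025-2775", "SysAid", "SysAid On-Prem", "2025-07-22", "2025-08-12"),
    kev("CVE-2025-2776", "SysAid", "SysAid On-Prem", "2025-07-22", "2025-08-12"),
    kev("CVE-2025-6558", "Google", "Chromium", "2025-07-22", "2025-08-12"),
    kev("CVE-2025-54309", "CrushFTP", "CrushFTP", "2025-07-22", "2025-08-12"),
]

# Constructed inventory: (vendorProject, product) pairs present in the environment.
INVENTORY = {("Microsoft", "SharePoint"), ("Fortinet", "FortiWeb"), ("Google", "Chromium")}
AS_OF = date(2025, 7, 24)   # constructed 'today' for the demonstration

def triage(entries, inventory, as_of):
    """Return in-scope entries, most urgent first, with days left (negative = overdue)."""
    rows = []
    for e in entries:
        if (e["vendorProject"], e["product"]) not in inventory:
            continue                       # not deployed here; out of scope
        days_left = (date.fromisoformat(e["dueDate"]) - as_of).days
        rows.append({"cve": e["cveID"], "product": e["product"], "due": e["dueDate"],
                     "days_left": days_left, "overdue": days_left < 0})
    return sorted(rows, key=lambda r: (r["days_left"], r["cve"]))

if __name__ == "__main__":
    for r in triage(KEV_SAMPLE, INVENTORY, AS_OF):
        state = "OVERDUE" if r["overdue"] else f"{r['days_left']} days left"
        print(f"{r['cve']:<15} {r['product']:<11} due {r['due']}  {state}")
```

Run against the live feed, the same routine surfaces the one-day SharePoint deadline as already overdue while the August due dates still have headroom.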

Source: CISA


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.

Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.

Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
