Microsoft Ties SharePoint Exploits To China-Backed ToolShell Group

Forbes, 23-07-2025
China-linked hackers are exploiting a critical SharePoint flaw to deploy ToolShell malware, bypassing patches and compromising organizations across key sectors.
Microsoft has linked a wave of SharePoint Server attacks to a China-based threat actor using a tool called ToolShell. The attackers exploited CVE-2025-53770, a critical remote code execution vulnerability in SharePoint Server, to gain unauthorized access to vulnerable systems—even after patches were released.
The campaign began as early as April 2025 and has affected more than 100 organizations, including government agencies, schools and energy companies.
This attack illustrates the dangers of persistent, strategic compromise. And it shows just how well-resourced and adaptive nation-state attackers can be—especially when defenders stick to the usual playbook.
A Closer Look at CVE-2025-53770
CVE-2025-53770 is a deserialization flaw in SharePoint Server with a critical CVSS rating of 9.8. It allows attackers to send a specially crafted request and run arbitrary code on the system. From there, they can deploy malware, access internal networks and maintain control for future operations.
What makes this more dangerous is that attackers are chaining this vulnerability with others—such as CVE-2025-49704 and CVE-2025-49706—to bypass security patches issued in May.
Once the foothold is established, even patched systems can remain compromised.
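The bug class behind CVE-2025-53770 is worth seeing in miniature. The script below is an added illustration, not code from the article, from Microsoft or from SharePoint (which is .NET; the same pattern applies there in a different serializer): a server that rebuilds objects from client-supplied bytes lets those bytes name code, whereas an allowlisted loader, or better a data-only format with explicit validation, does not. The state fields `page` and `sort`, the sample blobs and the function names are constructed for this example.

```python
import builtins
import io
import json
import os
import pickle

# Constructed sample "state" a client might send back to a server: plain data only.
SAMPLE_STATE = {"page": 2, "sort": "asc"}


def benign_blob() -> bytes:
    """Serialized plain data (constructed test input)."""
    return pickle.dumps(SAMPLE_STATE)


def code_reference_blob() -> bytes:
    """A serialized object that merely references a function (the harmless
    os.getcwd). It carries no data, only a pointer to code the loader resolves.
    Constructed to show what an unrestricted deserializer will accept."""
    return pickle.dumps(os.getcwd)


def unsafe_load(blob: bytes):
    """The bug class: resolves and rebuilds whatever the bytes name."""
    return pickle.loads(blob)


# Plain data types the restricted loader is allowed to resolve.
_ALLOWED_BUILTINS = {"dict", "list", "tuple", "set", "str", "int", "float", "bool", "bytes"}


class RestrictedUnpickler(pickle.Unpickler):
    """Mitigation 1: an allowlist. Any global outside a few data types is refused."""

    def find_class(self, module, name):
        if module == "builtins" and name in _ALLOWED_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def restricted_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def load_state_json(text: str) -> dict:
    """Mitigation 2 (preferred): a data-only format plus explicit shape checks,
    so the input can never describe an object graph or a code reference."""
    obj = json.loads(text)
    if not isinstance(obj, dict) or set(obj) != {"page", "sort"}:
        raise ValueError("unexpected state shape")
    if not isinstance(obj["page"], int) or obj["page"] < 1:
        raise ValueError("page must be a positive integer")
    if obj["sort"] not in ("asc", "desc"):
        raise ValueError("sort must be asc or desc")
    return obj


def loader_resolves_code(blob: bytes) -> bool:
    """True if the unrestricted loader turned the bytes into something callable."""
    return callable(unsafe_load(blob))


def restricted_rejects(blob: bytes) -> bool:
    """True if the allowlisted loader refuses the blob."""
    try:
        restricted_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


def json_rejects(text: str) -> bool:
    """True if the validated JSON loader refuses the text."""
    try:
        load_state_json(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unrestricted loader resolves a code reference:", loader_resolves_code(code_reference_blob()))
    print("restricted loader rejects it:", restricted_rejects(code_reference_blob()))
    print("restricted loader accepts plain data:", restricted_load(benign_blob()))
    print("validated JSON state:", load_state_json('{"page": 2, "sort": "asc"}'))
```

The takeaway for a defender is the second loader's design choice: the server decides up front which shapes it will accept and treats everything else as an error, rather than trusting the serializer to reconstruct only harmless things.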
ToolShell Reappears
The campaign is driven by a modified version of ToolShell, a remote access trojan that's been previously linked to Chinese espionage groups. In this case, ToolShell is integrated into SharePoint workflows, allowing attackers to blend into normal traffic, evade detection and operate freely inside the network.
Nation-State Attribution and a Growing Threat Landscape
Microsoft's Threat Intelligence team has formally attributed the campaign to a China-based threat actor. But according to Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, the threat has already expanded beyond a single source.
'We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor. It's critical to understand that multiple actors are now actively exploiting this vulnerability. We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well,' Carmakal warned.
In other words, the window between state-sponsored discovery and broader criminal adoption is shrinking fast.
Gabrielle Hempel, Security Operations Strategist at Exabeam, sees clear echoes of the 2021 Exchange server attacks in this campaign. 'Yet again, we're seeing a Microsoft enterprise product exploited at scale, with self-hosted deployments as the primary point of failure,' she noted. 'These environments generally remain low-hanging fruit due to patching delays and overexposed internal access.'
Hempel also emphasized the operational complexity of these attacks. 'These attackers aren't just out to steal data, but gain remote access, drop malware and move laterally. Organizations should be treating this as a full domain compromise event and not just a SharePoint-specific incident.'
Patching Isn't Enough
This campaign underscores a frustrating but important truth in cybersecurity: patching alone is not enough. While Microsoft did release a patch for CVE-2025-53770, attackers already inside those systems could maintain persistence using other tools and chained exploits.
In some cases, attackers gained access before the patch was available. In others, organizations failed to patch quickly—or correctly—leaving them vulnerable. Once ToolShell is deployed, it's not just about SharePoint anymore. It's about what else attackers can reach from there.
What Organizations Need to Do Now
Microsoft and other experts recommend several immediate steps:
As Hempel pointed out, many security teams lack visibility into SharePoint logs or internal network movement. 'We will likely see ripple effects from breaches of this vulnerability across PCI, HIPAA, ISO 27001, NIST 800-171 and even DFARS/CMMC,' she warned.
Rethinking Hybrid Security
SharePoint's widespread use and the mix of on-prem and cloud deployments make it a prime target. Many organizations have moved to cloud-based platforms, but legacy on-prem systems often remain in place—and underprotected.
This campaign is a reminder that defending hybrid environments requires more than patching and monitoring the perimeter. It demands real visibility, fast detection and a plan for persistence.
Nation-state attackers do not rely on zero-days alone. They leverage known flaws, chain exploits and adapt faster than most organizations can respond.
The compromise isn't coming. For many, it's already here.