[Security News] Microsoft Confirms China link to SharePoint ‘ToolShell’ Vulnerabilities

Microsoft attacked by Chinese hackers

23rd July 2025


Microsoft confirms China link to SharePoint ‘ToolShell’ Vulnerabilities

Multiple Chinese state-sponsored hacking groups, including Linen Typhoon, Violet Typhoon, and Storm-2603, have exploited a Microsoft SharePoint zero-day vulnerability chain called “ToolShell” to breach at least 54 organizations globally. The attacks targeted internet-facing on-premises SharePoint servers and affected government, telecom, and software sectors across North America and Western Europe. Microsoft released emergency patches and CVE identifiers (CVE-2025-53770 and CVE-2025-53771) to address the flaws, but a public proof-of-concept exploit has since increased the risk of further attacks. CISA has added the RCE flaw to its Known Exploited Vulnerabilities catalog and urges immediate patching and defensive measures.

Microsoft shared IOCs (indicators of compromise) to help defenders identify compromised SharePoint servers on their networks:

  • 134.199.202[.]205: IP address exploiting SharePoint vulnerabilities
  • 104.238.159[.]149: IP address exploiting SharePoint vulnerabilities
  • 188.130.206[.]168: IP address exploiting SharePoint vulnerabilities
  • 131.226.2[.]6: Post-exploitation C2
  • Spinstall0.aspx: Web shell used by threat actors (also named spinstall.aspx, spinstall1.aspx, and spinstall2.aspx)
  • c34718cbb4c6.ngrok-free[.]app/file.ps1: Ngrok tunnel delivering PowerShell to C2
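The indicators above are published defanged (with `[.]`), so they cannot be pasted straight into a log search. The following script is an added example, not Microsoft's or Penta Security's code: it refangs the listed IPs and ngrok host, then sweeps IIS-style request log lines for the three exploitation source IPs, the post-exploitation C2 address, the ngrok tunnel host, and any request for a `spinstall*.aspx` web shell. The log lines are constructed samples, and the `/_layouts/15/` path used for the web shell in the sample is an assumption for illustration, not a location stated on this page.

```python
"""IOC sweep for the ToolShell indicators listed on this page.

Added example (not Microsoft's or the vendor's code). Refangs the defanged
indicators, then scans log lines for source IPs, the C2 address, the ngrok
tunnel host and spinstall*.aspx web shell requests. Sample log lines are
constructed for the demonstration, not real captures.
"""
import re

# Indicators exactly as published above, still defanged with "[.]".
DEFANGED_IOCS = {
    "134.199.202[.]205": "exploitation source IP",
    "104.238.159[.]149": "exploitation source IP",
    "188.130.206[.]168": "exploitation source IP",
    "131.226.2[.]6": "post-exploitation C2",
    "c34718cbb4c6.ngrok-free[.]app": "ngrok tunnel host",
}

# spinstall.aspx, spinstall0.aspx, spinstall1.aspx, spinstall2.aspx ...
WEBSHELL_RE = re.compile(r"/spinstall\d?\.aspx", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn '1.2.3[.]4' back into '1.2.3.4' so it can be matched in logs."""
    return indicator.replace("[.]", ".")


IOCS = {refang(k): v for k, v in DEFANGED_IOCS.items()}


def scan_line(line: str) -> list:
    """Return a list of (indicator, description) hits for one log line."""
    hits = []
    for ioc, desc in IOCS.items():
        # Guard both sides so 131.226.2.6 does not match inside 131.226.2.60
        # or 1131.226.2.6; hostnames get the same boundary treatment.
        pattern = r"(?<![\w.])" + re.escape(ioc) + r"(?![\w.])"
        if re.search(pattern, line):
            hits.append((ioc, desc))
    m = WEBSHELL_RE.search(line)
    if m:
        hits.append((m.group(0), "ToolShell web shell path"))
    return hits


def scan(lines) -> dict:
    """Return {line_number: hits} for every line that matched at least once."""
    results = {}
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results[number] = hits
    return results


# Constructed sample log lines (IIS W3C-like layout: time, server IP, method,
# URI, port, client IP, user agent, status). The web shell path is assumed.
SAMPLE_LOG = [
    "2025-07-20 03:12:44 10.0.0.5 POST /sites/hr/default.aspx 443 134.199.202.205 Mozilla/5.0 200",
    "2025-07-20 03:12:51 10.0.0.5 GET /_layouts/15/spinstall0.aspx 443 134.199.202.205 Mozilla/5.0 200",
    "2025-07-20 03:13:02 10.0.0.5 GET /sites/hr/default.aspx 443 10.0.0.77 Mozilla/5.0 200",
    "2025-07-20 03:14:10 10.0.0.5 OUTBOUND 131.226.2.60 443",
    "2025-07-20 03:15:09 10.0.0.5 OUTBOUND c34718cbb4c6.ngrok-free.app/file.ps1 443",
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG).items():
        for indicator, description in hits:
            print(f"line {number}: {indicator} ({description})")
```

Line 4 of the sample is a deliberate near miss: the address `131.226.2.60` shares a prefix with the C2 indicator `131.226.2.6` and must not be reported, which is why each indicator is wrapped in boundary checks rather than searched as a bare substring.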

Source: Bleeping Computer, Infosecurity Magazine


Alcohol & Drug Testing Service Experiences Data Breach Affecting 750,000 Individuals

The Texas-based Alcohol & Drug Testing Service has disclosed that nearly 750,000 individuals were affected by a July 2024 data breach, in which a wide range of sensitive personal information was stolen. The breach, believed to be carried out by the BianLian ransomware group, involved the unauthorized access and theft of 218GB of data, including names, Social Security numbers, biometric data, and login credentials. TADTS completed its investigation only recently, reset passwords, and enhanced monitoring tools, but declined to offer free identity theft protection to victims. While no fraud has been reported yet, affected individuals are urged to monitor their credit and financial activity closely.

Source: Security Week, WGN9, Maine.gov


6.5 Million Members' Data Stolen from Co-op in Cyberattack

UK retailer Co-op confirmed that personal data of 6.5 million members was stolen in an April cyberattack that disrupted operations and led to food shortages. The breach, carried out by threat actors linked to Scattered Spider and DragonForce ransomware, exposed members’ contact information but not financial data. Attackers accessed Co-op’s systems via social engineering, stealing Active Directory files to crack passwords and move laterally. Four suspects, including teens, were arrested by the UK’s NCA in connection with this and other high-profile attacks.

Source: Bleeping Computer, BBC, Computing UK


SquidLoader is Heading to Hong Kong’s Financial Sector

A new malware campaign in Hong Kong is using SquidLoader to target financial institutions with highly evasive, multi-stage attacks. Delivered via Mandarin-language spear-phishing emails, SquidLoader disguises itself as a Word document and deploys Cobalt Strike after bypassing sandboxes and antivirus tools. It features advanced anti-analysis tactics like obfuscation, environmental checks, and fake error messages to evade detection. The campaign is currently focused on Hong Kong, with possible activity extending to Singapore and Australia.

Source: HackRead, Infosecurity Magazine, Cyber Security News


Penta Security Wins 2025 Frost & Sullivan Company of the Year Recognition

Penta Security has received the ‘2025 Frost & Sullivan’s Company of the Year Recognition – The South Korea Web Application Firewall Industry’ award from the global market research and consulting firm Frost & Sullivan. Explaining the award, Frost & Sullivan stated: “Penta Security has been selected for its exceptional performance in technological innovation, strategic execution, and customer value creation. With years of proven expertise and advanced security technologies, Penta Security’s flagship WAAP solution, WAPPLES, has established itself as the standard in Korea’s web security landscape, delivering outstanding proactive protection capabilities.”

Source: EIN Newswire, PR Newswire

Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D.AMO


Check out the product lines of Cloudbric by Penta Security:

Cloud-based Fully Managed WAAP: Cloudbric WAF+

Agent based Zero Trust Network Access Solution: Cloudbric PAS

Agentless Zero Trust Network Access Solution: Cloudbric RAS
