SparTech Software CyberPulse – Your quick strike cyber update for August 8, 2025 10:41 AM

Ongoing Exploitation of SharePoint ‘ToolShell’ Vulnerabilities Results in Widespread Ransomware Attacks

Recent discoveries reveal that adversaries are actively exploiting a chain of SharePoint vulnerabilities, previously thought to be patched, to deploy ransomware in enterprise environments. These exploits have resulted in confirmed compromises across a broad set of organizations, prompting emergency guidance and mandatory action from federal agencies.

Timeline and Evolution of the ToolShell Exploit Chain

The ‘ToolShell’ attack chain made its public debut after the Berlin Pwn2Own contest, where researchers demonstrated critical vulnerabilities in Microsoft SharePoint. While Microsoft initially addressed these in July 2025 with fixes for remote code execution (CVE-2025-49704) and spoofing (CVE-2025-49706), reports soon surfaced that these patches had been circumvented in the wild.

Hotfix Release and Ransomware Campaigns

In response to the overlooked exploit paths, Microsoft published hardened fixes on July 19, 2025, assigning new identifiers CVE-2025-53770 and CVE-2025-53771. Attackers had already used the patch bypass against environments that had applied the July fixes to deploy ransomware, which encrypted sensitive data and demanded payment under threat of information leakage. The ransomware groups capitalize on incomplete server patching and have targeted SharePoint Server Subscription Edition as well as legacy versions.

Federal Guidance and Mitigation Actions

The Cybersecurity and Infrastructure Security Agency (CISA) escalated the urgency by adding ToolShell-related CVEs to its catalog of exploited vulnerabilities requiring immediate remediation by federal entities. CISA and Microsoft jointly advise organizations to install all available updates and rotate related server cryptographic keys to mitigate post-exploit persistence. The security community anticipates these and potential additional hotfixes will form a significant part of the August 2025 Patch Tuesday releases, reflecting the ongoing and complex nature of the threat.

Technical Analysis

The ToolShell exploit chain leverages deserialization bugs and poor authentication validation to achieve arbitrary code execution on vulnerable SharePoint servers. Attackers exploit these flaws by sending crafted payloads to the server, which processes malicious serialized objects or spoofed requests, ultimately yielding a foothold that can be leveraged for ransomware deployment or further lateral movement. Security researchers found that incomplete patching and failure to rotate machine keys allowed adversaries to replay old tokens, facilitating repeated exploitation and persistence even in updated environments.

Advanced Russian Espionage Campaign Bypasses Gmail Multifactor Authentication

Major cybersecurity vendors have disclosed a new campaign by APT29 (Cozy Bear), a group linked to the Russian government, that successfully bypasses multifactor authentication protections on Gmail accounts of high-value targets. This incident shows a sophisticated evolution in nation-state tradecraft, raising concerns for organizations relying on cloud-based email security.

Attack Vectors and Methods

The attack, detected in July and August 2025, begins with extensive phishing and spearphishing to harvest user credentials, followed by technical interception of authentication flows. APT29 is observed leveraging session hijacking and advanced adversary-in-the-middle (AiTM) techniques, capturing session tokens after victims complete two-factor authentication (2FA).

Defeating Cloud Email Security

By manipulating the OAuth process and exploiting weaknesses in browser session management, the attackers can establish persistent access even if the victim later changes their password. This persistence is sustained by registering rogue OAuth applications or browser extensions under the victim’s account, enabling continued exfiltration and activity surveillance without triggering conventional security alerts.

Implications for Defenders

Security researchers recommend tightening application privilege restrictions, closely monitoring OAuth token grants, and enforcing security controls that can detect anomalies in session creation and extension installation. This campaign demonstrates that multifactor authentication—while crucial—cannot alone guarantee protection against state-level adversaries capable of sophisticated token-based attacks.
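As an added illustration of the monitoring recommended above (this code is not from the original post; it assumes a Workspace-style audit feed, a hypothetical client-ID allowlist and a constructed per-user IP baseline), a small Python detector that flags OAuth grants handing mail scopes to unvetted clients and escalates when the grant follows a sign-in from an IP the user has never used:

```python
from datetime import datetime, timedelta

# OAuth scopes that let a third-party app keep reading mail after a password change.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}
# Hypothetical allowlist of client IDs the organization has vetted.
APPROVED_CLIENT_IDS = {"approved-mail-client"}
# Constructed baseline of IPs each user normally signs in from.
BASELINE_IPS = {"alice@example.org": {"203.0.113.10"}, "bob@example.org": {"203.0.113.20"}}

# Constructed sample audit events (not real log data), in a Workspace-like shape.
SAMPLE_EVENTS = [
    {"ts": "2025-08-05T09:00:00", "user": "alice@example.org", "type": "login", "ip": "203.0.113.10"},
    {"ts": "2025-08-05T09:02:00", "user": "alice@example.org", "type": "login", "ip": "198.51.100.7"},
    {"ts": "2025-08-05T09:04:00", "user": "alice@example.org", "type": "oauth_grant",
     "client_id": "unknown-app-1234", "scopes": ["https://mail.google.com/"]},
    {"ts": "2025-08-05T10:00:00", "user": "bob@example.org", "type": "login", "ip": "203.0.113.20"},
    {"ts": "2025-08-05T10:01:00", "user": "bob@example.org", "type": "oauth_grant",
     "client_id": "approved-mail-client", "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]},
]

def find_suspicious_grants(events, window=timedelta(minutes=15)):
    """Alert on OAuth grants that hand a high-risk scope to an unvetted client;
    escalate when the grant follows a login from an IP the user has not used
    before, which is how a stolen post-2FA session typically shows up."""
    alerts = []
    known_ips = {u: set(ips) for u, ips in BASELINE_IPS.items()}
    last_new_ip_login = {}  # user -> time of most recent login from an unfamiliar IP
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], datetime.fromisoformat(ev["ts"])
        if ev["type"] == "login":
            seen = known_ips.setdefault(user, set())
            if ev["ip"] not in seen:
                seen.add(ev["ip"])
                last_new_ip_login[user] = ts
        elif (ev["type"] == "oauth_grant" and HIGH_RISK_SCOPES.intersection(ev["scopes"])
              and ev["client_id"] not in APPROVED_CLIENT_IDS):
            reasons = ["high-risk scope granted to unvetted client"]
            last = last_new_ip_login.get(user)
            if last is not None and ts - last <= window:
                reasons.append("grant within %d min of login from new IP" % (window.seconds // 60))
            alerts.append({"user": user, "client_id": ev["client_id"], "reasons": reasons})
    return alerts
```

Approved clients and scopes outside the risky set are ignored, so the baseline and allowlist are what tune the noise level.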

Surge in Akira Ransomware Infections Linked to Zero-Day SonicWall Firewall Vulnerability

Security teams across multiple industries are investigating a new wave of ransomware incidents attributed to exploitation of an undisclosed vulnerability in SonicWall firewalls. The Akira ransomware group is implicated in coordinated attacks that bypass network defenses and launch rapid file encryption campaigns.

Zero-Day Exploitation and Initial Access

Researchers detected a rapid increase in successful Akira ransomware deployments from July into August 2025, correlating with the discovery of a suspected zero-day vulnerability impacting certain SonicWall firewall models. Attackers gain remote access by circumventing authentication or exploiting flaws in firmware handling of network traffic.

Techniques and Lateral Spread

Once a foothold is achieved, attackers move laterally using compromised privileged accounts and exploit unsegmented networks to maximize ransomware blast radius. Notably, the attackers exhibit detailed awareness of firewall configurations and leverage scripting to deploy ransomware on critical infrastructure systems within affected organizations.

Mitigation Status and Vendor Response

SonicWall has initiated an urgent investigation and recommends that all clients update device firmware, enable advanced threat protections, and monitor for anomalous traffic. Security operations centers should prioritize detection of unusual admin actions and large-scale file modifications. The status of a formal security patch or workaround remains pending as threat intelligence teams seek to reverse-engineer the underlying exploit.
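An added example of the large-scale file modification detection the post calls for (not code from SonicWall or the original article; the event shape and the ".locked" suffix are constructed assumptions): a sliding-window detector in Python that flags a host/user pair touching many distinct files in a short period and reports how many of those events were extension-changing renames.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file-activity events (not real telemetry). One service
# account renames 40 documents to a made-up ".locked" suffix within 40 seconds;
# an ordinary user edits a single file. The suffix is illustrative only.
SAMPLE_FILE_EVENTS = [
    {"ts": "2025-08-04T02:10:%02d" % s, "host": "fs01", "user": "svc_backup",
     "path": "/share/docs/report%d.docx" % s,
     "renamed_to": "/share/docs/report%d.docx.locked" % s}
    for s in range(40)
] + [
    {"ts": "2025-08-04T02:15:00", "host": "ws07", "user": "carol",
     "path": "/home/carol/notes.txt", "renamed_to": None},
]

def detect_modification_bursts(events, window=timedelta(seconds=60), threshold=30):
    """Flag any (host, user) pair that touches more than `threshold` distinct
    files inside a sliding `window`, and report what share of those events were
    renames that changed the file extension, a common side effect of encryption."""
    alerts = []
    recent = defaultdict(deque)   # (host, user) -> deque of (ts, path, ext_changed)
    already_fired = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["user"])
        ts = datetime.fromisoformat(ev["ts"])
        new_path = ev.get("renamed_to")
        ext_changed = bool(new_path) and os.path.splitext(new_path)[1] != os.path.splitext(ev["path"])[1]
        q = recent[key]
        q.append((ts, ev["path"], ext_changed))
        while ts - q[0][0] > window:       # drop events older than the window
            q.popleft()
        distinct_files = {p for _, p, _ in q}
        if len(distinct_files) > threshold and key not in already_fired:
            already_fired.add(key)         # one alert per offender, not one per event
            ext_changes = sum(1 for _, _, c in q if c)
            alerts.append({"host": key[0], "user": key[1], "files": len(distinct_files),
                           "ext_change_ratio": round(ext_changes / len(q), 2)})
    return alerts
```

A high extension-change ratio separates an encryption run from a legitimate bulk copy or backup job, which modifies many files but rarely renames them.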

Broader Ransomware Landscape

The prevalence of Akira ransomware in conjunction with a firewall-based zero-day underscores the criticality of layered defenses, rapid patch management, and continuous threat monitoring on perimeter devices. Related campaigns are exploiting this vulnerability en masse, illustrating the ongoing attractiveness of hardware vulnerabilities to ransomware operators targeting enterprise victims.

SafePay Ransomware Campaign Threatens Massive Data Leak at Ingram Micro

A new ransomware variant known as SafePay is responsible for a large-scale cyber extortion campaign targeting the global distributor Ingram Micro. The threat actors claim to have exfiltrated—and threaten to leak—up to 35TB of sensitive company data if ransom demands are not met.

Attack Discovery and Data Exfiltration

In early August 2025, Ingram Micro’s internal investigation revealed anomalous data transfers and subsequent file encryption. The attackers embedded themselves within the network for several weeks, moving laterally to access high-value storage and backup systems. Data was systematically staged and exfiltrated before the ransomware detonation phase.

Ransomware Techniques and Motivations

SafePay employs double extortion tactics: simultaneous encryption of critical company data and exfiltration for release on public leak sites if payment is refused. Attackers provided proof-of-theft by selectively releasing samples of confidential business documents.

Recommendations and Industry Impact

Security professionals emphasize the necessity of robust network segmentation, least privilege enforcement, and real-time anomaly detection to mitigate future occurrences. Incident response measures include rapid containment, forensic analysis, and coordinated action with law enforcement. This event highlights the rising threat of “mega-leak” ransomware campaigns with both operational and reputational consequences for global supply chain organizations.

Palo Alto Networks Probes SharePoint Exploitation-Linked Ransomware Incident

Palo Alto Networks is investigating a security breach that originated from exploitation of the recent SharePoint vulnerability chain. The attackers, utilizing access to internal collaboration systems, delivered ransomware and subsequently issued a significant ransom demand.

Incident Progression and Attribution

Initial findings indicate exploitation of the CVE-2025-53770/53771 SharePoint flaws to gain privileged access within the corporate network. Once inside, adversaries deployed custom ransomware targeting document repositories and backups. Investigators are assessing the potential correlation between this attack and the widespread ToolShell exploitation campaign.

Detection, Response, and Next Steps

The incident has prompted immediate deployment of endpoint monitoring, network isolation, and collaboration with external threat intelligence partners. Palo Alto aims to ascertain whether the attack reflects a new phase of ransomware operations leveraging legacy and newly patched vulnerabilities within software supply chains.

Preliminary Technical Findings

Digital forensic evidence points to sophisticated abuse of single sign-on infrastructure within the enterprise, with attackers employing both off-the-shelf and custom post-exploitation tools to escalate privileges and maintain persistence. The security team is analyzing lateral movement patterns and data access logs in partnership with federal and private sector responders.

AI-Generated Linux Cryptocurrency Miner ‘Koske’ Emerges, Bypassing Traditional Detection

Security analysts have uncovered a new malware family dubbed ‘Koske,’ which is notable for being one of the first large-scale Linux cryptocurrency mining botnets generated by artificial intelligence. Koske demonstrates advanced evasion capabilities against rule-based and behavioral endpoint security solutions.

Development and Deployment

Koske is reportedly assembled using state-of-the-art large language models instructed to optimize for stealth and resilience. The malware’s architecture is polymorphic, facilitating rapid adaptation to both static and dynamic analysis tools. Threat research teams are watching closely as Koske infections proliferate rapidly among vulnerable Linux servers running outdated software.

Technical Sophistication and Payload

Upon initial breach, Koske establishes persistence via systemd service installation and injects itself into active processes. Its payload includes multi-chain mining capabilities (targeting Monero, Ethereum, and lesser-known coins), and deploys a variety of memory-resident exploits to propagate laterally across internal networks.

Detection Evasion and Mitigation Strategies

Koske’s AI-generated source code leverages obfuscation layers uncommon in hand-crafted malware, including dynamic opcode reordering and code entropy manipulation to bypass signature-based scanners. Security teams recommend enhanced anomaly-based monitoring and real-time forensic imaging to identify infected systems. Traditional antivirus and IDS solutions have low effectiveness against this malware without customized detection signatures.
