
From Skies to Servers – A Tale of Silent Infiltration

What a Chinese weather balloon and the SharePoint on-premise disaster have in common

Microsoft SharePoint on‑premise zero‑day exploit (CVE‑2025‑53770, aka “ToolShell”) and insights for robust Defense‑in‑Depth strategies:

In early 2023, headlines buzzed with the sighting of Chinese weather balloons drifting silently across Western airspace—an innocuous-looking object that turned out to be a sophisticated surveillance tool, gliding past detection until it had already collected what it came for.

Fast forward to 2025, and a similar phenomenon played out—not in the skies, but deep within enterprise networks. This time, the stealth vehicle was not airborne, but digital: a zero-day exploit targeting Microsoft SharePoint on-premise servers. Like the balloons, it appeared mundane at first—just another server vulnerability. But beneath the surface, Chinese-affiliated threat groups like Storm‑2603 had engineered a quiet, persistent breach, evading detection, gathering access credentials, and quietly embedding themselves in critical infrastructure.

Both the balloons and the SharePoint exploit share the same unsettling truth: the power of quiet, calculated intrusion—weaponized not through brute force, but by exploiting complacency, blind spots, and the illusion of normalcy.

As the world races to secure its skies and its systems, one lesson becomes clear: in modern conflict, the most dangerous threats are the ones that arrive quietly—camouflaged as ordinary.

Incident Overview

  • Beginning July 18, 2025, threat actors—primarily Chinese-affiliated groups like Storm‑2603, Linen Typhoon, and Violet Typhoon—exploited a critical vulnerability in on‑premises SharePoint Server installations. The flaw allowed unauthenticated remote code execution via VIEWSTATE manipulation, giving attackers access to install backdoors and steal ASP.NET MachineKeys (used for persistent access), even post-patch.

The remarkable success of Chinese-affiliated APT groups like Storm‑2603, Linen Typhoon, and Violet Typhoon in exploiting the SharePoint on-premise zero-day vulnerability (CVE‑2025‑53770), compared to their Russian or South Korean counterparts, can be attributed to several operational, technical, and strategic advantages. Taken together, these show how China’s cyber doctrine prioritizes stealth, scale, and infrastructure infiltration.

1. Strategic Focus: Enterprise Infrastructure Penetration

Unlike many Russian or North Korean operations which often favor ransomware (RU) or financial/espionage blend (KP), Chinese actors consistently target core enterprise platforms like:

  • SharePoint (internal portals, document repositories)
  • Exchange (email and auth tokens)
  • VPN concentrators (Pulse, Fortinet, Ivanti)

Why it matters: These platforms are heavily used in regulated sectors (defense, healthcare, education, finance), making them attractive footholds for long-term surveillance, data exfiltration, and potential sabotage.

Chinese APTs often don’t exploit just to encrypt or extort—they exploit to stay undetected.

These exploits affected SharePoint Server editions—2016, 2019, and Subscription Edition. Hosted SharePoint Online / Microsoft 365 was not affected.

Initial patches released on July 8 and July 20/22 were only partially effective. Exploitation attempts began as early as July 7 and intensified on July 18–19.

2. Superior Exploit Engineering and Pre-Patch Reverse Analysis

Chinese groups demonstrated:

  • Pre-patch exploitation as early as July 7—before public advisory.
  • Precise manipulation of VIEWSTATE in ASP.NET to bypass authentication.
  • Custom webshell deployment (e.g. spinstall0.aspx) with stealthy, post-auth privilege escalation via MachineKey theft.

Why they outpaced others:

  • Reports indicate use of disassembled patch diffing and fuzzing techniques to reverse-engineer the vulnerability even after partial patches were issued.
  • Many other APT groups waited for public POCs or relied on known CVE chains.

Companies That Were Not Hacked — And Why

Fermilab (U.S. Department of Energy)

  • Targeted, but not compromised. According to reports, attackers attempted exploitation, but Fermilab’s defenses detected the intrusion early. No sensitive or classified data was breached. (Reuters)

Likely Factors That Prevented Compromise

  1. Strong detection and EDR tooling (e.g. CrowdStrike, Mandiant) rapidly flagged suspicious activity.
  2. Environments with AMSI-enabled antivirus or AMSI integration were able to block exploitation attempts.
  3. Some organizations had immediate patch deployment or isolation, disconnecting vulnerable servers from the internet until fixes were applied.
  4. Proactive threat hunting and log analysis, including monitoring for webshell indicators (e.g. spinstall0.aspx, ToolPane POST), helped detect early-stage attacks.

3. Highly Coordinated Attack Waves

Storm‑2603 and related units executed high-volume, low-signal attacks:

  • Used diverse IP infrastructure and TOR relays.
  • Changed tooling signatures per region.
  • Embedded payloads in Microsoft-identified “legitimate” functions (e.g., SharePoint system pages).

In contrast, many Russian or Korean groups re-use known infrastructure, which leads to faster blocking by EDR and threat intelligence platforms.

4. Silence Over Splash: No Ransomware, No Bragging

Chinese cyber units almost never operate with:

  • Ransom notes
  • Public extortion
  • Data dumps

This contrasts starkly with Russian syndicates (e.g., LockBit, Black Basta), which loudly publicize their exploits and thus attract immediate global attention and response.

In this campaign, the absence of ransomware enabled stealth: many intrusions went undetected for 7–14 days or longer.

5. Multi‑Stage Persistence Mechanisms

Once inside, Chinese APTs:

  • Dumped and exfiltrated MachineKeys
  • Created webshell persistence
  • Often re-patched SharePoint servers to blend into legitimate updates

“They were patching the vulnerabilities after exploiting them to stay hidden.” – Microsoft Threat Intelligence

No other groups in this campaign demonstrated such strategic lifecycle exploitation.

Risk Assessment and Future Implications

  • Chinese operations demonstrate the rising military-grade application of offensive cybersecurity.
  • On-prem systems—especially enterprise middleware—are priority targets for long-term persistence.
  • Defenders must go beyond patching and consider:
    • MachineKey rotations
    • Behavioral monitoring of webshell paths
    • Hardening default ASP.NET deserialization logic
    • Zero Trust segmentation of exposed services

Lessons Learned — Defense‑in‑Depth Hardeners

1. Treat All Exposed Legacy Servers as Already Compromised

Until proven otherwise, assume any internet-facing on‑prem SharePoint (or similar legacy system) was targeted or breached. Rotating ASP.NET MachineKeys and restarting IIS are critical post-incident steps.
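The reason key rotation is a post-incident step rather than a nice-to-have is that a stolen validationKey lets whoever holds it produce VIEWSTATE payloads the server accepts as its own until the key changes. The following added example (not code from the article or from Microsoft) illustrates that with a generic ASP.NET web.config: it generates fresh keys, rewrites the machineKey element, and shows that a MAC computed under the old key stops validating after rotation. The HMAC model here is a deliberate simplification of ASP.NET's real MAC scheme, and the web.config is constructed; on SharePoint the farm keys are managed through Central Administration or the farm's own PowerShell tooling rather than by editing web.config by hand.

```python
"""Rotate an ASP.NET machineKey and show why it invalidates stolen-key VIEWSTATE MACs.
Added example with a simplified HMAC model; not ASP.NET's exact key derivation."""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

# Constructed web.config with deliberately non-random keys so the "before" state is visible.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="{}" decryptionKey="{}" validation="HMACSHA256" decryption="AES"/>
  </system.web>
</configuration>""".format("11" * 64, "22" * 32)


def new_machine_key():
    """Fresh keys: 64 random bytes for HMACSHA256 validation, 32 for AES decryption,
    hex-encoded the way web.config expects them."""
    return {
        "validationKey": secrets.token_hex(64),
        "decryptionKey": secrets.token_hex(32),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(web_config_xml):
    """Return (old_attrs, new_attrs, new_xml).  The <system.web><machineKey> element is
    replaced in place (or created if missing); nothing else in the file is touched."""
    root = ET.fromstring(web_config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    old = dict(mk.attrib)
    new = new_machine_key()
    mk.attrib.clear()
    mk.attrib.update(new)
    return old, new, ET.tostring(root, encoding="unicode")


def sign_viewstate(validation_key_hex, payload):
    """Simplified model of the VIEWSTATE MAC: HMAC-SHA256 over the serialized state."""
    return hmac.new(bytes.fromhex(validation_key_hex), payload, hashlib.sha256).digest()


def viewstate_is_valid(validation_key_hex, payload, mac):
    """Constant-time check, as the server would perform on an incoming __VIEWSTATE."""
    return hmac.compare_digest(sign_viewstate(validation_key_hex, payload), mac)


def demo():
    """A MAC minted with the leaked key is accepted before rotation and rejected after."""
    old, new, _ = rotate_machine_key(SAMPLE_WEB_CONFIG)
    payload = b"constructed serialized page state"        # constructed sample state
    stolen_key_mac = sign_viewstate(old["validationKey"], payload)
    return {
        "accepted_before": viewstate_is_valid(old["validationKey"], payload, stolen_key_mac),
        "accepted_after": viewstate_is_valid(new["validationKey"], payload, stolen_key_mac),
    }


if __name__ == "__main__":
    print(demo())
```

Because the old MAC keeps validating until the key actually changes on every node that serves the application, rotate on all farm members and recycle IIS afterwards; a single un-rotated front end leaves the stolen key fully usable.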

2. Patch Fast and Fully — Then Validate

Applying vendor patches immediately is essential—but insufficient. Given the bypass of the initial July 8 patch, full validation—including proof that deserialization and authentication bypass are addressed—is vital.

3. Enable Runtime Protections and AMSI

Activate AMSI, Microsoft Defender or an equivalent endpoint agent, which can detect malicious payloads during execution, even when an exploit attempt reaches the server.

4. Harden Network Exposure and Apply Zero Trust

Limit internet exposure of SharePoint servers—consider ZTNA, VPN access restrictions, and network segmentation.

5. Implement Active Threat Hunting and Logging

Look for anomalous POST activity (e.g. the ToolPane endpoint), unauthorized .aspx uploads, or abnormal w3wp.exe processes. Conduct proactive searches for known IOCs.
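As an added example of the hunting step just described (not code from the article or from any of its sources), the script below parses IIS W3C logs and flags the three indicators the article names: POST requests to the ToolPane endpoint, any request for spinstall0.aspx, and .aspx pages served from the LAYOUTS tree that are not on a baseline allow-list. The log lines are constructed, the field set is assumed to be the one in the #Fields directive, and KNOWN_LAYOUTS_PAGES is a placeholder for an organisation-maintained baseline of legitimate pages.

```python
"""Hunt IIS W3C logs for ToolShell-style indicators.  Added example; log lines constructed."""
from collections import Counter

# Constructed sample log in the W3C extended format IIS writes.  Assumption: the
# server logs exactly these fields; IIS encodes spaces inside a field as '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-07-18 03:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.0.23 Mozilla/5.0 200
2025-07-18 03:14:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 203.0.113.9 python-requests/2.32 200
2025-07-18 03:14:12 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 203.0.113.9 python-requests/2.32 200
2025-07-18 03:15:01 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 10.0.0.23 Mozilla/5.0 200
2025-07-18 03:16:44 10.0.0.5 GET /_layouts/15/unknown7f3a.aspx - 203.0.113.9 curl/8.5 200
"""

# Assumption: baseline of .aspx pages legitimately served from the LAYOUTS tree,
# maintained by the organisation; anything else served from there deserves a look.
KNOWN_LAYOUTS_PAGES = {"start.aspx", "toolpane.aspx", "signout.aspx", "settings.aspx"}


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive.
    Malformed lines are skipped so one bad record cannot abort the hunt."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def hunt(entries):
    """Return (rule, client_ip, uri_stem, timestamp) tuples for every matching entry."""
    findings = []
    for e in entries:
        stem = e["cs-uri-stem"].lower()
        name = stem.rsplit("/", 1)[-1]
        when = f'{e["date"]} {e["time"]}'
        # Rule 1: a POST to ToolPane.aspx; normal page rendering uses GET.
        if e["cs-method"].upper() == "POST" and name == "toolpane.aspx":
            findings.append(("toolpane-post", e["c-ip"], stem, when))
        # Rule 2: the webshell filename named in the article, wherever it is requested.
        if name == "spinstall0.aspx":
            findings.append(("webshell-name", e["c-ip"], stem, when))
        # Rule 3: an .aspx served from LAYOUTS that is not in the baseline.
        elif "/_layouts/" in stem and name.endswith(".aspx") and name not in KNOWN_LAYOUTS_PAGES:
            findings.append(("unknown-layouts-aspx", e["c-ip"], stem, when))
    return findings


def hunt_log(text):
    return hunt(parse_w3c(text))


def per_source(findings):
    """Count findings per client address to surface the noisiest sources first."""
    return Counter(f[1] for f in findings)


if __name__ == "__main__":
    for finding in hunt_log(SAMPLE_LOG):
        print(finding)
    print(per_source(hunt_log(SAMPLE_LOG)))
```

Run it over the real log directory (one file per day) rather than a single string; the per-source count is what makes a low-volume, spread-out campaign visible, because a single POST to ToolPane looks harmless until it is paired with a new .aspx from the same address minutes later.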

6. Monitor Supply Chain Dependencies

Check and patch other related software ecosystems (e.g. Ivanti EPMM CVEs CVE‑2025‑4427/4428), which are often chained with SharePoint in APT campaigns.

7. Adopt Real-Time Incident Response Practices

Enable tabletop exercises and readiness plans for zero‑days: detection, isolation, key rotation, restoration, and post-incident review must all move quickly.

Summary Table

Category           | Best Practice
Exposure           | Discontinue public internet exposure or move to managed cloud services
Patching Strategy  | Emergency patch testing + fast full deployment & validation
Runtime Protection | AMSI/Defender/EDR always-on for SharePoint
Key Management     | Rotate MachineKeys before and after patching
Threat Monitoring  | Hunt for ToolShell IOCs and anomalous injection patterns
System Hardening   | Segment networks, enforce ZTNA, restrict management interfaces
Incident Response  | Assume breach, trigger containment, forensic investigation

Takeaways

While many organizations have been breached, effective defenders (like Fermilab) remained intact due to a combination of rapid detection, isolation, patch management, and runtime protection.

Treat legacy on-prem SharePoint as inherently high-risk—cloud-hosted alternatives reduce the attack surface significantly.

Follow Zero Trust and assume compromise philosophy: patch fast, hunt aggressively, and rotate secrets post-exploit.

Primary Sources

  1. Axios, “Ransomware spree looms after SharePoint breach”
    https://www.axios.com/2025/07/29/microsoft-sharepoint-hacks-ransomware
  2. Reuters, “US Fermilab hit in cyberattack targeting Microsoft’s SharePoint”
    https://www.reuters.com/technology/us-fermilab-hit-cyberattack-targeting-microsofts-sharepoint-bloomberg-news-2025-07-29
  3. Associated Press (AP), “What to know about a vulnerability being exploited on Microsoft SharePoint servers”
    https://apnews.com/article/65ebcae88267e1aa375013adaa283765
  4. Microsoft Security Blog, “Disrupting active exploitation of on-premises SharePoint vulnerabilities”
    https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities
  5. SANS Institute, “What you need to know about CVE-2025-53770”
    https://www.sans.org/blog/critical-sharepoint-zero-day-exploited-what-you-need-to-know-about-cve-2025-53770
  6. Check Point Research, “ToolShell: CVE-2025-53770 exploit analysis”
    https://blog.checkpoint.com/research/sharepoint-zero-day-cve-2025-53770-actively-exploited-what-security-teams-need-to-know
  7. HeyColleagues, “ToolShell SharePoint Exploit Dissection”
    https://www.heycolleagues.com/news/analyzing-microsoft-sharepoint-zero-day-exploit-cve-2025-53770
  8. WSJ (Wall Street Journal), “Microsoft alerts firms to server software attack”
    https://www.wsj.com/tech/cybersecurity/microsoft-alerts-firms-to-server-software-attack-99f9b036
  9. TechRadar Pro, “‘SharePoint-ageddon’ attacks riddled with ransomware”
    https://www.techradar.com/pro/sharepoint-ageddon-attacks-riddled-with-free-warlock-ransomware-and-thousands-of-services-could-be-compromised
  10. CISA, “Update: Microsoft releases guidance on exploitation of SharePoint vulnerabilities”
    https://www.cisa.gov/news-events/alerts/2025/07/20/update-microsoft-releases-guidance-exploitation-sharepoint-vulnerabilities
  11. Techzine Europe, “What went wrong with SharePoint – and what to do”
    https://www.techzine.eu/blogs/security/133235/microsoft-sharepoint-zero-day-what-went-wrong-and-what-should-you-do
