
SharePoint Under Siege 'ToolShell'
Indicators of Compromise
APT Groups (3)
<p><b>Summary of Actor</b>: EMISSARY PANDA, also known as TG-3390 or APT27, is a Chinese cyber espionage group that targets foreign embassies, defense contractors, and energy companies. It has been active since at least 2010 and focuses on strategic espionage.</p><p><b>General Features</b>: EMISSARY PANDA conducts cyber espionage primarily aligned with Chinese geopolitical interests. The group is adept at using custom malware, spear-phishing, and vulnerability exploitation to gain initial access and maintain persistence.</p><p><b>Related Other Groups</b>: APT10, APT31, GOTHIC PANDA</p><p><b>Indicators of Attack (IoA)</b>:</p><ul><li>Spear-phishing emails with malicious attachments</li><li>Use of custom malware such as HyperBro and SysUpdate</li><li>Command and control traffic over HTTP/HTTPS</li></ul><p><b>Recent Activities and Trends</b>:</p><ul><li><b>Latest Campaigns</b>: EMISSARY PANDA has recently been observed targeting vaccine research organizations and NGOs involved in the COVID-19 response, and has also launched campaigns against high-profile entities in the fintech and defense sectors.</li><li><b>Emerging Trends</b>: The group increasingly uses cloud infrastructure for command and control and has shifted toward more sophisticated spear-phishing built on COVID-19 themes. It is also beginning to use supply chain attacks to extend its reach and impact.</li></ul>
<p><b>Summary of Actor</b>: APT31, also known as Zirconium, is a Chinese state-sponsored threat actor that conducts cyber espionage against a range of sectors worldwide. The group has been active since at least 2016 and uses sophisticated malware and advanced techniques to achieve its objectives.</p><p><b>General Features</b>: APT31 is characterized by customized malware, spear-phishing campaigns, and exploitation of zero-day vulnerabilities. The group focuses on intelligence gathering and has targeted political, economic, and defense-related entities.</p><p><b>Related Other Groups</b>: APT15, APT10, APT40</p><p><b>Indicators of Attack (IoA)</b>:</p><ul><li>Use of custom implants</li><li>Spear-phishing with malicious attachments</li><li>Exploitation of zero-day vulnerabilities</li></ul><p><b>Recent Activities and Trends</b>:</p><ul><li><b>Latest Campaigns</b>: APT31 has recently been linked to a campaign against European government institutions using spear-phishing emails with malicious attachments that deploy custom malware. The group has also been observed targeting U.S. political entities in the lead-up to major elections.</li><li><b>Emerging Trends</b>: APT31 has increased its use of sophisticated and evasive techniques, including legitimate cloud services for command and control, and has shifted toward targeting supply chains to indirectly compromise high-value targets.</li></ul>
<p><b>Summary of Actor</b>: APT27, also known as Emissary Panda or TG-3390, is a well-known cyber espionage group believed to be associated with the Chinese government. It targets information related to the defense, aerospace, and government sectors.</p><p><b>General Features</b>: APT27 specializes in cyber espionage operations and exhibits sophisticated tactics, techniques, and procedures (TTPs). The group uses both publicly available tools and custom malware, and is adept at lateral movement and maintaining persistence within compromised environments.</p><p><b>Related Other Groups</b>: APT10, APT1, APT40</p><p><b>Indicators of Attack (IoA)</b>:</p><ul><li>Unusual PowerShell activity</li><li>Abnormal Remote Desktop Protocol (RDP) usage</li><li>Execution of known APT27 malware such as HyperBro</li></ul><p><b>Recent Activities and Trends</b>:</p><ul><li><b>Latest Campaigns</b>: APT27 has most recently been observed targeting defense contractors and government agencies with spear-phishing attacks that exploit vulnerabilities in Microsoft Exchange.</li><li><b>Emerging Trends</b>: The group has shifted toward exploiting zero-day vulnerabilities more aggressively and toward living-off-the-land tactics that blend in with normal network activity.</li></ul>
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
These vulnerabilities apply to on-premises SharePoint Servers only.
SharePoint Online in Microsoft 365 is not impacted. Microsoft has released security updates that fully protect customers using SharePoint Subscription Edition and SharePoint 2019 against the risks posed by CVE-2025-53770 and CVE-2025-53771.
| Product | Security Update link |
|---|---|
| Microsoft SharePoint Server Subscription Edition | Download Security Update for Microsoft SharePoint Server Subscription Edition (KB5002768) from Official Microsoft Download Center |
| Microsoft SharePoint Server 2019 | Download Security Update for Microsoft SharePoint Server Subscription Edition (KB5002754) from Official Microsoft Download Center |
| Microsoft SharePoint Server 2016 | Not available yet |
| Product | KB Article | Security Update | Fixed Build Number |
|---|---|---|---|
| Microsoft SharePoint Server 2019 | 5002741 | Security Update | 16.0.10417.20027 |
| Microsoft SharePoint Enterprise Server 2016 | 5002744 | Security Update | 16.0.5508.1000 |
- Ensure the Antimalware Scan Interface (AMSI) is turned on and configured correctly
Configure AMSI integration in SharePoint and enable Full Mode for optimal protection.
Note: AMSI integration was enabled by default in the September 2023 security update for SharePoint Server 2016/2019 and the Version 23H2 feature update for SharePoint Server Subscription Edition.
If you cannot enable AMSI, Microsoft recommends that you consider disconnecting your server from the internet until a security update is available.
- Rotate SharePoint Server ASP.NET machine keys
After applying the latest security updates above or enabling AMSI, it is critical that customers rotate SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers.
- Manually via PowerShell
To update the machine keys using PowerShell, use the Update-SPMachineKey cmdlet.
- Manually via Central Admin
Trigger the Machine Key Rotation timer job by performing the following steps:
- Navigate to the Central Administration site.
- Go to Monitoring -> Review job definition.
- Search for Machine Key Rotation Job and select Run Now.
After the rotation has completed, restart IIS on all SharePoint servers using iisreset.exe.
If you cannot enable AMSI, you will need to rotate your keys after you install the new security update.
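The PowerShell path described above, carried through for a whole farm, as an added example (not Microsoft's script or text from this page). It assumes the Update-SPMachineKey cmdlet takes the target web application via -WebApplication, as in its documented signature, and that PowerShell remoting (WinRM) is enabled so iisreset.exe can be run on the other servers.

```powershell
# Added example: rotate ASP.NET machine keys on every SharePoint web application,
# then restart IIS on every SharePoint server, as the guidance above requires.
# Run from an elevated SharePoint Management Shell on one server in the farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Rotate the machine key for each web application, Central Administration included.
#    Assumption: -WebApplication is the cmdlet's target parameter.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($wa in $webApps) {
    Write-Host "Rotating machine key for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa
}

# 2. Restart IIS on every server that runs SharePoint. Database-only hosts are
#    listed by Get-SPServer with Role 'Invalid' and are skipped.
#    Assumption: WinRM is enabled so Invoke-Command reaches each server.
$spServers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
foreach ($server in $spServers) {
    Write-Host "Restarting IIS on $($server.Address)"
    Invoke-Command -ComputerName $server.Address -ScriptBlock { iisreset.exe }
}
```

Run step 1 once for the farm; step 2 must reach every SharePoint server, since each one caches the old keys until its IIS worker processes restart.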
- Monitor for POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
- Use Endpoint Detection and Response (EDR), Intrusion Prevention System (IPS), and Web Application Firewall (WAF) logs to identify, detect, and block exploit patterns and anomalous behaviors associated with this vulnerability.
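A detection that implements the monitoring bullet above over IIS W3C logs, as an added example (not code from the original page). The field order is read from the log's own #Fields header; the log lines at the bottom are constructed sample data, not real traffic, and the function name Find-ToolPaneEditPosts is my own.

```powershell
# Added example: flag POST requests to /_layouts/15/ToolPane.aspx whose query
# string carries DisplayMode=Edit, reading the column layout from '#Fields:'.
function Find-ToolPaneEditPosts {
    param([string[]]$LogLines)

    $index = @{}
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # Map each field name to its column position, e.g. 'cs-method' -> 3
            $names = ($line -replace '^#Fields:\s*', '') -split ' '
            $index = @{}
            for ($i = 0; $i -lt $names.Count; $i++) { $index[$names[$i]] = $i }
            continue
        }
        # Skip other directives, blank lines, and data seen before any header
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line) -or $index.Count -eq 0) { continue }

        $cols   = $line -split ' '
        $method = $cols[$index['cs-method']]
        $stem   = $cols[$index['cs-uri-stem']]
        $query  = [uri]::UnescapeDataString($cols[$index['cs-uri-query']])

        # -match is case-insensitive, so ToolPane.aspx / toolpane.aspx and
        # DisplayMode=edit all match; the query is URL-decoded first.
        if ($method -eq 'POST' -and
            $stem -match '/_layouts/15/ToolPane\.aspx$' -and
            $query -match '(^|&)DisplayMode=Edit(&|$)') {
            [pscustomobject]@{
                Timestamp = "$($cols[$index['date']]) $($cols[$index['time']])"
                ClientIP  = $cols[$index['c-ip']]
                Stem      = $stem
                Query     = $query
                Status    = $cols[$index['sc-status']]
            }
        }
    }
}

# Constructed sample log (not real traffic): a benign GET in edit mode, the
# POST pattern named in the guidance, and an unrelated POST.
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2025-07-19 10:15:01 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 10.0.0.20 200
2025-07-19 10:15:07 10.0.0.5 POST /_layouts/15/toolpane.aspx DisplayMode%3DEdit 443 198.51.100.23 200
2025-07-19 10:16:12 10.0.0.5 POST /_layouts/15/start.aspx - 443 10.0.0.21 200
'@ -split "`r?`n"

Find-ToolPaneEditPosts -LogLines $sample | Format-Table -AutoSize
```

Only the second sample line is reported; on a real server replace $sample with Get-Content over the W3C log files under the site's log directory.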