{"id":3374,"date":"2025-10-25T11:52:46","date_gmt":"2025-10-25T11:52:46","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/10\/25\/threat-actors-ramp-up-public-app-exploits-as-toolshell-gains-traction\/"},"modified":"2025-10-25T11:52:46","modified_gmt":"2025-10-25T11:52:46","slug":"threat-actors-ramp-up-public-app-exploits-as-toolshell-gains-traction","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/10\/25\/threat-actors-ramp-up-public-app-exploits-as-toolshell-gains-traction\/","title":{"rendered":"Threat Actors Ramp Up Public App Exploits as ToolShell Gains Traction"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-d4838ec2-40a2-4acd-b60f-e04b0cd2a9d3\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>The ToolShell exploit, affecting on-premises Microsoft SharePoint servers, has driven a rise in threat actors exploiting public-facing applications for initial access.<\/p>\n<p>In the last quarter, this tactic appeared in over 60% of Cisco Talos Incident Response (Talos IR) engagements, up from 10% in the previous quarter.<\/p>\n<p>Almost 40% of all engagements involved ToolShell activity, a major contributor to this tactic\u2019s rise in popularity, Cisco Talos explained in a recent report.<\/p>\n<\/div>\n<figure id=\"layout-32cee7f6-0c0f-4513-9bad-be113dc16805\" data-layout-id=\"4\" data-edit-folder-name=\"image\" data-index=\"1\"><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/localimages\/f2f252fe-8b02-4f84-ad12-69939563b9b4.jpg\" alt=\"Source: Cisco Talos\"><figcaption>Source: Cisco Talos<\/figcaption><\/figure>\n<div id=\"layout-7f5b5dfc-c6bd-4760-9c1f-470e97dc0af6\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"2\">\n<p>The ToolShell exploit chain was first made public in mid-July 2025. 
The attack exploits CVE-2025-53770 and CVE-2025-53771, two vulnerabilities in internet-facing SharePoint servers rated critical and high severity.<\/p>\n<p>In July 2025, Microsoft warned that China-based threat groups Linen Typhoon and Violet Typhoon were actively targeting the SharePoint vulnerabilities, likely as part of a strategic campaign to gain initial access to targets across government, defense, academia and NGOs.<\/p>\n<p>Active exploitation of the ToolShell vulnerabilities was first observed in the wild on July 18, a day before Microsoft issued its emergency advisory.<\/p>\n<p>\u201cAlmost all Talos IR engagements responding to ToolShell activity kicked off within the following 10 days,\u201d Cisco explained in its <em>Quarterly Trends report<\/em>, published on October 23.<\/p>\n<h2><strong>Network Segmentation Crucial<\/strong><\/h2>\n<p>The cybersecurity firm highlighted the need for network segmentation to stop such attacks from enabling threat actors to move laterally within an organization.<\/p>\n<p>In one Talos IR engagement, the firm said, the victim organization was first hit by ToolShell exploitation against a SharePoint server and then suffered a ransomware attack a few weeks later.<\/p>\n<p>In the ransomware attack, Talos IR analysis indicated that the actors transferred credential-stealing malware from the compromised public-facing SharePoint server to a SharePoint database server on the victim\u2019s internal network.<\/p>\n<p>This, Talos IR said, demonstrates how the attackers leveraged the trusted relationship between the two servers to expand their foothold.<\/p>\n<h2><strong>Ransomware Remains a Persistent Threat<\/strong><\/h2>\n<p>Other findings in the Cisco Talos update showed that ransomware incidents made up around 20% of engagements in the third quarter of 2025, down from 50% in the previous 
quarter.<\/p>\n<p>Talos IR responded to the Warlock, Babuk and Kraken ransomware variants for the first time, while also responding to the previously seen families Qilin and LockBit.<\/p>\n<p>The company responded to a ransomware engagement in Q3 that it assessed with moderate confidence to be attributable to the Storm-2603 threat group, based on overlapping tactics, techniques and procedures (TTPs) such as the deployment of both LockBit and Warlock ransomware.<\/p>\n<p>The Qilin ransomware group was also particularly active, and Cisco Talos said it will very likely remain a top ransomware threat through at least the remainder of 2025, barring any disruption or intervention.<\/p>\n<p><em>Image credit: PhotoGranary02 \/ Shutterstock.com<\/em><\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The ToolShell exploit, affecting on-premises Microsoft SharePoint servers, has driven a rise in threat actors exploiting public-facing applications for initial access. In the last quarter, this tactic appeared in over 60% of Cisco Talos Incident Response (Talos IR) engagements, an increase from 10% in the previous quarter. 
Almost 40% of all engagements involved ToolShell activity, majorly contributing<\/p>\n","protected":false},"author":2,"featured_media":3375,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3374","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3374-e0ac64ef-d283-464a-902a-340a6e36d492.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3374-e0ac64ef-d283-464a-902a-340a6e36d492-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3374-e0ac64ef-d283-464a-902a-340a6e36d492.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3374-e0ac64ef-d283-464a-902a-340a6e36d492.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3374-e0ac64ef-d283-464a-902a-340a6e36d492.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3374-e0ac64ef-d283-464a-902a-340a6e36d492.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3374-e0ac64ef-d283-464a-902a-340a6e36d492.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3374-e0ac64ef-d283-464a-902a-340a6e36d492.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3374-e0ac64ef-d283-464a-902a-340a6e36d492.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3374-e0ac64ef-d283-464a-902a-340a6e36d492.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3374-e0ac64ef-d283-464a-902a-340a6e36d492-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":
"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3374","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=3374"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3374\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/3375"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=3374"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=3374"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=3374"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}