Cybersecurity Brief

Active SharePoint Exploits, SBOM Guidance, and AWS CodeBuild Security

Coverage: 31 Jul 2025 (UTC)

Incidents

Unit 42 reported active, widespread exploitation of multiple on‑premises Microsoft SharePoint flaws collectively tracked as ToolShell (CVE‑2025‑49704, CVE‑2025‑49706, CVE‑2025‑53770, CVE‑2025‑53771). Telemetry shows reconnaissance and exploitation against internet‑exposed SharePoint Enterprise Server 2016/2019 and SharePoint Server Subscription Edition, accelerating after proof‑of‑concept code surfaced. Observed chains delivered custom .NET modules and persistent web shells (including spinstall0.aspx), exfiltrated cryptographic MachineKeys and ViewState material, and in at least one case dropped a loader that executed the 4L4MD4R ransomware. Attackers used Base64‑encoded PowerShell via w3wp.exe/cmd.exe to write web shells into LAYOUTS directories, and retrieved ValidationKeys and DecryptionKeys to forge ViewState for credential and session abuse. The brief advises disconnecting exposed servers, applying vendor updates and mitigations for the listed CVEs, rotating ASP.NET machine keys, restarting IIS, and conducting thorough hunts for backdoors—recognizing that patching alone may not evict entrenched access. The team also shared IOCs and detection guidance to support containment and remediation.
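To make the process-level indicators above concrete for hunters, here is an added detection example (not Unit 42's code or IOCs): it scores constructed process-creation events for an IIS worker (w3wp.exe) spawning a command shell, decodes any -EncodedCommand argument, and flags writes into a SharePoint LAYOUTS directory. The sample events, the placeholder payload and the spinstall0.aspx path are constructed for the example.

```python
import base64
import re

WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Common spellings of PowerShell's -EncodedCommand switch followed by its Base64 blob.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Any .aspx written under a SharePoint TEMPLATE\LAYOUTS folder (web shell drop location).
LAYOUTS_RE = re.compile(r"\\TEMPLATE\\LAYOUTS\\[^\s\"']+\.aspx", re.IGNORECASE)


def encode_ps(script: str) -> str:
    # -EncodedCommand carries Base64 of the UTF-16LE script text.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(event: dict) -> list:
    """Return finding tags for one process-creation event; empty list means nothing suspicious."""
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    findings = []
    if parent in WEB_WORKERS and image in SHELLS:
        findings.append("iis-worker-spawned-shell")
        decoded = decode_encoded_command(event["cmdline"])
        if decoded is not None:
            findings.append("encoded-powershell")
            hit = LAYOUTS_RE.search(decoded)
            if hit:
                findings.append("write-to-layouts:" + hit.group(0).rsplit("\\", 1)[-1])
    return findings


def hunt(events: list) -> list:
    return [(i, assess(e)) for i, e in enumerate(events) if assess(e)]


# Constructed sample telemetry (placeholder payload, not a real web shell).
PLACEHOLDER = encode_ps(r'Set-Content -Path "C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx" -Value "<constructed placeholder>"')
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -EncodedCommand " + PLACEHOLDER},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": "conhost.exe 0xffffffff"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile Get-Process"},
]
```

Feed real EDR or Sysmon process-creation events into hunt() in the same field shape; the first sample event yields all three tags, the other two none.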

Research

ESET reviewed July’s major developments, highlighting exploitation of SharePoint ToolShell, the reemergence of Lumma Stealer, and the business impact of credential weaknesses—citing a ransomware case that began with a guessed employee password and led to a UK transport firm’s closure. The roundup also noted an exposure in the McHire chatbot platform reportedly tied to trivial admin credentials, critical PerfektBlue flaws in a Bluetooth stack with implications for vehicles, and a UK proposal to ban ransom payments by public sector and critical infrastructure entities. The throughline is consistent: disciplined authentication, timely patching, and vendor security practices remain central to resilience.

Unit 42 introduced its Attribution Framework to make threat actor assessments more transparent and repeatable. The model fuses the Diamond Model of Intrusion Analysis with the Admiralty System, assigning default source reliability (A–F) and information credibility (1–6) to evidence while allowing analyst adjustments. Activity is first clustered (CL‑) based on correlated IoCs, TTPs, targeting, or timing; sustained, corroborated clusters can be elevated to temporary groups (TGR‑), and only after robust multi‑source evidence mapped across adversary, infrastructure, capability, and victim vertices are names assigned. An internal review board vets promotions, aiming to reduce naming drift and to report confidence levels consistently.

CISA released Thorium, a high‑throughput malware and forensic analysis framework developed with Sandia National Laboratories. Thorium orchestrates automated workflows across commercial, open‑source, and custom tools, emphasizing speed and scale—ingesting over 10 million files per hour per permission group and scheduling more than 1,700 jobs per second—while maintaining fast queries. It supports containerized command‑line tools, with options to integrate VM or bare‑metal tools, and provides tagging, full‑text search, strict group‑based permissions, and horizontal scaling via Kubernetes and ScyllaDB to match operational demand.

Platforms

AWS outlined a defense‑in‑depth approach for CodeBuild pipelines, clarifying shared responsibility and focusing on risks from untrusted pull requests that can run arbitrary code with access to secrets and artifacts. The guidance defines trust boundaries for internal and external contributors, uses webhook filterGroups to enforce push‑only, branch‑based, or contributor‑allowlist patterns, and proposes a staged rollout. It recommends per‑build least‑privilege IAM roles validated with IAM Access Analyzer, narrowly scoped GitHub tokens stored in Secrets Manager with rotation, isolated VPC environments, combined automated scanning with human approval gates, and monitoring via CloudTrail and AWS Config to detect configuration drift.
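As an added illustration (not AWS's own code), the following models the webhook filterGroups patterns the guidance describes and evaluates them with CodeBuild's documented matching rules: a build starts if any group matches, a group matches only if every filter in it matches, and excludeMatchedPattern inverts a filter. The branch names, commit-message rule and contributor account IDs are constructed placeholders.

```python
import re

TRUSTED_CONTRIBUTOR_IDS = "^(12345678|87654321)$"  # constructed GitHub account IDs

# Same shape as the filterGroups argument of CreateWebhook / UpdateWebhook.
FILTER_GROUPS = [
    # Pattern A: push-only, restricted to protected branches, skipping "[skip ci]" commits.
    [{"type": "EVENT", "pattern": "PUSH"},
     {"type": "HEAD_REF", "pattern": "^refs/heads/(main|release/.*)$"},
     {"type": "COMMIT_MESSAGE", "pattern": r"\[skip ci\]", "excludeMatchedPattern": True}],
    # Pattern B: pull requests only from allowlisted contributors, targeting main.
    [{"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
     {"type": "ACTOR_ACCOUNT_ID", "pattern": TRUSTED_CONTRIBUTOR_IDS},
     {"type": "BASE_REF", "pattern": "^refs/heads/main$"}],
]


def filter_matches(flt: dict, event: dict) -> bool:
    """One filter against one webhook event; event fields are keyed by filter type."""
    value = event.get(flt["type"], "")
    if flt["type"] == "EVENT":
        # EVENT patterns are a comma-separated list of event names, matched exactly.
        hit = value in {p.strip() for p in flt["pattern"].split(",")}
    else:
        hit = re.search(flt["pattern"], value) is not None
    return hit != flt.get("excludeMatchedPattern", False)


def would_trigger(filter_groups: list, event: dict) -> bool:
    return any(all(filter_matches(f, event) for f in group) for group in filter_groups)


# Constructed sample webhook events.
PUSH_MAIN = {"EVENT": "PUSH", "HEAD_REF": "refs/heads/main", "COMMIT_MESSAGE": "fix typo"}
PUSH_SKIP = {"EVENT": "PUSH", "HEAD_REF": "refs/heads/main", "COMMIT_MESSAGE": "[skip ci] bump"}
PUSH_FEATURE = {"EVENT": "PUSH", "HEAD_REF": "refs/heads/feature/x", "COMMIT_MESSAGE": "wip"}
PR_UNTRUSTED = {"EVENT": "PULL_REQUEST_CREATED", "ACTOR_ACCOUNT_ID": "99999999",
                "BASE_REF": "refs/heads/main", "HEAD_REF": "refs/heads/fork-branch"}
PR_TRUSTED = {"EVENT": "PULL_REQUEST_UPDATED", "ACTOR_ACCOUNT_ID": "12345678",
              "BASE_REF": "refs/heads/main", "HEAD_REF": "refs/heads/topic"}
PR_TRUSTED_DEV = dict(PR_TRUSTED, BASE_REF="refs/heads/develop")
```

Use it to reason about a candidate configuration before applying it with `aws codebuild update-webhook --filter-groups`; the untrusted pull request above never starts a build, while the push to main and the allowlisted PR to main do.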

For secure file sharing, a two‑part analysis weighs architectures against access patterns, protocol needs, and operational constraints. The first installment, Part 1, examines Transfer Family, Transfer Family web apps, S3 pre‑signed URLs, and a serverless presigned‑URL model via API Gateway and Lambda—highlighting security controls, cost drivers, and risks such as URL reuse and upload limits. The sequel, Part 2, evaluates CloudFront signed URLs for global, cache‑friendly distribution; a PrivateLink VPC endpoint service for private, flexible protocol support at higher operational complexity; and S3 Access Points for scaled access management and VPC‑only S3 access. The guidance concludes no single pattern fits all, and combinations may best balance security, cost, and operational effort.

Policies

An update from MSRC expands the .NET Bounty Program’s scope and clarifies rewards. Coverage now spans supported .NET and ASP.NET versions, adjacent technologies such as F#, repository templates, and relevant GitHub Actions. Awards align with explicit severity and impact categories used across Microsoft programs, and report quality is defined as “complete” (requiring a fully functional exploit) or “not complete,” with payouts scaled accordingly. Top awards reach $40,000 for complete Remote Code Execution or Elevation of Privilege findings, with graduated amounts for other impacts. The changes aim to increase transparency and encourage detailed, actionable submissions across the .NET ecosystem.

These and other news items from the day:

Thu, July 31, 2025

ToolShell SharePoint Vulnerabilities and Ongoing Exploitation

🔔 Unit 42 reports active exploitation of multiple on‑premises SharePoint vulnerabilities collectively dubbed ToolShell, enabling unauthenticated remote code execution, authentication bypass, and path traversal. Activity observed from mid‑July 2025 includes web shell deployment, theft of ASP.NET MachineKeys and ViewState material, and delivery of the 4L4MD4R ransomware in at least one chain. Organizations with internet‑exposed SharePoint servers should assume potential compromise and follow containment, patching, cryptographic rotation, and incident response guidance immediately.


Thu, July 31, 2025

July 2025 Cybersecurity Roundup: Key Incidents and Risks

🛡️ In July 2025, ESET Chief Security Evangelist Tony Anscombe highlighted major cybersecurity incidents, including exploitation of ToolShell zero‑day vulnerabilities in on‑premises Microsoft SharePoint and the confirmed return of Lumma Stealer. Other critical stories included a ransomware attack that closed UK transport firm KNP, a massive data exposure in McDonald's hiring chatbot McHire, and the discovery of PerfektBlue Bluetooth flaws affecting vehicles. The UK also proposed banning ransom payments by public bodies.


Thu, July 31, 2025

Implementing Defense-in-Depth for AWS CodeBuild Pipelines

🔒 This guide consolidates practical recommendations for securing AWS CodeBuild CI/CD pipelines, emphasizing webhook configuration, trust boundaries, and least-privilege access. It warns against automatic pull request builds from untrusted contributors and prescribes push-based, branch-based, and contributor-filtered webhook patterns, plus staged rollout using Infrastructure as Code. Additional safeguards include scoped GitHub tokens, per-build IAM roles, isolated build environments, CloudTrail logging, and manual approval gates for sensitive deployments.


Thu, July 31, 2025

Secure File Sharing in AWS: Security and Cost Guide

🔒 This second part of the guide examines three AWS file‑sharing mechanisms — CloudFront signed URLs, an Amazon VPC endpoint service backed by a custom application, and S3 Access Points — contrasting their security, cost, protocol, and operational trade‑offs. It highlights CloudFront’s edge caching and WAF/Shield integration for low‑latency public delivery, PrivateLink for fully private TCP connectivity, and Access Points for scalable IAM‑based S3 access control. The post emphasizes choosing or combining solutions based on access patterns, compliance, and budget.


Thu, July 31, 2025

Secure File Sharing on AWS: Security and Cost Options

🔐 This post by Swapnil Singh (updated July 28, 2025) compares AWS file-sharing options and explains security and cost trade-offs to help architects choose the right approach. Part 1 focuses on AWS Transfer Family, Transfer Family web apps, S3 pre-signed URLs, and a serverless pre-signed URL pattern (API Gateway + Lambda), outlining strengths, limitations, and pricing considerations. It emphasizes requirements gathering—access patterns, protocols, security, operations, and business constraints—and presents a decision matrix and high-level guidance for selecting a solution.


Thu, July 31, 2025

Unit 42 Attribution Framework: Systematic Attribution

🔎 Unit 42's Attribution Framework defines a structured, repeatable process for linking observed cyber activity to clusters, temporary groups, or formally named threat actors. It pairs the Diamond Model with the Admiralty System to score source reliability and information credibility, guiding analysts through minimum standards, naming conventions, and promotion criteria to reduce premature attribution.


Thu, July 31, 2025

CISA Releases Thorium: Scalable Malware Analysis Platform

🛡️ CISA, in partnership with Sandia National Laboratories, released Thorium, an automated, scalable malware and forensic analysis platform that consolidates commercial, custom, and open-source tools into unified, automated workflows. Thorium is configured to ingest over 10 million files per hour per permission group and schedule more than 1,700 jobs per second, enabling rapid, large-scale binary and artifact analysis while maintaining fast query performance. It scales on Kubernetes with ScyllaDB, supports Dockerized tools and VM/bare-metal integrations, and enforces strict group-based access controls along with tag and full-text filtering for results.


Thu, July 31, 2025

Microsoft .NET Bounty Program Raises Awards to $40,000

🔒 Microsoft has expanded the .NET Bounty Program, increasing maximum awards to $40,000 and broadening coverage to include all supported .NET and ASP.NET versions, adjacent technologies like F#, templates, and GitHub Actions. The program simplifies award tiers, aligns impact categories with other Microsoft bounty programs, and defines report quality as complete (working exploit) or not complete, encouraging detailed, actionable submissions.


Thu, July 31, 2025

Microsoft .NET Bounty Program Increases Awards to $40,000

🛡️ Microsoft has updated the .NET Bounty Program, expanding scope and increasing maximum payouts to $40,000 for high-impact vulnerabilities. The program now covers all supported versions of .NET and ASP.NET (including Blazor and F#), repository templates, and GitHub Actions in .NET repositories. Awards are now tied to explicit severity and report quality criteria, with higher payments for complete, exploit-backed reports.
