A wave of large-scale attacks has been observed targeting the Microsoft SharePoint vulnerability CVE-2025-53770. This vulnerability allows unauthorized attackers to execute malicious code directly on Microsoft SharePoint Server, potentially compromising the system. For more details on CVE-2025-53770, please refer to Microsoft’s official advisory.
TeamT5’s MDR Services and Cyber Threat Intelligence teams responded promptly to the vulnerability incident. They assisted customers in determining whether their environments were affected by this wave of attacks, and provided guidance on mitigation and prevention strategies. And this article offers suggestions for handling the high-risk vulnerability effectively.
TeamT5 Defense Actions
Threat Analysis
SharePoint is commonly used to share content within the company and is highly integrated with many core services. Once compromised, attackers may use it to spread laterally to these core systems. According to the CISA organization's suggestions, companies with SharePoint servers should assume that they have been penetrated. Even if a patch is installed, they still need to fully check the server status and respond to the incident.
Field Inspection
The TeamT5 MDR Service team proactively examined the customer’s environment for malicious programs by analyzing attack patterns and associated IP addresses (detailed below). They also reviewed endpoint scan reports and activity logs to ensure no potential threats were present.
[Suspicious IPs / Domains]
104.238.159.149
107.191.58.76
34.121.207.116
34.72.225.196
45.191.66.77
45.77.155.170
96.9.125.147
104.238.159.149
107.191.58.76
34.121.207.116
34.72.225.196
45.191.66.77
45.77.155.170
96.9.125.147
For more information, subscribe to ThreatVision - Vulnerability Threat Intelligence.
Endpoint Scanning
For this vulnerability attack feature, TeamT5’s threat forensics analysis platform “ThreatSonar” can be used to scan the SharePoint server to obtain relevant information and confirm whether malicious attack behaviors have occurred. The key points of confirmation are:
- Malicious event records: whether there is suspicious Powershell execution status.
- Malicious file content: whether there is a WebShell.
- Malicious system instructions: whether there is a related lateral movement instruction (lolbas) execution status.
TeamT5 Suggestions
If you find that the SharePoint server in the field has been attacked, it is recommended to take the following measures:
- Stop the external services of the SharePoint server (disconnect and isolate), reset the MachineKey of this server, and install the patch.
- Store malicious files and Web Access Logs for cybersecurity experts to identify and analyze the sources of the attacks, so as to find relevant IoC for investigation and confirmation.
- Immediately delete the malicious files found in the system, and execute cybersecurity health diagnosis (compromise assessment) and threat hunting on other servers in the field to confirm whether other endpoints in the information field are safe.
In light of the increasing frequency of APT and ransomware attacks, TeamT5 recommends strengthening the following protection and response measures within your environment:
- When the IoC of a cybersecurity incident is released, the information should be immediately imported into the cybersecurity protection equipment and platform, and proactive scanning should be carried out to confirm whether there are hidden threats.
- Master the threat information of network terminal equipment, external service systems, internal core AD management and endpoint systems in the field, review possible attack behaviors and introduce relevant protection mechanisms to reduce the probability of successful attacks.
- For the field security incident response process, it is recommended to face possible network attack threats through "preemptive prevention", "in-process protection and response" and "post-incident recovery and enhancement", and retain relevant evidence for investigation.
- Consult TeamT5’s threat intelligence and incident response service team to help review potential threats in the field and plan response plans in advance, such as:
- Use TeamT5 threat intelligence platform ThreatVision to monitor the latest cyber attack threat intelligence and deep & dark web threat intelligence, grasp the possible attack situation and system leakage of account and password, data leakage situation, promptly find out the possible breach, immediately repair the weakness, and prevent the disaster from expanding.
- Review the network architecture and assess external exposure risks. For critical systems such as Web, Email, ERP, AD, and operational endpoints, deploy the endpoint detection & response platform ThreatSonar Anti-Ransomware to enhance endpoint security. This solution enables rapid detection, response, and blocking of hacker threats, ensuring timely protection of your environment.
TeamT5's Commitment
To safeguard our customers' environments, TeamT5 offers a range of services tailored to diverse security needs, with a continued focus on ensuring system integrity and protection. If you have any questions or require further information, please don’t hesitate to contact us.
TeamT5 CSIRT & PSIRT mainly provide customers with cybersecurity incident detection, notification and response services. During the process, they will work closely with the customer's IT and cybersecurity team, and provide customers with the intelligence and professional tools they need to face network threats in advance, assist in identifying and defending against threats, conduct detection and response during the incident, and provide post-incident recovery and enhancement services.Contact us for consultancy.
(cover source: pexels)