All Articles

CISOPlatform Breach Intelligence July 25, 2025 – SharePoint Zero-Day Exploitation & Aviation BEC Attacks

Posted by CISO Platform on July 29, 2025 at 2:28am in Blog

CISOPlatform Breach Intelligence July 25, 2025 – SharePoint Zero-Day Exploitation & Aviation BEC Attacks

 

Report Date: July 25, 2025

Coverage Period: July 24, 2025

Classification: Confidential - Executive Distribution

 

Executive Summary

 

July 24, 2025 witnessed significant cybersecurity incidents dominated by the ongoing exploitation of Microsoft SharePoint vulnerabilities and sophisticated business email compromise attacks. The most critical development involves Storm-2603, a China-linked threat actor, deploying Warlock ransomware through SharePoint zero-day exploits affecting over 300 organizations globally. Concurrently, the SilverTerrier Nigerian cybercrime group continues targeting aviation executives through sophisticated phishing campaigns, resulting in six-figure financial losses. These incidents underscore the persistent threats to enterprise collaboration platforms and the evolving sophistication of both state-sponsored and financially motivated threat actors.

 

Key Breach Incidents Overview

 

  • SharePoint Zero-Day Exploitation (CVE-2025-49704/49706): Storm-2603 and Chinese APT groups exploiting unpatched SharePoint servers to deploy Warlock ransomware across 300+ organizations globally
  • Microsoft Patch Failure: Initial July 8 SharePoint patch proved incomplete, enabling continued exploitation until secondary patches were released
  • Aviation Industry BEC Attack: SilverTerrier group successfully phished aviation executive credentials, leading to six-figure customer payment fraud
  • Industrial Control Systems Vulnerabilities: CISA released six new ICS advisories affecting Mitsubishi Electric, Honeywell, and Medtronic systems
  • Critical Software Vulnerabilities: NVD published CVE-2025-53084 (WWBN AVideo XSS) and CVE-2025-26397 (SolarWinds privilege escalation)
  • Global Impact Scale: Over 4,600 compromise attempts detected across government, telecom, financial services, and manufacturing sectors
  • Ransomware Evolution: Integration of vulnerability exploitation with ransomware deployment demonstrates advanced threat actor capabilities
  • Supply Chain Targeting: Attackers increasingly focusing on collaboration platforms housing sensitive organizational data

 

Major Incident Analysis

 

 

1. SharePoint Zero-Day Campaign - "ToolShell"

 

SharePoint Attack Visualization
 

Threat Actor: Storm-2603 (China-linked), APT27 (Linen Typhoon), APT31 (Violet Typhoon)

Attack Vector: CVE-2025-49704 (RCE) + CVE-2025-49706 (Spoofing)

Impact: 300+ organizations, 4,600+ compromise attempts

Technical Analysis:

  • Exploitation of unpatched on-premises SharePoint servers through chained vulnerabilities
  • Deployment of spinstall0.aspx web shell for persistent access
  • Command execution via w3wp.exe process with privilege escalation
  • Microsoft Defender bypass through services.exe registry modifications
  • Credential harvesting using Mimikatz targeting LSASS memory
  • Lateral movement via PsExec and Impacket toolkit
  • Group Policy Object modification for Warlock ransomware distribution

MITRE ATT&CK Techniques:

  • T1190: Exploit Public-Facing Application
  • T1505.003: Web Shell
  • T1562.001: Disable or Modify Tools
  • T1003.001: LSASS Memory
  • T1021.002: SMB/Windows Admin Shares
  • T1484.001: Group Policy Modification

IOCs:

  • Web shell: spinstall0.aspx
  • Process: w3wp.exe (SharePoint worker process)
  • Registry modifications targeting Windows Defender
  • Scheduled task creation for persistence
  • ASP.NET machine key theft

 

2. Aviation Industry BEC Attack

 

Business Email Compromise Attack
 

Threat Actor: SilverTerrier (Nigerian cybercrime group)

Attack Vector: Credential phishing + domain spoofing

Financial Impact: Six-figure loss to aviation company customer

Technical Analysis:

  • Executive credential theft via fake Microsoft 365 login page
  • Rapid domain registration mimicking legitimate company domain
  • Invoice manipulation based on historical email correspondence
  • Look-alike domain deployment within hours of credential compromise
  • Customer payment redirection to attacker-controlled accounts

Attribution Indicators:

  • Email: roomservice801@gmail.com (240+ registered domains)
  • Historical connections to justyjohn50@yahoo.com, rsmith60646@gmail.com
  • Nigerian phone number: 2348062918302
  • Infrastructure reuse across multiple campaigns since 2012

MITRE ATT&CK Techniques:

  • T1566.002: Spearphishing Link
  • T1589.002: Email Addresses
  • T1583.001: Acquire Infrastructure: Domains
  • T1656: Impersonation

 

Strategic Threat Intelligence Analysis

 

The July 24 incidents reveal a concerning convergence of state-sponsored espionage capabilities with financially motivated cybercrime tactics. The SharePoint campaign demonstrates sophisticated supply chain targeting, where threat actors exploit trusted collaboration platforms to access crown jewel data including strategic plans, source code, and internal communications. The incomplete Microsoft patch cycle exposed critical vulnerabilities in vendor security response processes, enabling sustained exploitation across multiple threat actor groups.

The aviation BEC attack exemplifies the evolution of traditional fraud schemes into highly targeted, industry-specific campaigns. SilverTerrier's decade-long operation demonstrates the persistence and adaptability of organized cybercrime groups, leveraging social engineering and infrastructure reuse to maximize operational efficiency. The rapid domain registration and invoice manipulation capabilities indicate advanced preparation and reconnaissance phases.

Both incidents highlight the shift from perimeter-focused attacks to internal platform exploitation, where attackers gain persistent access to business-critical systems and data. The integration of vulnerability exploitation with ransomware deployment represents a maturation of threat actor capabilities, combining initial access techniques with monetization strategies.

 

CISO Strategic Recommendations

 

1. Immediate SharePoint Hardening: Deploy emergency patches CVE-2025-53770/53771, enable AMSI integration, rotate ASP.NET machine keys, and isolate on-premises instances from internet exposure

2. Enhanced Email Security Controls: Implement advanced email filtering, domain monitoring for look-alike registrations, and mandatory multi-factor authentication for all privileged accounts

3. Collaboration Platform Security Review: Conduct comprehensive security assessments of all internal collaboration tools, implement zero-trust access controls, and establish monitoring for unusual administrative activities

4. Incident Response Capability Enhancement: Activate Financial Fraud Kill Chain procedures for BEC incidents, establish 72-hour response protocols, and maintain updated threat intelligence feeds

5. Executive Protection Program: Deploy targeted security awareness training for C-level executives, implement email authentication technologies (DMARC/SPF/DKIM), and establish secure communication channels for financial transactions

 

Threat Landscape Analysis

 

The current threat landscape demonstrates an acceleration in the weaponization of zero-day vulnerabilities, with threat actors achieving exploitation within hours of public disclosure. State-sponsored groups are increasingly collaborating or competing for access to the same vulnerability sets, creating complex attribution challenges and amplified impact scales.

The persistence of organized cybercrime groups like SilverTerrier indicates that traditional law enforcement approaches remain insufficient to disrupt established criminal infrastructure. The group's ability to maintain operations across multiple jurisdictions while continuously adapting tactics suggests a need for enhanced international cooperation and private sector threat intelligence sharing.

Enterprise collaboration platforms have emerged as primary targets due to their central role in business operations and the sensitive data they contain. The shift from edge appliance targeting to internal platform exploitation requires fundamental changes in security architecture, moving from perimeter-based defenses to comprehensive internal monitoring and zero-trust implementations.

The integration of artificial intelligence and machine learning in both attack and defense capabilities is creating an arms race dynamic, where threat actors leverage automation for reconnaissance and exploitation while defenders struggle to implement equally sophisticated detection and response capabilities.

 

Conclusion and Forward-Looking Insights

 

The July 24 incidents underscore the critical importance of proactive vulnerability management, comprehensive email security controls, and robust incident response capabilities. Organizations must prioritize the security of collaboration platforms and implement defense-in-depth strategies that assume breach scenarios.

The convergence of state-sponsored and financially motivated threat actors around common vulnerability sets suggests that traditional threat categorization models require updating. CISOs should prepare for scenarios where espionage and financial crime objectives overlap, creating complex incident response and attribution challenges.

Looking forward, organizations should expect continued targeting of collaboration platforms, increased sophistication in social engineering attacks, and the potential for AI-enhanced threat actor capabilities. Investment in threat intelligence, security automation, and cross-industry information sharing will be essential for maintaining effective cybersecurity postures.

The rapid exploitation timelines observed in these incidents emphasize the need for emergency response capabilities and the ability to implement security controls within hours rather than days. Organizations that cannot achieve this response velocity will face disproportionate risk exposure in the current threat environment.

 

Sources and References

1. The Hacker News - "Storm-2603 Exploits SharePoint Flaws to Deploy Warlock Ransomware on Unpatched Systems" (July 24, 2025)

2. CSO Online - "Microsoft's incomplete SharePoint patch led to global exploits by China-linked hackers" (July 24, 2025)

3. SecurityWeek - "ToolShell Zero-Day Attacks on SharePoint First Wave Linked to China Hit High-Value Targets" (July 24, 2025)

4. KrebsOnSecurity - "Phishers Target Aviation Execs to Scam Customers" (July 24, 2025)

5. CISA - "CISA Releases Six Industrial Control Systems Advisories" (July 24, 2025)

6. CISA - "UPDATE: Microsoft Releases Guidance on Exploitation of SharePoint Vulnerabilities" (July 24, 2025)

7. National Vulnerability Database - CVE-2025-53084, CVE-2025-26397 (July 24, 2025)

8. ESET Telemetry - Global ToolShell exploitation statistics

9. Check Point Research - SharePoint compromise attempt analysis

10. Palo Alto Networks Unit 42 - SilverTerrier threat group analysis

 

For more breach intelligence reports and cybersecurity insights, visit CISOPlatform.com and sign up to be a member.

Nominate for Global CISO 100 Awards & Future CISO Awards (1-2 October Atlanta, USA): Nominate Your Peer

Views: 65
Tags: breach intelligence
Votes: 0
E-mail me when people leave their comments –
Follow
Posted by CISO Platform

Priyanka, Co-Founder and Editor, CISO Platform Breach Intelligence, leads our threat intelligence and incident analysis efforts, providing actionable insights to the global cybersecurity community. With extensive experience in cybersecurity leadership and breach analysis, she specializes in translating complex technical threats into strategic intelligence for security executives.

You need to be a member of CISO Platform to add comments!

Join CISO Platform

Join The Community Discussion

Read More

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)
 

 

 

CISO Platform Talks : Security FireSide Chat With A Top CISO or equivalent (Monthly)

Jun 1, 2025 at 3:00am to Dec 31, 2025 at 3:00am
Virtual
  • Description:

    CISO Platform Talks: Security Fireside Chat With a Top CISO

    Join us for the CISOPlatform Fireside Chat, a power-packed 30-minute virtual conversation where we bring together some of the brightest minds in cybersecurity to share strategic insights, real-world experiences, and emerging trends. This exclusive monthly session is designed for senior cybersecurity leaders looking to stay ahead in an ever-evolving landscape.

    We’ve had the privilege of…

  • Created by: Biswajit Banerjee
  • Tags: ciso, fireside chat

6 City Round Table On "New Guidelines & CISO Priorities for 2025" (Delhi, Mumbai, Bangalore, Pune, Chennai, Kolkata)

Dec 1, 2025 at 3:00am to Dec 31, 2025 at 3:00am
India
  • Description:

    We are pleased to invite you to an exclusive roundtable series hosted by CISO Platform in partnership with FireCompass. The roundtable will focus on "New Guidelines & CISO Priorities for 2025"

    Date: December 1st - December 31st 2025

    Venue: Delhi, Mumbai, Bangalore, Pune, Chennai, Kolkata

    >> Register Here

  • Created by: Biswajit Banerjee

Fireside Chat With Sandro Bucchianeri (Group Chief Security Officer at National Australia Bank Ltd.)

Jan 10, 2026 from 4:30pm to 5:00pm
Online
  • Description:

    We’re excited to bring you an insightful fireside chat with Sandro Bucchianeri (Group Chief Security Officer at National Australia Bank Ltd.) and Erik Laird (Vice President - North America, FireCompass). 

    About Sandro:

    Sandro Bucchianeri is an award-winning global cybersecurity leader with over 25…

  • Created by: Biswajit Banerjee
  • Tags: ciso, sandro bucchianeri, nab