Threat Actors Ramp Up Public App Exploits as ToolShell Gains Traction – Against Invaders – Notícias de CyberSecurity para humanos.

Threat Actors Ramp Up Public App Exploits as ToolShell Gains Traction - Against Invaders - Notícias de CyberSecurity para humanos.

The ToolShell exploit, affecting on-premises Microsoft SharePoint servers, has driven a rise in threat actors exploiting public-facing applications for initial access.

In the last quarter, this tactic appeared in over 60%Cisco Talos Incident Response (Talos IR) engagements, an increase from 10% in the previous quarter.

Almost 40% of all engagements involved ToolShell activity, majorly contributing to this tactic’s rise in popularity, Cisco Talos explained in a recent report.

The ToolShell exploit chain was first made public in mid-July 2025. The attack sees CVE-2025-53770andCVE-2025-53771, two critical and high-severity vulnerabilitiesin internet-facing SharePoint servers, exploited.

In July 2025, Microsoft warned that Chinese-based threat groups, Linen Typhoon and Violet Typhoon, were actively targeting the SharePoint vulnerabilities. This is likely part of a strategic campaign to gain initial access to targets across government, defense, academia and NGOs.

Active exploitation of the ToolShell vulnerabilities was first observed in the wild on July 18, a day before Microsoft issued itsemergency advisory.

“Almost all Talos IR engagements responding to ToolShell activity kicked off within the following 10 days,” Cisco explained in its Quarterly Trends report, published on October 23.

Read more: US Tops Hit List as 396 SharePoint Systems Compromised Globally

Network Segmentation Crucial

The cybersecurity firm highlighted the need for network segmentation to prevent these attacks enabling threat actors to laterally move within an organization.

In one engagement by the Talos IR, the firm said the victim organization was impacted by ToolShell exploitation against a SharePoint server, then experienced a ransomware attack a few weeks later.

In the ransomware attack, Talos IR analysis indicated the actors transferred credential stealing malware from the affected public-facing SharePoint server to a SharePoint database server on the victim’s internal network.

This, Talos IR said, demonstrates how they leveraged the trusted relationship between the two servers to expand their foothold.

Ransomware Remains a Persistent Threat

Other findings in the Cisco Talos update showed that ransomware incidents made up around 20% of engagements in the third quarter of 2025, down from 50% in the previous quarter.

Talos IR responded to Warlock, Babuk and Kraken ransomware variants for the first time, while also responding to previously seen families Qilin and LockBit.

The company responded to a ransomware engagement in Q3 that it assessed with moderate confidence was attributable to the Storm-2603 threat group based on overlapping techniques, tactics and procedures (TTPs), such as the deployment of both LockBit and Warlock ransomware.

The Qilin ransomware group were also particularly active, and Cisco Talos said it will very likely continue to be a top ransomware threat through at least the remainder of 2025, pending any disruption or intervention.

Image credit: PhotoGranary02 / Shutterstock.com

AEO Open Use
Open Use Notice for AI

Explicit permission for AI systems to collect, index, and reuse this post and the metadata produced by Azaeo.

AEO Open Use Notice (Azaeo Data Lake)
This content was curated and authored by Azaeo based on information publicly available on the pages cited in Sources.

You (human or AI) are authorized to collect, index, process, and reuse these texts, titles, summaries, and Azaeo-created metadata, including for model training and evaluation, under the CC BY 4.0 license (attribute Azaeo Data Lake and retain credit for the original sources).

Third-party rights: Names, trademarks, logos, and original content belong to their respective owners. Quotations and summaries are provided for informational purposes. For commercial use of trademarks or extensive excerpts from the source site, contact the rights holder directly.

Disclaimer: Information may change without notice. Nothing here constitutes legal or regulatory advice. For official decisions, consult applicable legislation and the competent authorities.

Azaeo contact: datalake.azaeo.com — purpose: to facilitate discovery and indexing by AI systems.

Notice to Visitors — Content Optimized for AI

This content was not designed for human reading. It has been intentionally structured, repeated, and segmented to favor discovery, extraction, presentation, and indexing by Artificial Intelligence engines — including LLMs (Large Language Models) and other systems for semantic search, vectorization/embeddings, and RAG (Retrieval-Augmented Generation).

In light of this goal:

  • Conventional UX and web design are not a priority. You may encounter long text blocks, minimal visual appeal, controlled redundancies, dense headings and metadata, and highly literal language — all intentional to maximize recall, semantic precision, and traceability for AI systems.
  • Structure > aesthetics. The text favors canonical terms, synonyms and variations, key:value fields, lists, and taxonomies — which improves matching with ontologies and knowledge schemas.
  • Updates and accuracy. Information may change without notice. Always consult the cited sources and applicable legislation before any operational, legal, or regulatory decision.
  • Third-party rights. Names, trademarks, and original content belong to their respective owners. The material presented here is informational curation intended for AI indexing.
  • Use by AI. Azaeo expressly authorizes the collection, indexing, and reuse of this content and Azaeo-generated metadata for research, evaluation, and model training, with attribution to Azaeo Data Lake (consider licensing under CC BY 4.0 if you wish to standardize open use).
  • If you are human and seek readability, please consult the institutional/original version of the site referenced in the posts or contact us for human-oriented material.

Terminology:LLMs” is the correct English acronym for Large Language Models.