Did a Vendor's Leak Help Attackers Exploit Microsoft's SharePoint Servers? (theregister.com)
- Reference: 0178478678
- News link: https://it.slashdot.org/story/25/07/27/0337218/did-a-vendors-leak-help-attackers-exploit-microsofts-sharepoint-servers
- Source link: https://www.theregister.com/2025/07/26/microsoft_sharepoint_attacks_leak/
But The Register reports today that the initiative's head of threat awareness is now [2]concerned about the source for that exploit of Microsoft's SharePoint servers:
> How did the attackers, who include Chinese government spies, data thieves, and ransomware operators, know how to exploit the SharePoint CVEs in such a way that would bypass the security fixes Microsoft released the following day? "A leak happened here somewhere," Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, told The Register. "And now you've got a zero-day exploit in the wild, and worse than that, you've got a zero-day exploit in the wild that bypasses the patch, which came out the next day...."
>
> Patch Tuesday happens the second Tuesday of every month — in July, [3]that was the 8th. But two weeks before then, Microsoft provides early access to some security vendors via the Microsoft Active Protections Program (MAPP). These vendors are required to sign a non-disclosure agreement about the soon-to-be-disclosed bugs, and Microsoft gives them early access to the vulnerability information so that they can provide updated protections to customers faster....
>
> One researcher suggests a leak may not have been the only pathway to exploit. "[4]Soroush Dalili was able to use Google's Gemini to help reproduce the exploit chain, so it's possible the threat actors did their own due diligence, or did something similar to Dalili, working with one of the frontier large language models like Google Gemini, o3 from OpenAI, or Claude Opus, or some other LLM, to help identify routes of exploitation," Tenable Research Special Operations team senior engineer Satnam Narang told The Register. "It's difficult to say what domino had to fall in order for these threat actors to be able to leverage these flaws in the wild," Narang added.
>
> Nonetheless, Microsoft did not release any MAPP guidance for the two most recent vulnerabilities, [5]CVE-2025-53770 and [6]CVE-2025-53771, which are related to the previously disclosed CVE-2025-49704 and CVE-2025-49706. "It could mean that they no longer consider MAPP to be a trusted resource, so they're not providing any information whatsoever," Childs speculated. [He adds later that "If I thought a leak came from this channel, I would not be telling that channel anything."]
>
> "It also could mean that they're scrambling so much to work on the fixes they don't have time to notify their partners of these other details.
[1] https://en.wikipedia.org/wiki/Zero_Day_Initiative
[2] https://www.theregister.com/2025/07/26/microsoft_sharepoint_attacks_leak/
[3] https://www.theregister.com/2025/07/08/microsoft_patch_tuesday/
[4] https://x.com/irsdl/status/1946166765316161634
[5] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770
[6] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771
Chinese Engineers (Score:3, Interesting)
Surely it has nothing to do with all of the earlier posts about Chinese engineers being used by Microsoft. And China *totally* wouldn't take advantage of that.
Re: (Score:2)
That obviously cannot be it. No. No. Really not. And there for sure are no Chinese backdoors into MS infrastructure left and right and no Chinese spies that could leak stuff or tell the attackers how Microsoft does things. Not possible.
As long as we are all just speculating (Score:3)
Going after the ASP.NET keys is not an unknown technique. It may not be popular bug bounty fodder, because in most cases the attack will be highly application-specific, but it is on the radar of anyone doing targeted operations.
Once you have that, you have a vector to send serialized payloads that are encrypted not by TLS but inside the protocol envelope. That means it will be opaque even to relatively high-end IDS/IPS/WAF solutions. Importantly, you can use it while making requests to resource paths that are likely normally seen; key point: monitoring and detection is not going to see the channel even if it is pretty darn good.
Now imagine you could discover and develop such an exploit offline in your own SharePoint environment; it works unauthenticated and across a range of versions, a pretty nice tool to go after some high-value targets until...
A patch comes out. You look at the patch; it's easy, even easier than usual, to reverse engineer it with or without LLM tools, because you already understand the problem. You know you can evade it and get an exploit chain going again... fine, but now it has all sorts of eyes on it. Maybe not something you want to risk using anymore, depending on exactly what kind of operator you are and what your real objectives are, but... you do have a clandestine operation to fund, and the ransomware boys will buy an exploit like that for middle six figures... or maybe you are the DPRK or something and everyone knows you do ransomware to acquire money and maybe just disrupt your enemies' economies already; perhaps your 'A' team turns over the details to the 'B' team to make some bank with and embarrass the US government without revealing the 'A' team's real capabilities or operations.
We absolutely know patches get reversed and exploits generated from them to attack the slow to patch. Plenty of history of that, but it is not hard to imagine that certain threat groups were holding onto a high-value exploit like this given the range of targets, and when they saw it got "burned" went for getting as much residual value as possible too.
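The comment above treats static ASP.NET machine keys as the asset that turns a leaked secret into a detection-evading channel. The defender's counterpart is to know whether a SharePoint/IIS web.config carries explicit keys and weak algorithms, and to rotate them. The script below is an added example (not from the page, the commenter, or Microsoft): it audits a constructed web.config, flags static or weak <machineKey> settings, and rewrites the element with freshly generated keys. Key lengths follow ASP.NET's documented sizes (AES decryption key 32 bytes, HMACSHA256 validation key 64 bytes); the sample config values are placeholders.

```python
"""Audit and rotate the <machineKey> element of an ASP.NET web.config."""
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample: a hard-coded machineKey with legacy algorithms.
# The hex values are placeholders, not real keys.
SAMPLE_WEB_CONFIG = (
    '<configuration><system.web>'
    f'<machineKey validationKey="{"AB" * 40}" decryptionKey="{"CD" * 24}" '
    'validation="SHA1" decryption="3DES" />'
    '</system.web></configuration>'
)

STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}
HEX = re.compile(r"[0-9A-Fa-f]+")


def audit_machine_key(xml_text: str) -> list[str]:
    """Return findings for the <machineKey> element; empty list means nothing to flag."""
    mk = ET.fromstring(xml_text).find("./system.web/machineKey")
    if mk is None:
        # Auto-generated keys are per-server; a farm needs explicit, shared keys.
        return ["no explicit <machineKey>: keys auto-generated per server"]
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue
        # A static key is normal in a farm, but must be rotated on suspected disclosure.
        findings.append(f"static {attr}: rotate if disclosure is suspected")
        if not HEX.fullmatch(value):
            findings.append(f"{attr} is not a hex string")
    if mk.get("validation", "HMACSHA256") not in STRONG_VALIDATION:
        findings.append(f"weak validation={mk.get('validation')}; use HMACSHA256")
    if mk.get("decryption", "Auto") not in {"AES", "Auto"}:
        findings.append(f"weak decryption={mk.get('decryption')}; use AES")
    return findings


def rotate_machine_key(xml_text: str) -> str:
    """Return the config with new random keys and AES/HMACSHA256 set on <machineKey>."""
    root = ET.fromstring(xml_text)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        mk = ET.SubElement(root.find("./system.web"), "machineKey")
    mk.set("validationKey", os.urandom(64).hex().upper())  # 512-bit HMAC key
    mk.set("decryptionKey", os.urandom(32).hex().upper())  # 256-bit AES key
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")
```

After rotation, the only remaining findings are the "static key" notes, which is the expected state for a multi-server farm that shares keys deliberately.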
Microsoft is busy (Score:2)
> It also could mean that they're scrambling so much to work on the fixes they don't have time to notify their partners of these other details.
It's not just that. They are right in the middle of a major [1]system software release [theregister.com].
[1] https://www.theregister.com/2025/07/25/systemd_258_first_rc_here/
Alternative possibility (Score:4, Interesting)
The patch by Microsoft may have been laughably primitive and did not really fix things. They did that often enough before. The attackers may just have anticipated that (no AI needed) from past observations and may have developed their exploit one or two steps further than needed in anticipation of Microsoft doing only the absolute minimum.
Not saying this is what happened, but it may well be. It is really time to stop assuming Microsoft does anything right in the security space.
Re: (Score:3)
Interesting point, I would formulate it a bit differently:
when Microsoft issues a patch that is exploited right after that,
then this patch just covered up the vulnerability without fixing the core problem, or introduced another vulnerability.
And here I would say Microsoft deserves the full blame,
because one thing that needs to be understood is that there are many, many talented people out there doing reverse engineering, code analysis, as well as exploit creation, and just by the numbers China
Re:Alternative possibility (Score:5, Interesting)
Well, you are certainly more careful in how to phrase it. But I really think the time to go easy on Microsoft is long past. They had a ton of 2nd, 3rd, 4th and more chances and they continue to fuck it up. This is not even a pattern anymore, this is a fundamental incapability we are seeing. Yes, there are others that do not do much better. But the cost to society is just getting far too high and this has to stop.
Re: (Score:2)
Especially when they are the golden child of the US government's information systems.
From what I am seeing, the early 2020s will be the high water mark of the "cloud" and things are just going to start reverting back to closed down networks. There is too much at risk for companies with sensitive designs, and too many companies like Microsoft attached to their secure clouds that can open up a leak path.
An absolutely real national security risk is the push to the cloud of common design and manufacturing softw
Re: (Score:1)
I am not sure if corporate leaders really consider this that seriously. They are more worried about the short-term. Asking them to re-invest money to insource just hurts their quarterly and annual financial statements. My guess is that top level execs figure if something bad happens, they may get fired but they will leave with a nice payout and move on to some other company. Their pitch is always, I reduced costs and raised quarterly returns. Sadly, information security and cyber-security are seen as cost