
National Cyber Defenses at Risk as Key Programs Expire Amid Government Shutdown

OPINION — Ransomware attacks conducted by criminals are persistently hitting airports, schools, and 911 dispatch centers, while foreign adversaries probe our critical infrastructure every day. Yet, two programs designed to build national cyber readiness to combat these threats — one that underpins public-private threat sharing, the other that builds local cyber defenses — have now expired. Congress’s inaction amid the government shutdown has left a widening gap in America’s cyber defenses.

Nearly a decade ago, Congress passed the Cybersecurity Information Sharing Act of 2015 (CISA 2015) to encourage private companies and government agencies to voluntarily share cyber threat indicators; that law officially expired on September 30. It was a bipartisan response to rising state-sponsored hacking campaigns, and it provided a legal framework — and protections — that still govern how threat data flows across public and private networks today.

This legal framework supports everything from classified alerts and incident reports to real-time information exchange across sectors like energy, transportation, and healthcare. Without it, experts warn that information sharing between companies and the federal government could drop by as much as 80 percent, severely degrading national cyber situational awareness.

Before the shutdown, steps toward a full reauthorization were underway, with bipartisan support in both chambers – but the process has now stalled entirely. One proposal, however, threatened to undermine the goals of the law. Senate Homeland Security Committee Chair Rand Paul’s (R-KY) version of CISA 2015 renewal would gut key legal protections — including liability and FOIA safeguards — and inject surveillance-related restrictions that have no place in cybersecurity law. His version would kill the trusted framework that enables timely, voluntary sharing of threat intelligence data, not improve it.

A more responsible path is already on the table. In early September, the House Homeland Security Committee Chair, Representative Andrew Garbarino (R-NY), introduced the Widespread Information Management for the Welfare of Infrastructure and Government Act, which would reauthorize CISA 2015 for ten years. It also includes a new outreach mandate to ensure that small and rural critical infrastructure owners and operators understand how to participate in information sharing efforts.

Meanwhile, the second program that expired is the State and Local Cybersecurity Grant Program (SLCGP) created through the 2021 bipartisan infrastructure law. Unlike CISA 2015, which supports federal-private coordination, this program was designed to build basic cyber capacity at the state and local level. It pushed state and local governments to create cybersecurity plans, conduct assessments, and adopt best practices – and provided the funding to put those plans into action. For many jurisdictions, this was their first real investment in cyber defense.

So far, the program has backed over 800 projects across 33 states and territories, totaling $838 million. In Utah, grant-funded tools helped stop a ransomware attack on a major airport and a 911 emergency dispatch center. In Maryland, it funded coordinated efforts across 40 counties. The program is not perfect — uneven cost-sharing requirements and bureaucratic restrictions limit its reach to smaller communities. But the results are clear: state officials say these projects “would not have been possible” without the SLCGP funding. This focus on state and local leadership on cybersecurity readiness is exactly what President Trump called for in his May 2025 Executive Order.


With the SLCGP expired as of August 31, that momentum is now in jeopardy. Without new funding, states and municipalities — especially those without dedicated cybersecurity teams — will be forced to pause cybersecurity initiatives. The result is not just slower progress, but a direct weakening of our national cyber posture. Alongside Rep. Garbarino’s bill, Representative Andy Ogles (R-TN) introduced the Protecting Information by Local Leaders for Agency Resilience Act, which would reauthorize SLCGP for ten years. But the bill lacks a dedicated funding amount.

A robust reauthorization of the SLCGP must do more than simply extend the program on paper. It must ensure sufficient, stable funding over the next decade, remove restrictions that prevent states from using funds for widely relied-upon cybersecurity services, and lower cost-share requirements for small and rural jurisdictions. The “whole-of-state” model — in which state agencies coordinate shared services for local governments — must be preserved and expanded.

The House had done its part, passing both ten-year reauthorizations with bipartisan support and including temporary extensions in the continuing resolution. But the Senate failed to act, leading to an immediate lapse. Unless both measures are included in the National Defense Authorization Act for a full, long-term extension, progress will stall. Anything less is a failure to defend the American people where the threat is already inside the wire — and would amount to more collateral damage from the shutdown.

The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals.

Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.

Have a perspective to share based on your experience in the national security field? Send it to Editor@thecipherbrief.com for publication consideration.

Read more expert-driven national security insights, perspective and analysis in The Cipher Brief

The Hidden Leverage of Digital Chokepoints

EXPERT PERSPECTIVE — When we think about the arteries of global power, images of oil pipelines or shipping lanes often come to mind. They are visible, tangible, and easy to picture on a map. The digital world has its own arteries, equally vital but far less visible: undersea cables, satellites, and semiconductor supply chains. These systems allow our economies to function, our militaries to coordinate, and our societies to remain connected.

We rarely stop to consider how very fragile they are. A fiber-optic cable lying quietly on the seabed, a satellite orbiting high above, or a single Dutch firm making the machines that build the world’s most advanced chips: each represents a potential point of failure. And when one of them falters, whether by accident or design, the consequences ripple instantly across the globe. What makes this even more concerning is that adversaries understand their potential value. They have studied the geography of our digital world with the same intensity that past powers studied maritime routes. Increasingly, they are testing ways to hold these chokepoints at risk, not in open war, but in the murky space called the gray zone.

Consider the seabed. Nearly all intercontinental internet traffic runs not through satellites, as many imagine, but along the ocean floor. The “cloud” is, in truth, anchored to the seabed. These cables are resilient in some respects, yet highly vulnerable in others. Russia has long deployed specialized vessels (such as the Yantar) to loiter near critical routes, mapping them and raising concerns about sabotage. The People’s Republic of China has taken subtler approaches. On several occasions, cables linking Taiwan’s outlying islands have been cut by Chinese vessels in incidents they described as accidental. Taipei viewed them, by contrast, as deliberate acts of pressure that left communities offline for weeks.

Nature has been no less disruptive. A volcanic eruption severed Tonga’s only international cable in 2022, cutting off connectivity entirely. A landslide off Côte d’Ivoire in 2024 damaged four cables at once, leaving more than a dozen African states scrambling to restore service. These episodes remind us that chokepoints need not be destroyed to reveal their importance.

For China, the issue is a strategic one. Through its Digital Silk Road initiative, Beijing has financed and built cables across Asia, Africa, and Europe. Chinese firms now sit at landing stations and repair depots. In times of peace these investments look like connectivity. In times of crisis, they can become instruments of leverage or coercion.


The same logic applies in orbit. Satellites and global navigation systems act as the nervous system of modern life. They time banking transactions, guide aircraft, and support military operations. Disrupting them unsettles the rhythms of daily existence. Russia previewed this dynamic in 2022 when it launched a cyberattack against the Viasat KA-SAT network on the first day of its invasion of Ukraine. Thousands of modems across Europe went dark, cutting off critical communications. More routinely, Russian jamming and spoofing around Kaliningrad and Moscow have disoriented navigation systems, with civilian pilots suddenly reporting the loss of GPS mid-flight.

China has created its own path through BeiDou, a rival to GPS that is already woven into infrastructure and commerce across large swaths of the world. Countries adopting BeiDou for civilian uses also create dependencies that, in a crisis, could become channels of influence. China’s so-called inspector satellites, capable of shadowing Western systems in orbit, serve as a reminder that the domain is contested and difficult to police. Jamming, spoofing, or orbital surveillance are rarely attributable in real time. They can be dismissed as interference or technical glitches even when deliberate. That ambiguity is precisely what makes them effective tools of gray-zone leverage.

Vulnerability also extends to the factories that produce the silicon chips powering the digital age. No chokepoint illustrates fragility more starkly than semiconductors. Advanced chips are the foundation of artificial intelligence, modern weapons systems, consumer electronics, modern automobiles, and more. Yet their production is concentrated in very few hands. One company in Taiwan manufactures most of the world’s leading-edge chips. A single Dutch firm produces the extreme ultraviolet lithography machines needed to make them. And China has demonstrated repeatedly how control over upstream minerals can be wielded as leverage. Restrictions on gallium, germanium, and graphite have caused immediate price spikes and sent Western companies scrambling for alternatives.

The global chip shortage during the pandemic provided a glimpse of how disruption can have cascading impacts. Automotive plants shut down, electronics prices soared, and entire supply chains stalled. That was the result of market forces. In a geopolitical crisis, disruption would be intentional, targeted, and likely more devastating.


None of these vulnerabilities exist in isolation. Together, they form part of a broader and comprehensive strategy, particularly for China, where digital infrastructure has become a deliberate instrument of national power. Through the Digital Silk Road, through export controls on critical minerals, through investments in semiconductor capacity, through an ambitious national AI strategy, and BeiDou’s global adoption, Beijing is systematically building positions of leverage.

Is this preparation for an open assault on global systems? Maybe not, but it is a strategy designed for options in the gray zone. By holding digital chokepoints at risk, China can complicate allied decision-making and cast doubt on the reliability of critical systems, thereby slowing or obstructing responses at moments when speed is decisive. The ambiguity of each incident – whether it appears to be an accident, a policy choice, or something more calculated – becomes a tool of coercion.

The reality is that these risks cannot be eliminated. The very efficiency of the digital age depends on concentration. A single company leads in chipmaking, a limited set of satellites provides global timing, and relatively few cables carry the world’s data vast distances across the open ocean. Efficiency brings tremendous capability, but it also brings fragility. And fragility invites exploitation.

The counterweight must be resilience. That means redundant routes and suppliers, pre-positioned repair capacity, diversified supply chains, hardened infrastructure, and rehearsed recovery plans. The point is to recover and regain capacity as quickly as possible. To do so requires deeper public-private partnerships and closer coordination among allies, since no nation can protect these domains on its own. Resilience is not a one-time investment but a cultural shift. A culture that assumes disruption will come, prepares for it, and ensures that no single outage or shortage can paralyze us.

History offers some perspective. Nations once fought to control straits, canals, and oil fields. They still do so today, but increasingly our chokepoints are digital, hidden from sight yet just as consequential. Whoever shapes them, shapes the balance of global power.

Global stability today depends on foundations that are often invisible. Fiber-optic cables under the sea, satellites crossing the skies, and factories producing chips with microscopic precision form the backbone of our digital age. They showcase human ingenuity while highlighting profound vulnerabilities. Recognizing the duality of innovation’s promise alongside its fragility may be the most important step toward protecting what matters most in the digital age. And, yes, we must defend these technologies. But it’s about something bigger. It’s about ensuring that the digital world we depend on remains a source of strength, and not a lever of coercion.

All statements of fact, opinion, or analysis expressed are those of the author and do not reflect the official positions or views of the U.S. Government. Nothing in the contents should be construed as asserting or implying U.S. Government authentication of information or endorsement of the author's views.


Special Report: Nat Sec EDGE 2025

The Cipher Brief's Special Report on Nat Sec EDGE 2025

The Nat Sec EDGE 2025 conference took place June 5–6, 2025 in Austin, Texas.

Foreword

The 2025 Nat Sec EDGE Conference brought together a diverse coalition of leaders from government, industry, investment, and innovation to confront a shared reality: America’s national security advantage is eroding, and our ability to adapt at speed will determine the outcome of future conflicts.

Across two days of discussions, senior officials, technologists, operators, and investors delivered a clear message: the U.S. is engaged in an unprecedented strategic competition with near-peer adversaries who are moving faster, with fewer constraints, in an effort to achieve dominance in emerging domains. While the U.S. still holds an innovation edge, our traditional systems for acquisition, classification, and risk management are too slow, too fragmented, and too siloed to respond to the velocity of today’s threats.

What emerged from this gathering in Austin, TX was not just urgency but clarity. The U.S. needs a new model for national security innovation, one built around speed, trust, integration, and mission-first execution. This means enabling “new primes” that can move at the pace of technology, equipping the defense industrial base with secure pathways to scale, and empowering operators and decision-makers with the tools to bridge policy, procurement, and operational need.

It also means recognizing that the problem is no longer technological; it’s sociological. The innovation exists. The capital exists. The threat is clear. What’s missing are the connective tissues: the incentives, partnerships, and trust frameworks that can accelerate solutions from concept to deployment.

This report captures the most critical messages and moments from Nat Sec EDGE. It is intended as both a record and a roadmap for those shaping the future of American security.


Suzanne Kelly, Brad Christian, Ethan Masucol and Connor Curfman contributed to this report.


How Hackers Take Over Security Cameras (and What You Can Do About It): A Conversation With Claroty’s Noam Moshe

Cybersecurity researcher Noam Moshe of Claroty met up with The Security Ledger Podcast at this year's Black Hat Briefings to discuss his presentation on critical Axis IP camera vulnerabilities that could let hackers spy, manipulate video feeds, and pivot into sensitive networks—and what organizations can do to defend against these (and other) IoT threats.

The post How Hackers Take Over Security Cameras (and What You Can Do About It): A Conversation With Claroty’s Noam Moshe appeared first on The Security Ledger with Paul F. Roberts.


Building Up to Code: Cybersecurity Risks to the UK Construction Sector

PinnacleOne recently partnered with a leading UK construction company to analyze the cybersecurity risks shaping the sector in 2025. This new report explores how evolving threats intersect with the construction industry’s unique challenges, including tight project timelines, complex supply chains, sensitive data, and high-value transactions. Aimed at CISOs and security leaders, it provides actionable guidance to balance opportunity with resilience, ensuring construction firms stay secure while building the nation’s future.

Report Overview

The UK construction sector is a vital part of the national economy, contributing approximately 5.4% of GDP and employing around 1.4 million people. However, this critical industry is increasingly the target of cyber threat actors seeking financial gains and espionage.

PinnacleOne recently collaborated with a UK construction company to review these trends and bolster their cyber strategy. In a new report, PinnacleOne synthesizes key recommendations for construction sector cyber strategy to help CISOs stay ahead of the threat.

The construction industry’s core characteristics make it a uniquely enticing target for cyber threat actors:

  • Money: Construction companies frequently handle high-value transactions, making them susceptible to financial fraud via business email compromise (BEC). Attackers can achieve significant gains by intercepting even a single large transaction.
  • Sensitive Data: Construction firms often possess a variety of sensitive data, including personal, sensitive personal, and client data, some of which is regulated by mandates like the Building Safety Act. This data is valuable to both threat actors and regulators, incentivizing attacks and regulatory scrutiny.
  • Time Sensitivity: Construction projects operate on tight schedules and budgets. Cyberattacks causing delays can lead to reputational damage and liquidity issues, as rapid payment for invoices is often mandated.
  • Broad Attack Surface: The industry’s reliance on numerous contractors, subcontractors, suppliers, and a wide array of IoT/OT devices creates multiple avenues for threat actor infiltration, presenting significant cybersecurity challenges.

For construction companies, cyber risk is inherently business risk. Cyber incidents can directly impact project timelines, budgets, and even the safety and structural integrity of the built environment. The interconnected nature of the construction ecosystem means that attackers can leverage any exposed point of entry. This, combined with slim profit margins and inconsistent cybersecurity investments, elevates the risk profile for the entire industry.

By adopting a proactive, risk-based cybersecurity approach, construction firms can strengthen their resilience and protect operational continuity and client trust. Read the full report here.


Expert Q&A: Undersea Cables Under Attack, from Outside and Within

EXPERT Q&A — Reports of damage to undersea cables across the world are on the rise, with suspected foul play in many of these incidents. These cables are crucial conduits for communications, financial transactions, Internet traffic and even intelligence, making them prime targets of gray zone tactics, from suspected Russian sabotage of Baltic Sea cables to alleged Chinese severing of cables in the Taiwan Strait. The Federal Communications Commission voted last Thursday to update U.S. rules on subsea cable development, aiming to streamline construction and better protect this critical undersea infrastructure.

The Cipher Brief spoke with Rear Admiral (Ret.) Mike Studeman, who served as Commander of the Office of Naval Intelligence, about what he says is an ongoing assault on undersea cables — including “outside-in” attacks like sabotage and “inside-out” attacks from embedded exploits — and how the U.S. and its allies can better defend the cables they rely on. Our conversation has been edited for length and clarity.

The Cipher Brief: What is the perceived danger that we're talking about here that the Congress is perhaps seeking to address?

RADM Studeman: It's very clear that the adversaries of the United States, the Chinas and the Russias of the world, are very keen on trying to get leverage in various ways against the United States and the West through critical infrastructure. The subsea cables are just one element of critical infrastructure.

But frankly, the statistics would blow people's minds. Ninety-nine percent of our Internet traffic goes through the undersea environment. When you think about the capacity of those cables, it's terabytes of information versus gigabytes of information through satellites. So essentially, when you go through satellites, it's like drinking a glass of water in terms of the amount of data throughput you get. But undersea cables, it's like trying to drink a large swimming pool worth of data. So we're highly dependent on those. $22 trillion of financial transactions are processed through undersea cables every day. We also have our defense, our national security, our intelligence riding those cables like everybody else with their streaming videos and emails and all the rest. So the threat there is significant, just like it would be on land-based sites with people trying to get into your communications, manipulate them, outright disrupt them through severing and cutting.

The Cipher Brief: The implication of the request made by the House would appear that this is less of a concern about the severing and cutting of cables, but more that Chinese companies, particularly the maintenance and repair companies, may be getting access to these cables, and then doing what? Is it tapping? What are we talking about here?

RADM Studeman: There's the outside-in and then the inside-out threats and it's worth bifurcating it in the beginning. So if you're talking about the six sea cables that were more than likely purposely cut by Russia and China since November 2024 in the Baltics and the Taiwan Strait, it shows you what can happen. Now there are natural ways cables get cut; 150 to 200 times each year cables are damaged by underwater volcanoes, dredging, fishing vessels accidentally dragging their anchors. But these are more purposeful nation state threats that we're seeing that are emerging. So there's no doubt about the outside-in, which means we got to track suspicious vessels.

But the inside out threat is just as significant and we need to be mindful of it. There's a lot of different equipment that can be at the terminal landing sites in between the subsea segments from optical repeaters to other junction points on sea cables that could potentially have malware in them that could perform a variety of functions when directed. So part of it is about espionage and the ability to shunt information into a place where Chinese and Russian intelligence can go through it, even if it's encrypted. They're hoping that later on with decryption capabilities they are working on that they could end up having all this data that they can back cast and decrypt to learn all sorts of secrets. So there's the shunting and the access to data. And there's also the ability to potentially exploit and disrupt from the inside with whatever functionality exists anywhere along the full length of those cables.


The Cipher Brief: How easy is it to say, we're not going to use those repair companies because they're associated with China, and we're just going to pivot and do it ourselves or figure out some other way? Is that something that can be changed on a dime? How hard is that?

RADM Studeman: We'll have to ask Microsoft, Google, Meta, and some other companies that question because the extent to which they're dependent and whether or not they have alternate ways of providing those services is really known better to them. But the report that got this going in the first place was that Microsoft was using Chinese companies to be involved in some of the maintenance work here.

I think we're doing the right thing. I think that there are alternate companies that can in fact provide these services and we need to get really wise about this and then hold the companies accountable to the national security requirements, which are legitimate, that we need them to be cooperative in to be safer and frankly more resilient because our adversaries wouldn't hesitate to use some of these exploitation techniques in the future. We can't be naive about this.

The Cipher Brief: Is there any evidence to your knowledge that this is more than a concern at the moment? In other words, any evidence that China has gotten into that big data fire hose that comes into this country or anywhere else for nefarious purposes?

RADM Studeman: I think it's 100% safe to say that the Chinese have been grabbing big data from all forms of communication that traverse the earth, including a substantial amount of U.S. and allied data that they have sitting there, which has been examined by their intelligence services, and could in the future, if encryption is broken, depending on what level it is, potentially also be something that they can analyze and go through. This is not some kind of theoretical threat. This is trying to stop something that's underway.

The Cipher Brief: And other than getting American or non-Chinese entities to do that work at the bottom of the ocean floor on the maintenance and repair side, is there anything else that you think ought to be done to address the threat?

RADM Studeman: I do think that when it comes to the manufacture of some of these cables that they're going, and discussions already exist about this, to put sensors of various types on there. There are normal anomalies and then other anomalies that could indicate that somebody's up to no good. There's signal distortions, there could be latency delays, there could be some anomalies after work is done in a certain segment of your cables. All those things deserve to have more sensors and therefore more analysis and more awareness because then you will know how to act appropriately to nip something in the bud, ideally, or to stop it soon after you detect it. But many cables are essentially dumb cables; they don't have enough of that sensing capability. So the newer ones should incorporate that technology that exists today. It's not hard, although it drives up the expense a little bit.

When it comes to the inside-out too, I do think that there are probably some software types and analytics that you could run against the data that the sensors provide. There's a different kind of tailored, maybe agentic AI which could be focused in this area too, to make sure you're not chasing your tail with false alarms. Trying to distinguish something that's truly, legitimately a concern versus something environmental or endemic to the running of the cable system altogether.

And then of course, you've already talked about steps to take with regard to identifying suspicious vessels that may be operating over these cables that may be up to no good. How do you deter that or how do you respond to that?

I also think that in terms of some of the resiliency efforts, we're gonna need to have more essentially underwater flyers, underwater drones. If you think about the Chinese and the Russian deep sea programs that have intent to go after cables, you need to examine them to make sure there's not a box that's been laid on top of them. Having some regular patrols, the Baltic states are currently doing that at the sort of air and surface level. And they're thinking about the desire for the undersea. We need to have more essentially drone flyers that are cheap, that can fly over the most critical cables out there. That to me is also where the future is going with all of these dangers that exist.

Opinions expressed are those of the interviewee and do not represent the views or opinions of The Cipher Brief.


Defending Against ToolShell: SharePoint’s Latest Critical Vulnerability

A new, critical zero-day vulnerability dubbed “ToolShell” (CVE-2025-53770) poses a significant threat to on-premises SharePoint Server deployments. The vulnerability enables unauthenticated remote code execution (RCE), putting organizations worldwide at risk. SentinelOne has detected exploitation in the wild, which confirms that the threat is active and makes it all the more important for organizations to take mitigating action as soon as possible.

In this blog, we outline ways to defend against ToolShell and how SentinelOne keeps you ahead of the curve for this critical vulnerability. For a comprehensive technical breakdown of this threat, we published a detailed analysis on the SentinelOne blog.

What is ToolShell?

ToolShell is a critical zero-day remote code execution vulnerability impacting on-premises SharePoint Servers. Its severity stems from several key characteristics:

  • Zero-Day Status: It was previously unknown and unpatched, leaving organizations exposed before official fixes were available.
  • High CVSS Score (9.8): This indicates near-maximum severity, signifying a critical vulnerability with a high impact.
  • No Authentication Required: Attackers can exploit ToolShell without needing valid credentials, making it incredibly easy to compromise vulnerable systems.
  • Remote Code Execution (RCE): Successful exploitation grants attackers the ability to execute arbitrary code on the compromised SharePoint Server, potentially leading to full system control, data exfiltration, or further lateral movement across the network.
  • In-the-Wild Exploitation: Threat actors are already actively leveraging this vulnerability, highlighting the immediate and tangible danger it poses.

SentinelOne’s Defense Against ToolShell

At SentinelOne, our commitment to proactive security means we are constantly working to identify and neutralize emerging threats, such as ToolShell, often before they become widespread news. SentinelOne was aware of ToolShell and working to defend our customers from it two days prior to the public announcement of the vulnerability. This integrated approach ensures that SentinelOne customers are protected from the outset:

  • SentinelOne’s Identification and Breakdown of the Vulnerability: Our world-class threat research team, SentinelLABS, along with our MDR team, swiftly identified and performed an in-depth technical analysis of the ToolShell vulnerability. This early insight is critical for developing effective countermeasures.
  • Out-of-the-Box Detection Logic for SentinelOne Customers: Based on the detailed analysis from SentinelLABS, our engineering teams rapidly developed and implemented robust, out-of-the-box detection logic directly into the SentinelOne platform. This means that SentinelOne customers automatically received protection against ToolShell.
  • Seamless IOC Integration: The IOCs identified by SentinelLABS are automatically integrated into the SentinelOne platform, enhancing its ability to detect and prevent ToolShell-related activity across all monitored endpoints.
  • Hunting Queries for Singularity Platform Users: For security teams leveraging the SentinelOne Singularity Platform, we have made specific hunting queries available below, as well as in our technical breakdown of this vulnerability. These queries empower security analysts to proactively search for any signs of ToolShell activity within their environments, ensuring comprehensive visibility and enabling rapid response.
  • Proactive Detection Through Singularity Vulnerability Management: SentinelOne customers who use Singularity Vulnerability Management can also detect instances of ToolShell within their environment, enabling teams to identify and mitigate the vulnerability before it is exploited during an active attack.

How to Defend Against ToolShell

Given the critical nature of ToolShell, we strongly recommend that organizations implement a multi-layered defense strategy. Proactive measures are crucial to mitigate the risk of compromise:

Immediate Mitigation & Patching:

  • Isolate SharePoint instances from public availability: Whenever possible, restrict access to on-premises SharePoint Servers from the public internet. This significantly reduces your attack surface.
  • Enable Antimalware Scan Interface (AMSI) in Full Mode: The Antimalware Scan Interface (AMSI) is an interface standard that enables SharePoint to integrate with your endpoint protection solution’s scanning capabilities. While AMSI was enabled by default in the September 2023 SharePoint update, organizations that do not have this capability configured should enable the integration as soon as possible.
  • Apply available patches immediately: Microsoft has released security updates to address ToolShell for SharePoint Subscription and 2019 versions. Organizations should prioritize and deploy these patches as soon as possible.

Enhanced Detection and Monitoring:

  • Integrate Indicators of Compromise (IOCs): SentinelLABS has provided specific IOCs related to the ToolShell exploitation, as detailed below and in SentinelOne’s technical breakdown. These should be promptly added to your EDR/XDR and SIEM toolsets for detecting potential exploitation in your environment. SentinelOne customers are encouraged to enable the platform detection rules for ToolShell that have already been added to your Platform Detection Library.
  • Monitor for Suspicious SharePoint Behavior: Deploy custom detection rules to monitor key SharePoint directories, specifically the `LAYOUTS` directory, to detect the presence of exploitation and the subsequent web shell. For SentinelOne users, relevant rules are provided in the Platform Detection Library.
  • Retroactive Threat Hunting: If you are currently running on-premises SharePoint Server, retroactive threat hunting for ToolShell exploitation is highly recommended.
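One way to act on the LAYOUTS-directory and IoC recommendations above is a small offline scanner that walks the directory, hashes candidate files with SHA-1, and compares them against the post's published indicators. This is an added example, not SentinelOne's detection rule; the hashes and file names are taken from the IoC list in this post, while the demo directory, its files and the July 17 cutoff date are constructed for the example (in practice the cutoff should be the server's last known-good patch or deployment time).

```python
"""Scan a SharePoint LAYOUTS directory for ToolShell artifacts.

Added example (not SentinelOne's detection rule). Hashes and file names come
from the IoC list in this post; the demo directory, its files and the cutoff
date are constructed for the example.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# SHA-1 values published in the post's IoC list.
KNOWN_BAD_SHA1 = {
    "f5b60a8ead96703080e73a1f79c3e70ff44df271": "spinstall0.aspx webshell",
    "fe3a3042890c1f11361368aeb2cc12647a6fdae1": "xxx.aspx webshell",
    "76746b48a78a3828b64924f4aedca2e4c49b6735": "compiled spinstall0.aspx assembly",
}
# File names the post associates with the clusters (info.js is the whoami redirect target).
KNOWN_BAD_NAMES = {"spinstall0.aspx", "xxx.aspx", "info.js"}
SCAN_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".js", ".dll"}

# Assumed cutoff: the earliest exploitation the post reports is July 17, 2025.
# In practice, use the last known-good deployment or patch time of the server.
CUTOFF = datetime(2025, 7, 17, tzinfo=timezone.utc).timestamp()


def sha1_of_file(path):
    """Stream the file through SHA-1 so large DLLs are not read into memory at once."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, modified_after=CUTOFF):
    """Return one finding per file that matches an IoC or changed after the cutoff."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_EXTENSIONS:
            continue
        name = path.name.lower()
        digest = sha1_of_file(path)
        reasons = []
        if digest in KNOWN_BAD_SHA1:
            reasons.append("sha1 matches IoC: " + KNOWN_BAD_SHA1[digest])
        if name in KNOWN_BAD_NAMES:
            reasons.append("filename matches ToolShell IoC")
        if name.startswith("app_web_spinstall0.aspx"):
            reasons.append("compiled spinstall0 assembly name")
        if path.stat().st_mtime >= modified_after:
            reasons.append("modified after cutoff")
        if reasons:
            findings.append({"path": str(path), "sha1": digest, "reasons": reasons})
    return findings


def build_demo_tree():
    """Constructed stand-in for a LAYOUTS directory; not a real SharePoint install."""
    root = Path(tempfile.mkdtemp(prefix="layouts_demo_"))
    benign = root / "settings.aspx"          # an old, legitimate-looking page
    benign.write_text('<%@ Page Language="C#" %>\n')
    old = CUTOFF - 30 * 86400
    os.utime(benign, (old, old))
    dropped = root / "xxx.aspx"              # placeholder content, not the real shell
    dropped.write_text("<!-- constructed placeholder for the example -->\n")
    os.utime(dropped, (CUTOFF + 3600, CUTOFF + 3600))
    return root


if __name__ == "__main__":
    for finding in scan_directory(build_demo_tree()):
        print(finding["path"], finding["sha1"], ", ".join(finding["reasons"]))
```

Run it against the real directory (C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS on the post's path, or 15\TEMPLATE\LAYOUTS, which the second wave targeted) with a cutoff matching your last patch window; the hash match is the high-confidence signal, while "modified after cutoff" is a triage list that will also include files touched by legitimate updates.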

Conclusion

ToolShell represents a significant vulnerability that leaves many organizations running on-premises SharePoint Server at considerable risk. The potential for unauthenticated remote code execution, coupled with observed in-the-wild exploitation, underscores the urgent need for organizations to take decisive action to maintain their security posture. This includes diligently applying patches, implementing robust monitoring, and leveraging advanced threat detection capabilities to mitigate the risk.

For SentinelOne customers, you can rest assured that you are protected. Our dedicated threat research and MDR teams work tirelessly to stay one step ahead of adversaries, ensuring that our platform provides immediate and effective defense against emerging threats, such as ToolShell. Our proactive identification, rapid deployment of detection logic, and continuous sharing of intelligence empower our customers to maintain a resilient security posture.

Contact SentinelOne today to learn how our AI-powered security platform can provide the comprehensive protection and peace of mind your organization deserves. Don’t wait for the next zero-day; secure your future today.

Indicators of Compromise

SHA-1

f5b60a8ead96703080e73a1f79c3e70ff44df271 – spinstall0.aspx webshell
fe3a3042890c1f11361368aeb2cc12647a6fdae1 – xxx.aspx webshell
76746b48a78a3828b64924f4aedca2e4c49b6735 – App_Web_spinstall0.aspx.9c9699a8.avz5nq6f.dll, a compiled version of spinstall0.aspx

IP Addresses

96.9.125[.]147 – attacker IP from “no shell” cluster
107.191.58[.]76 – attacker IP used in 1st wave of spinstall0.aspx cluster
104.238.159[.]149 – attacker IP used in 2nd wave of spinstall0.aspx cluster

New SentinelOne Platform Detection Rules

  • Web Shell Creation in LAYOUTS Directory
  • Web Shell File Detected in LAYOUTS Directory
  • Suspicious Process Spawned by SharePoint IIS Worker Process

SentinelOne Platform Hunting Queries

//Suspicious SharePoint Activity

dataSource.name = 'SentinelOne' and endpoint.os = "windows" and event.type = "Process Creation" and src.process.parent.name contains "svchost.exe" and src.process.name contains "w3wp.exe" and tgt.process.name contains "cmd.exe" and src.process.cmdline contains "SharePoint"

//spinstall0.aspx execution traces

dataSource.name = 'SentinelOne' and endpoint.os = "windows" and event.type = "Process Creation" and src.process.name contains "csc.exe" and tgt.file.path contains "App_Web_spinstall0.aspx"
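For teams without the Singularity Platform, the two hunting queries above translate directly into process-creation rules that any EDR or Sysmon feed can be checked against. The block below is an added example, not SentinelOne code or its query language: the event field names (src_parent_name, src_name, src_cmdline, tgt_name, tgt_file_path) are assumptions that mirror the src.process.* and tgt.* fields in the queries, and all five events are constructed. It generalizes the first query slightly by also treating powershell.exe as a suspicious child of the SharePoint worker process, since the staging described in the technical breakdown was PowerShell-based.

```python
"""Plain-Python equivalents of the two ToolShell hunting queries.

Added example, not SentinelOne code. Field names are assumptions modelled on
the query's src.process.* / tgt.* fields; the sample events are constructed.
"""

# Query 1 looks for cmd.exe; powershell.exe is added as a generalization.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed process-creation events. Paths and command lines are placeholders
# shaped like the activity the post describes.
SAMPLE_EVENTS = [
    {   # 0: IIS worker for a SharePoint app pool launching cmd.exe (query 1)
        "os": "windows", "event_type": "Process Creation",
        "src_parent_name": "svchost.exe", "src_name": "w3wp.exe",
        "src_cmdline": 'c:\\windows\\system32\\inetsrv\\w3wp.exe -ap "SharePoint - 80"',
        "tgt_name": "cmd.exe",
        "tgt_cmdline": "cmd.exe /c whoami > c:\\progra~1\\common~1\\micros~1\\webser~1\\16\\template\\layouts\\info.js",
        "tgt_file_path": "",
    },
    {   # 1: an interactive user opening a shell from Explorer (benign)
        "os": "windows", "event_type": "Process Creation",
        "src_parent_name": "userinit.exe", "src_name": "explorer.exe",
        "src_cmdline": "C:\\Windows\\explorer.exe",
        "tgt_name": "cmd.exe", "tgt_cmdline": "cmd.exe", "tgt_file_path": "",
    },
    {   # 2: ASP.NET compiler producing the compiled spinstall0.aspx (query 2)
        "os": "windows", "event_type": "Process Creation",
        "src_parent_name": "w3wp.exe", "src_name": "csc.exe",
        "src_cmdline": "csc.exe /noconfig /fullpaths @placeholder.cmdline",
        "tgt_name": "", "tgt_cmdline": "",
        "tgt_file_path": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Temporary ASP.NET Files\\root\\App_Web_spinstall0.aspx.9c9699a8.avz5nq6f.dll",
    },
    {   # 3: csc compiling an unrelated page (benign; constructed assembly name)
        "os": "windows", "event_type": "Process Creation",
        "src_parent_name": "w3wp.exe", "src_name": "csc.exe",
        "src_cmdline": "csc.exe /noconfig /fullpaths @placeholder.cmdline",
        "tgt_name": "", "tgt_cmdline": "",
        "tgt_file_path": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Temporary ASP.NET Files\\root\\App_Web_default.aspx.cdcab7d2.dll",
    },
    {   # 4: SharePoint worker launching PowerShell (generalized query 1)
        "os": "windows", "event_type": "Process Creation",
        "src_parent_name": "svchost.exe", "src_name": "w3wp.exe",
        "src_cmdline": 'c:\\windows\\system32\\inetsrv\\w3wp.exe -ap "SharePoint - 80"',
        "tgt_name": "powershell.exe", "tgt_cmdline": "powershell.exe -NoProfile -EncodedCommand PLACEHOLDER",
        "tgt_file_path": "",
    },
]


def w3wp_spawns_shell(ev):
    """Query 1: svchost.exe -> w3wp.exe (SharePoint app pool) -> command shell."""
    return (ev.get("os") == "windows"
            and ev.get("event_type") == "Process Creation"
            and "svchost.exe" in ev.get("src_parent_name", "").lower()
            and "w3wp.exe" in ev.get("src_name", "").lower()
            and "sharepoint" in ev.get("src_cmdline", "").lower()
            and ev.get("tgt_name", "").lower() in SHELL_CHILDREN)


def csc_compiles_spinstall0(ev):
    """Query 2: csc.exe emitting the compiled form of spinstall0.aspx."""
    return (ev.get("os") == "windows"
            and ev.get("event_type") == "Process Creation"
            and "csc.exe" in ev.get("src_name", "").lower()
            and "app_web_spinstall0.aspx" in ev.get("tgt_file_path", "").lower())


RULES = [("w3wp_spawns_shell", w3wp_spawns_shell),
         ("csc_compiles_spinstall0", csc_compiles_spinstall0)]


def evaluate(events):
    """Apply every rule to every event; return one hit per (rule, event) match."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES:
            if rule(ev):
                hits.append({"rule": name, "index": idx,
                             "src": ev.get("src_name"),
                             "tgt": ev.get("tgt_name") or ev.get("tgt_file_path")})
    return hits


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] event {hit['index']}: {hit['src']} -> {hit['tgt']}")
```

The SharePoint app-pool check relies on the worker's command line carrying the pool name, which is how the original query scopes w3wp.exe to SharePoint rather than every IIS site on the host; a SharePoint farm whose app pools are named differently will need that string adjusted.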

Disclaimer

All third-party product names, logos, and brands mentioned in this publication are the property of their respective owners and are for identification purposes only. Use of these names, logos, and brands does not imply affiliation, endorsement, sponsorship, or association with the third-party.

SharePoint ToolShell | Zero-Day Exploited in-the-Wild Targets Enterprise Servers

On July 19th, Microsoft confirmed that a 0-day vulnerability impacting on-premises Microsoft SharePoint Servers, dubbed “ToolShell” (by researcher Khoa Dinh @_l0gg), was being actively exploited in the wild. This flaw has since been assigned the identifier CVE-2025-53770, along with an accompanying bypass tracked as CVE-2025-53771. These two new CVEs are being used alongside CVE-2025-49704 and CVE-2025-49706, which were patched on July 8th, with PoC code surfacing by July 14th.

The advisory also confirmed emergency patches for on-prem SharePoint Subscription Edition and SharePoint Server 2019, with updates scheduled for version 2016 as well. We strongly recommend immediate patching, and following Microsoft’s recommendations of enabling AMSI detection, rotating ASP.NET machine keys, and isolating public-facing SharePoint servers until defenses are in place.

SentinelOne first observed ToolShell exploitation on July 17th, ahead of official Microsoft advisories. Since then, we’ve identified three distinct attack clusters, each with unique tradecraft and objectives. In this blog, we unpack the timeline, explore these clusters, and equip defenders with best-practice mitigation strategies. At this time, we provide no attribution beyond this early clustering as research is ongoing.

Observed Targets

We have observed initial ToolShell exploitation against high-value organizations, with victims primarily in technology consulting, manufacturing, critical infrastructure, and professional services tied to sensitive architecture and engineering organizations. The early targets suggest that the activity was initially carefully selective, aimed at organizations with strategic value or elevated access.

The attacks that we describe in this report were targeted in nature and occurred before public disclosure of the vulnerability spurred mass exploitation efforts from a wider set of actors. We expect broader exploitation attempts to accelerate, driven by both state-linked and financially motivated actors seeking to capitalize on unpatched systems.

SentinelOne has observed multiple state-aligned threat actors, unrelated to the first wave of exploitation, beginning to engage in reconnaissance and early-stage exploitation activities. Additionally, we’ve also identified actors possibly standing up decoy honeypot environments to collect and test exploit implementations, as well as sharing tooling and tradecraft across known sharing platforms. As awareness spreads within these communities, we expect further weaponization and sustained targeting of vulnerable SharePoint infrastructure.

Technical Overview

Both previously patched CVEs (49704/49706) were first disclosed at Pwn2Own Berlin. It was later discovered that these two flaws could be paired together to produce the full RCE ‘ToolShell’ attack chain. The name ‘ToolShell’ refers to the initial abuse of SharePoint’s /ToolPane.aspx (CVE-2025-49704), a system page used for website configuration and management.

This vulnerability chain enables unauthenticated remote code execution by sending a crafted POST request to the URI /layouts/15/ToolPane.aspx?DisplayMode=Edit, exploiting a logic flaw in the Referer header validation. This bypass allows attackers to access SharePoint’s ToolPane functionality without authentication, ultimately leading to code execution via uploaded or in-memory web components.
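Because the chain starts with an HTTP request, IIS logs are the first place a defender can look for it. The following is an added example, not SentinelOne tooling: a W3C log parser that flags POSTs to ToolPane.aspx with DisplayMode=Edit, treats the absence of an authenticated user (cs-username of "-") as the high-severity case since legitimate editors hit the same page while signed in, and surfaces the Referer for analyst review given the validation flaw described above. It also flags requests to the webshell file names from this post. The log excerpt, host names and client addresses (203.0.113.10 is a documentation range) are constructed.

```python
"""Flag ToolPane.aspx POSTs and webshell hits in IIS W3C logs.

Added example, not SentinelOne tooling. The log excerpt is constructed;
addresses are documentation/private ranges, not indicators from the post.
"""
from urllib.parse import parse_qs, unquote

# File names the post associates with the xxx.aspx and spinstall0.aspx clusters.
KNOWN_WEBSHELL_NAMES = {"xxx.aspx", "spinstall0.aspx"}

# Constructed IIS log excerpt (W3C extended format, IIS writes spaces as "+").
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 09:57:41 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jdoe 10.0.0.77 Mozilla/5.0 - 200
2025-07-18 09:58:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.10 Mozilla/5.0 - 200
2025-07-18 09:58:30 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\siteadmin 10.0.0.77 Mozilla/5.0 https://sp.contoso.example/_layouts/15/settings.aspx 200
2025-07-18 09:59:10 10.0.0.5 GET /_layouts/15/xxx.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than mis-map columns
        records.append(dict(zip(fields, values)))
    return records


def find_suspicious_requests(records):
    """Return hits with a severity and the reasons each request was flagged."""
    hits = []
    for r in records:
        stem = unquote(r.get("cs-uri-stem", "")).lower()
        base = stem.rsplit("/", 1)[-1]           # basename, so /layouts/15 and /_layouts/15 both match
        raw_query = r.get("cs-uri-query", "-")
        query = parse_qs(unquote(raw_query).lower()) if raw_query != "-" else {}
        user = r.get("cs-username", "-")
        reasons, severity = [], "info"
        if (r.get("cs-method", "").upper() == "POST" and base == "toolpane.aspx"
                and "edit" in query.get("displaymode", [])):
            reasons.append("POST to ToolPane.aspx with DisplayMode=Edit")
            if user == "-":
                reasons.append("no authenticated user")
                severity = "high"
        if base in KNOWN_WEBSHELL_NAMES:
            reasons.append("request to known webshell file name")
            severity = "high"
        if reasons:
            hits.append({"time": f"{r['date']} {r['time']}", "client": r.get("c-ip"),
                         "user": user, "referer": r.get("cs(Referer)"),
                         "severity": severity, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(parse_w3c(SAMPLE_IIS_LOG)):
        print(hit["severity"], hit["time"], hit["client"], hit["user"],
              "referer=" + str(hit["referer"]), "; ".join(hit["reasons"]))
```

Authenticated POSTs to ToolPane.aspx are kept as informational hits on purpose: they are normal editing traffic, but they give an analyst the baseline of which users and referers usually reach that page, which is what makes an unauthenticated request from an unfamiliar client stand out.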

xxx.aspx

On July 18th, 2025 at 09:58 GMT, SentinelOne observed a single exploitation attempt where the attacker dropped a custom password-protected ASPX webshell named xxx.aspx. This activity appears to be hands-on and exploratory in nature, likely performed by a human operator rather than an automated script.

The webshell was written to the following path:

C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\xxx.aspx

This webshell provides a basic HTML interface allowing three primary functions:

  1. Authentication via an embedded form that sets a cookie.
  2. Command Execution by submitting commands through the GTaRkhJ9wz parameter, which are run via cmd.exe and returned to the client.
  3. File Upload via a multipart form using fields 0z3H8H8atO (file) and 7KAjlfecWF (destination path).

The shell leverages basic obfuscation and validation mechanisms, including cookie-based authentication and a hardcoded SHA512 hash to restrict access. The password check logic suggests the actor anticipated repeated or remote usage of the shell.

After the webshell was dropped, the attacker issued the following commands:

cmd.exe /c whoami > c:\progra~1\common~1\micros~1\webser~1\16\template\layouts\info.js

The first attempt to redirect the whoami output failed due to a typo (\templa), indicating the activity was likely manual and exploratory. The corrected second command successfully writes the output of whoami into a web-accessible .js file, a common tactic for validating command execution and potentially retrieving output through a browser.

While this activity was limited to a single observed instance, the customized tooling and interactive behavior suggest a deliberate post-exploitation attempt by a threat actor testing or preparing for broader operations.

spinstall0.aspx

SentinelOne observed two distinct waves of activity involving a consistent final payload, spinstall0.aspx, dropped across SharePoint environments from different attacker infrastructure on July 18 and 19, 2025. While the initial dropper scripts varied slightly between waves, both resulted in deployment of the same webshell, designed to extract and expose sensitive cryptographic material from the host.

First Wave – July 18, 2025 (14:54–18:44 GMT)

Source IP: 107.191.58[.]76

This initial wave involved PowerShell-based payload delivery. A base64-encoded blob was decoded and written to the SharePoint LAYOUTS directory:

$base64String = [REDACTED]
$destinationFile = "C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx"
$decodedBytes = [System.Convert]::FromBase64String($base64String)
$decodedContent = [System.Text.Encoding]::UTF8.GetString($decodedBytes)
$decodedContent | Set-Content -Path $destinationFile -ErrorAction Stop

The resulting file, spinstall0.aspx, is not a traditional command webshell but rather a reconnaissance and persistence utility:

<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>

This code extracts and prints the host’s MachineKey values, including the ValidationKey, DecryptionKey, and cryptographic mode settings—information critical for attackers seeking to maintain persistent access across load-balanced SharePoint environments or to forge authentication tokens.

Second Wave – July 19, 2025 (03:06–07:59 GMT)

Source IP: 104.238.159[.]149

Roughly 12 hours later, a second wave used nearly identical logic to deliver the same spinstall0.aspx payload. The key difference was in the PowerShell staging script:

$b = [REDACTED]
$c = "C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS\spinstall0.aspx"
$d = [System.Convert]::FromBase64String($b)
$e = [System.Text.Encoding]::UTF8.GetString($d)
$e | Set-Content -Path $c -ErrorAction Stop
Start-Sleep -s 3

While the encoded payload was marginally different in form, it decoded to the same spinstall0.aspx shell. The change in target directory, from 16\TEMPLATE to 15\TEMPLATE, may reflect testing across different SharePoint versions or environments.
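Both staging scripts share the same three moves: decode an embedded base64 blob, write it with Set-Content, and point the path at TEMPLATE\LAYOUTS, with 8.3 short names (PROGRA~1, WEBSER~1) in place of the full directory names. That combination is a reasonable signature for PowerShell script-block logs (Windows event 4104) or captured command lines. The block below is an added example, not SentinelOne detection logic; the three sample scripts are constructed, and the base64 value in the staging sample is a placeholder rather than the real payload.

```python
"""Classify PowerShell text for the ToolShell staging pattern.

Added example, not SentinelOne detection logic. Intended input is script-block
log text (event 4104) or a captured command line; the samples are constructed.
"""
import re

# Indicator 1: inline base64 decode of an embedded blob.
B64_DECODE = re.compile(r"FromBase64String", re.I)
# Indicator 2: a file-write cmdlet or .NET call.
FILE_WRITE = re.compile(r"\b(Set-Content|Add-Content|Out-File|WriteAllBytes|WriteAllText)\b", re.I)
# Indicator 3: the web-served SharePoint directory both waves wrote to. Matching
# the TEMPLATE\LAYOUTS tail rather than "Program Files" means the 8.3 short
# names used in the staging scripts do not evade the check.
LAYOUTS_PATH = re.compile(r"TEMPLATE\\LAYOUTS", re.I)
# Indicator 4: the written file is a server-side page.
ASPX_TARGET = re.compile(r"\.aspx[\"']", re.I)

INDICATORS = [("base64_decode", B64_DECODE), ("file_write", FILE_WRITE),
              ("layouts_path", LAYOUTS_PATH), ("aspx_target", ASPX_TARGET)]

# Constructed sample modelled on the second-wave script; "QUFBQQ==" is a placeholder.
STAGING_SAMPLE = r'''
$b = "QUFBQQ=="
$c = "C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\15\TEMPLATE\LAYOUTS\spinstall0.aspx"
$d = [System.Convert]::FromBase64String($b)
$e = [System.Text.Encoding]::UTF8.GetString($d)
$e | Set-Content -Path $c -ErrorAction Stop
Start-Sleep -s 3
'''

# Constructed: decodes a blob to disk, but not into the SharePoint web root.
SUSPICIOUS_SAMPLE = r'''
$bytes = [System.Convert]::FromBase64String("QUFBQQ==")
[System.IO.File]::WriteAllBytes("C:\Windows\Temp\tool.bin", $bytes)
'''

# Constructed: ordinary administrative file output, no decode step.
BENIGN_SAMPLE = r'''
Get-ChildItem C:\inetpub\logs\LogFiles -Recurse | Out-File C:\Temp\listing.txt
'''


def classify(script):
    """Return a verdict plus the per-indicator matches for one script text."""
    found = {name: bool(rx.search(script)) for name, rx in INDICATORS}
    if found["base64_decode"] and found["file_write"] and found["layouts_path"]:
        verdict = "webshell_staging"
    elif sum(found.values()) >= 2:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": found}


if __name__ == "__main__":
    for label, sample in [("staging", STAGING_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE),
                          ("benign", BENIGN_SAMPLE)]:
        print(label, classify(sample))
```

The decode-and-write pair on its own is worth a second look on a SharePoint host even when the path does not land in LAYOUTS, which is why two indicators already yield "suspicious"; the full three-indicator match is the pattern that produced spinstall0.aspx in both waves.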

Unlike more interactive webshells observed in this campaign, spinstall0.aspx does not support command execution or file upload. Instead, its singular purpose appears to be information gathering, specifically targeting cryptographic secrets that could be reused to forge authentication or session tokens across SharePoint instances.

Given the uniqueness and strategic value of the MachineKey data harvested by this shell, we assess this cluster to be part of a broader effort to establish durable access into high-value SharePoint deployments.

“no shell”

This activity cluster, tracked as “no shell”, represents a more advanced and stealthy approach compared to others in this campaign. SentinelOne observed this cluster operating between July 17, 2025 10:35:04 GMT and July 18, 2025 03:51:29 GMT, making it our earliest known exploitation of CVE-2025-53770 in the wild.

Unlike the other clusters, no persistent webshells were written to disk. Instead, telemetry and behavioral indicators suggest the attackers relied on in-memory .NET module execution, avoiding traditional file-based artifacts entirely. This approach significantly complicates detection and forensic recovery, underscoring the threat posed by fileless post-exploitation techniques.

All observed activity in this cluster originated from a single IP address: 96.9.125[.]147. Despite the lack of file system artifacts, compromised hosts exhibited patterns consistent with SharePoint exploitation, followed by encoded payload delivery and dynamic assembly loading via PowerShell or native .NET reflection.

Given the timing, just days after public proof-of-concept chatter began, and the sophistication of the fileless execution chain, we assess this cluster to be either a skilled red team emulation exercise or the work of a capable threat actor with a focus on evasive access and credential harvesting.

Defenders should be especially vigilant for memory-resident activity following SharePoint exploitation attempts and should employ EDR solutions capable of detecting anomalous .NET execution patterns and assembly loading.

Conclusion

Modern threat actors are maximizing gains from patch diffing, rapid n-day adoption, and iterative exploit development. SharePoint servers are attractive to threat actors for the high likelihood that they store sensitive organizational data. Beyond their value as a knowledge store, vulnerable SharePoint servers can be used to stage and deliver additional attack components to the victim organization for internal watering hole attacks. The ease of exploitation and potential value of the data hosted on these servers make ‘ToolShell’ a potent and dangerous attack chain.

As of this writing, SharePoint Online for Microsoft 365 is not impacted. Our research teams have provided out-of-the-box Platform Detection rules and Hunting Queries to assist in discovering and isolating related behavior. We recommend that vulnerable organizations apply the available security updates released by Microsoft (released July 21, 2025) to mitigate the related vulnerabilities as soon as possible. SentinelOne is actively monitoring its customer base for impact and is notifying those affected as they are identified.

Indicators of Compromise

SHA-1

f5b60a8ead96703080e73a1f79c3e70ff44df271 - spinstall0.aspx webshell
fe3a3042890c1f11361368aeb2cc12647a6fdae1 - xxx.aspx webshell
76746b48a78a3828b64924f4aedca2e4c49b6735 - App_Web_spinstall0.aspx.9c9699a8.avz5nq6f.dll, a compiled version of spinstall0.aspx

IP Addresses

96.9.125[.]147 - attacker IP from “no shell” cluster
107.191.58[.]76 - attacker IP used in 1st wave of spinstall0.aspx cluster
104.238.159[.]149 - attacker IP used in 2nd wave of spinstall0.aspx cluster

New SentinelOne Platform Detection Rules

  • Web Shell Creation in LAYOUTS Directory
  • Web Shell File Detected in LAYOUTS Directory
  • Suspicious Process Spawned by SharePoint IIS Worker Process

SentinelOne Platform Hunting Queries

//Suspicious SharePoint Activity

dataSource.name = 'SentinelOne' and endpoint.os = "windows" and event.type = "Process Creation" and src.process.parent.name contains "svchost.exe" and src.process.name contains "w3wp.exe" and tgt.process.name contains "cmd.exe" and src.process.cmdline contains "SharePoint"

//spinstall0.aspx execution traces

dataSource.name = 'SentinelOne' and endpoint.os = "windows" and event.type = "Process Creation" and src.process.name contains "csc.exe" and tgt.file.path contains "App_Web_spinstall0.aspx"

Disclaimer

All third-party product names, logos, and brands mentioned in this publication are the property of their respective owners and are for identification purposes only. Use of these names, logos, and brands does not imply affiliation, endorsement, sponsorship, or association with the third-party.
