The SharePoint Zero-Day Attacks: Understanding the Cryptographic Security Implications

Jul 26, 2025

By Qryptonic Research, LLC
July 26, 2025

Executive Summary

Since July 7, 2025, Chinese advanced persistent threat (APT) groups have exploited critical Microsoft SharePoint vulnerabilities (CVE-2025-53770 and CVE-2025-53771), compromising over 400 organizations globally including U.S. government agencies. While Microsoft has released patches, the extraction of cryptographic keys—particularly ASP.NET MachineKeys—creates persistent security risks that extend beyond traditional patch management. This analysis examines the technical aspects of the attacks, the evolution from espionage to ransomware deployment, and strategic considerations for enhancing cryptographic security postures.

The SharePoint Vulnerability Campaign: Verified Timeline

Initial Exploitation Phase (July 7-18, 2025)

According to Microsoft Security Response Center and cybersecurity researchers:

July 7: First confirmed exploitation of CVE-2025-53770 (remote code execution via deserialization)¹
July 18: Microsoft publicly disclosed the vulnerabilities and active exploitation²
First 72 hours: Over 4,600 exploitation attempts documented³

Threat Actor Attribution

Microsoft and security researchers have identified three primary groups:

Linen Typhoon

Classification: Chinese APT
Observed Activities: Intellectual property theft, quiet persistence⁴

Violet Typhoon

Classification: Chinese APT
Observed Activities: Government and financial sector targeting⁵

Storm-2603

Classification: China-affiliated
Observed Activities: Escalation to ransomware deployment (Warlock variant)⁶

Technical Analysis: The Cryptographic Dimension

Attack Methodology

The attack chain demonstrates sophisticated understanding of SharePoint and IIS architecture:

Initial Access: Exploitation of deserialization vulnerability (CVE-2025-53770)
Privilege Escalation: Path traversal (CVE-2025-53771) to access configuration files
Key Extraction: Theft of ASP.NET MachineKeys from IIS configuration
Persistence: Deployment of webshells (notably spinstall0.aspx)
Token Forgery: Use of stolen keys to create valid authentication tokens⁷

Why Patches Alone Are Insufficient

Microsoft's security updates address the vulnerabilities but cannot invalidate compromised cryptographic material:

MachineKeys persist in IIS configuration until manually rotated
Forged tokens remain valid until keys are changed
Configuration access enables persistent backdoor capabilities⁸

Microsoft's guidance explicitly requires: "Rotate ASP.NET MachineKeys and restart IIS for complete mitigation."⁹

Confirmed Impact Assessment

Affected Organizations

Based on public reporting and government advisories:

400+ organizations compromised globally¹⁰
U.S. Government agencies confirmed affected:
- Department of Homeland Security (DHS)
- National Institutes of Health (NIH)
- Department of Health and Human Services (HHS)¹¹
Critical infrastructure: Including National Nuclear Security Administration systems¹²
Geographic distribution: U.S.-based victims represent a significant portion, with the remainder distributed across multiple countries¹³

Evolution to Ransomware

By July 18, Storm-2603 began deploying ransomware:

Warlock variant (related to LockBit ransomware family)
Lateral movement via compromised credentials and Group Policy
Defense evasion through Windows Defender tampering¹⁴

Strategic Implications for Enterprise Security

Immediate Cryptographic Hygiene Requirements

Organizations must expand incident response beyond patching:

Key Rotation Protocol
- Identify all potentially exposed cryptographic keys
- Rotate ASP.NET MachineKeys immediately
- Document key locations and dependencies
Token Invalidation
- Force re-authentication for all users
- Audit session management systems
- Monitor for anomalous authentication patterns
Configuration Review
- Secure IIS metabase and configuration files
- Implement proper access controls on key storage
- Enable cryptographic operation logging

Long-Term Architectural Considerations

The SharePoint incidents highlight systemic issues in cryptographic management:

Current State Challenges:

Static key storage in predictable locations
Insufficient key rotation practices
Limited visibility into cryptographic operations
Weak algorithm usage in legacy systems

Recommended Improvements:

Hardware-backed key storage (HSMs or TPMs)
Automated key lifecycle management
Cryptographic operation monitoring
Algorithm agility for future transitions

The Quantum Computing Context

While immediate threats focus on stolen keys, organizations must consider long-term implications:

"Harvest Now, Decrypt Later" Threat Model

Nation-state actors are collecting encrypted data for future decryption
Current RSA and ECC implementations face eventual quantum threats
NIST has published initial post-quantum cryptography standards¹⁵

Post-Quantum Migration Considerations

Organizations should begin evaluating:

ML-KEM (CRYSTALS-Kyber) for key encapsulation
ML-DSA (CRYSTALS-Dilithium) for digital signatures
Migration timelines typically require 3-5 years for enterprise deployment

Mitigation Recommendations

Immediate Actions (Next 7 Days)

Apply Microsoft Security Updates
- Install patches for CVE-2025-53770 and CVE-2025-53771
- Verify installation across all SharePoint servers
Rotate Cryptographic Keys
- Change all ASP.NET MachineKeys
- Restart IIS services after rotation
- Document completion for compliance
Hunt for Persistence
- Search for webshells (especially spinstall0.aspx)
- Review IIS logs for suspicious activity
- Enable AMSI and enhance EDR coverage

Risk Metrics and Prioritization

Organizations should assess their exposure based on:

Data Sensitivity Timeline
- Immediate risk: Systems with active user sessions
- Medium risk: Data with 1-5 year retention requirements
- Long-term risk: Information valuable beyond 5 years (quantum threat)
Attack Surface Indicators
- Internet-facing SharePoint servers: Critical priority
- Internal SharePoint with external access: High priority
- Isolated internal systems: Medium priority
Key Rotation Complexity
- Simple (single server): 1-2 hours implementation
- Medium (farm deployment): 4-8 hours with testing
- Complex (multi-tenant): 24-48 hours with phased approach

Strategic Initiatives (30-90 Days)

Cryptographic Asset Inventory
- Document all key storage locations
- Map algorithm usage across systems
- Identify dependencies and rotation requirements
Enhanced Monitoring
- Implement cryptographic anomaly detection
- Monitor for key material in logs or memory dumps
- Alert on deprecated algorithm usage
Governance Framework
- Assign cryptographic risk ownership
- Establish key management policies
- Create incident response procedures for key compromise

Industry Response and Resources

Microsoft Resources

Security updates available at: https://msrc.microsoft.com/update-guide/
Threat intelligence through Microsoft Threat Intelligence Center
Detailed mitigation guidance in Microsoft Security Response Center advisories

Government Resources

CISA Known Exploited Vulnerabilities Catalog: Added CVE-2025-53770 on July 20, 2025
CISA Alert AA25-207A: Indicators of compromise and detection signatures
Sector-specific guidance: Available through respective Information Sharing and Analysis Centers (ISACs)

Open-Source Detection Tools

SharePoint-Scanner: Community-developed tool for detecting webshells
IIS-KeyAudit: Open-source utility for MachineKey inventory
YARA rules: Available through security community for threat hunting

Conclusion

The July 2025 SharePoint zero-day campaign represents a significant escalation in APT tactics, combining traditional vulnerability exploitation with sophisticated cryptographic attacks. The transition from espionage to ransomware deployment by Storm-2603 demonstrates the evolving threat landscape where nation-state and criminal activities increasingly overlap.

While immediate focus must be on patching and key rotation, the incidents underscore the need for comprehensive cryptographic hygiene and long-term preparation for post-quantum threats. Organizations that treat cryptographic assets as critical infrastructure will be better positioned to defend against both current and emerging threats.

The key lesson is clear: patches fix code vulnerabilities, but only proactive cryptographic management protects against the full spectrum of modern cyber threats.

About the Author

This analysis was prepared by Qryptonic Research, LLC, an independent cybersecurity research organization specializing in cryptographic security and post-quantum preparedness.

For additional research and analysis on cryptographic security topics, visit www.qryptonic.com

References

Microsoft Security Response Center. "CVE-2025-53770: Microsoft SharePoint Server Remote Code Execution Vulnerability." July 2025.
Microsoft Security Blog. "Disrupting Active Exploitation of On-Premises SharePoint Vulnerabilities." July 18, 2025.
Check Point Research. "SharePoint Zero-Day CVE-2025-53770 Actively Exploited: What Security Teams Need to Know." July 2025.
Microsoft Threat Intelligence. "Linen Typhoon APT Profile." July 2025.
Microsoft Threat Intelligence. "Violet Typhoon APT Profile." July 2025.
Microsoft Security Blog. "Storm-2603 Ransomware Deployment Analysis." July 2025.
Rapid7. "ETR: Zero-Day Exploitation of Microsoft SharePoint Servers." July 2025.
Cloudflare. "Understanding ASP.NET MachineKey Vulnerabilities." July 2025.
Microsoft. "Security Update Guide: SharePoint Mitigation Requirements." July 2025.
Reuters. "Microsoft Says Some SharePoint Server Hackers Now Using Ransomware." July 23, 2025.
NextGov. "DHS Impacted by Hack of Microsoft SharePoint Products." July 2025.
Cybersecurity Dive. "NNSA Confirms SharePoint Compromise." July 2025.
BitSight. "Geographic Distribution of SharePoint Attacks." July 2025.
The Hacker News. "Storm-2603 Exploits SharePoint Flaws to Deploy Warlock Ransomware." July 2025.
NIST. "Post-Quantum Cryptography Standards." FIPS 203, 204, 205. August 2024.