Echoes in the Shell: Legacy Tooling Behind Ongoing SharePoint 'ToolShell' Exploitation

Aug. 11, 2025, 4:12 p.m.

Description

Chinese nation-state actors are exploiting vulnerabilities in Microsoft SharePoint on-premises infrastructure. The attacks chain together multiple recently disclosed vulnerabilities, collectively known as 'ToolShell', to perform unauthenticated code execution, extract cryptographic keys, and deploy web shells. The threat actors demonstrate high proficiency in abusing SharePoint's internal mechanisms, using techniques such as authentication bypass, deployment of malicious ASP.NET pages, and exploitation of deserialization flaws. Post-exploitation activities include reconnaissance, credential harvesting, and establishment of command and control channels. The attackers employ tools like China Chopper and AntSword web shells, and abuse legitimate services like RequestRepo for data exfiltration. While definitive attribution remains inconclusive, there are overlaps with previously observed Chinese APT group activities.

Date

  • Created: Aug. 11, 2025, 3:44 p.m.
  • Published: Aug. 11, 2025, 3:44 p.m.
  • Modified: Aug. 11, 2025, 4:12 p.m.

Indicators

  • 10e01ce96889c7b4366cfa1e7d99759e4e2b6e5dfe378087d9e836b7278abfb6

Attack Patterns

  • AntSword
  • China Chopper - S0020
  • ValleyRAT
  • Linen Typhoon

Additional Information

  • China

Linked vulnerabilities