Posts by CISA
CISA Releases Malware Analysis Report Associated with Microsoft SharePoint Vulnerabilities
CISA published a Malware Analysis Report (MAR) with analysis and associated detection signatures on files related to Microsoft SharePoint vulnerabilities:
- CVE-2025-49704 [CWE-94: Code Injection],
- CVE-2025-49706 [CWE-287: Improper Authentication],
- CVE-2025-53770 [CWE-502: Deserialization of Untrusted Data], and
- CVE-2025-53771 [CWE-287: Improper Authentication]
Cyber threat actors have chained CVE-2025-49704 and CVE-2025-49706 (in an exploit chain publicly known as “ToolShell”) to gain unauthorized access to on-premises SharePoint servers. CISA analyzed six files including two Dynamic Link-Library (.DLL), one cryptographic key stealer, and three web shells. Cyber threat actors could leverage this malware to steal cryptographic keys and execute a Base64-encoded PowerShell command to fingerprint host system and exfiltrate data.
CISA added CVE-2025-49704 and CVE-2025-49706 to its Known Exploited Vulnerabilities Catalog on July 22, 2025, and CVE-2025-53770 on July 20, 2025.
CISA encourages organizations to use the indicators of compromise (IOCs) and detection signatures in this MAR to identify malware.
Downloadable copy of IOCs associated with this malware:
MAR-251132.c1.v1.CLEAR_stix2
(JSON, 84.95 KB
)
Downloadable copies of the SIGMA rule associated with this malware:
CMA SIGMA 251132 1
(YAML, 4.22 KB
)
CMA SIGMA 251132 2
(YAML, 2.86 KB
)
CMA SIGMA 251132
(YAML, 5.55 KB
)
For more information on the malware files and YARA rules for detection, see MAR-251132.c1.v1 Exploitation of SharePoint Vulnerabilities.
Disclaimer:
The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.
MAR-251132.c1.v1 Exploitation of SharePoint Vulnerabilities
Notification
This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.
This document is marked TLP:CLEAR--Recipients may share this information without restriction. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.
Summary
Description
CISA received six files related to Microsoft SharePoint vulnerabilities: CVE-2025-49704 [CWE-94: Code Injection], CVE-2025-49706 [CWE-287: Improper Authentication], CVE-2025-53770 [CWE-502: Deserialization of Trusted Data], and CVE-2025-53771 [CWE-287: Improper Authentication]. According to Microsoft, cyber threat actors have chained CVE-2025-49706 (a network spoofing vulnerability) and CVE-2025-49704 (a remote code execution (RCE) vulnerability) in an exploit chain known as “ToolShell” to gain unauthorized access to on-premise SharePoint servers. Microsoft has not confirmed exploitation of CVE-2025-53771; however, CISA assesses exploitation is likely because it can be chained with CVE-2025-53770 to bypass previously disclosed vulnerabilities CVE-2025-49704 and
CVE-2025-49706.
The analysis includes two Base64 encoded .NET Dynamic-link Library (DLL) binaries and four Active Server Page Extended [ASPX] files. The decoded DLLs are designed to retrieve machine key settings within an ASP[.]NET application's configuration and add the retrieved machine key values to the Hypertext Transfer Protocol (HTTP) response header.
The first ASPX file is used to retrieve and output machine key information from an ASP[.]NET application’s configuration. The next ASPX file contains a command-line instruction used to execute a PowerShell command. The PowerShell command is designed to Base64 decode and install a malicious ASPX webshell on disk. The webshell is used to handle various web-related operations, including setting and retrieving HTTP cookies, command execution and uploading files. The remaining two ASPX webshells are used to execute a command using PowerShell on the server.
CISA encourages organizations to use the indicators of compromise (IOCs) and detection signatures in this Malware Analysis Report to identify malware samples. For more information on these CVEs, see CISA Alert Microsoft Releases Guidance on Exploitation of SharePoint Vulnerabilities.
Download the PDF version of this report:
-
MAR-251132.c1.v1 (PDF, 2.03 MB )
For a downloadable copy of IOCs associated with this MAR, see:
-
MAR-251132.c1.v1.CLEAR_stix2 (JSON, 84.95 KB )
For a downloadable copy of the SIGMA rules associated with this MAR, see version in .pdf or .yaml format:
-
CMA_SIGMA_251132_CVE_2025_53770_ToolShell_IOCs (PDF, 42.50 KB )
-
CMA SIGMA 251132 (YAML, 5.55 KB )
-
CMA_SIGMA_251132_1_CVE_2025_53770_ToolShell (PDF, 41.03 KB )
-
CMA SIGMA 251132 1 (YAML, 4.22 KB )
-
CMA_SIGMA_251132_2_CVE_2025_53770_ToolShell (PDF, 39.79 KB )
-
CMA SIGMA 251132 2 (YAML, 2.86 KB )
Submitted Files (6)
3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997 (osvmhdfl.dll)
60a37499f9b02c203af24c2dfd7fdb3834cea707c4c56b410a7e68376938c4b7 (stage3.txt)
92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 (spinstall0.aspx)
9340bf7378234db5bca0dc5378bf764b6a24bb87a42b05fa21a996340608fbd7 (info3.aspx)
d0c4d6a4be0a65f8ca89e828a3bc810572fff3b3978ff0552a8868c69f83d170 (spinstallp.aspx)
d9c4dd5a8317d1d83b5cc3482e95602f721d58e3ba624d131a9472f927d33b00 (spinstallb.aspx)
Additional Files (2)
675a10e87c248d0f629da864ba8b7fd92b62323c406a69dec35a0e6e1552ecbc (info3.aspx)
bee94b93c1796981a55d7bd27a32345a61304a88ed6cd70a5f7a402f1332df72 (bjcloiyq.dll)
Findings
60a37499f9b02c203af24c2dfd7fdb3834cea707c4c56b410a7e68376938c4b7
Details
| Name | stage3.txt |
|---|---|
| Size | 15893 bytes |
| Type | ASCII text, with very long lines |
| MD5 | 921ac86b258fa9ea3da4c39462bad782 |
| SHA1 | b8662c8cc9e383b4a0ac980e0fd94941fe12c31d |
| SHA256 | 60a37499f9b02c203af24c2dfd7fdb3834cea707c4c56b410a7e68376938c4b7 |
| SHA512 | 6fd128a33e432d8fd5ea5dcf419a0b90f09648d7b4b95ceb6a5634fc01d8e0613d6d231bc038e2796f6a4d8fc277ebbea7b90ab773c0020dd2ad67149e52e4ff |
| ssdeep | 384:AQG6NVJiZbXhKth3s0bA2rhvhundOXz5D:AQG6NVJmbX0h3zs21vsndO |
| Entropy | 4.902435 |
Antivirus
No matches found.
YARA Rules
- rule CISA_251132_01 : steals_authentication_credentials exfiltrates_data
{
meta:
author = "CISA Code & Media Analysis"
incident = "251132"
date = "2025-07-21"
last_modified = "20250724_721"
actor = "n/a"
family = "n/a"
capabilities = "steals-authentication-credentials exfiltrates-data"
malware_type = "unknown"
tool_type = "unknown"
description = "Detects Encoded .Net DLL samples"
sha256_1 = "60a37499f9b02c203af24c2dfd7fdb3834cea707c4c56b410a7e68376938c4b7"
strings:
$s0 = { 4E 62 32 52 6C 41 46 4E 30 63 6D 6C 75 5A 77 42 44 62 32 35 6A 59 58 51 }
$s1 = { 41 45 41 55 77 42 30 41 48 49 41 61 51 42 75 41 47 63 41 52 67 42 70 41 }
$s2 = { 59 58 52 76 63 6D 41 79 57 31 74 54 65 58 4E 30 5A 57 30 75 51 6E 6C 30 }
$s3 = { 4A 7A 61 57 39 75 50 54 51 75 4D 43 34 77 4C 6A 41 73 49 45 4E 31 62 48 }
$s4 = { 43 42 57 5A 58 4A 7A 61 57 39 75 50 54 51 75 4D 43 34 77 4C 6A 41 73 49 }
$s5 = { 4D 54 6B 7A 4E 47 55 77 4F 44 6C 64 58 53 42 48 5A 58 52 46 62 6E 56 74 }
$s6 = { 5A 58 4A 68 64 47 39 79 4B 43 6B 49 41 41 41 41 43 67 46 }
$s7 = { 54 65 58 4E 30 5A 57 30 75 52 6E 56 75 59 32 41 79 57 31 }
$s8 = { 74 54 65 58 4E 30 5A 57 30 75 51 32 39 73 62 47 56 6A 64 47 6C 76 62 6E 4D 75 52 }
condition:
all of them
}
SIGMA Rule
## CISA Code & Media Analysis ##
############ README ###############
## Edit rules and queries as needed for your hunt and based on your environment.
## Ensure your EDR/SIEM instance has enough memory to run these AND/OR condition based queries. May take longer to run than conventional Sigma rule query.
## Do not edit "logsource-product:" unless you are editing this rule to meet specific logsources/fields and know your environment.
## TLP GREEN + Please use local installation of Sigma to convert this rule.
## TLP CLEAR may convert rules using online converter of choice.
###################################
title: Detects ToolShell CVE-2025-53770 Exploitation IOCs and Activity
incident: 251133.r1
tlp: CLEAR
id: aba8967f-6613-47a8-87d1-e5d7aae31e9b
status: test
description: Detects ToolShell CVE-2025-53770 Exploitation of SharePoint servers. Previous related CVEs are CVE-2025-49706 and CVE-2025-49704. CVE-2025-53770 is new and stealthy webshell called SharpyShell, that extracts and leaks cryptographic secrets from the SharePoint server using a simple GET request.
references:
- https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770
- https://research.eye.security/sharepoint-under-siege/
- https://x.com/codewhitesec/status/1944743478350557232/photo/1
- 251132.r1
author: CISA Code & Media Analysis
date: 2025-07-21
modified: 2025-07-22
tags:
- cve.2025.53770
logsource:
product: cma
detection:
keywords:
- '92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514'
- '107.191.58.76'
- '104.238.159.149'
- '96.9.125.147'
- 'Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 /_layouts/SignOut.aspx'
- '-EncodedCommand JABiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0'
- 'TEMPLATE\LAYOUTS\spinstall0.aspx'
- '/_layouts/15/ToolPane.aspx DisplayMode=Edit'
- '/_layouts/15/spinstall0.aspx'
- 'spinstall'
- 'yoserial'
keywords_1:
- 'POST'
- 'GET'
keywords_2:
- '/_layouts/15/ToolPane.aspx'
keywords_3:
- 'DisplayMode=Edit'
keywords_4:
- 'POST'
- 'GET'
- 'curl'
keywords_5:
- '/_layouts/'
- 'layouts'
keywords_6:
- 'ToolPane.aspx'
- 'SignOut.aspx'
- 'spinstall'
- 'info3.aspx'
keywords_7:
- 'HTTP'
keywords_8:
- 'X-TXT-NET'
keywords_9:
- '.exe'
keywords_10:
- '-ap'
keywords_11:
- 'SharePoint'
keywords_12:
- '8080'
keywords_13:
- '.dll'
keywords_14:
- 'pipe'
keywords_15:
- 'inetpub'
keywords_16:
- 'config'
keywords_17:
- 'ysoserial'
keywords_18:
- 'ViewState'
keywords_19:
- 'TypeConfuseDelegate'
keywords_20:
- 'powershell'
keywords_21:
- '-EncodedCommand'
keywords_22:
- 'BiAGEAcwBlADYANABTAHQAcgBpAG4AZwAgAD0'
- 'base64String='
keywords_23:
- 'BkAGUAYwBvAGQAZQBk'
- 'decoded'
keywords_24:
- 'BGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBn'
- 'FromBase64String'
keywords_25:
- 'cwBwAGkAbgBzAHQAYQBsAGwAMAAuAGEAcwBwAHg'
- 'AuAGEAcwBwAHg'
- 'spinstall0.aspx'
- '.aspx'
keywords_26:
- 'V3JpdGUoY2cuVm'
keywords_27:
- 'bisifCIrY2cuRG'
keywords_28:
- 'mFsaW'
condition: keywords or keywords_1 and keywords_2 and keywords_3 or keywords_4 and keywords_5 and keywords_6 or keywords_7 and keywords_8 or keywords_9 and keywords_10 and keywords_11 and keywords_12 and keywords_13 and keywords_14 and keywords_15 and keywords_16 or keywords_17 and keywords_18 and keywords_19 and keywords_20 and keywords_21 or keywords_22 and keywords_23 and keywords_24 and keywords_25 or keywords_26 and keywords_27 and keywords_28
falsepositives:
- Rate of FP moderate with some strings.
- Use this rule in an infected environment/logs.
- Analyst may need to make adjustments to the query as required.
level: critical
ssdeep Matches
No matches found.
Relationships
| 60a37499f9... | Contains | bee94b93c1796981a55d7bd27a32345a61304a88ed6cd70a5f7a402f1332df72 |
Description
This artifact is a data file containing the Base64 encoded .NET DLL "bjcloiyq.dll" (bee94b93c1...).
Screenshots
Figure 1 - Screenshot of a snippet of the data file.
bee94b93c1796981a55d7bd27a32345a61304a88ed6cd70a5f7a402f1332df72
Details
| Name | bjcloiyq.dll |
|---|---|
| Size | 10813 bytes |
| Type | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5 | 0e36ecda6fc4b5661f9a181984a53bb5 |
| SHA1 | 3a438b239d8451b8e12e9cdd3c24d1240dd758c9 |
| SHA256 | bee94b93c1796981a55d7bd27a32345a61304a88ed6cd70a5f7a402f1332df72 |
| SHA512 | 033f215fde36025a7ce434daddb70304d1e56f2dd2600e18a44d0af825a348fda388ee8fb1d684c2cdd006cdf042005bb26ab67cdf6c5eaac331650ea0ab9422 |
| ssdeep | 192:fJhh81DzgDZnSxPKgL6YBAxmrFMxmrFARmrF9RmrFj4U0QiKpM9aMg3AxmrFaxmi:xhh81Dz4pSxPKg2YBAxeFMxeFAReF9RL |
| Entropy | 4.986214 |
Antivirus
No matches found.
YARA Rules
- rule CISA_251132_02 : steals_authentication_credentials exfiltrates_data
{
meta:
author = "CISA Code & Media Analysis"
incident = "251132"
date = "2025-07-21"
last_modified = "20250724_721"
actor = "n/a"
family = "n/a"
capabilities = "steals-authentication-credentials exfiltrates-data"
malware_type = "unknown"
tool_type = "unknown"
description = "Detects .Net DLL payload samples"
sha256_1 = "bee94b93c1796981a55d7bd27a32345a61304a88ed6cd70a5f7a402f1332df72"
strings:
$s0 = { 62 6A 63 6C 6F 69 79 71 2E 64 6C 6C }
$s1 = { 4D 61 63 68 69 6E 65 4B 65 79 53 65 63 74 69 6F 6E 00 54 79 70 65 }
$s2 = { 67 65 74 5F 56 61 6C 69 64 61 74 69 6F 6E 4B 65 79 }
$s3 = { 67 65 74 5F 43 75 72 72 65 6E 74 00 48 74 74 70 52 65 73 70 6F 6E 73 65 }
$s4 = { 67 65 74 5F 44 65 63 72 79 70 74 69 6F 6E 4B 65 79 }
$s5 = { 67 65 74 5F 44 65 63 72 79 70 74 69 6F 6E }
$s6 = { 53 79 73 74 65 6D 2E 57 65 62 2E 43 6F 6E 66 69 67 75 72 61 74 69 6F 6E }
condition:
all of them
}
SIGMA Rule
## CISA Code & Media Analysis ##
############ README ###############
## Edit rules and queries as needed for your hunt and based on your environment.
## Ensure your EDR/SIEM instance has enough memory to run these AND/OR condition based queries. May take longer to run than conventional Sigma rule query.
## Do not edit "logsource-product:" unless you are editing this rule to meet specific logsources/fields and know your environment.
## TLP GREEN + Please use local installation of Sigma to convert this rule.
## TLP CLEAR may convert rules using online converter of choice.
###################################
title: Detects CVE-2025-53770 IOCs and Activity Based on Submitted Files 251132.r2
incident: 251133.r2
tlp: CLEAR
id: a9327942-4cf7-48e4-9ea4-ad0b54db4bf7
status: test
description: Detects ToolShell CVE-2025-53770 Exploitation of SharePoint servers. Detects IOCs and Activity Based on Submitted Files 251132.r2.
references:
- 251132.r2
author: CISA Code & Media Analysis
date: 2025-07-23
modified: 2025-07-23
tags:
- cve.2025.53770
logsource:
product: cma
detection:
keywords_1:
- 'CVAUGFnZSBMYW5ndWFnZT0i'
- '%@Page Language="'
keywords_2:
- 'Jwb3dlcnNoZWxsLmV4ZS'
- 'powershell.exe'
keywords_3:
- 'ItZW5j'
- '-enc'
- 'LUVuY29kZWRDb21tYW5k'
- '-EncodedCommand'
keywords_4:
- '0Jhc2U2NFN0cmluZy'
- 'Base64String'
keywords_5:
- 'FJlcXVlc3QuRm9ybV'
- 'Request.Form'
keywords_6:
- 'sicCJ'
- '"p"'
keywords_7:
- '*.exe'
keywords_8:
- 'powershell*'
keywords_9:
- '-Command'
keywords_10:
- 'Get-ChildItem'
- 'ForEach-Object'
keywords_11:
- '*\TEMPLATE\LAYOUTS\*'
keywords_12:
- '*.exe'
keywords_13:
- 'certutil*'
keywords_14:
- '-decode'
keywords_15:
- 'c:\progra~1\common~1\micros~1\webser~1\16\template\layouts\owa\resources\*'
- 'c:\progra~1\common~1\micros~1\webser~1\16\template\layouts\*'
- '\template\layouts\*'
- '\template\layouts\owa\*'
keywords_16:
- '*.aspx'
- '*.txt'
keywords_17:
- '*\TEMPLATE\LAYOUTS\*'
keywords_18:
- 'spinstall*'
keywords_19:
- '*.aspx'
condition: keywords_1 and keywords_2 and keywords_3 and keywords_4 and keywords_5 and keywords_6 or keywords_7 and keywords_8 and keywords_9 and keywords_10 and keywords_11 or keywords_12 and keywords_13 and keywords_14 or keywords_15 and keywords_16 or keywords_17 and keywords_18 and keywords_19
falsepositives:
- Rate of FP low-moderate with some strings.
- Use this rule in an infected environment/logs.
- Analyst may need to make adjustments to the query as required.
level: critical
ssdeep Matches
No matches found.
PE Metadata
| Compile Date | 2025-07-18 03:25:36+00:00 |
|---|---|
| Import Hash | dae02f32a21e03ce65412f6e56942daa |
| File Description | |
| Internal Name | bjcloiyq.dll |
| Legal Copyright | |
| Original Filename | bjcloiyq.dll |
| Product Version | 0.0.0.0 |
PE Sections
| MD5 | Name | Raw Size | Entropy |
|---|---|---|---|
| 93185bd1019bd277eef9815a17f1d074 | header | 512 | 2.540889 |
| f7cb6b7293c5082045ba423cab20a758 | .text | 2048 | 4.519674 |
| b73c90a61195ef7457efab9d898490d9 | .rsrc | 1024 | 2.172802 |
| 039675253cb6c73f5458348295ff2f28 | .reloc | 512 | 0.081539 |
Packers/Compilers/Cryptors
| Microsoft Visual C# / Basic .NET |
Relationships
| bee94b93c1... | Contained_Within | 60a37499f9b02c203af24c2dfd7fdb3834cea707c4c56b410a7e68376938c4b7 |
Description
This artifact is a 64-bit .NET DLL that contains a class named "E" (Figure 2) used to extract and concatenate machine key configuration settings within an ASP[.]NET application's configuration. The file uses reflection to access the "MachineKeySection" from the "System.Web" assembly, which contains cryptographic keys used for validation and decryption in ASP[.]NET. The file uses reflection to get and invoke the "GetApplicationConfig" method of the "MachineKeySection" class to retrieve the "machineKey" configuration, which holds the actual key values. The file constructs a string containing the "ValidationKey", "Validation", "DecryptionKey", "Decryption", and "CompatibilityMode" properties of the "machineKeySection" and adds it as a custom header named "X-TXT-NET" to the HTTP response.
Screenshots
Figure 2 - Screenshot of the decompiled .NET assembly within a class named "E" used to extract the machine key configuration.
3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997
Details
| Name | osvmhdfl.dll |
|---|---|
| Size | 13373 bytes |
| Type | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5 | 40e609840ef3f7fea94d53998ec9f97f |
| SHA1 | 141af6bcefdcf6b627425b5b2e02342c081e8d36 |
| SHA256 | 3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997 |
| SHA512 | deaed6b7657cc17261ae72ebc0459f8a558baf7b724df04d8821c7a5355e037a05c991433e48d36a5967ae002459358678873240e252cdea4dcbcd89218ce5c2 |
| ssdeep | 384:cMQLQ5VU1DcZugg2YBAxeFMxeFAReF9ReFj4U0QiKy8Mg3AxeFaxeFAReFLxTYma:ElHh1gtX10u5A |
| Entropy | 4.966672 |
Antivirus
No matches found.
YARA Rules
- rule CISA_251132_08 : steals_authentication_credentials exfiltrates_data
{
meta:
author = "CISA Code & Media Analysis"
incident = "251132"
date = "2025-07-21"
last_modified = "20250725_712"
actor = "n/a"
family = "n/a"
capabilities = "steals-authentication-credentials exfiltrates-data"
malware_type = "unknown"
tool_type = "unknown"
description = "Detects .Net DLL payload samples"
sha256_1 = "3461da3a2ddcced4a00f87dcd7650af48f97998a3ac9ca649d7ef3b7332bd997"
strings:
$s0 = { 47 65 74 4C 6F 67 69 63 61 6C 44 72 69 76 65 73 }
$s1 = { 67 65 74 5F 4D 61 63 68 69 6E 65 4E 61 6D 65 }
$s2 = { 67 65 74 5F 53 79 73 74 65 6D 44 69 72 65 63 74 6F 72 79 }
$s3 = { 67 65 74 5F 43 75 72 72 65 6E 74 44 69 72 65 63 74 6F 72 79 }
$s4 = { 67 65 74 5F 50 72 6F 63 65 73 73 6F 72 43 6F 75 6E 74 }
$s5 = { 67 65 74 5F 55 73 65 72 4E 61 6D 65 }
$s6 = { 67 65 74 5F 4F 53 56 65 72 73 69 6F 6E }
$s7 = { 45 6E 76 69 72 6F 6E 6D 65 6E 74 56 61 72 69 61 62 6C 65 73 }
$s8 = { 53 79 73 74 65 6D 2E 57 65 62 2E 43 6F 6E 66 69 67 75 72 61 74 69 6F 6E }
$s9 = { 4D 61 63 68 69 6E 65 4B 65 79 53 65 63 74 69 6F 6E }
$s10 = { 67 65 74 5F 56 61 6C 69 64 61 74 69 6F 6E 4B 65 79 }
$s11 = { 67 65 74 5F 44 65 63 72 79 70 74 69 6F 6E 4B 65 79 }
$s12 = { 67 65 74 5F 44 65 63 72 79 70 74 69 6F 6E }
$s13 = { 67 65 74 5F 43 6F 6D 70 61 74 69 62 69 6C 69 74 79 4D 6F 64 65 }
condition:
all of them
}
SIGMA Rule
## CISA Code & Media Analysis ##
############ README ###############
## Edit rules and queries as needed for your hunt and based on your environment.
## Ensure your EDR/SIEM instance has enough memory to run these AND/OR condition based queries. May take longer to run than conventional Sigma rule query.
## Do not edit "logsource-product:" unless you are editing this rule to meet specific logsources/fields and know your environment.
## TLP GREEN + Please use local installation of Sigma to convert this rule.
## TLP CLEAR may convert rules using online converter of choice.
###################################
title: Detects CVE-2025-53770 CVE-2025-53771 Updated IOCs and Activity
incident: 251133.r2
tlp: CLEAR
id: 32bba1a1-3900-4cf9-b379-3e71a63998a3
status: test
description: Detects ToolShell CVE-2025-53770 Exploitation of SharePoint servers. Detects updated IOCs and Activity. CVE-2025-49704, CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771. TA - Linen Typhoon, Violet Typhoon, Storm-2603.
references:
- https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/?msockid=3e14885e8c2b643323129d998d366597
- https://socradar.io/toolshell-sharepoint-zero-day-cve-2025-53770/
- https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770/
- https://github.com/kaizensecurity/CVE-2025-53770/blob/master/payload
- https://www.picussecurity.com/resource/blog/cve-2025-53770-critical-unauthenticated-rce-in-microsoft-sharepoint
- https://www.trendmicro.com/en_us/research/25/g/cve-2025-53770-and-cve-2025-53771-sharepoint-attacks.html
author: CISA Code & Media Analysis
date: 2025-07-23
modified: 2025-07-23
tags:
- cve.2025.49704
- cve.2025.49706
- cve.2025.53770
- cve.2025.53771
logsource:
product: cma
detection:
keywords:
- '92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514'
- '4a02a72aedc3356d8cb38f01f0e0b9f26ddc5ccb7c0f04a561337cf24aa84030'
- 'b39c14becb62aeb55df7fd55c814afbb0d659687d947d917512fe67973100b70'
- 'fa3a74a6c015c801f5341c02be2cbdfb301c6ed60633d49fc0bc723617741af7'
- '390665bdd93a656f48c463bb6c11a4d45b7d5444bdd1d1f7a5879b0f6f9aac7e'
- '66af332ce5f93ce21d2fe408dffd49d4ae31e364d6802fff97d95ed593ff3082'
- '7baf220eb89f2a216fcb2d0e9aa021b2a10324f0641caf8b7a9088e4e45bec95'
- '8d3d3f3a17d233bc8562765e61f7314ca7a08130ac0fb153ffd091612920b0f2'
- '30955794792a7ce045660bb1e1917eef36f1d5865891b8110bf982382b305b27'
- 'b336f936be13b3d01a8544ea3906193608022b40c28dd8f1f281e361c9b64e93'
- '107.191.58.76'
- '104.238.159.149'
- '96.9.125.147'
- '103.186.30.186'
- '45.77.155.170'
- '139.144.199.41'
- '172.174.82.132'
- '89.46.223.88'
- '45.77.155.170'
- '154.223.19.106'
- '185.197.248.131'
- '149.40.50.15'
- '64.176.50.109'
- '149.28.124.70'
- '206.166.251.228'
- '95.179.158.42'
- '86.48.9.38'
- '128.199.240.182'
- '212.125.27.102'
- '91.132.95.60'
- '134.199.202.205'
- '131.226.2.6'
- '188.130.206.168'
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0'
- 'Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0'
- 'c34718cbb4c6.ngrok-free.app/file.ps1'
keywords_1:
- '*\TEMPLATE\LAYOUTS\*'
keywords_2:
- 'spinstall*'
- 'debug*'
- 'info*'
keywords_3:
- '*.aspx'
- '*.js'
keywords_4:
- 'POST'
- 'GET'
- 'curl'
keywords_5:
- '*/_layouts/*'
- '*/layouts/*'
- '*layouts*'
keywords_6:
- '*ToolPane.aspx'
- '*DisplayMode'
- '*SignOut.aspx'
- '*spinstall*'
- 'VIEWSTATE'
keywords_7:
- 'cmd.exe'
keywords_8:
- 'powershell.exe'
keywords_9:
- '-EncodedCommand'
- '-ec'
- '-enc'
- 'VIEWSTATE'
- 'yoserial*'
keywords_10:
- '*\TEMPLATE\LAYOUTS\*'
keywords_11:
- 'ChildItem'
keywords_12:
- 'targetFile'
keywords_13:
- 'NewLine'
keywords_14:
- '*web.config*'
keywords_15:
- 'Ry2cuVmFsaWRhd'
- 'Validation'
keywords_16:
- 'ifCIRy2cuQ29tc'
- 'Decryption'
keywords_17:
- 'dGlvb'
- 'Key'
keywords_18:
- 'UZtleVNlY3Rpb2'
- 'MachineKey'
keywords_19:
- 'ShudWxsLC'
- 'Invoke'
keywords_20:
- 'XIiIGxhbmd1Y'
- 'language'
keywords_21:
- 'qZWN0WzBdKTsNC'
- 'new object'
keywords_22:
- 'POST'
- 'powershell*'
- '*layouts*'
keywords_23:
- 'ToolPane.aspx'
- '*spinstall*'
condition: keywords or keywords_1 and keywords_2 and keywords_3 or keywords_4 and keywords_5 and keywords_6 or keywords_7 and keywords_8 and keywords_9 or keywords_10 and keywords_11 and keywords_12 and keywords_13 and keywords_14 or keywords_15 and keywords_16 and keywords_17 and keywords_18 and keywords_19 and keywords_20 and keywords_21 or keywords_22 and keywords_23
falsepositives:
- Rate of FP low-moderate with some strings.
- Use this rule in an infected environment/logs.
- Analyst may need to make adjustments to the query as required.
level: critical
ssdeep Matches
No matches found.
PE Metadata
| Compile Date | 2025-07-22 08:33:22+00:00 |
|---|---|
| Import Hash | dae02f32a21e03ce65412f6e56942daa |
| File Description | |
| Internal Name | osvmhdfl.dll |
| Legal Copyright | |
| Original Filename | osvmhdfl.dll |
| Product Version | 0.0.0.0 |
PE Sections
| MD5 | Name | Raw Size | Entropy |
|---|---|---|---|
| 2a11da5809d47c180a7aa559605259b5 | header | 512 | 2.545281 |
| 531ff1038e010be3c55de9cf1f212b56 | .text | 4608 | 4.532967 |
| ef6793ef1a2f938cddc65b439e44ea07 | .rsrc | 1024 | 2.170401 |
| 403090c0870bb56c921d82a159dca5a3 | .reloc | 512 | 0.057257 |
Packers/Compilers/Cryptors
| Microsoft Visual C# / Basic .NET |
Description
This artifact is a 32-bit .NET DLL that contains a class named "E" (Figure 3) used to retrieve system and environment information, along with the machine key configuration settings (Figure 3). This class file is designed to iterate through and collect environment variables as well as retrieve and format .NET and system properties below:
--Begin System Properties--
Number of logical drives
Drive letters
Computer name
Full path of the system directory
Current directory
Processor count
System uptime (milliseconds since start)
Username
Operating system version
.NET version
--End System Properties--
The file uses reflection to access the "MachineKeySection" from the "System.Web" assembly, which contains cryptographic keys used for validation and decryption in ASP[.]NET. The file uses reflection to invoke the "GetApplicationConfig" method of the "MachineKeySection" class to retrieve the "machineKey" configuration, which holds the actual key values. The file constructs a string containing the "ValidationKey", "Validation", "DecryptionKey", "Decryption", and "CompatibilityMode" properties of the "machineKeySection". The gathered information and the "MachineKeySection" details are formatted into a string before written to the HTTP response (current.Response object).
Screenshots
Figure 3 - Screenshot of the decompiled .NET assembly that contains a class named "E" used to retrieve and display system and environment information, along with the machine key configuration settings.
92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514
Tags
webshell
Details
| Name | spinstall0.aspx |
|---|---|
| Size | 756 bytes |
| Type | HTML document, ASCII text, with CRLF line terminators |
| MD5 | 02b4571470d83163d103112f07f1c434 |
| SHA1 | f5b60a8ead96703080e73a1f79c3e70ff44df271 |
| SHA256 | 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 |
| SHA512 | 2e6799393458d42acd4586c9792c24edf10b5e4aa761419758fec8da6670197c0e7c21e46dab224673818146ea4811446b4fbeaeed581e98f2add0980eb9d47d |
| ssdeep | 12:iWVx8OaBngupDLI4MKisEKFhbCT5a05MQ+SuEKd2Eswl1HwAbPYMv:5VxWBnrE4JtbCT5f5exB1tbPYMv |
| Entropy | 5.313146 |
Antivirus
No matches found.
YARA Rules
- rule CISA_251132_03 : steals_authentication_credentials exfiltrates_data
{
meta:
author = "CISA Code & Media Analysis"
incident = "251132"
date = "2025-07-21"
last_modified = "20250724_721"
actor = "n/a"
family = "n/a"
capabilities = "steals-authentication-credentials exfiltrates-data"
malware_type = "unknown"
tool_type = "unknown"
description = "Detects aspx payload samples"
sha256_1 = "92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"
strings:
$s0 = { 4C 6F 61 64 28 22 53 79 73 74 65 6D 2E 57 65 62 }
$s1 = { 43 6F 6E 66 69 67 75 72 61 74 69 6F 6E 2E 4D 61 63 68 69 6E 65 4B 65 79 53 65 63 74 69 6F 6E }
$s2 = { 52 65 73 70 6F 6E 73 65 2E 57 72 69 74 65 }
$s3 = { 63 67 2E 56 61 6C 69 64 61 74 69 6F 6E 4B 65 79 2B 22 7C 22 }
$s4 = { 2B 63 67 2E 56 61 6C 69 64 61 74 69 6F 6E 2B }
$s5 = { 2B 63 67 2E 44 65 63 72 79 70 74 69 6F 6E 4B 65 79 2B }
$s6 = { 2B 63 67 2E 44 65 63 72 79 70 74 69 6F 6E 2B }
$s7 = { 2B 63 67 2E 43 6F 6D 70 61 74 69 62 69 6C 69 74 79 4D 6F 64 65 }
condition:
all of them
}
SIGMA Rule
No associated rule.
ssdeep Matches
No matches found.
Description
This artifact is a malicious ASPX file used to retrieve and output machine key information from the "MachineKeySection" of the System[.]Web[.]Configuration namespace (Figure 4). This file uses reflection to dynamically load the "System.Web" assembly and access the "MachineKeySection" class within "System.Web.Configuration". The file invokes "GetApplicationConfig" to retrieve the "MachineKeySection" object and writes its properties including, ValidationKey, Validation, DecryptionKey, Decryption, and CompatibilityMode to the HTTP response using the "Response.Write()" method.
Screenshots
Figure 4 - Screenshot of the contents of the ASPX file used to extract configuration information from the machine key section of a web application's Web.config file.
9340bf7378234db5bca0dc5378bf764b6a24bb87a42b05fa21a996340608fbd7
Tags
dropper
Details
| Name | info3.aspx |
|---|---|
| Size | 5026 bytes |
| Type | ASCII text, with very long lines, with no line terminators |
| MD5 | 1f5c8df6bd296ebf68acda951a004a5b |
| SHA1 | d80722b335806cb74ee27af385abc6c9b018e133 |
| SHA256 | 9340bf7378234db5bca0dc5378bf764b6a24bb87a42b05fa21a996340608fbd7 |
| SHA512 | 54a82a9d9747f872f21f20ac4acea25218ed38a61fd9c611fb858f3f0c2941d4bf7ed35bf93fc0432aa3ac5a891277754a4a9468ae03cf31ca11281a589bc224 |
| ssdeep | 96:orFTPkPoXHIBvUr7F13mw3UhoQgW0970Eq90WtPKLiOKMT:orVPkPRBvaJ13r3eA709JPKGOKMT |
| Entropy | 5.515141 |
Antivirus
No matches found.
YARA Rules
- rule CISA_251132_04 : dropper installs_other_components
{
meta:
author = "CISA Code & Media Analysis"
incident = "251132"
date = "2025-07-21"
last_modified = "20250724_721"
actor = "n/a"
family = "n/a"
capabilities = "installs-other-components"
malware_type = "dropper"
tool_type = "unknown"
description = "Detects Base64 encoded PowerShell dropper samples"
sha256_1 = "9340bf7378234db5bca0dc5378bf764b6a24bb87a42b05fa21a996340608fbd7"
strings:
$s0 = { 63 6D 64 2E 65 78 65 5C 22 20 2F 63 20 70 6F 77 65 72 73 68 65 6C 6C 20 2D 43 6F 6D 6D 61 6E 64 }
$s1 = { 46 72 6F 6D 42 61 73 65 36 34 53 74 72 69 6E 67 }
$s2 = { 4F 75 74 2D 46 69 6C 65 20 2D 46 69 6C 65 50 61 74 68 }
$s3 = { 69 6E 66 6F 33 2E 61 73 70 78 }
$s4 = { 2D 45 6E 63 6F 64 69 6E 67 20 55 54 46 38 }
condition:
all of them
}
SIGMA Rule
No associated rule.
ssdeep Matches
No matches found.
Relationships
| 9340bf7378... | Contains | 675a10e87c248d0f629da864ba8b7fd92b62323c406a69dec35a0e6e1552ecbc |
Description
This artifact contains command-line instruction used to execute a PowerShell command (Figure 5). The PowerShell command decodes a Base64 encoded string into a Unicode Transformation Format-8 (UTF-8) string. The decoded content is then written to a file named "info3.aspx" (675a10e87c24....) located at c:\progra~1\\common~1\micros~1\webser~1\l16\template\layouts\. The output file is encoded using UTF8.
Screenshots
Figure 5 - Screenshot of the contents of the file containing command-line instruction used to execute a PowerShell command.
675a10e87c248d0f629da864ba8b7fd92b62323c406a69dec35a0e6e1552ecbc
Tags
webshell
Details
| Name | info3.aspx |
|---|---|
| Size | 3582 bytes |
| Type | HTML document, ASCII text |
| MD5 | 7e09e837805c55dc5643cc21a87ff2a8 |
| SHA1 | 27f154765054fbe0f5c234cd2c7829b847005d2a |
| SHA256 | 675a10e87c248d0f629da864ba8b7fd92b62323c406a69dec35a0e6e1552ecbc |
| SHA512 | 83aa141fd090172fb9a22855c18f2aea8b37f663f0093edd675a7499186fe46b3f953edda9477ca8918cf2af82c8b723d07a6912a9d7aa62b26391d15a83c44d |
| ssdeep | 48:H9zBW074shunsBjsm/ITETo1YWOW5uq+Z8QZ+ThJSCyiH12:HJBG2jsmI4lPeWiOo3SCyiV2 |
| Entropy | 4.789465 |
Antivirus
No matches found.
YARA Rules
- rule CISA_251132_05 : webshell exfiltrates_data fingerprints_host
{
meta:
author = "CISA Code & Media Analysis"
incident = "251132"
date = "2025-07-21"
last_modified = "20250724_721"
actor = "n/a"
family = "n/a"
capabilities = "exfiltrates-data fingerprints-host"
malware_type = "webshell"
tool_type = "unknown"
description = "Detects aspx webshell samples"
sha256_1 = "675a10e87c248d0f629da864ba8b7fd92b62323c406a69dec35a0e6e1552ecbc"
strings:
$s0 = { 43 75 72 72 65 6E 74 2E 52 65 71 75 65 73 74 2E 46 6F 72 6D }
$s1 = { 20 48 74 74 70 43 6F 6F 6B 69 65 20 6E 65 77 63 6F 6F 6B }
$s2 = { 6E 65 77 63 6F 6F 6B 2E 45 78 70 69 72 65 73 20 }
$s3 = { 52 65 73 70 6F 6E 73 65 2E 53 65 74 43 6F 6F 6B 69 65 28 6E 65 77 63 6F 6F 6B 29 }
$s4 = { 43 6F 6D 70 75 74 65 48 61 73 68 }
$s5 = { 44 26 46 72 69 32 6B 26 78 35 64 4D 49 53 54 6E 61 46 71 40 }
$s6 = { 2A 68 75 5E 4D 23 6C 23 4C 72 6C 4E 6F 39 21 37 4B 4C 66 }
$s7 = { 22 63 6D 22 20 2B 20 22 64 2E 65 22 20 2B 20 22 78 65 22 }
$s8 = { 57 72 69 74 65 4C 69 6E 65 28 22 65 78 69 74 22 29 }
$s9 = { 50 61 73 73 77 6F 72 64 }
$s10 = { 43 6F 6D 6D 61 6E 64 }
$s11 = { 55 70 6C 6F 61 64 }
$s12 = { 74 79 70 65 3D 22 66 69 6C 65 22 }
$s13 = { 74 79 70 65 3D 22 74 65 78 74 22 }
condition:
all of them
}
SIGMA Rule
No associated rule.
ssdeep Matches
No matches found.
Relationships
| 675a10e87c... | Contained_Within | 9340bf7378234db5bca0dc5378bf764b6a24bb87a42b05fa21a996340608fbd7 |
Description
This artifact is a malicious ASP[.]NET web page (.aspx) that contains ASP[.]NET code embedded within an HTML structure. This file is a webshell installed by "info3.aspx" (9340bf73782....). The file handles various operations based on submitted form data or HTTP cookies. The file contains HTML code used to create forms. The forms allow the Threat Actor (TA) to enter a password and submit it using a "Login" button, enter a command into a text field, which can then be executed by clicking an "Execute" button, and upload files that includes two input fields: one for selecting a file (type="file") and another for text input (type="text") (Figure 7).
The password form element is configured for POST method and the input field is named "nYOmkVTYH2". If the HTML form with a password is received from the TA via an HTTP POST request, the file checks if the submission form field parameter named "nYOmkVTYH2" is not null or empty. If the parameter is present and not empty, the file sets an HTTP Cookie named "wY1DC6wH4u" with a value from the form field "nYOmkVTYH2" and sets the HTTP Cookie expiration date to four days from the current time. This cookie is then added to the response. The file verifies if the HTTP cookie exists in the current HTTP request. If the cookie exists, its value is concatenated with a long hard-coded string "D&Fri2k&x5dMISTnaFq@ssyKk@rEM!98KzSKWpL4Nc8NvaA9AKdJVOtfdJ45FvbyYHxTql6kkc%qOZevc*hu^M#l#LrlNo9!7KLf". This combined string is then hashed using SHA512. The computed hash is converted to a Base64 string and compared against a predefined Base64 encoded string "9gYs0W/reXzR+KO6J/zP6naMU9AQwZCwhmXuPyGeY2VwMkxNGBZaJQAxGS6GvQZJLSAPk8LT0PgJVU1kQQJd2zW9w==" (Figure 6). This process determines whether a user or request is authorized.
The command form element is configured for POST method and the input field is named "GTaRkhJ9wz". If the HTML form with a command is received from the TA via an HTTP POST request, the file checks if the submission form field parameter named "GTaRkhJ9wz" is not null or empty. If the parameter is present and not empty, the file creates a new process to execute a command-line utility "cmd.exe". The file redirects standard input, output, and error streams to capture the results of the executed command. The code writes the value of the "GTaRkhJ9wz" form parameter to the process's standard input, executing the value as a command, and then writes "exit" to terminate the process (Figure 6).
The file upload form element is configured for POST method and "enctype"="multipart/form-data" to handle file uploads. It includes an input type="file" for selecting a file (input field named "0z3H8H8ato") and an input type="text" for providing a destination path or filename ( input field named "7KAjlfecWF"). If the HTML form for file upload is received from the TA, the file checks if the submission form field parameter named "7KAjlfecWF" (intended to be the file path or name) is not null or empty. The file retrieves the uploaded file through the "0z3H8H8atO" input using "HttpContext.Current[.]Request[.]Files["Oz3H8H8ato"]". If the file exists and has content (content length is greater than zero), the file saves the uploaded file using the path provided in the "7KAjlfecWF" field. Upon successful upload, the "InnerText" of an element named "Result" is set to "uploaded", indicating the file has been saved. If an error occurs during the process, the file captures the exception and displays its details in "Result.InnerText" (Figure 6). The file displays server-side generated output or messages to the TA.
Screenshots
Figure 6 - Screenshot of the code snippet designed for handling various web-related operations, including setting and retrieving HTTP cookies, calculating a SHA512 hash of a request form value, starting an external cmd process and capturing its output, handling uploaded files from a request.
Figure 7 - Screenshot of the form that allows the TA to enter a password and submit it using a "Login" button, to enter a command, which can then be executed by clicking an "Execute" button, and a field for uploading files, featuring a file input (type="file") and a text input, both submitted using an "Upload" button.
d9c4dd5a8317d1d83b5cc3482e95602f721d58e3ba624d131a9472f927d33b00
Tags
webshell
Details
| Name | spinstallb.aspx |
|---|---|
| Size | 676 bytes |
| Type | HTML document, ASCII text, with very long lines, with no line terminators |
| MD5 | 7d2f36f4cb82c75b83c210e655649b5d |
| SHA1 | 37d1d1913d758f7d71020c08d4a7dae3efe83b68 |
| SHA256 | d9c4dd5a8317d1d83b5cc3482e95602f721d58e3ba624d131a9472f927d33b00 |
| SHA512 | c52ab55753ae7fcfca46e869b805f3aa2d19c45e7526a61f79b20b8cd38eccc09f1b7a06acbd8d77e936f68fea9ee3bba7b7c42d6f93cf0c27a22cf7555d70d3 |
| ssdeep | 12:XrVcins8q/KF2C2DRbqtP6LoGM8AWLaWF1nM9OiDGiOVKeL84GYb:7Vds8q/KF2C2qPWHAW+WF9M9OiDm/b |
| Entropy | 5.466082 |
Antivirus
No matches found.
YARA Rules
- rule CISA_251132_06 : webshell fingerprints_host installs_other_components exfiltrates_data
{
meta:
author = "CISA Code & Media Analysis"
incident = "251132"
date = "2025-07-21"
last_modified = "20250725_712"
actor = "n/a"
family = "n/a"
capabilities = "fingerprints-host installs-other-components exfiltrates-data"
malware_type = "webshell"
tool_type = "unknown"
description = "Detects ASPX Webshell samples"
sha256_1 = "d9c4dd5a8317d1d83b5cc3482e95602f721d58e3ba624d131a9472f927d33b00"
strings:
$s0 = { 3D 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B 22 70 22 5D }
$s1 = { 46 72 6F 6D 42 61 73 65 36 34 53 74 72 69 6E 67 28 65 6E 63 29 }
$s2 = { 46 69 6C 65 4E 61 6D 65 3D 22 70 6F 77 65 72 73 68 65 6C 6C 2E 65 78 65 }
$s3 = { 2D 45 6E 63 6F 64 65 64 43 6F 6D 6D 61 6E 64 }
$s4 = { 2C 55 73 65 53 68 65 6C 6C 45 78 65 63 75 74 65 3D 66 61 6C 73 65 }
$s5 = { 76 61 72 20 70 6C 3D 6E 65 77 20 62 79 74 65 }
$s7 = { 36 38 39 30 31 61 33 39 34 61 37 36 64 63 35 30 36 34 66 62 61 39 36 62 38 36 }
$s8 = { 32 36 36 35 65 65 35 39 36 62 31 61 31 34 36 38 62 64 63 36 }
$s9 = { 31 38 31 35 37 64 37 63 63 61 30 31 33 30 39 30 32 65 }
condition:
all of them
}
SIGMA Rule
No associated rule.
ssdeep Matches
No matches found.
Description
This artifact is a malicious ASPX file with a "Page_Load" event handler that constructs and executes a command using PowerShell on the server (Figure 8). Upon execution, the file takes a Base64-encoded string from a form parameter named "p". The Base64 encoded string is decoded and Exclusively-OR (XOR) decrypted using a hard-coded XOR key "68901a394a76dc5064fba96b862665ee596b1a1468bdc618157d7cca0130902e". The output of the XOR decrypted bytes are converted to a Unicode Transformation Format-8 (UTF-8) string and then Base64 encoded. The Base64 encoded string is passed as an argument to the PowerShell process "powershell.exe" using the "-EncodedCommand flag". The file redirects the standard output of the PowerShell process and reads it into a variable "o", which is then written back to the HTTP response.
Screenshots
Figure 8 - Screenshot of the contents of the ASPX file.
d0c4d6a4be0a65f8ca89e828a3bc810572fff3b3978ff0552a8868c69f83d170
Tags
webshell
Details
| Name | spinstallp.aspx |
|---|---|
| Size | 706 bytes |
| Type | HTML document, ASCII text, with very long lines, with no line terminators |
| MD5 | 7768feda9d79ef6f87410c02e981f066 |
| SHA1 | 1b8432fcda4c12b64cdf4918adf7880aecf054ec |
| SHA256 | d0c4d6a4be0a65f8ca89e828a3bc810572fff3b3978ff0552a8868c69f83d170 |
| SHA512 | c9ee5d32a59fad386570923df7950b562e1d4c000c7f4a20aebc214477f737815a401858a11d4e9139a80152afd5ddc8655ad804e71544e50f5a23cc9888eeba |
| ssdeep | 12:XrVTO6LjxB5QnnsJz3kH+XWLaWF1n5OiD5RKF2UIdiOVKeLxnHdYT:7VTOYZWsJz3+WW+WF95OiDbKF2xP6T |
| Entropy | 5.432916 |
Antivirus
No matches found.
YARA Rules
- rule CISA_251132_07 : webshell fingerprints_host installs_other_components exfiltrates_data
{
meta:
author = "CISA Code & Media Analysis"
incident = "251132"
date = "2025-07-21"
last_modified = "20250725_712"
actor = "n/a"
family = "n/a"
capabilities = "fingerprints-host installs-other-components exfiltrates-data"
malware_type = "webshell"
tool_type = "unknown"
description = "Detects ASPX Webshell samples"
sha256_1 = "d0c4d6a4be0a65f8ca89e828a3bc810572fff3b3978ff0552a8868c69f83d170"
strings:
$s0 = { 61 38 35 39 66 30 32 30 38 37 37 37 34 36 32 38 39 39 64 66 36 37 62 33 64 38 31 61 37 62 38 62 }
$s1 = { 70 6F 77 65 72 73 68 65 6C 6C 2E 65 78 65 }
$s2 = { 41 72 67 75 6D 65 6E 74 73 3D 22 2D 65 6E 63 20 22 }
$s3 = { 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B 22 70 22 5D }
$s4 = { 55 73 65 53 68 65 6C 6C 45 78 65 63 75 74 65 3D 66 61 6C 73 65 }
$s5 = { 52 65 64 69 72 65 63 74 53 74 61 6E 64 61 72 64 4F 75 74 70 75 74 3D 74 72 75 65 }
$s6 = { 53 74 61 6E 64 61 72 64 4F 75 74 70 75 74 }
$s7 = { 52 65 73 70 6F 6E 73 65 2E 57 72 69 74 65 }
$s8 = { 47 65 74 42 79 74 65 73 28 6F 29 }
condition:
all of them
}
SIGMA Rule
No associated rule.
ssdeep Matches
No matches found.
Description
This artifact is a malicious ASPX file with a "Page_Load" event handler that constructs and executes a command using PowerShell on the server (Figure 9). Upon execution, the file constructs a PowerShell command that decodes a Base64 string from the request form parameter "p". The decoded string is decrypted using the XOR function with the hard-coded key "a859f0208777462899df67b3d81a7b8b". The decrypted bytes (command) is executed using a PowerShell command. The standard output of the executed PowerShell command is converted to a UTF-8 string, then encrypted using the XOR function with the same hard-coded key. The encrypted bytes data is Base64 encoded before written to the HTTP response using "Response.Write".
Screenshots
Figure 9 - Screenshot of the contents of the ASPX file.
Relationship Summary
| 60a37499f9... | Contains | bee94b93c1796981a55d7bd27a32345a61304a88ed6cd70a5f7a402f1332df72 |
| bee94b93c1... | Contained_Within | 60a37499f9b02c203af24c2dfd7fdb3834cea707c4c56b410a7e68376938c4b7 |
| 9340bf7378... | Contains | 675a10e87c248d0f629da864ba8b7fd92b62323c406a69dec35a0e6e1552ecbc |
| 675a10e87c... | Contained_Within | 9340bf7378234db5bca0dc5378bf764b6a24bb87a42b05fa21a996340608fbd7 |
Recommendations
CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up-to-date.
- Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
- Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
- Enforce a strong password policy and implement regular password changes.
- Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
- Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
- Disable unnecessary services on agency workstations and servers.
- Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
- Monitor users' web browsing habits; restrict access to sites with unfavorable content.
- Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
- Scan all software downloaded from the Internet prior to executing.
- Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).
Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".
Contact Information
- 1-888-282-0870
- CISA Service Desk (UNCLASS)
- CISA SIPR (SIPRNET)
- CISA IC (JWICS)
CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.cisa.gov/forms/feedback
Document FAQ
What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.
Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.
Can I submit malware to CISA? Malware samples can be submitted via the methods below:
- Web: https://www.cisa.gov/resources-tools/services/malware-next-generation-analysis
- For larger files (over 100MB), please reach out to CISA for instructions.
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.cisa.gov.
Microsoft Releases Guidance on High-Severity Vulnerability (CVE-2025-53786) in Hybrid Exchange Deployments
Note: This Alert may be updated to reflect new guidance issued by CISA or other parties.
CISA is aware of the newly disclosed high-severity vulnerability, CVE-2025-53786, that allows a cyber threat actor with administrative access to an on-premise Microsoft Exchange server to escalate privileges by exploiting vulnerable hybrid-joined configurations. This vulnerability, if not addressed, could impact the identity integrity of an organization’s Exchange Online service.
While Microsoft has stated there is no observed exploitation as of the time of this alert’s publication, CISA strongly urges organizations to implement Microsoft’s Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability guidance outlined below, or risk leaving the organization vulnerable to a hybrid cloud and on-premises total domain compromise.
- If using Exchange hybrid, review Microsoft’s guidance Exchange Server Security Changes for Hybrid Deployments to determine if your Microsoft hybrid deployments are potentially affected and available for a Cumulative Update (CU).
- Install Microsoft’s April 2025 Exchange Server Hotfix Updates on the on-premise Exchange server and follow Microsoft’s configuration instructions Deploy dedicated Exchange hybrid app.
- For organizations using Exchange hybrid (or have previously configured Exchange hybrid but no longer use it), review Microsoft's Service Principal Clean-Up Mode for guidance on resetting the service principal’s
keyCredentials.
- Upon completion, run the Microsoft Exchange Health Checker to determine if further steps are required.
CISA highly recommends entities disconnect public-facing versions of Exchange Server or SharePoint Server that have reached their end-of-life (EOL) or end-of-service from the internet. For example, SharePoint Server 2013 and earlier versions are EOL and should be discontinued if still in use.
Organizations should review Microsoft’s blog Dedicated Hybrid App: temporary enforcements, new HCW and possible hybrid functionality disruptions for additional guidance as it becomes available.
Disclaimer:
The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.
CISA Adds Three Known Exploited Vulnerabilities to Catalog
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
- CVE-2020-25078 D-Link DCS-2530L and DCS-2670L Devices Unspecified Vulnerability
- CVE-2020-25079 D-Link DCS-2530L and DCS-2670L Command Injection Vulnerability
- CVE-2022-40799 D-Link DNR-322L Download of Code Without Integrity Check Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
CISA Releases Two Industrial Control Systems Advisories
CISA released two Industrial Control Systems (ICS) advisories on August 5, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
- ICSA-25-217-01 Mitsubishi Electric Iconics Digital Solutions Multiple Products
- ICSA-25-217-02 Tigo Energy Cloud Connect Advanced
CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
Mitsubishi Electric Iconics Digital Solutions Multiple Products
1. EXECUTIVE SUMMARY
- CVSS v4 4.1
- ATTENTION: Low attack complexity
- Vendor: Mitsubishi Electric Iconics Digital Solutions, Mitsubishi Electric
- Equipment: ICONICS Product Suite and Mitsubishi Electric MC Works64
- Vulnerability: Windows Shortcut Following (.LNK)
2. RISK EVALUATION
Successful exploitation of this vulnerability could result in information tampering.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of ICONICS Product Suite and Mitsubishi Electric MC Works64 are affected:
- GENESIS64: All versions
- GENESIS: Version 11.00
- Mitsubishi Electric MC Works64: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 Windows Shortcut Following (.LNK) CWE-64
An information tampering vulnerability due to Windows Shortcut Following exists in multiple processes in GENESIS64, MC Works64, and GENESIS. An attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability. By creating a symbolic link, an attacker can cause the processes to make unauthorized writes to arbitrary files on the file system in any location that is accessible to the user under which the elevated processes are running, resulting in a denial-of-service (DoS) condition on the PC if the modified file is necessary for the operation of the PC.
CVE-2025-7376 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2025-7376. A base score of 4.1 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Japan
3.4 RESEARCHER
Mitsubishi Electric reported this vulnerability to CISA.
4. MITIGATIONS
Mitsubishi Iconics Digital Solutions recommends users upgrade to GENESIS Version 11.01, which contains a fix for this vulnerability. For the highest level of security, it is recommended that users upgrade their system to the latest version and keep it up-to-date with the latest releases. Consult Mitsubishi Electric Iconics Digital Solutions Support for upgrade assistance.
Users who remain on affected versions should be aware of this information tampering vulnerability and take any necessary precautions to keep the system safe from potential attackers such as:
- Configure the PCs with the affected product installed so that only an administrator can log in.
- PCs with the affected product installed should be configured to block remote logins from untrusted networks and hosts, and from non-administrator users.
- Block unauthorized access by using a firewall or virtual private network (VPN), etc., and allow remote login only to administrators when connecting the PCs with the affected product installed to the Internet.
- Restrict physical access to the PC with the affected product installed and the network to which the PC is connected to prevent unauthorized physical access.
- Do not click on web links in emails from untrusted sources. Also, do not open attachments in untrusted emails.
Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommends updating the ICONICS Suite with the latest security patches as they become available. ICONICS Suite security patches may be found here (login required).
For more information, see Mitsubishi Electric's security advisory.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.
5. UPDATE HISTORY
- August 5, 2025: Initial Publication
Tigo Energy Cloud Connect Advanced
1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Tigo Energy
- Equipment: Cloud Connect Advanced
- Vulnerabilities: Use of Hard-coded Credentials, Command Injection, Predictable Seed in Pseudo-Random Number Generator (PRNG).
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow attackers to gain unauthorized administrative access using hard-coded credentials, escalate privileges to take full control of the device, modify system settings, disrupt solar energy production, interfere with safety mechanisms, execute arbitrary commands via command injection, cause service disruptions, expose sensitive data, and recreate valid session IDs to access sensitive device functions on connected solar inverter systems due to insecure session ID generation.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Cloud Connect Advanced are affected:
- Cloud Connect Advanced: Versions 4.0.1 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 Use of Hard-coded Credentials CWE-798
Tigo Energy's Cloud Connect Advanced (CCA) device contains hard-coded credentials that allow unauthorized users to gain administrative access. This vulnerability enables attackers to escalate privileges and take full control of the device, potentially modifying system settings, disrupting solar energy production, and interfering with safety mechanisms.
CVE-2025-7768 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-7768. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-77
Tigo Energy's CCA is vulnerable to a command injection vulnerability in the /cgi-bin/mobile_api endpoint when the DEVICE_PING command is called, allowing remote code execution due to improper handling of user input. When used with default credentials, this enables attackers to execute arbitrary commands on the device that could cause potential unauthorized access, service disruption, and data exposure.
CVE-2025-7769 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-7769. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.3 Predictable Seed in Pseudo-Random Number Generator (PRNG) CWE-337
Tigo Energy's CCA device is vulnerable to insecure session ID generation in their remote API. The session IDs are generated using a predictable method based on the current timestamp, allowing attackers to recreate valid session IDs. When combined with the ability to circumvent session ID requirements for certain commands, this enables unauthorized access to sensitive device functions on connected solar optimization systems.
CVE-2025-7770 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-7770. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Energy
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
Anthony Rose and Jacob Krasnov of BC Security and Peter Kariuki of Ovanova reported these vulnerabilities to CISA.
4. MITIGATIONS
Tigo Energy is aware of these vulnerabilities and is actively working on a fix to address them.
Visit Tigo Energy's Help Center for more specific security recommendations.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
- Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolating them from business networks.
- When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
- CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY
- August 5, 2025: Initial Publication
DHS Launches Over $100 Million in Funding to Strengthen Communities’ Cyber Defenses
CISA and USCG Identify Areas for Cyber Hygiene Improvement After Conducting Proactive Threat Hunt at US Critical Infrastructure Organization
Summary
The Cybersecurity and Infrastructure Security Agency (CISA) and U.S. Coast Guard (USCG) are issuing this Cybersecurity Advisory to present findings from a recent CISA and USCG hunt engagement. The purpose of this advisory is to highlight identified cybersecurity issues, thereby informing security defenders in other organizations of potential similar issues and encouraging them to take proactive measures to enhance their cybersecurity posture. This advisory has been coordinated with the organization involved in the hunt engagement.
CISA led a proactive hunt engagement at a U.S. critical infrastructure organization with the support of USCG analysts. During hunts, CISA proactively searches for evidence of malicious activity or malicious cyber actor presence on customer networks. The organization invited CISA to conduct a proactive hunt to determine if an actor had been present in the organization’s environment. (Note: Henceforth, unless otherwise defined, “CISA” is used in this advisory to refer to the hunt team as an umbrella for both CISA and USCG analysts).
During this engagement, CISA did not identify evidence of malicious cyber activity or actor presence on the organization’s network, but did identify cybersecurity risks, including:
- Insufficient logging;
- Insecurely stored credentials;
- Shared local administrator (admin) credentials across many workstations;
- Unrestricted remote access for local admin accounts;
- Insufficient network segmentation configuration between IT and operational technology (OT) assets; and
- Several device misconfigurations.
In coordination with the organization where the hunt was conducted, CISA and USCG are sharing cybersecurity risk findings and associated mitigations to assist other critical infrastructure organizations with improving their cybersecurity posture. Recommendations are listed for each of CISA’s findings, as well as general practices to strengthen cybersecurity for OT environments. These mitigations align with CISA and the National Institute for Standards and Technology’s (NIST) Cross-Sector Cybersecurity Performance Goals (CPGs), and with mitigations provided in the USCG Cyber Command’s (CGCYBER) 2024 Cyber Trends and Insights in the Marine Environment (CTIME) Report.
Although no malicious activity was identified during this engagement, critical infrastructure organizations are advised to review and implement the mitigations listed in this advisory to prevent potential compromises and better protect our national infrastructure. These mitigations include the following (listed in order of importance):
-
Do not store passwords or credentials in plaintext. Instead, use secure password and credential management solutions such as encrypted password vaults, managed service accounts, or built-in secure features of deployment tools.
- Ensure that all credentials are encrypted both at rest and in transit. Implement strict access controls and regular audits to securely manage scripts or tools accessing credentials.
- Use code reviews and automated scanning tools to detect and eliminate any instances of plaintext credentials on hosts or workstations.
- Enforce the principle of least privilege, only granting users and processes the access necessary to perform their functions.
- Avoid sharing local administrator account credentials. Instead, provision unique, complex passwords for each account using tools like Microsoft’s Local Administrator Password Solution (LAPS) that automate password management and rotation.
- Enforce multifactor authentication (MFA) for all administrative access, including local and domain accounts, and for remote access methods such as Remote Desktop Protocol (RDP) and virtual private network (VPN) connections.
- Implement and enforce strict policies to only use hardened bastion hosts isolated from IT networks equipped with phishing-resistant MFA to access industrial control systems (ICS)/OT networks, and ensure regular workstations (i.e., workstations used for accessing IT networks and applications) cannot be used to access ICS/OT networks.
-
Implement comprehensive (i.e., large coverage) and detailed logging across all systems, including workstations, servers, network devices, and security appliances.
- Ensure logs capture information such as authentication attempts, command-line executions with arguments, and network connections.
- Retain logs for an appropriate period to enable thorough historical analysis (adhering to organizational policies and compliance requirements) and aggregate logs in an out-of-band, centralized location, such as a security information event management (SIEM) tool, to protect them from tampering and facilitate efficient analysis.
For more detailed mitigations addressing the identified cybersecurity risks, see the Mitigations section of this advisory.
Download the PDF version of this report:
AA25-212A CISA and USCG Identify Areas for Cyber Hygiene Improvement
(PDF, 537.67 KB
)
Technical Details
Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 17. See Appendix: MITRE ATT&CK Tactics and Techniques for a table of potential activity mapped to MITRE ATT&CK tactics and techniques.
Overview
Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard (USCG) analysts (collectively referred to as CISA in this report) conducted a threat hunt engagement at a critical infrastructure organization. During this hunt, CISA proactively searched for evidence of malicious activity or the presence of a malicious cyber actor on the customer’s network using host, network, industrial control system (ICS), and commercial cloud and open-source analysis tools. CISA searched for evidence of activity by looking for specific exploitation tactics, techniques, and procedures (TTPs) and associated artifacts.
While CISA did not find evidence of threat actor presence on the organization’s network, the team did identify several cybersecurity risks. These findings are listed below in order of risk. Technical details of each identified cyber risk are included, along with the potential impact from threat actor exploitation of each risk (recommendations for mitigating each risk are listed in the Mitigations section below).
Several of these findings align with those observed during similar engagements conducted by US Coast Guard Cyber Command (CGCYBER), which are documented in their 2024 Cyber Trends and Insights in the Marine Environment (CTIME) report. The authoring agencies encourage critical infrastructure organizations to review the CTIME report to understand trends in the techniques/attack paths threat actors are using to compromise at-risk organizations, and what mitigations organizations should implement to prevent a successful attack.
Key Findings
Shared Local Admin Accounts with Non-Unique Passwords Stored as Plaintext
Details: CISA identified a few local admin accounts with non-unique passwords; these accounts were shared across many hosts. The credentials for each account were stored plaintext in batch scripts. CISA discovered these authorized scripts were configured to create user accounts with local admin privileges and then set identical, non-expiring passwords—these passwords were stored in plaintext in the script. One script was configured to create an admin account (set with a password stored in the script in plaintext) and automatically add to the admin group. The account was set as the local admin account on many other hosts.
Potential Impact: The storage of local admin credentials in plaintext scripts across numerous hosts increases the risk of widespread unauthorized access, and the usage of non-unique passwords facilitates lateral movement throughout the network. Malicious actors with access to workstations with either of these batch scripts could obtain the passwords for these local admin accounts by searching the filesystem for strings like net user /add, identifying scripts containing usernames and passwords [T1552.001], and accessing these accounts to move laterally.
For example, during a controlled security validation exercise (with explicit permission from the customer), CISA used the credentials found in one of the scripts to log into its associated admin account locally on a workstation [T1078.003], and then establish a Remote Desktop Protocol (RDP) connection to another workstation [T1021.001]. This demonstrated that the credentials allowed local login to an admin account and enabled lateral movement to any workstation with the account. While using this account, the user had local admin privileges on many workstations. Upon initiating the RDP session, the system issued out a notification that another user was currently logged in and that continuing the session would disconnect the existing user, confirming that the account can be accessed remotely via RDP.
The uniform use of local admin accounts with identical, non-expiring passwords across numerous hosts, coupled with the storage of these credentials in plaintext within accessible scripts, elevates the risk of unauthorized access and lateral movement throughout the network.
With local admin access, malicious cyber actors can:
- Modify existing accounts or create new accounts [T1098], potentially escalating privileges or maintaining persistent access.
- Install malicious browser extensions on compromised systems [T1112].
- Communicate with compromised systems using standard application layer protocols [T1071], which may bypass certain security monitoring tools.
- Modify local policies to escalate privileges or disable security features [T1484].
- Alter system configurations or install software that executes at startup [T1547], ensuring continued access and persistence.
- Hijack the execution flow of applications to inject malicious code [T1574].
The widespread distribution of plaintext credentials and the use of identical passwords across hosts increases the risk of unauthorized access throughout the network. This vulnerability heightens the potential for attackers to conduct unauthorized activities, which may impact the confidentiality, integrity, and availability of the organization’s assets.
Note: This finding was associated with workstations only; servers and other devices were not affected.
Insufficient Network Segmentation Configuration Between IT and Operational Technology Environments
Details: While assessing interconnectivity between the customer’s IT and operational technology (OT) environments, CISA identified that the OT environment was not properly configured. Specifically, standard user accounts could directly access the supervisory control and data acquisition (SCADA) virtual local area network (VLAN) directly from IT hosts.
First, CISA determined it was possible to establish a connection via port 21 from a user workstation in the IT network to a system within the SCADA VLAN. The test established that a network path was available, the remote host was reachable, the port was open and listening for connections, and that the port was directly accessible between the IT and SCADA VLANs, with misconfigured network-level restrictions—for example, firewalls or access control lists (ACLs)—blocking the Transmission Control Protocol (TCP) connection on the port. This test was conducted using a standard user account on a regular IT workstation without administrative privileges [T1078].
Second, CISA discovered that the customer did not have sufficient secured bastion hosts dedicated for accessing SCADA and heating, ventilation, and air conditioning (HVAC) systems. A bastion host—sometimes referred to as a jump box or jump server—is a specialized, highly secured system (often a server or dedicated workstation) that serves as the sole access point between a network segment (such as an internal IT network) and a protected internal network (like an OT or ICS environment). By inspecting and filtering all inbound and outbound traffic, a bastion host is designed to prevent unauthorized access and lateral movement, ensuring that only authenticated and authorized users can interact with internal systems. Though several hosts were designated as bastion hosts for remote access to SCADA and HVAC systems, they lacked the enhanced security configuration, dedicated monitoring, and specialized scrutiny expected of bastion hosts.
Potential Impact: Insufficient OT network segmentation configuration, network access control (NAC), and the ability of a non-privileged user within the IT network to use their credentials to access the critical SCADA VLAN [T1078] presents a security and safety risk. Given that SCADA and HVAC systems control physical processes, compromises of these systems can have real-world consequences, including risks to personnel safety, infrastructure integrity, and equipment functionality.
Malicious actors could further exploit potentially unsecured workstations with access to OT systems, and insufficient network segmentation configuration between IT and OT systems, in the following ways:
- Use RDP or Secure Shell (SSH) protocols to move laterally from compromised IT workstations to OT systems [T1021.001] [T1021.004].
- Execute commands and scripts using scripting languages like PowerShell to attack OT systems [T1059].
- Map network connections to identify paths to OT systems [T1049].
- Gather information about network configurations to plan attacks on OT systems [T1016].
By exploiting these weaknesses, attackers can potentially gain unauthorized access to critical OT systems, manipulate physical processes, disrupt operations, and cause harm.
Insufficient Log Retention and Implementation
Details: CISA was unable to hunt for every MITRE ATT&CK® procedure in the scoped hunt plan partly because the organization’s event logging system was insufficient for this analysis. For example, Windows event logs from workstations were not being forwarded to the organization’s security information event management (SIEM), verbose command line auditing was not enabled (meaning command line arguments were not being captured in Event ID 4688), logging in the SIEM was not as comprehensive as required for the analysis, and log retention did not allow for a thorough analysis of historical activity.
Potential Impact: The absence of comprehensive and detailed logs, along with a lack of an established baseline for normal network behavior, prevented CISA from performing thorough behavior and anomaly-based detection. This limitation hindered the ability to hunt for certain TTPs, such as living-off-the-land techniques, the use of valid accounts [T1078], and other TTPs used by sophisticated threat actors. Such techniques often do not produce discrete indicators of compromise or trigger alerts from antivirus software, intrusion detection systems (IDS), or endpoint detection and response (EDR) solutions. Further, the lack of workstation logs in the organization’s SIEM meant CISA could not analyze authentication events to identify anomalous activities, such as unauthorized access using local administrator credentials. This gap exposes networks to undetected lateral movement and unauthorized access.
Insufficient logging can prevent the detection of malicious activity by hindering investigations, which makes detection of threat actors more challenging and leaves the network susceptible to undetected threats.
Additional Findings
Misconfigured sslFlags on a Production Server
Details: CISA used PowerShell to examine the ApplicationHost.config file[1]—a central configuration file for Internet Information Services (IIS) that governs the behavior of the web server and its applications and websites—on a production IIS server. CISA observed an HTTPS binding configured with sslFlags==“0”, which keeps IIS in its legacy “one-certificate-per-IP” mode. This mode disables modern certificate-management features, and because mutual Transport Layer Security (TLS) (client-certificate authentication) must be enabled separately in “SSL Settings” or by adding <access sslFlags=“Ssl, SslRequireCert” />, the binding leaves the client-certificate enforcement off by default, allowing any TLS client to complete the handshake anonymously. Moreover, sslFlags does not control protocol or cipher selection, so outdated protocols or weak cipher suites (e.g., SSL 3.0, TLS 1.0/1.1) may still be accepted unless Secure Channel (Schannel)[2] has been explicitly hardened.
Potential Impact: The misconfigured sslFlags could enable threat actors to attempt an adversary-in-the-middle attack [T1557] to intercept credentials and data transmitted between clients and the IIS server. Malicious actors could also exploit vulnerabilities in older Secure Sockets Layer (SSL)/TLS protocols, as well as weak cipher suites, increasing the risk for protocol downgrade attacks in which an attacker forces the server and client to negotiate the use of weaker encryption standards [T1562.010]. This compromises the confidentiality and integrity of data transmitted over this channel. Furthermore, the absence of client certificate enforcement meant the server did not validate the identity of the connecting clients beyond the basic SSL/TLS handshake. This deficiency exposed the server to risks where unauthorized or malicious clients could impersonate legitimate users, potentially gaining access to sensitive resources without proper verification.
Misconfigured Structured Query Language Connections on a Production Server
Details: CISA reviewed machine.config file on a production server and identified that it was configured with a centralized database connection string, LocalSqlServer, for both profile and role providers. This configuration implies that, unless overridden in each application’s web.config files, every ASP.NET site on the server connects to the same Structured Query Language (SQL) Express or aspnetdb database and shares the same credentials context.
Additionally, CISA identified that the machine.config file set the minRequiredPasswordLength to be less than 15 characters, which is CISA’s recommended password length.
Potential Impact: Using a centralized database approach increases risk, as a single breach or misconfiguration in this central SQL database server can compromise all applications dependent on the server. This creates a single point of failure and could be exploited by attackers aiming to gain broad access to the system.
Additionally, setting the minimum password length to any password under 15 characters is more vulnerable to various forms of brute-force attacks, such as password guessing [T1110.001], cracking [T1110.002], spraying [T1110.003], and credential stuffing [T1110.004]. If a threat actor successfully cracked these weak passwords, they could gain unauthorized access to user or application accounts and leverage vulnerabilities within applications to further escalate privileges, potentially leading to unauthorized access to the backend SQL Server databases. This could result in data breaches, data manipulation, or a loss of database integrity.
Mitigations
CISA and USCG recommend that critical infrastructure organizations implement the mitigations below to improve their organization’s cybersecurity posture. Recommendations to reduce cyber risk are listed for each of CISA’s findings during this engagement and are ordered starting from the highest to lowest importance for organizations to implement. CISA and USCG also include general practices to strengthen cybersecurity for OT environments that are not tied to specific findings.
These mitigations align with the Cross-Sector Cybersecurity Performance Goals jointly developed by CISA and the National Institute for Standards and Technology (NIST). The Cybersecurity Performance Goals (CPGs) provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful TTPs. Visit CISA’s CPGs webpage for more information.
Many of these mitigations also align with recommendations made by CGCYBER in their 2024 CTIME report. The report provides relevant information and lessons learned about cybersecurity risks gathered through operations similar to this threat hunt engagement, and best practices to mitigate these risks. Please see the 2024 CTIME report for additional recommendations for critical infrastructure organizations to implement to harden their environments against malicious activity.
Implement Unique Credentials and Access Control Measures for Administrator Accounts
-
Provision unique and complex credentials for local administrator accounts [CPG 2.C] on all systems. Do not use shared or identical administrative credentials across systems. Ensure service accounts/machine accounts have passwords unique from all member user accounts.
- For example, organizations can deploy Microsoft LAPS (see Microsoft Learn’s Windows LAPS Overview for more information) to ensure each machine has a unique, complex local administrator password; passwords are rotated automatically within Microsoft Active Directory, reducing the window of vulnerability; and that password retrieval is limited to authorized personnel only.
- Require phishing-resistant multifactor authentication (MFA) [CPG 2.H] in addition to unique passwords for all administrative access, including local- and domain-level administrator accounts, RDP sessions, and VPN connections.
-
Use privileged access workstations (PAWs) dedicated solely for administrative tasks and isolate them from the internet and general network to reduce exposure to threats and lateral movement.
- Harden PAWs by applying CIS Benchmarks: limit software to essential administrative functions, disable unnecessary services and ports, and ensure regular updates and patches.
- Enforce strict access controls to restrict PAW access to authorized administrators only.
-
Conduct continuous auditing of privileged accounts by regularly collecting and analyzing logs of administrative activities, such as login attempts, command executions, and configuration changes [CPG 2.T].
- Configure automated alerts for anomalous behaviors, including logins outside standard hours, access from unauthorized locations, and repeated failed logins.
- Periodically review all administrator accounts to confirm the necessity and appropriateness of access levels; align these auditing practices with NIST SP 800-53 Rev. 5 Controls AU-2 (Auditable Events) and AU-12 (Audit Record Generation).
-
Apply the principle of least privilege by limiting administrative privileges to the minimum required for users to perform their roles [CPG 2.E].
- Create individual administrative accounts with unique credentials and role-specific permissions and disable or rename built-in local administrator accounts to reduce common attack vectors.
- Avoid using shared administrator accounts to improve accountability and auditability, and ensure administrators use standard accounts for non-administrative tasks to minimize credential exposure.
- Implement Role-Based Access Control (RBAC) to assign permissions based on job functions, as aligned with NIST SP 800-53 Rev. 5 Control AC-5 (Separation of Duties).
- Identify and remove unauthorized or unnecessary local administrator accounts, maintain oversight by documenting and tracking all authorized accounts, and enforce strict account management policies by restricting account creation privileges and implementing approval workflows for new administrator accounts.
Securely Store and Manage Credentials
- Purge credentials from the System Center Configuration Manager (SCCM). Review SCCM packages, task sequences, and scripts to ensure that no plaintext credentials are embedded, and update or remove any configurations that deploy scripts with plaintext credentials.
-
Do not store plaintext credentials in scripts. Instead, store credentials in a secure manner, such as with a credential/password manager or vault, or other privileged account management solution [CPG 2.L].
- Leverage SCCM’s built-in capabilities to run tasks with administrative privileges without exposing credentials (for further guidance, refer to Microsoft’s best practices for secure SCCM configuration).
- Use encrypted communication. If scripts must retrieve credentials at runtime, use encrypted channels and protocols (e.g., TLS 1.3) to communicate with secure credential stores. Ensure that credentials are not written to disk or exposed in logs.
-
Use unique local administrator passwords, such as by deploying Microsoft LAPS. Set appropriate permissions on Active Directory attributes used by LAPS (
ms-MCS-AdmPwdandms-MCS-AdmPwdExpirationTime) per Microsoft’s security recommendations.
Establish Network Segmentation Between IT and OT Environments
-
Assess the existing network architecture to ensure effective segmentation between the IT and OT networks [CPG 2.F]—this process should evaluate both logical and physical segmentation, ensuring clear boundaries between IT and OT assets.
- Use NIST SP 800-82 Rev. 3 (Guide to OT Security) and International Electrotechnical Commission (IEC) 62443 standards as guides for network segmentation best practices.
- Network segmentation is essential for containing breaches within isolated segments and preventing them from spreading across networks. Depending on your environment, consider implementing the following segmentation:
- Implement VLAN segmentation with inter-VLAN access controls.
- Create separate VLANs for IT and OT systems, specifically isolating OT components such as SCADA systems from IT network VLANs.
- Configure inter-VLAN access controls, including Layer 3 ACLs, to restrict traffic between IT and SCADA VLANs.
- Deploy firewalls with application-layer filtering capabilities to monitor and control data flow between the VLANs, ensuring that only authorized protocols and devices can communicate across segments.
-
Implement a demilitarized zone (DMZ) between IT and OT environments to provide an additional security layer.
- Position firewalls at both the IT-DMZ and OT-DMZ boundaries to filter traffic and enforce strict communication policies.
- Configure the DMZ to act as an intermediary, with only essential communications permitted between IT and OT networks.
- Ensure the DMZ hosts shared services (e.g., bastion hosts, jump servers, or data historians) that require limited interaction with both environments, with access controls and monitoring in place.
-
Consider a full network re-architecture if current segmentation methods cannot effectively separate IT and OT networks.
- Collaborate with cybersecurity and network experts to design an architecture that meets ICS-specific security requirements—this redesign may involve transitioning to a micro-segmented or zero trust architecture, which includes strict identity verification for all users and devices attempting to access OT assets.[3]
- Implement unidirectional gateways (data diodes) where appropriate to prevent bidirectional communication.
- Keep network diagrams, configuration files, and asset inventories up to date.
-
Regularly test segmentation controls to validate their effectiveness in restricting unauthorized access by conducting penetration testing and security assessments.
- Include simulated breach scenarios to confirm that segmentation contains threats within isolated zones.
- Ensure compliance with NIST SP 800-53 Rev. 5 Control AC-4 (Information Flow Enforcement) to align segmentation measures with best practices for controlled information flow.
Prevent Unauthorized Access via Port 21
- Disable File Transfer Protocol (FTP) services on SCADA devices and servers if they are not required. Replace FTP with secure alternatives, such as SSH FTP (SFTP) or FTP over TLS/SSL (FTPS).
-
Block inbound and outbound FTP traffic on port
21using firewalls and ACLs.- Implement restrictive ACL policies at network boundaries to control FTP access across all network layers.
- As outlined in CIS Control 9.2 (Limit Unnecessary Ports, Protocols, and Services), close any unused ports to strengthen network defenses.
- Implement IDS/Intrusion Prevention System (IPS) technologies to monitor traffic between the IT network and SCADA VLAN, use signature and anomaly detection, and integrate IDS/IPS with a SIEM system for centralized monitoring.
- Enhance authentication and encryption mechanisms. Require MFA for SCADA access, use secure remote access technologies when necessary, securely encrypt communications (using protocols such as TLS 1.2 or higher, preferably TLS 1.3), and establish VPN tunnels to communicate between IT networks and SCADA systems.
-
Perform network traffic filtering and deep packet inspection.
- Use SCADA-aware firewalls capable of understanding SCADA protocols and inspecting and filtering traffic at the application layer.
- Only allowlist authorized protocols and command structures to SCADA operations. Use one-way communication devices to prevent data from flowing back into the SCADA network.
Establish Secure Bastion Hosts for OT Network Access
-
Ensure bastion hosts are dedicated secure access points exclusively used to access the OT network and deployed as exclusive management gateways for all devices within a network.
- Make bastion hosts the single access points for conducting all administrative tasks, system management, and configuration changes; this centralizes access control and ensures any interaction with the OT system passes through a rigorously monitored and secure environment, minimizing the potential for unauthorized access.
-
Do not allow staff to use bastion hosts as regular workstations.
- Provide staff with separate workstations for accessing email, internet browsing, etc., on the IT network.
- Establish and enforce policies that prohibit non-administrative activities on bastion hosts, ensuring they remain dedicated to OT network access.
- Regularly audit and monitor bastion hosts to maintain security integrity, prevent unauthorized use, and quickly address any vulnerabilities or policy non-compliance.
- Configure comprehensive logging of all activities on bastion hosts, including authentication attempts, command executions, configuration changes, and file transfers. Aggregate logs into a SIEM.
-
Isolate bastion hosts from the IT network; bastion hosts should reside in a separate security zone with restricted communication pathways (see CISA’s infographic on Layering Network Security Through Segmentation).
- Deploy bastion hosts in a DMZ, imposing physical and logical isolation from other networks.
- Configure firewalls between the IT network, bastion hosts, and the OT network, enforcing strict access control policies to allow only necessary traffic.
- Ensure secure configuration and hardening of bastion hosts: Comply with NIST SP 800-123 and CIS Benchmarks and CNSSI 4009-2015, remove nonessential applications and services to reduce the attack surface, configure system settings to be secure, conduct effective patch management, enforce the principle of least functionality, and disable unused ports and protocols.
-
Implement access control policies: remove any access permissions to the OT network from IT workstations and ensure only bastion hosts have access to the OT network.
- Implement NAC solutions to enforce policy-driven access control decisions based on device compliance and user authentication to provide dynamic access control and real-time visibility into the devices on the network.
-
Equip each bastion host with robust authentication mechanisms, including phishing resistant MFA [CPG 2.H], to verify the identity of users accessing the network.
- Align with AAL3 as defined in NIST SP 800-63B. AAL3 requires hardware-based authenticators and proof of possession of cryptographic keys through secure authentication protocols.
- Implement stringent access controls that restrict access to authorized personnel only using RBAC principles, ensuring that personnel can only access information and perform tasks pertinent to their roles and duties. This reduces the risk of internal threats or lateral movement and prevents unauthorized access.
-
Securely configure remote access tools, including by using secure protocols and disabling remote access tools on IT workstations to the OT network, enforcing that all remote access occurs through bastion hosts.
- Disable insecure protocols like Telnet and unencrypted VNC to prevent interception and unauthorized access.
- Log all remote access sessions and monitor for unauthorized or anomalous activities.
Implement Comprehensive Logging, Log Retention, and Analysis
-
Implement comprehensive and verbose (i.e., detailed) logging across all systems, including workstations, servers, network devices, and security appliances [CPG 2.T].
- Enable logging of critical events such as authentication attempts, command-line executions with command arguments (Event ID
4688), and network connections.
- Enable logging of critical events such as authentication attempts, command-line executions with command arguments (Event ID
- Aggregate logs in an out-of-band, centralized location [CPG 2.U] where adversaries cannot tamper with them, such as a dedicated SIEM, in order to facilitate behavior analytics, anomaly detection, and proactive threat hunting [CPG 2.T, 2.U]. For more information on behavior- and anomaly-based detection techniques, see joint guidance Identifying and Mitigating Living off the Land.
-
Ensure comprehensive logging on bastion hosts for all activities. Capture detailed records of login attempts [CPG 2.G], commands executed (with command arguments enabled), configurations changed, and files transferred.
- Integrate bastion hosts with a centralized SIEM (NIST SP 800-137).
- Continuously monitor logs for early detection of anomalous activities. Configure the SIEM to generate automatic alerts for suspicious activity and implement behavior analysis techniques to detect anomalies.
- Securely store log backups and use tamper resistant storage [CPG 2.U] to prevent a threat actor from altering or purging logs to conceal malicious activity.
For additional guidance on logging, see joint guidance Best Practices for Event Logging and Threat Detection.
Securely Configure HTTPS Bindings and LocalSqlServer Connection String
- Enforce both client certificate verification and secure renegotiation in IIS by configuring the
sslFlagssetting to“3”in theApplicationHost.configfile. SettingsslFlags=“3”requires clients to present validX.509certificates for authentication and implements the TLS Renegotiation Indication Extension (RFC 5746). To implement this, perform the following steps:- Locate the
<binding>element for the HTTPS site withinApplicationHost.config. - Set the
sslFlagsattribute to“3”:<binding protocol=“https” bindingInformation=“*:443:” sslFlags=“3” />. - Restart IIS to apply the changes:
iisreset.
- Locate the
-
Restrict the server to use only secure and up-to-date SSL/TLS protocols and cipher suites.
- Disable deprecated protocols like SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 to prevent protocol downgrade attacks that compromise the confidentiality and integrity of data.
-
Override the global settings in
machine.configby modifying each application’sweb.configfile to define its own connection strings and providers. This isolates applications at the database level and allows for tailored security configurations for each application. -
Create dedicated SQL Server database accounts for each application with permissions limited to necessary operations (e.g., SELECT, INSERT, UPDATE), and avoid granting excessive privileges.
- Do not assign roles like
db_owneror sysadmin to application accounts. This reduces the risk of privilege escalation and enhances accountability through segregated access logs.
- Do not assign roles like
-
Use
machine.configonly for configurations that must be applied globally across all applications on the server.- Audit the
machine.configfile to ensure no application-specific settings are present.
- Audit the
Enforce Strong Password Policies
-
Implement a system-enforced policy that requires a minimum password length of 15 or more characters for all password-protected IT assets and all OT assets, when technically feasible [CPG 2.B].
- Consider leveraging passphrases and password managers to make it easier for users to maintain sufficiently long passwords.
- In instances where minimum password lengths are not technically feasible, apply and record compensating controls, such as rate-limiting login attempts, account lockout thresholds, and strong network segmentation. Prioritize these systems for upgrade or replacement.
- Implement MFA [CPG 2.H] in addition to strong passwords (i.e., passwords 15 characters or longer).
Additional Mitigation Recommendations to Strengthen Cybersecurity
CISA and USCG recommend critical infrastructure organizations implement the following additional mitigations (not tied to specific findings from the engagement) to improve the cybersecurity of their IT and OT environments:
-
Secure RDP from the IT to OT environments by deploying dedicated VPNs for all remote interactions with the OT network. Using RDP without strong authentication practices can lead to credential theft. Additionally, RDP does not inherently segregate or closely monitor user sessions, which can allow a compromised session to affect other parts of the network.
- Deploy VPNs with strong encryption protocols such as SSL/TLS or Internet Protocol Security (IPsec) [CPG 2.K] to safeguard data integrity and confidentiality; use MFA [CPG 2.H] at all VPN access points to ensure only authorized personnel can gain access.
-
Configure VPN gateways to perform rigorous security checks and manage traffic destined for the OT network, ensuring comprehensive validation of all communications through pre-defined security policies.
- VPN gateways should function as the primary enforcement points for access controls, scrutinizing every data packet to detect and block unauthorized access attempts.
- Align the VPN traffic monitoring with the DMZ’s capabilities to regulate and inspect the data flow between IT and OT environments.
- As part of the broader network architecture review, ensure the VPN infrastructure is correctly segmented from other network resources [CPG 2.F] to prevent any spillover effects from the IT environment to the OT network, containing potential breaches within isolated network zones.
- Within the VPN configuration, enforce strict routing rules that require all remote access requests to pass through the DMZ and be authenticated by bastion hosts. This minimizes the risk of unauthorized access and ensures that all remote interactions with the OT network are monitored and controlled.
- If wireless technology is employed within the OT environment, implement Wi-fi Protected Access 3 (WPA3)-Enterprise encryption with strong authentication protocols like Extensible Authentication Protocol (EAP)-TLS to ensure data confidentiality and integrity.
- Deploy and continuously monitor Wireless Intrusion Prevention Systems (WIPS) to detect, prevent, and respond to unauthorized access attempts and anomalous activities within the wireless network infrastructure.
- Disable unnecessary features like Service Set Identifier (SSID) broadcasting and peer-to-peer networking, enable Media Access Control (MAC) filtering as an additional layer, and keep wireless firmware updated.
Validate Security Controls
In addition to applying mitigations, CISA and USCG recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA and USCG recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
- Select an ATT&CK technique described in this advisory (see Table 1 to Table 9).
- Align your security technologies against the technique.
- Test your technologies against the technique.
- Analyze your detection and prevention technologies’ performance.
- Repeat the process for all security technologies to obtain a set of comprehensive performance data.
- Tune your security program—including people, processes, and technologies—based on the data generated by this process.
CISA and USCG recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
Contact Information
Critical infrastructure organizations are encouraged to report suspicious or criminal activity related to information in this advisory to:
- CISA via CISA’s 24/7 Operations Center (SOC@mail.cisa.dhs.gov or 888-282-0870) or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
- Coast Guard, for Maritime Transportation System Subsector organizations. Report malicious activities to the Coast Guard’s National Response Center (1-800-424-8802) per Navigation and Vessel Inspection Circular (NVIC) 02-24 when facilities observe any unusual activity or interruptions to their network. For additional Coast Guard resources, please visit the Coast Guard Maritime Industry Cybersecurity Resource Center website. CGCYBER can also be contacted at maritimecyber@uscg.mil.
Additional Resources
For more information on improving cyber hygiene for critical infrastructure IT and OT environments, please see the following additional resources authored by CISA, CGCYBER, and international partners:
- CGCYBER 2024 CTIME Report
- Joint Guidance Best Practices for Event Logging and Threat Detection
- Joint Guidance Principles of Operational Technology Cyber Security
Disclaimer
The information in this report is being provided “as is” for informational purposes only. CISA and USCG do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and USCG.
Version History
July 31, 2025: Initial version.
Appendix: MITRE ATT&CK Tactics and Techniques
See Table 1 to Table 9 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
| Technique Title | ID | Use |
|---|---|---|
| Valid Accounts | T1078 | Malicious actors could use access to valid accounts for access to IT and OT networks. |
| Valid Accounts: Local Accounts | T1078.003 | Threat actors could use credentials obtained for local administrator accounts to gain administrator access to workstations or services that use the account. |
| Account Manipulation | T1098 | Malicious actors could modify existing accounts or create new accounts to maintain access or escalate privileges. |
| Technique Title | ID | Use |
|---|---|---|
| Command and Scripting Interpreter | T1059 | Malicious actors could use script interpreters like PowerShell to execute commands and scripts. |
| Technique Title | ID | Use |
|---|---|---|
| Boot or Autostart Execution | T1547 | Malicious actors could configure autostart execution paths to ensure persistence. |
| Hijack Execution Flow | T1574 | Malicious actors could hijack the execution flow of applications and inject malicious code. |
| Technique Title | ID | Use |
|---|---|---|
| Domain or Tenant Policy Modification | T1484 | Malicious actors could modify domain policies to escalate privileges or evade defenses. |
| Technique Title | ID | Use |
|---|---|---|
| Modify Registry | T1112 | Malicious actors could install malicious browser extensions on compromised systems. |
| Impair Defenses: Downgrade Attack | T1562.010 | Malicious actors could exploit vulnerabilities in older systems to force a downgrade to a less secure mode of operation. |
| Technique Title | ID | Use |
|---|---|---|
| Unsecured Credentials: Credentials in Files | T1552.001 | Malicious actors could search for and exploit credentials stored in unsecured files. |
| OS Credential Dumping | T1003 | Malicious actors could extract credentials from memory or storage from unsecured workstations. |
| Adversary-in-the-Middle | T1557 | Malicious actors could position themselves between networked devices to intercept credentials and other data. |
| Brute Force: Password Guessing | T1110.001 | Malicious actors could systematically guess possible passwords. |
| Brute Force: Password Cracking | T1110.002 | Malicious actors could recover plaintext credentials after obtaining password hashes or other similar credential material. |
| Brute Force: Password Spraying | T1110.003 | Malicious actors could attempt to use a common password against different accounts to try to obtain account access. |
| Brute Force: Credential Stuffing | T1110.004 | Malicious actors could try to use credentials gained from an unrelated account to gain access to a desired account in the victim’s environment. |
| Technique Title | ID | Use |
|---|---|---|
| System Network Connections Discovery | T1049 | Malicious actors could map network connections to identify paths to OT systems from an unsecured IT workstation with access to the OT network. |
| System Network Configuration Discovery | T1016 | Malicious actors could use an unsecured workstation to discover network configurations. |
| Technique Title | ID | Use |
|---|---|---|
| Remote Services: Remote Desktop Protocol | T1021.001 | Malicious actors could use valid credentials to establish an RDP connection to access a workstation. |
| Remote Services: SSH | T1021.004 | Malicious actors could use valid accounts to establish an SSH connection to a workstation. |
| Technique Title | ID | Use |
|---|---|---|
| Application Layer Protocol | T1071 | Malicious actors could use application layer protocols to communicate with systems they compromised while blending in with existing network traffic. |
[1] While CISA used PowerShell to review these configuration settings, they can also be identified by running a search in any text editor.
[2] For more information, see Schannel – Microsoft Learn.
[3] Reference the Purdue Model for ICS Security as a guide for layered security zones and assess compliance with IEC 62443 network and system security standards; organizations may use this version of the model developed by Department of Energy (DOE) as a guide: Purdue Model Framework for Industrial Control Systems & Cybersecurity Segmentation.