
Threat Report: July 2025

Casmer Labs monitors the dynamic landscape of cybersecurity, cloud security, and particularly cloud data security. Our mission is to ensure that our customers and the public are informed about critical security developments, incidents, and updates.

In our Q2 threat report, the Casmer Labs team anticipated continued growth in data breaches, particularly those arising from cloud misconfigurations, unpatched vulnerabilities, and a lack of activity monitoring.

Microsoft SharePoint Vulnerability Wreaks Havoc

First detected in mid-July 2025, exploitation of the Microsoft SharePoint vulnerabilities CVE-2025-49706 and CVE-2025-49704 has allowed threat actors to compromise on-premises SharePoint servers. Chained together, the spoofing flaw (CVE-2025-49706) and the remote code execution flaw (CVE-2025-49704) give an unauthenticated attacker full access to SharePoint content, including file systems and internal configurations, and the ability to execute code over the network. After initial access, actors have been observed encrypting files and distributing Warlock ransomware across compromised systems, as reported by CISA.

  • Apply the necessary security updates released by Microsoft.
  • Configure Antimalware Scan Interface (AMSI) in SharePoint as indicated by Microsoft and deploy Microsoft Defender AV on all SharePoint servers.
  • If AMSI cannot be enabled, disconnect affected public-facing products from the internet until official mitigations are available. Once mitigations are provided, apply them according to CISA and vendor instructions.
  • Follow the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
  • For information on detection, prevention, and advanced threat hunting measures, see Microsoft’s Disrupting active exploitation of on-premises SharePoint vulnerabilities and advisory for CVE-2025-49706. CISA encourages organizations to review all articles and security updates published by Microsoft on July 8, 2025, relevant to the SharePoint platform deployed in their environment.
  • Beyond patching, it is critical to investigate systems for signs of prior exploitation. Malware deployed as .dll payloads is particularly difficult to detect, and can be used to obtain ASP.NET machine keys.
  • Rotate ASP.NET machine keys, then after applying Microsoft’s security update, rotate them again and restart the IIS web server. A stolen machine key lets an attacker forge valid __VIEWSTATE payloads and regain code execution on an otherwise patched server, so patching alone is not enough.
  • Disconnect public-facing versions of SharePoint Server that have reached end-of-life (EOL) or end-of-service (EOS) from the internet. For example, SharePoint Server 2013 and earlier versions are end-of-life and should be discontinued if still in use.
  • Monitor for requests whose Referer header is /_layouts/SignOut.aspx: threat actors set exactly that header when exploiting ToolPane.aspx for initial access.
  • Monitor for POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit.
  • Search firewall, proxy and IIS logs for connections from 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly between July 18 and 19, 2025.
  • Update intrusion prevention system and web-application firewall (WAF) rules to block exploit patterns and anomalous behavior. For more information, see CISA’s Guidance on SIEM and SOAR Implementation.
  • Implement comprehensive logging to identify exploitation activity. For more information, see CISA’s Best Practices for Event Logging and Threat Detection.
  • Employ robust cyber hygiene and hardening measures to prepare for, prevent, and mitigate ransomware incidents. For more information, see CISA and partners’ #StopRansomware Guide.
  • Audit and minimize layout and admin privileges.
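The three request-level indicators in the list above (a POST to ToolPane.aspx with DisplayMode=Edit, a Referer of /_layouts/SignOut.aspx, and the listed source addresses) can be hunted directly in the IIS W3C logs of each SharePoint web front end. The script below is an added example written for this report, not tooling from CISA or Microsoft; it runs over a constructed log excerpt (the hostnames, user names and internal addresses are invented) and scores each request. A POST to ToolPane.aspx by an authenticated user is ordinary page editing and is marked for review only; the same POST with no user, with the SignOut Referer, or from an advisory address is scored high.

```python
"""Hunt IIS W3C logs on a SharePoint front end for the ToolPane.aspx indicators.

Added example for this report; not CISA or Microsoft tooling.
"""

# Source addresses from the CISA advisory, written defanged and re-fanged here.
ADVISORY_IPS = {ip.replace("[.]", ".") for ip in
                ("107.191.58[.]76", "104.238.159[.]149", "96.9.125[.]147")}

# Constructed IIS log excerpt (not real traffic): internal addresses, hostnames
# and user names are invented. Field order is the IIS W3C default.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 22:11:03 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 0#.w|corp\alice 10.0.4.21 Mozilla/5.0 - 200 0 0 91
2025-07-18 22:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 107.191.58.76 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 415
2025-07-19 01:02:17 10.0.0.5 GET /sites/hr/ - 443 - 104.238.159.149 Mozilla/5.0 - 404 0 2 12
2025-07-19 09:30:51 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 0#.w|corp\bob 10.0.4.40 Mozilla/5.0 https://intranet.corp.example/sites/hr/SitePages/Home.aspx 200 0 0 230
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def classify(rec):
    """Return the advisory indicators matched by one request (empty = clean)."""
    method = rec.get("cs-method", "").upper()
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    referer = rec.get("cs(Referer)", "-").lower().rstrip("/")
    reasons = []
    if (method == "POST" and stem.endswith("/_layouts/15/toolpane.aspx")
            and "displaymode=edit" in query):
        reasons.append("POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit")
        if referer.endswith("/_layouts/signout.aspx"):
            reasons.append("Referer set to /_layouts/SignOut.aspx")
        if rec.get("cs-username", "-") == "-":
            reasons.append("request carried no authenticated user")
    if rec.get("c-ip") in ADVISORY_IPS:
        reasons.append(f"source {rec['c-ip']} is listed in the CISA advisory")
    return reasons


def severity(reasons):
    """Authenticated ToolPane edits are normal admin work: review only.
    Anything else that matched (SignOut referer, no user, advisory IP) is high."""
    if not reasons:
        return "none"
    if reasons == ["POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit"]:
        return "review"
    return "high"


def hunt(text):
    """Return (record, reasons, severity) for every request that matched."""
    hits = []
    for rec in parse_w3c(text):
        reasons = classify(rec)
        if reasons:
            hits.append((rec, reasons, severity(reasons)))
    return hits


if __name__ == "__main__":
    for rec, reasons, level in hunt(SAMPLE_LOG):
        print(f"[{level}] {rec['date']} {rec['time']} {rec['c-ip']} -> "
              + "; ".join(reasons))
```

Feed hunt() the contents of each day's u_ex*.log under the IIS log directory (by default %SystemDrive%\inetpub\logs\LogFiles) from July 18 onward, on every front end. A single high hit means the machine keys must be treated as stolen regardless of patch state, which is why the key rotation step above is ordered before and after the update.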

Another Major Misconfiguration Incident

HireClick, a popular job search platform, exposed more than 5 million resumes through a misconfigured, publicly accessible Amazon S3 bucket. As with most of the misconfiguration incidents in the first half of 2025, the exposed information will likely be used to fuel social engineering, including phishing campaigns.

Evidence suggests that some of the data has been publicly accessible since as early as 2016. The exposed information includes:

  • Full names
  • Phone numbers
  • Home addresses
  • Email addresses
  • Employment details

The HireClick incident follows a number of similar recent incidents, including one at beWanted, another recruitment platform, which exposed the data of 1.1 million job applications across Europe and Latin America.
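A bucket like HireClick's becomes world-readable through one of a few settings: a bucket policy that grants to Principal "*", a public object or bucket ACL, or Block Public Access switched off. Below is an added example, not HireClick's configuration (which has not been published), showing how to lint a bucket policy document for anonymous read grants, with a constructed public-read policy beside a constructed hardened one; the bucket, account and role names are hypothetical. The check covers only the policy document: ACLs and the account-level Block Public Access setting, which is the actual backstop, still need to be verified separately.

```python
"""Lint an S3 bucket policy for anonymous read grants.

Added example for this report; the policies are constructed and the bucket,
account and role names are hypothetical. Not HireClick's configuration.
"""
import fnmatch
import json

PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",                      # every caller on the internet
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::hypothetical-resume-uploads/*",
    }],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/hypothetical-app-role"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::hypothetical-resume-uploads/*",
        },
        {
            # A Deny with Principal "*" is not a public grant; it restricts everyone.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::hypothetical-resume-uploads",
                "arn:aws:s3:::hypothetical-resume-uploads/*",
            ],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# Actions that let a caller read object contents or enumerate keys.
READ_ACTIONS = ("s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket")


def _as_list(value):
    """IAM accepts a scalar wherever a list is expected; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when Principal is "*" or {"AWS": "*"} (both mean every caller)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def _grants_read(actions):
    """True if any action pattern (s3:*, s3:Get*, *) covers a read action.
    IAM action names are case-insensitive, so compare in lower case."""
    return any(fnmatch.fnmatchcase(read.lower(), pattern.lower())
               for pattern in actions for read in READ_ACTIONS)


def public_read_statements(policy_json):
    """Return (Sid, has_condition) for each Allow statement that lets anonymous
    principals read. A Condition may narrow the grant (for example to a VPC
    endpoint) but still deserves a human look, so it is reported with the flag set."""
    doc = json.loads(policy_json)
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if not _grants_read(_as_list(stmt.get("Action", [])) ):
            continue
        findings.append((stmt.get("Sid", "<no Sid>"), "Condition" in stmt))
    return findings


def is_publicly_readable(policy_json):
    """Conservative verdict: any anonymous read grant, conditioned or not."""
    return bool(public_read_statements(policy_json))


if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_READ_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, public_read_statements(doc))
```

The linter deliberately errs on the side of noise: a conditioned anonymous grant is still reported, and NotPrincipal/NotAction statements (which invert the match) are not modelled, so treat them as findings in their own right. Run it over the output of get-bucket-policy for every bucket, and pair it with a check that Block Public Access is enabled at the account level, which would have prevented this class of exposure regardless of the policy text.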

About Casmer Labs

Casmer Labs is a division of Cloud Storage Security (CSS) focused on threat intelligence and research concerning cloud computing, especially the storage layer in the cloud.

Casmer Labs provides threat intelligence, security education, trend reports, and other information important to modern organizations. We provide this information free of charge and aim to educate the public and reduce the frequency of cyberattacks across all industries. The Casmer Labs team is composed of engineering, product, support, and dedicated threat research personnel.

Casmer Labs is dedicated to Ed Casmer, founder and Chief Technology Officer at CSS, who passed away in 2023.
