{"id":10437,"date":"2025-07-24T12:32:33","date_gmt":"2025-07-24T05:32:33","guid":{"rendered":"https:\/\/infosec.new88088.net\/?p=10437"},"modified":"2026-02-05T12:32:39","modified_gmt":"2026-02-05T05:32:39","slug":"lo-hong-nghiem-trong-nhat-nua-dau-nam-2025-khi-tin-tac-di-truoc-doi-phong-thu","status":"publish","type":"post","link":"https:\/\/infosec.new88088.net\/2025\/07\/24\/lo-hong-nghiem-trong-nhat-nua-dau-nam-2025-khi-tin-tac-di-truoc-doi-phong-thu\/","title":{"rendered":"L\u1ed7 h\u1ed5ng nghi\u00eam tr\u1ecdng nh\u1ea5t n\u1eeda \u0111\u1ea7u n\u0103m 2025: Khi tin t\u1eb7c \u0111i tr\u01b0\u1edbc \u0111\u1ed9i ph\u00f2ng th\u1ee7"},"content":{"rendered":"

Ch\u1ec9 v\u00e0i ng\u00e0y sau khi c\u00f3 b\u1ea3n v\u00e1 ch\u00ednh th\u1ee9c, tin t\u1eb7c \u0111\u00e3 t\u00ecm ra c\u00e1ch v\u01b0\u1ee3t qua l\u1edbp b\u1ea3o v\u1ec7 m\u1edbi, c\u00f4ng b\u1ed1 m\u00e3 khai th\u00e1c v\u00e0 b\u1eaft \u0111\u1ea7u t\u1ea5n c\u00f4ng th\u1ef1c t\u1ebf. \u0110\u00e2y kh\u00f4ng c\u00f2n l\u00e0 nguy c\u01a1 ti\u1ec1m \u1ea9n, m\u00e0 l\u00e0 chi\u1ebfn d\u1ecbch c\u00f3 ch\u1ee7 \u0111\u00edch, nh\u1eafm th\u1eb3ng v\u00e0o SharePoint – \u0111i\u1ec3m y\u1ebfu ch\u01b0a \u0111\u01b0\u1ee3c “gia c\u1ed1” chu\u1ea9n ch\u1ec9nh trong nhi\u1ec1u h\u1ec7 th\u1ed1ng n\u1ed9i b\u1ed9.<\/b><\/p>\n

Ng\u00e0y 18\/7\/2025, C\u01a1 quan An ninh H\u1ea1t nh\u00e2n Qu\u1ed1c gia M\u1ef9 (NNSA) thu\u1ed9c B\u1ed9 N\u0103ng l\u01b0\u1ee3ng Hoa K\u1ef3 \u0111\u01b0\u1ee3c x\u00e1c nh\u1eadn l\u00e0 n\u1ea1n nh\u00e2n c\u1ee7a m\u1ed9t v\u1ee5 x\u00e2m nh\u1eadp. D\u00f9 ch\u1ec9 m\u1ed9t s\u1ed1 h\u1ec7 th\u1ed1ng b\u1ecb \u1ea3nh h\u01b0\u1edfng v\u00e0 ch\u01b0a ghi nh\u1eadn r\u00f2 r\u1ec9 d\u1eef li\u1ec7u m\u1eadt, s\u1ef1 vi\u1ec7c v\u1eabn l\u00e0m d\u1ea5y l\u00ean lo ng\u1ea1i trong c\u1ed9ng \u0111\u1ed3ng an ninh m\u1ea1ng to\u00e0n c\u1ea7u.<\/p>\n

T\u1ea1i Vi\u1ec7t Nam, chuy\u00ean gia WhiteHat ch\u01b0a ghi nh\u1eadn tr\u01b0\u1eddng h\u1ee3p t\u01b0\u01a1ng t\u1ef1, nh\u01b0ng nguy c\u01a1 ho\u00e0n to\u00e0n c\u00f3 th\u1eadt, \u0111\u1eb7c bi\u1ec7t v\u1edbi c\u00e1c \u0111\u01a1n v\u1ecb v\u1eabn d\u00f9ng SharePoint Server on-premise (phi\u00ean b\u1ea3n c\u00e0i \u0111\u1eb7t t\u1ea1i ch\u1ed7) ch\u01b0a c\u1eadp nh\u1eadt \u0111\u1ea7y \u0111\u1ee7 b\u1ea3n v\u00e1.<\/p>\n

\n
\"1753351703483.png\"<\/div>\n

(\u1ea2nh: Helpnet Security)<\/i>\u200b<\/div>\n

L\u1ed7 h\u1ed5ng nghi\u00eam tr\u1ecdng nh\u1ea5t n\u1eeda \u0111\u1ea7u 2025<\/b>\u200b<\/h3>\n

Chu\u1ed7i 0-day m\u1edbi (CVE-2025-53770 v\u00e0 CVE-2025-53771) xu\u1ea5t hi\u1ec7n ngay sau b\u1ea3n v\u00e1 hai l\u1ed7 h\u1ed5ng tr\u01b0\u1edbc \u0111\u00f3 (CVE-2025-49704 v\u00e0 CVE-2025-49706) v\u00e0o ng\u00e0y 8\/7\/2025. \u0110i\u1ec1u \u0111\u00e1ng lo ng\u1ea1i l\u00e0 c\u00e1c l\u1ed7 h\u1ed5ng m\u1edbi \u0111\u00e3 v\u01b0\u1ee3t qua \u0111\u01b0\u1ee3c l\u1edbp b\u1ea3o v\u1ec7 v\u1eeba v\u00e1, cho th\u1ea5y tin t\u1eb7c theo s\u00e1t t\u1eebng thay \u0111\u1ed5i \u0111\u1ec3 khai th\u00e1c theo c\u00e1ch m\u1edbi, nhanh h\u01a1n v\u00e0 nguy hi\u1ec3m h\u01a1n.<\/p>\n

Ch\u1ec9 6 ng\u00e0y sau, v\u00e0o ng\u00e0y 14\/7\/2025, m\u00e3 khai th\u00e1c (PoC) \u0111\u00e3 \u0111\u01b0\u1ee3c c\u00f4ng b\u1ed1 c\u00f4ng khai. T\u1ed1c \u0111\u1ed9 n\u00e0y khi\u1ebfn c\u00e1c t\u1ed5 ch\u1ee9c g\u1ea7n nh\u01b0 kh\u00f4ng c\u00f3 th\u1eddi gian ph\u00f2ng th\u1ee7 tr\u01b0\u1edbc khi c\u00f4ng c\u1ee5 t\u1ea5n c\u00f4ng lan r\u1ed9ng.<\/p>\n

\u0110\u00e1ng ch\u00fa \u00fd, ho\u1ea1t \u0111\u1ed9ng khai th\u00e1c th\u1ef1c t\u1ebf \u0111\u01b0\u1ee3c ghi nh\u1eadn t\u1eeb 17\/7, tr\u01b0\u1edbc c\u1ea3 khi Microsoft x\u00e1c nh\u1eadn l\u1ed7 h\u1ed5ng v\u00e0o 19\/7. \u0110i\u1ec1u n\u00e0y cho th\u1ea5y c\u00e1c nh\u00f3m t\u1ea5n c\u00f4ng \u0111i tr\u01b0\u1edbc \u0111\u1ed9i ng\u0169 ph\u00f2ng th\u1ee7 \u00edt nh\u1ea5t v\u00e0i ng\u00e0y.<\/p>\n

Tr\u01b0\u1edbc t\u00ecnh h\u00ecnh kh\u1ea9n c\u1ea5p, CISA \u0111\u00e3 y\u00eau c\u1ea7u m\u1ecdi h\u1ec7 th\u1ed1ng b\u1ecb \u1ea3nh h\u01b0\u1edfng ph\u1ea3i v\u00e1 trong v\u00f2ng 24 gi\u1edd k\u1ec3 t\u1eeb ng\u00e0y 22\/7. \u0110\u00e2y l\u00e0 c\u1ea3nh b\u00e1o kh\u1ea9n c\u1ea5p hi\u1ebfm c\u00f3, ph\u1ea3n \u00e1nh m\u1ee9c \u0111\u1ed9 nghi\u00eam tr\u1ecdng \u0111\u1eb7c bi\u1ec7t c\u1ee7a l\u1ed7 h\u1ed5ng.<\/p>\n

T\u00ednh \u0111\u1ebfn h\u00f4m nay 24\/7\/2025, th\u1eddi h\u1ea1n \u0111\u00e3 k\u1ebft th\u00fac. N\u1ebfu b\u1ea1n c\u00f2n ch\u1ea7n ch\u1eeb ch\u01b0a v\u00e1 th\u00ec gi\u1edd kh\u00f4ng c\u00f2n l\u00e0 nguy c\u01a1 ti\u1ec1m \u1ea9n n\u1eefa.<\/p>\n

V\u00ec sao ToolShell nguy hi\u1ec3m h\u01a1n c\u00e1c l\u1ed7 h\u1ed5ng tr\u01b0\u1edbc?<\/b>\u200b<\/h3>\n

V\u1ec1 m\u1eb7t k\u1ef9 thu\u1eadt, \u0111\u00e2y l\u00e0 m\u1ed9t bi\u1ebfn th\u1ec3 m\u1edbi c\u1ee7a l\u1ed7 h\u1ed5ng t\u1eebng \u0111\u01b0\u1ee3c c\u00f4ng b\u1ed1 tr\u01b0\u1edbc \u0111\u00f3 (CVE-2025-49704), cho ph\u00e9p k\u1ebb t\u1ea5n c\u00f4ng th\u1ef1c thi m\u00e3 \u0111\u1ed9c t\u1eeb xa tr\u00ean h\u1ec7 th\u1ed1ng m\u00e1y ch\u1ee7 m\u00e0 kh\u00f4ng c\u1ea7n b\u1ea5t k\u1ef3 h\u00ecnh th\u1ee9c x\u00e1c th\u1ef1c n\u00e0o. Vi\u1ec7c k\u1ebft h\u1ee3p bypass x\u00e1c th\u1ef1c v\u00e0 th\u1ef1c thi m\u00e3 t\u1eeb xa (RCE) khi\u1ebfn r\u1ee7i ro t\u0103ng m\u1ea1nh.<\/p>\n

L\u1ed7 h\u1ed5ng n\u00e0y b\u1eaft ngu\u1ed3n t\u1eeb c\u01a1 ch\u1ebf x\u1eed l\u00fd d\u1eef li\u1ec7u \u0111\u1ea7u v\u00e0o kh\u00f4ng an to\u00e0n (deserialization), t\u1ea1o \u0111i\u1ec1u ki\u1ec7n \u0111\u1ec3 \u0111\u1ed1i t\u01b0\u1ee3ng x\u1ea5u g\u1eedi v\u00e0o h\u1ec7 th\u1ed1ng c\u00e1c \u0111o\u1ea1n m\u00e3 \u0111\u01b0\u1ee3c ng\u1ee5y trang d\u01b0\u1edbi d\u1ea1ng d\u1eef li\u1ec7u h\u1ee3p l\u1ec7, t\u1eeb \u0111\u00f3 chi\u1ebfm quy\u1ec1n \u0111i\u1ec1u khi\u1ec3n m\u00e1y ch\u1ee7.<\/p>\n

\u0110\u1eb7c bi\u1ec7t nguy hi\u1ec3m h\u01a1n, n\u1ebfu k\u1ebb t\u1ea5n c\u00f4ng l\u1ea5y \u0111\u01b0\u1ee3c kh\u00f3a b\u1ea3o m\u1eadt n\u1ed9i b\u1ed9 (MachineKey), ch\u00fang c\u00f3 th\u1ec3 t\u1ea1o ra c\u00e1c payload gi\u1ea3 m\u1ea1o m\u1ed9t c\u00e1ch d\u1ec5 d\u00e0ng, ti\u1ebfn h\u00e0nh di chuy\u1ec3n ngang trong h\u1ec7 th\u1ed1ng v\u00e0 duy tr\u00ec quy\u1ec1n truy c\u1eadp trong th\u1eddi gian d\u00e0i m\u00e0 kh\u00f4ng b\u1ecb ph\u00e1t hi\u1ec7n<\/p>\n

Ngay c\u1ea3 khi h\u1ec7 th\u1ed1ng \u0111\u01b0\u1ee3c v\u00e1, n\u1ebfu kh\u00f4ng xoay v\u00f2ng MachineKey ho\u1eb7c x\u00f3a s\u1ea1ch web shell, tin t\u1eb7c v\u1eabn gi\u1eef \u201cch\u00eca kh\u00f3a quay l\u1ea1i\u201d. Vi\u1ec7c duy tr\u00ec hi\u1ec7n di\u1ec7n l\u00e2u d\u00e0i khi\u1ebfn x\u1eed l\u00fd sau s\u1ef1 c\u1ed1 tr\u1edf n\u00ean ph\u1ee9c t\u1ea1p h\u01a1n nhi\u1ec1u.<\/p>\n

ToolShell c\u0169ng cho ph\u00e9p x\u00e2u chu\u1ed7i 4 l\u1ed7 h\u1ed5ng CVE-2025-53770, CVE-2025-53771, CVE-2025-49704, CVE-2025-49706 \u0111\u1ec3 m\u1edf r\u1ed9ng b\u1ec1 m\u1eb7t t\u1ea5n c\u00f4ng, khi\u1ebfn h\u1ec7 th\u1ed1ng kh\u00f3 ph\u00f2ng th\u1ee7.<\/p>\n

V\u00ec sao SharePoint tr\u1edf th\u00e0nh m\u1ee5c ti\u00eau?<\/b>\u200b<\/h3>\n

Kh\u00f4ng ri\u00eang Vi\u1ec7t Nam, SharePoint l\u00e0 n\u1ec1n t\u1ea3ng qu\u1ea3n l\u00fd v\u00e0 chia s\u1ebb t\u00e0i li\u1ec7u ph\u1ed5 bi\u1ebfn, \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng r\u1ed9ng r\u00e3i t\u1ea1i c\u00e1c c\u01a1 quan nh\u00e0 n\u01b0\u1edbc, t\u1ed5 ch\u1ee9c gi\u00e1o d\u1ee5c, b\u1ec7nh vi\u1ec7n, doanh nghi\u1ec7p v\u00e0 nhi\u1ec1u t\u1ed5 ch\u1ee9c l\u1edbn tr\u00ean th\u1ebf gi\u1edbi.<\/p>\n

Khi b\u1ecb x\u00e2m nh\u1eadp, n\u00f3 kh\u00f4ng ch\u1ec9 l\u00e0 n\u01a1i b\u1ecb \u0111\u00e1nh c\u1eafp d\u1eef li\u1ec7u m\u00e0 c\u00f2n l\u00e0 b\u00e0n \u0111\u1ea1p \u0111\u1ec3 di chuy\u1ec3n s\u00e2u v\u00e0o h\u1ec7 th\u1ed1ng. \u1ede c\u00e1c m\u00f4 h\u00ecnh on-premise, vi\u1ec7c c\u1eadp nh\u1eadt b\u1ea3n v\u00e1 th\u01b0\u1eddng b\u1ecb tr\u00ec ho\u00e3n do c\u1ea5u h\u00ecnh t\u00f9y bi\u1ebfn, h\u1ec7 th\u1ed1ng l\u1ed7i th\u1eddi v\u00e0 thi\u1ebfu quy tr\u00ecnh c\u1eadp nh\u1eadt k\u1ecbp th\u1eddi t\u1ea1o c\u01a1 h\u1ed9i cho tin t\u1eb7c.<\/p>\n

B\u1ec1 m\u1eb7t t\u1ea5n c\u00f4ng r\u1ed9ng, nhi\u1ec1u endpoint nh\u01b0 \/ToolPane.aspx \u00edt \u0111\u01b0\u1ee3c gi\u00e1m s\u00e1t c\u0169ng c\u00f3 th\u1ec3 tr\u1edf th\u00e0nh \u201cbackdoor\u201d l\u00fd t\u01b0\u1edfng khi t\u1ed3n t\u1ea1i l\u1ed7 h\u1ed5ng.<\/p>\n

Cu\u1ed1i c\u00f9ng, kho\u1ea3ng c\u00e1ch gi\u1eefa SharePoint on-premise v\u00e0 b\u1ea3n cloud khi\u1ebfn c\u00e1c h\u1ec7 th\u1ed1ng ch\u01b0a chuy\u1ec3n \u0111\u1ed5i d\u1ec5 tr\u1edf th\u00e0nh m\u1ee5c ti\u00eau r\u00f5 r\u00e0ng trong c\u00e1c cu\u1ed9c qu\u00e9t quy m\u00f4 l\u1edbn tr\u00ean Internet.<\/p>\n

T\u1ea1m k\u1ebft<\/b>\u200b<\/h3>\n

S\u1ef1 c\u1ed1 l\u1ea7n n\u00e0y cho th\u1ea5y c\u00e1c n\u1ec1n t\u1ea3ng c\u1ed9ng t\u00e1c n\u1ed9i b\u1ed9 kh\u00f4ng c\u00f2n l\u00e0 v\u00f9ng an to\u00e0n. Ch\u00fang l\u00e0 c\u00e1nh c\u1ed5ng v\u00e0o d\u1eef li\u1ec7u l\u00f5i v\u00e0 khi b\u1ecb x\u00e2m nh\u1eadp, thi\u1ec7t h\u1ea1i kh\u00f4ng ch\u1ec9 n\u1eb1m \u1edf t\u00e0i li\u1ec7u.<\/p>\n

B\u1ea3n v\u00e1 l\u00e0 \u0111i\u1ec1u ki\u1ec7n c\u1ea7n, nh\u01b0ng ch\u01b0a \u0111\u1ee7. C\u1ea7n ki\u1ec3m tra hi\u1ec7u qu\u1ea3 v\u00e1, ph\u00e1t hi\u1ec7n bypass, l\u1eadp k\u1ebf ho\u1ea1ch c\u1eadp nh\u1eadt b\u00f9 n\u1ebfu c\u1ea7n. C\u00e1c kh\u00f3a b\u00ed m\u1eadt nh\u01b0 MachineKey ph\u1ea3i \u0111\u01b0\u1ee3c xoay v\u00f2ng \u0111\u1ecbnh k\u1ef3, ki\u1ec3m so\u00e1t nghi\u00eam ng\u1eb7t nh\u01b0 t\u00e0i kho\u1ea3n admin.<\/p>\n

N\u1ebfu bu\u1ed9c ph\u1ea3i c\u00f4ng khai SharePoint, c\u1ea7n \u0111\u1eb7t sau WAF, gi\u00e1m s\u00e1t ch\u1eb7t, t\u00e1ch m\u1ea1ng, gi\u1ea3m quy\u1ec1n truy c\u1eadp. Ph\u00f2ng th\u1ee7 hi\u1ec7n \u0111\u1ea1i kh\u00f4ng th\u1ec3 ch\u1ec9 d\u1ef1a v\u00e0o ch\u1eef k\u00fd h\u00e3y theo d\u00f5i h\u00e0nh vi, ph\u00e1t hi\u1ec7n b\u1ea5t th\u01b0\u1eddng t\u1eeb PowerShell, file ASPX, \u0111\u1ebfn l\u01b0u l\u01b0\u1ee3ng outbound l\u1ea1.<\/p>\n

Lo\u1ea1i b\u1ecf c\u00e1c h\u1ec7 th\u1ed1ng \u0111\u00e3 h\u1ebft v\u00f2ng \u0111\u1eddi nh\u01b0 SharePoint 2013. V\u00e0 quan tr\u1ecdng kh\u00f4ng k\u00e9m, c\u00e1c t\u1ed5 ch\u1ee9c h\u00e3y di\u1ec5n t\u1eadp tr\u01b0\u1edbc k\u1ecbch b\u1ea3n b\u1ecb chi\u1ebfm quy\u1ec1n SharePoint v\u00ec khi s\u1ef1 c\u1ed1 x\u1ea3y ra, t\u1ed1c \u0111\u1ed9 ph\u1ea3n \u1ee9ng l\u00e0 y\u1ebfu t\u1ed1 s\u1ed1ng c\u00f2n.<\/p>\n

C\u00f4ng c\u1ee5 t\u1ea5n c\u00f4ng \u0111\u00e3 c\u00f3. B\u1ea3n v\u00e1 c\u0169ng \u0111\u00e3 c\u00f3. V\u1ea5n \u0111\u1ec1 c\u00f2n l\u1ea1i l\u00e0: h\u1ec7 th\u1ed1ng c\u1ee7a b\u1ea1n \u0111\u00e3 s\u1eb5n s\u00e0ng \u0111i tr\u01b0\u1edbc tin t\u1eb7c ch\u01b0a?<\/b><\/p>\n

WhiteHat<\/i><\/b>\u200b<\/div>\n
Theo: https:\/\/whitehat.vn\/threads\/lo-hong-nghiem-trong-nhat-nua-dau-nam-2025-khi-tin-tac-di-truoc-doi-phong-thu.18600\/<\/a><\/i><\/div>\n","protected":false},"excerpt":{"rendered":"

Ch\u1ec9 v\u00e0i ng\u00e0y sau khi c\u00f3 b\u1ea3n v\u00e1 ch\u00ednh th\u1ee9c, tin t\u1eb7c \u0111\u00e3 t\u00ecm ra c\u00e1ch v\u01b0\u1ee3t qua l\u1edbp b\u1ea3o v\u1ec7 m\u1edbi, c\u00f4ng b\u1ed1 m\u00e3 khai th\u00e1c v\u00e0 b\u1eaft \u0111\u1ea7u t\u1ea5n c\u00f4ng th\u1ef1c t\u1ebf. \u0110\u00e2y kh\u00f4ng c\u00f2n l\u00e0 nguy c\u01a1 ti\u1ec1m \u1ea9n, m\u00e0 l\u00e0 chi\u1ebfn d\u1ecbch c\u00f3 ch\u1ee7 \u0111\u00edch, nh\u1eafm th\u1eb3ng v\u00e0o SharePoint – \u0111i\u1ec3m […]<\/p>\n","protected":false},"author":46,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[33],"tags":[],"class_list":["post-10437","post","type-post","status-publish","format-standard","hentry","category-tin-tuc-cua-vien"],"_links":{"self":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10437","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/users\/46"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/comments?post=10437"}],"version-history":[{"count":0,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/posts\/10437\/revisions"}],"wp:attachment":[{"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/media?parent=10437"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/categories?post=10437"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.new88088.net\/wp-json\/wp\/v2\/tags?post=10437"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}