Understanding and Mitigating a Recent Advanced Attack Campaign Targeting Sitecore
A sophisticated cyberattack campaign has recently targeted organizations running Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC). Mandiant's investigation revealed a multi-stage intrusion carried out by a persistent and capable adversary. This article walks through the attack's progression and lists the concrete steps you can take to protect your environment, in particular against the vulnerability at the heart of the campaign, CVE-2025-53690.
Initial Access and Reconnaissance
The attackers gained their initial foothold through the Sitecore application itself (the CVE-2025-53690 exploitation described below) and then performed extensive reconnaissance of the compromised host. Specifically, they ran the common built-in commands whoami, hostname, tasklist, ipconfig /all, and netstat -ano. Together these reveal the account the attacker is running as, the host name, the running processes, the network configuration, and every active connection and listening port, which is what an intruder needs before choosing tooling and lateral-movement targets.
Deployment of Malicious Tools
Following reconnaissance, the attackers deployed additional tooling to further their objectives. Note that not all of it is malware; legitimate utilities were repurposed for the intrusion. The tooling included:
Earthworm: a network tunneling tool and reverse SOCKS proxy, used for covert command-and-control traffic and lateral movement through the tunnel.
Dwagent: a remote access tool providing persistent, interactive control over compromised systems.
7-Zip: a legitimate archiver, used to compress stolen data in preparation for exfiltration.
Privilege Escalation and Persistence
Once inside, the attackers focused on escalating their privileges to gain administrative control. They achieved this through:
Creating new local administrator accounts, specifically asp$ and sawadmin.
Dumping credentials from the Security Account Manager (SAM) and SYSTEM registry hives (together these allow offline recovery of local account password hashes).
Attempting token impersonation using GoTokenTheft.
To maintain long-term access, they established persistence by:
Disabling password expiration for the newly created administrator accounts.
Enabling Remote Desktop Protocol (RDP) access.
Registering Dwagent as a service running as SYSTEM, so that it restarts automatically with the operating system.
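The following host-level hunt is an added example, not code from the Mandiant report or from Sitecore. It checks a single Windows Server running Sitecore for the reconnaissance and persistence artefacts described in the two sections above: local accounts with non-expiring passwords or the names the campaign used, new Administrators membership, a service installed to run as SYSTEM, Dwagent being present, RDP being enabled, and the recon binaries being spawned by the web server. Our assumptions (not the article's): a 90-day look-back window, that the recon commands were launched from the IIS worker process w3wp.exe, and that process-creation auditing (Security event 4688) is enabled; without that audit policy step 4 simply finds nothing. The Get-Local* cmdlets require Windows Server 2016 / PowerShell 5.1 or later.

```powershell
# Added example (ours, not Mandiant's or Sitecore's). Run in an elevated
# PowerShell session on the Sitecore server.
$SuspectAccounts = @('asp$', 'sawadmin')      # account names reported in the campaign
$ReconBinaries   = @('whoami.exe', 'hostname.exe', 'tasklist.exe', 'ipconfig.exe', 'netstat.exe')
$Since           = (Get-Date).AddDays(-90)    # assumed look-back window
$Findings        = New-Object System.Collections.Generic.List[string]

function Get-EventField {
    # Pull one named <Data> field out of a Windows event's XML body.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    return ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-Events([string]$Log, [int[]]$Ids) {
    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    try { Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = $Ids; StartTime = $Since } -ErrorAction Stop }
    catch { @() }
}

# 1. Local accounts: enabled with a password that never expires, or a name the campaign used.
foreach ($u in Get-LocalUser) {
    if ($u.Enabled -and -not $u.PasswordExpires) {
        $Findings.Add("Account '$($u.Name)' is enabled and its password never expires")
    }
    if ($SuspectAccounts -contains $u.Name) {
        $Findings.Add("Account '$($u.Name)' matches a name created in the campaign")
    }
}

# 2. Local Administrators membership: every entry should be explainable by a change record.
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $short = ($m.Name -split '\\')[-1]
    if ($SuspectAccounts -contains $short) { $Findings.Add("Administrators group contains '$($m.Name)'") }
}

# 3. Security log: 4720 = user account created, 4732 = member added to a local group.
foreach ($e in Get-Events 'Security' @(4720, 4732)) {
    $target = Get-EventField $e 'TargetUserName'
    $member = Get-EventField $e 'MemberSid'
    $Findings.Add("$($e.TimeCreated) event $($e.Id): target='$target' member='$member'")
}

# 4. Security log 4688 = process created: recon binaries whose parent is the IIS worker process.
foreach ($e in Get-Events 'Security' @(4688)) {
    $parentPath = Get-EventField $e 'ParentProcessName'
    if (-not $parentPath) { continue }                       # older OS builds omit the parent
    $proc   = Split-Path -Leaf (Get-EventField $e 'NewProcessName')
    $parent = Split-Path -Leaf $parentPath
    if ($parent -ieq 'w3wp.exe' -and $ReconBinaries -contains $proc) {
        $Findings.Add("$($e.TimeCreated) w3wp.exe spawned $proc (reconnaissance from the web tier)")
    }
}

# 5. System log 7045 = service installed: Dwagent by name, or any new service running as LocalSystem.
foreach ($e in Get-Events 'System' @(7045)) {
    $name = Get-EventField $e 'ServiceName'
    $img  = Get-EventField $e 'ImagePath'
    $acct = Get-EventField $e 'AccountName'
    if ($name -like '*dwagent*' -or $img -like '*dwagent*' -or $acct -eq 'LocalSystem') {
        $Findings.Add("$($e.TimeCreated) service '$name' installed to run as $acct from $img")
    }
}

# 6. Services present right now that look like Dwagent (the event log may have rolled over).
Get-CimInstance Win32_Service | Where-Object { $_.Name -like '*dwagent*' -or $_.PathName -like '*dwagent*' } |
    ForEach-Object { $Findings.Add("Service '$($_.Name)' present, start mode $($_.StartMode), runs as $($_.StartName)") }

# 7. RDP: fDenyTSConnections = 0 means Remote Desktop is enabled.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
if ($ts.fDenyTSConnections -eq 0) { $Findings.Add('Remote Desktop is enabled; confirm this is intended on a web server') }

if ($Findings.Count -eq 0) { 'No findings.' } else { $Findings | ForEach-Object { "[!] $_" } }
```

Step 5 deliberately reports every service installed as LocalSystem in the window rather than only Dwagent: a new SYSTEM service on a content-delivery server is rare enough that each one deserves an explanation, and an attacker can rename the binary. Treat the output as leads to triage, not as a verdict; the account and membership checks in steps 1 to 3 are the ones that map directly to what the article describes.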
Addressing CVE-2025-53690: A Critical Vulnerability
A key component of this campaign is the exploitation of CVE-2025-53690, which affects Sitecore XM, XP, and XC (including Managed Cloud deployments) up to version 9.0. The flaw stems from a sample ASP.NET machine key published in older Sitecore documentation (pre-2017), which some deployments copied verbatim into their web.config. Because that key is public, an attacker can produce a ViewState payload that the server accepts as validly signed and deserializes, which is what yields remote code execution on the Sitecore instance.
Note that several Sitecore products are not affected: XM Cloud, Content Hub, CDP, Personalize, OrderCloud, Storefront, Send, Discover, Search, and Commerce Server.
Sitecore released a security bulletin to coincide with Mandiant's report; it highlights the risk to multi-instance deployments that share static machine keys. Treat this as a high-priority issue.
Recommended Mitigation Steps
Immediately take the following actions to secure your Sitecore environment:
- Replace static machine keys: replace every static <machineKey> value in your web.config files with new, unique keys, generated with a cryptographic random number generator and never copied from documentation or examples.
- Encrypt the machineKey element: make sure the <machineKey> element in web.config is encrypted rather than stored in plaintext, so that a file read alone does not disclose the key.
- Rotate regularly: adopt a schedule for periodic machine key rotation as an ongoing security practice.
Microsoft publishes dedicated guidance on protecting ASP.NET machine keys; consult it alongside the Sitecore bulletin.
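The script below is an added example, not Sitecore's or Mandiant's code, that carries out the first two steps above on one server: it generates fresh validation and decryption keys with a cryptographic RNG, writes them into the <machineKey> element of a Sitecore web.config, and optionally encrypts that section with aspnet_regiis. Our assumptions (not the article's): the site root path, HMACSHA256 validation with a 64-byte key and AES with a 32-byte key, and the 64-bit .NET 4.x aspnet_regiis location. Every instance that shares ViewState or forms-authentication cookies (for example CM and CD roles behind one hostname) must receive the same new pair, so generate once and deploy the same values to all nodes.

```powershell
# Added example (ours, not Sitecore's or Mandiant's). Run elevated on the Sitecore server.
param(
    [string]$SiteRoot = 'C:\inetpub\wwwroot\Sitecore',   # assumed site root
    [switch]$Encrypt
)

function New-HexKey([int]$ByteCount) {
    # ASP.NET expects the key as a hex string. Get-Random is not a CSPRNG,
    # so draw the bytes from RandomNumberGenerator instead.
    $buf = New-Object byte[] $ByteCount
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return -join ($buf | ForEach-Object { $_.ToString('X2') })
}

$webConfig = Join-Path $SiteRoot 'web.config'
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($webConfig)

$systemWeb = $xml.SelectSingleNode('/configuration/system.web')
if (-not $systemWeb) { throw "No <system.web> element found in $webConfig" }

$mk = $systemWeb.SelectSingleNode('machineKey')
if (-not $mk) { $mk = $systemWeb.AppendChild($xml.CreateElement('machineKey')) }

# An already-encrypted section carries configProtectionProvider and an <EncryptedData>
# child; editing its attributes in place would corrupt it. Decrypt first, then rerun.
if ($mk.GetAttribute('configProtectionProvider')) {
    throw "machineKey is already encrypted; run: aspnet_regiis -pdf system.web/machineKey `"$SiteRoot`" and retry"
}

# Record a fingerprint of the old key (never the key itself) so other instances that
# still carry the same value can be located and rotated as well.
$old = $mk.GetAttribute('validationKey')
if ($old) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fp  = -join ($sha.ComputeHash([Text.Encoding]::ASCII.GetBytes($old)) | ForEach-Object { $_.ToString('x2') })
    Write-Host "Old validationKey SHA-256: $fp"
}

$mk.SetAttribute('validationKey', (New-HexKey 64))   # 64 bytes for HMACSHA256
$mk.SetAttribute('decryptionKey', (New-HexKey 32))   # 32 bytes = AES-256
$mk.SetAttribute('validation', 'HMACSHA256')
$mk.SetAttribute('decryption', 'AES')

Copy-Item $webConfig ("$webConfig.bak-" + (Get-Date -Format 'yyyyMMddHHmmss'))
$xml.Save($webConfig)
Write-Host "Rotated <machineKey> in $webConfig; existing ViewState and auth cookies are now invalid."

if ($Encrypt) {
    # -pef encrypts a config section addressed by the application's physical directory using the
    # default RsaProtectedConfigurationProvider; the IIS worker process decrypts it at runtime.
    $regiis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
    & $regiis -pef 'system.web/machineKey' $SiteRoot
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed with exit code $LASTEXITCODE" }
}
```

Two operational caveats. First, the RSA provider's default key container (NetFrameworkConfigurationKey) must be readable by the application pool identity, otherwise the site fails to start after encryption; grant it with aspnet_regiis -pa "NetFrameworkConfigurationKey" "IIS APPPOOL\<pool name>". Second, that container is per machine by default, so on a multi-node deployment either run the -pef step on each node after copying the identical plaintext keys there, or export the container with -px and import it with -pi so every node can decrypt the same encrypted section.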
Staying Ahead of Evolving Threats
Cyberattacks are constantly evolving. Proactive security measures, including vulnerability management, robust access controls, and continuous monitoring, are essential. By understanding the tactics employed in this campaign and implementing the recommended mitigations, you can significantly reduce your risk and protect your valuable data. Remember, a layered security approach is your best defense against sophisticated adversaries.