
Information on the SharePoint Assaults by Microsoft

Global SharePoint users face cyber attacks from state-affiliated hackers and ransomware groups.

Insights on the Microsoft SharePoint Hacks

A series of cyberattacks targets critical vulnerabilities in Microsoft SharePoint; three China-backed nation-state actors have been identified as the main perpetrators: Linen Typhoon, Violet Typhoon, and Storm-2603.

These threat actors have been actively exploiting vulnerabilities in on-premises Microsoft SharePoint servers, targeting internet-facing servers globally. Their primary focus is on organizations across a broad spectrum, including governments, large corporations, universities, energy companies, and U.S. federal and state agencies.

The attacks, which began in early July, have rapidly escalated due to Microsoft releasing incomplete patches for the initial vulnerabilities. The cybercriminals are leveraging these vulnerabilities to bypass multi-factor authentication and single sign-on systems, gain privileged access, deploy persistent backdoors, steal sensitive data, and exfiltrate cryptographic keys.

The vulnerabilities involved include two initial zero-day flaws (CVE-2025-49704 and CVE-2025-49706) and two subsequent patch bypasses (CVE-2025-53770 and CVE-2025-53771). The attacks exploit ToolShell, an attack sequence that combines remote code injection and network spoofing vulnerabilities.

Microsoft has released security updates to protect customers against CVE-2025-53770 and CVE-2025-53771. Researchers at Rapid7 have posted an exploit module on GitHub for these vulnerabilities to help security teams test their environments. Defenders are advised to take immediate action for any SharePoint servers in their environments and apply the vendor patches on an emergency basis.

Linen Typhoon, active since 2012, focuses on stealing intellectual property, targeting governments, defense contractors, and human-rights groups. Storm-2603 has been using the SharePoint flaws since July 18 to conduct ransomware intrusions and steal Machine Keys. Violet Typhoon, active since 2015, is an espionage actor focusing on non-governmental organizations, higher education, media, and finance companies in the U.S., Europe, and East Asia.

The Department of Health and Human Services has been compromised in the SharePoint attacks. The Department of Homeland Security (DHS) is investigating reports that the hacks have compromised multiple federal agencies and state and local government entities. The Shadowserver Foundation has reported at least three hundred confirmed compromises of Microsoft SharePoint customers.

To mitigate the risk, customers should configure Antimalware Scan Interface integration, rotate SharePoint Server ASP.NET Machine Keys, and restart Internet Information Services on all SharePoint servers. Supported products include SharePoint 2016, 2019, and SharePoint Subscription Edition. Code White GmbH was able to reproduce the attack chain.
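The key-rotation and IIS-restart steps above, as an added PowerShell example that is not from the original article or from Microsoft. It assumes a SharePoint Server 2019 or Subscription Edition farm where the Update-SPMachineKey cmdlet is available, and is run from an elevated SharePoint Management Shell after the security update has been applied.

```powershell
# Added example (not from the article): rotate the ASP.NET machine key of every
# SharePoint web application, then restart IIS so the new keys take effect.
# Assumes SharePoint Server 2019 or Subscription Edition (Update-SPMachineKey),
# run from an elevated SharePoint Management Shell after patching.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$failed = @()
foreach ($webApp in Get-SPWebApplication) {
    try {
        Write-Host "Rotating machine key for $($webApp.Url)"
        Update-SPMachineKey -WebApplication $webApp
    }
    catch {
        $failed += $webApp.Url
        Write-Warning "Rotation failed for $($webApp.Url): $_"
    }
}

if ($failed.Count -gt 0) {
    Write-Warning "Machine key rotation incomplete; investigate before continuing."
    exit 1
}

# Restart IIS on this server so worker processes stop honoring the old keys.
# Repeat the restart on every SharePoint server in the farm.
iisreset.exe /noforce
```

Antimalware Scan Interface integration, the first step named in the article, is configured separately through SharePoint Central Administration and is not covered by this script.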

In summary:

| Actor | Attribution | Exploited CVEs | Primary Targets | Attack Goals |
|----------------|---------------------|-----------------------------------|---------------------------------------|---------------------------------------------|
| Linen Typhoon | China-backed | CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771 | Governments, large companies, universities, energy sectors | Gain privileged access, persistent backdoors, data theft, key theft |
| Violet Typhoon | China-backed | Same as above | Same as above | Same as above |
| Storm-2603 | China-linked (medium confidence China attribution) | Same as above | Same as above | Same as above |

These operations highlight a sustained Chinese state interest in compromising sensitive and strategic networks through on-premises Microsoft SharePoint vulnerabilities.

  1. A firewall should be installed immediately on all Microsoft SharePoint servers to protect against the identified cyberattacks and the exploited vulnerabilities (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771).
  2. Privacy concerns are heightened because the attacks show a focus on universities, media, and finance companies, potentially exposing sensitive data about information security, technology, and, in particular, financial information.
  3. Due to the rapid escalation of attacks, cybersecurity teams must ensure the deployment of security updates to mitigate the risk of ransomware infiltration, such as the one observed with Storm-2603 since July 18.
  4. Industry professionals, stressing the importance of multi-layered cybersecurity, have recommended deploying solutions that detect and prevent attacks like ToolShell, which combines remote code injection and network spoofing vulnerabilities.
  5. As these cyberattacks continue to pose a threat, it's crucial for organizations across various sectors to prioritize cybersecurity measures and ensure the protection of their privacy and sensitive information.
