Ethical Hacking News

A Global Cybersecurity Crisis: Microsoft Links SharePoint Attacks to Chinese Hacking Groups


A global cybersecurity crisis has been triggered by a recent wave of widespread attacks targeting Microsoft SharePoint zero-day vulnerabilities, with Chinese hacking groups linked as the primary perpetrators. Dozens of organizations worldwide have already been compromised, highlighting the growing threat posed by nation-state actors.

  • Microsoft has linked a recent wave of widespread attacks targeting its SharePoint zero-day vulnerability chain to Chinese hacking groups.
  • The attacks use an exploit chain dubbed "ToolShell" that enables attackers to gain unauthenticated access to systems and execute malicious code over the network.
  • At least one of the actors responsible for this early exploitation is a China-nexus threat actor, with multiple other actors also using these exploits.
  • Dozens of organizations worldwide have been compromised, including several multinational companies and national government entities.
  • Microsoft has released emergency patches to address the vulnerabilities.
  • The global cyber crisis highlights the growing threat posed by nation-state actors and their ability to exploit vulnerabilities in widely used software.
In a disturbing revelation that has sent shockwaves throughout the cybersecurity community, Microsoft has officially linked a recent wave of widespread attacks targeting its SharePoint zero-day vulnerability chain to Chinese hacking groups. The news, announced by Microsoft in a report released on Tuesday, July 22, 2025, sheds light on a global cyber crisis that has left dozens of organizations worldwide vulnerable to exploitation.

According to the report, several hacking groups with ties to the Chinese government have been identified as responsible for breaching on-premises SharePoint servers using an exploit chain dubbed "ToolShell." This vulnerability chain, which was first demonstrated during the Berlin Pwn2Own hacking contest by Viettel Cyber Security researchers, has enabled attackers to gain unauthenticated access to systems and execute malicious code over the network.

Microsoft's report reveals that at least one of the actors responsible for this early exploitation is a China-nexus threat actor, with multiple other actors also using these exploits. The company notes that it has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting vulnerabilities targeting internet-facing SharePoint servers, as well as another China-based threat actor, Storm-2603.

The attacks, which began shortly after the Berlin Pwn2Own hacking contest, have already resulted in dozens of organizations worldwide being compromised, including several multinational companies and national government entities. Dutch cybersecurity firm Eye Security was among the first to spot zero-day attacks exploiting the CVE-2025-49706 and CVE-2025-49704 vulnerabilities.

Cybersecurity firm Check Point also revealed on Monday that it had discovered the first signs of exploitation on July 7th, targeting dozens of entities across the government, telecommunications, and software sectors in North America and Western Europe. Since then, Microsoft has released emergency patches for SharePoint Subscription Edition, SharePoint 2019, and SharePoint 2016 to address both RCE flaws.

The release of these patches followed a public demonstration of the ToolShell exploit chain by a researcher on GitHub, which made it easier for threat actors and hacking groups to join the ongoing attacks. The cybersecurity agency CISA has also added the CVE-2025-53770 remote code execution vulnerability to its Known Exploited Vulnerabilities catalog, ordering federal agencies to apply the patches one day after they were released.

The full extent of this global cyber crisis remains uncertain, but experts warn that it highlights the growing threat posed by nation-state actors and their ability to exploit vulnerabilities in widely used software. Microsoft's response to the crisis has been swift, with the company working closely with cybersecurity firms and agencies to help notify potentially impacted entities about recommended mitigations.

As organizations scramble to patch vulnerable systems and prevent further exploitation, experts urge caution and vigilance. "This exploitation activity, publicly reported as 'ToolShell,' provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations," notes Charles Carmakal, CTO of Google Cloud's Mandiant Consulting.

The implications of this global cyber crisis are far-reaching, with experts warning that it could have significant consequences for organizations worldwide. As one expert noted, "Multiple actors are now actively exploiting this vulnerability, making it critical to understand the China-nexus threat actor role and take immediate action."

In a rapidly evolving cybersecurity landscape, it is clear that organizations must be vigilant and proactive in protecting themselves against the latest threats. As the situation continues to unfold, one thing is certain: the impact of this global cyber crisis will be felt for some time to come.

Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Global-Cybersecurity-Crisis-Microsoft-Links-SharePoint-Attacks-to-Chinese-Hacking-Groups-ehn.shtml
  • https://www.bleepingcomputer.com/news/security/microsoft-sharepoint-toolshell-attacks-linked-to-chinese-hackers/

Published: Tue Jul 22 11:13:39 2025 by llama3.2 3B Q4_K_M
© Ethical Hacking News. All rights reserved.