Ethical Hacking News
Global cybersecurity alert: China-nexus actors have exploited vulnerabilities in SharePoint versions 2016, 2019, and Subscription Edition, leaving enterprises vulnerable to attacks. Microsoft has linked the attacks to China-linked groups Linen Typhoon, Violet Typhoon, and Storm-2603, and urges immediate patching and mitigation to protect unpatched on-premises SharePoint environments.
Microsoft linked a series of SharePoint attacks to China-nexus actors. The attackers exploited vulnerabilities in SharePoint versions 2016, 2019, and Subscription Edition. Malicious scripts were used to steal sensitive cryptographic keys from targeted servers. Linen Typhoon, Violet Typhoon, and Storm-2603 are China-based actors targeting various sectors. Mitigation measures include patching, enabling AMSI, and deploying Microsoft Defender for Endpoint.
Microsoft has recently linked a series of attacks on SharePoint flaws to China-nexus actors, highlighting the growing threat landscape for enterprises worldwide. The tech giant observed that the attackers, including Linen Typhoon, Violet Typhoon, and Storm-2603, exploited vulnerabilities in SharePoint versions 2016, 2019, and Subscription Edition as early as July 7, 2025.
The attacks, which were carried out by China-linked groups, targeted internet-facing SharePoint servers, bypassing authentication and using malicious scripts to steal sensitive cryptographic keys. In some cases, the attackers renamed the script slightly to avoid detection. Microsoft shared indicators of compromise (IOCs) and hunting tools with security professionals to detect these attacks.
Linen Typhoon, Violet Typhoon, and Storm-2603 are China-based actors that have been active since at least 2012, 2015, and 2020 respectively. Linen Typhoon targets IP in government and defense sectors, while Violet Typhoon focuses on espionage against NGOs, media, and academia. Storm-2603 attempts to steal MachineKeys from SharePoint servers and has ties to ransomware.
The attacks were carried out using a malicious script called ToolPane, which was used to scan and attack on-prem SharePoint servers by sending POST requests to the ToolPane endpoint. If successful, the attackers bypassed authentication and used the malicious script to steal sensitive cryptographic keys. Microsoft observed that more threat actors are adopting SharePoint exploits and expects continued attacks on unpatched on-premises systems.
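The request pattern described above, as an added PowerShell example that is not part of the article or of Microsoft's own hunting tools: it parses IIS W3C log lines and flags POST requests to the ToolPane endpoint. The `/_layouts/15/ToolPane.aspx` path and the `_layouts/SignOut.aspx` Referer check follow Microsoft's public hunting guidance for this exploit chain; the `#Fields:` layout, host names, IP addresses and log lines are constructed for the example and will differ from a real server's logging configuration.

```powershell
# Added example (not from the article): scan IIS W3C log lines for POST requests
# to the SharePoint ToolPane endpoint. The log content below is constructed.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-07-18 09:12:01 GET /_layouts/15/start.aspx - 10.0.0.5 - 200
2025-07-18 09:12:44 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 203.0.113.7 http://sharepoint.example.test/_layouts/SignOut.aspx 200
2025-07-18 09:13:02 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.9 http://sharepoint.example.test/sites/hr/SitePages/Home.aspx 200
'@

function Find-ToolPanePosts {
    param(
        [Parameter(Mandatory)][string[]]$Lines
    )
    # IIS W3C logs declare their column order in a '#Fields:' directive; read it
    # instead of hard-coding positions, since each server may log different fields.
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = ($line.Substring(8).Trim()) -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated lines
        $entry = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }

        # Any POST to ToolPane.aspx is worth a look; a Referer pointing at the
        # sign-out page is the stronger indicator and is reported separately.
        if ($entry['cs-method'] -eq 'POST' -and $entry['cs-uri-stem'] -match '/_layouts/(15/)?ToolPane\.aspx$') {
            [pscustomobject]@{
                Time           = "$($entry['date']) $($entry['time'])"
                ClientIP       = $entry['c-ip']
                Query          = $entry['cs-uri-query']
                Referer        = $entry['cs(Referer)']
                Status         = $entry['sc-status']
                SignOutReferer = ($entry['cs(Referer)'] -match '_layouts/SignOut\.aspx')
            }
        }
    }
}

$hits = Find-ToolPanePosts -Lines ($sampleLog -split "`r?`n")
$hits | Format-Table -AutoSize
```

Against a live server, replace `$sampleLog` with `Get-Content` over the site's log directory (by default under `C:\inetpub\logs\LogFiles\W3SVC<siteid>`); a hit with `SignOutReferer` set to `True` and a 200 status should be treated as a probable exploitation attempt and correlated with Microsoft's published indicators of compromise.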
To mitigate these risks, Microsoft recommends patching or enabling AMSI (Antimalware Scan Interface) in Full Mode and installing Defender Antivirus on all SharePoint servers. It also advises rotating ASP.NET machine keys and restarting IIS on all servers using PowerShell or Central Admin. Additionally, it suggests deploying Microsoft Defender for Endpoint to detect post-exploit activity.
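The key-rotation and IIS-restart steps above, as an added PowerShell example that is not part of the article or of Microsoft's own scripts. It assumes the SharePoint Management Shell snap-in is available and that the `Update-SPMachineKey` cmdlet with its `-WebApplication` parameter exists on the installed version, as documented for SharePoint Server 2016, 2019 and Subscription Edition; confirm with `Get-Help Update-SPMachineKey` before running it. No patched build number is assumed; the farm build is printed so it can be compared against Microsoft's advisory.

```powershell
# Added example (not from the article): post-patch mitigation steps driven from
# the SharePoint Management Shell. Run as a farm administrator on one server;
# key rotation applies farm-wide, the IIS restart must be repeated on every server.
# Cmdlet names and parameters are assumptions to verify against your version's help.

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# 1. Record the farm build so it can be compared with the patched build in the advisory.
$farm = Get-SPFarm
Write-Host "Farm build: $($farm.BuildVersion)"

# 2. Rotate the ASP.NET machine keys for every web application, Central Administration
#    included. Keys stolen before patching stay valid until they are rotated.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($webApp in $webApps) {
    Write-Host "Rotating machine key for $($webApp.DisplayName) ($($webApp.Url))"
    Update-SPMachineKey -WebApplication $webApp
}

# 3. Restart IIS so worker processes load the new keys. List the farm's SharePoint
#    servers (SQL and other non-SharePoint servers report the 'Invalid' role) so
#    the restart is repeated on each of them.
$servers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
Write-Host "Servers that need an IIS restart: $($servers.Address -join ', ')"
iisreset.exe
```

The same rotation can be triggered from Central Administration through the Machine Key Rotation timer job, which is the alternative the article mentions; either way the IIS restart on every server is what actually invalidates the old keys in running worker processes.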
Attribution of the attacks remains ongoing, with SentinelOne researchers identifying three attack clusters with different tactics. The Washington Post, meanwhile, reported that the attacks targeting SharePoint servers were likely conducted by unnamed China-linked threat actors.
This incident highlights the growing importance of staying up-to-date with security patches and best practices to protect against evolving cyber threats. As the threat landscape continues to evolve, enterprises must remain vigilant and proactive in protecting their networks and systems from sophisticated adversaries.
Related Information:
https://www.ethicalhackingnews.com/articles/Global-Cybersecurity-Alert-China-Nexus-Actors-Exploit-SharePoint-Flaws-Leaving-Enterprises-Vulnerable-ehn.shtml
https://securityaffairs.com/180267/apt/microsoft-linked-attacks-on-sharepoint-flaws-to-china-nexus-actors.html
Published: Wed Jul 23 07:54:52 2025 by llama3.2 3B Q4_K_M