
Microsoft Ties SharePoint Attacks to Chinese Hackers

Summary

– Chinese hacking groups, including Linen Typhoon, Violet Typhoon, and Storm-2603, exploited a Microsoft SharePoint zero-day vulnerability chain called “ToolShell” to target global organizations.
– At least 54 organizations, including multinational companies and government entities, were compromised using vulnerabilities CVE-2025-49706 and CVE-2025-49704.
– Microsoft patched the flaws in July updates and assigned new CVE IDs (CVE-2025-53770 and CVE-2025-53771) after attacks on fully patched SharePoint servers.
– A proof-of-concept exploit for CVE-2025-53770 was released on GitHub, increasing the risk of wider exploitation by other threat actors.
– CISA added CVE-2025-53770 to its Known Exploited Vulnerability catalog and urged organizations to patch immediately, while Microsoft shared indicators of compromise (IOCs) to help detect attacks.

Microsoft has identified Chinese state-linked hacking groups exploiting critical SharePoint vulnerabilities to infiltrate organizations globally. Security researchers have uncovered a sophisticated attack campaign targeting unpatched SharePoint servers, with evidence pointing to multiple China-based threat actors.

The operation, codenamed “ToolShell”, leverages a chain of zero-day flaws to gain unauthorized access to corporate and government networks. Microsoft’s Threat Intelligence team confirmed the involvement of two known Chinese hacking collectives, Linen Typhoon and Violet Typhoon, alongside a third group tracked as Storm-2603. These actors have systematically breached internet-facing SharePoint servers, compromising sensitive data and deploying malicious payloads.

The vulnerabilities, initially demonstrated at the Berlin Pwn2Own contest, were weaponized shortly after disclosure. Dutch cybersecurity firm Eye Security reported at least 54 organizations falling victim, including multinational corporations and government agencies. Check Point Research later confirmed attacks across North America and Western Europe, focusing on telecommunications, software, and public sector entities.

Microsoft responded by releasing emergency patches for affected SharePoint versions, including Subscription Edition, 2019, and 2016, addressing remote code execution (RCE) risks. The company assigned new CVE identifiers (CVE-2025-53770 and CVE-2025-53771) to track exploits used against fully updated systems.

With a proof-of-concept exploit now circulating on GitHub, the threat landscape has escalated. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) swiftly added the flaw to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply fixes within 24 hours. Attackers leveraging ToolShell gain unfettered access to SharePoint environments, enabling data theft, backdoor installation, and lateral movement across networks.

Microsoft has published critical indicators of compromise (IOCs) to assist defenders, including malicious IP addresses and web shell filenames like spinstall0.aspx. Organizations are urged to inspect their systems for signs of intrusion, particularly connections to domains like c34718cbb4c6.ngrok-free[.]app, which delivers PowerShell scripts to command-and-control servers.
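As an added example (not Microsoft's or BleepingComputer's tooling), a small Python hunt for the two IOCs the article quotes: the spinstall0.aspx web shell name and the ngrok-free domain. The SharePoint LAYOUTS path and the connection-log format are assumptions, and the sample data is constructed.

```python
"""Check a file listing and connection logs for the ToolShell IOCs the article names.
Added example, not Microsoft's or BleepingComputer's tooling; log format is assumed."""
import ntpath
import os
import re

# Indicators quoted in the article; the domain stays defanged and is re-armed at match time.
WEBSHELL_NAMES = {"spinstall0.aspx"}
C2_DOMAINS = {"c34718cbb4c6.ngrok-free[.]app"}
# Assumed SharePoint 2016+ LAYOUTS folder (the page does not state where the shell was dropped).
LAYOUTS_DIR = r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
_DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


def refang(indicator):
    """Turn a defanged indicator ('a[.]b', 'hxxp://') back into its live, lower-cased form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def find_webshells(paths):
    """Paths whose file name is a known web shell; NTFS is case-insensitive, so compare that way."""
    wanted = {n.lower() for n in WEBSHELL_NAMES}
    return [p for p in paths if ntpath.basename(p).lower() in wanted]  # ntpath: handles '\' anywhere


def scan_directory(root=LAYOUTS_DIR):
    """Walk a directory tree on the server itself and return web shell hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(find_webshells(os.path.join(dirpath, f) for f in files))
    return hits


def find_c2_connections(log_lines):
    """(line_number, domain) for each line naming a known C2 domain, defanged exports included."""
    bad = {refang(d) for d in C2_DOMAINS}
    hits = []
    for n, line in enumerate(log_lines, start=1):
        hits.extend((n, d) for d in _DOMAIN_RE.findall(refang(line)) if d in bad)
    return hits


# Constructed sample data for a dry run; not real telemetry.
SAMPLE_PATHS = [
    r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config",
    LAYOUTS_DIR + r"\spinstall0.aspx",
    LAYOUTS_DIR + r"\SPInstall0.ASPX",
]
SAMPLE_LOG = [
    "2025-07-20T10:15:32Z SRV-SP01 outbound dst=login.microsoftonline.com:443",
    "2025-07-20T10:16:01Z SRV-SP01 outbound dst=c34718cbb4c6.ngrok-free.app:443",
    "2025-07-20T10:16:05Z SRV-SP01 outbound dst=C34718CBB4C6.NGROK-FREE[.]APP:443",
]
```

For the dry run call `find_webshells(SAMPLE_PATHS)` and `find_c2_connections(SAMPLE_LOG)`; on a server, `scan_directory()` walks the assumed LAYOUTS folder, and both lists are trivially extended as Microsoft publishes further IOCs.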

The rapid weaponization of these vulnerabilities underscores the importance of immediate patching. Security teams should prioritize updating SharePoint deployments and monitor for suspicious activity linked to the disclosed IOCs. As investigations continue, experts warn that additional threat actors may adopt these exploits, amplifying the risk for unpatched systems worldwide.

(Source: Bleeping Computer)
