
Microsoft linked attacks on SharePoint flaws to China-nexus actors


Microsoft linked SharePoint exploits to China-nexus groups Linen Typhoon, Violet Typhoon, and Storm-2603, active since July 7, 2025.

Microsoft confirmed that China-linked groups Linen Typhoon, Violet Typhoon, and Storm-2603 exploited SharePoint flaws for initial access as early as July 7, 2025.

“As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities targeting internet-facing SharePoint servers,” reads a report published by Microsoft. “In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities.”

The tech giant warns that more threat actors are adopting SharePoint exploits and expects continued attacks on unpatched on-premises systems.

Microsoft observed threat actors scanning and attacking on-prem SharePoint servers by sending POST requests to the ToolPane endpoint. If successful, the attackers bypassed authentication and used a malicious script (like spinstall0.aspx) to steal sensitive cryptographic keys (MachineKey data). In some cases, the attackers renamed the script slightly to avoid detection. Microsoft shared indicators of compromise (IOCs) and hunting tools to detect these attacks.
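The activity described above (POST requests to the ToolPane endpoint followed by a drop of spinstall0.aspx or a renamed variant) lends itself to a simple hunt over IIS logs. The following is an added example, not code from the article or from Microsoft's hunting tools: it assumes the ToolPane page lives under /_layouts/15/ToolPane.aspx and treats a POST to it with a Referer of SignOut.aspx as anomalous; the log lines and their field order are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed IIS W3C-style log lines (sample data, not from a real incident).
# Field order assumed: date time cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)
SAMPLE_LOG = """\
2025-07-18 03:12:01 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 200 https://sp.example.test/_layouts/SignOut.aspx
2025-07-18 03:12:04 GET /_layouts/15/spinstall0.aspx - 200 -
2025-07-18 03:15:40 GET /_layouts/15/spinstall1.aspx - 200 -
2025-07-18 04:00:00 GET /sites/hr/SitePages/Home.aspx - 200 -
2025-07-18 04:01:12 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 200 https://sp.example.test/sites/hr/default.aspx
"""

# The article notes the script was "renamed slightly" in some cases, so match any
# /_layouts/ page whose name starts with "spinstall" rather than the exact file name.
SHELL_RE = re.compile(r"^/_layouts/(?:\d+/)?spinstall[^/]*\.aspx$", re.IGNORECASE)
# Assumed anomaly: a POST to ToolPane.aspx arriving with the sign-out page as Referer.
TOOLPANE_RE = re.compile(r"/toolpane\.aspx$", re.IGNORECASE)
SIGNOUT_RE = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx$", re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one W3C log line into named fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    keys = ("date", "time", "method", "uri", "query", "status", "referer")
    return dict(zip(keys, parts))


def classify(entry: Dict[str, str]) -> List[str]:
    """Return the detection tags that apply to a parsed log entry."""
    tags = []
    if SHELL_RE.match(entry["uri"]):
        tags.append("suspicious_layouts_aspx")
    if (entry["method"] == "POST" and TOOLPANE_RE.search(entry["uri"])
            and SIGNOUT_RE.search(entry["referer"])):
        tags.append("toolpane_post_from_signout")
    return tags


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Run every line through the rules; return (time, tag, uri) for each hit."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for tag in classify(entry):
            hits.append((entry["time"], tag, entry["uri"]))
    return hits
```

The ordinary authenticated POST to ToolPane.aspx on the last sample line is deliberately left unflagged, since web part editing legitimately uses that page; the Referer condition is what separates the two.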

Below is a short description of China-nexus groups that exploited the ToolShell flaws:

  • Linen Typhoon (aka APT27, Bronze Union, Emissary Panda, TG-3390, Lucky Mouse, and UNC215) targets intellectual property in the government and defense sectors. Linen Typhoon is a China-based actor that has been active since at least 2012 and targets foreign embassies to collect data on the government, defense, and technology sectors.
  • Violet Typhoon (aka APT31, BRONZE VINEWOOD, JUDGMENT PANDA, Red Keres, TA412, ZIRCONIUM) focuses on espionage against NGOs, media, and academia. Violet Typhoon is a China-linked actor that has been active since at least 2015.
  • Storm-2603 is a distinct actor that attempts to steal MachineKeys from SharePoint servers and has ties to ransomware. All three actors exploit exposed systems to install web shells. With more attackers likely to adopt these methods, Microsoft urges immediate patching and mitigation to protect unpatched on-premises SharePoint environments.

Microsoft provides the following mitigations for CVE-2025-53770/53771:

  • After patching or enabling AMSI, rotate ASP.NET machine keys and restart IIS on all servers using PowerShell or Central Admin.
  • Apply the latest security updates for supported SharePoint versions (2016, 2019, Subscription Edition) immediately.
  • Enable AMSI (Antimalware Scan Interface) in Full Mode and install Defender Antivirus on all SharePoint servers.
  • If AMSI can’t be enabled, disconnect servers from the internet or limit access using VPN/proxy/authentication gateway.
  • Deploy Microsoft Defender for Endpoint to detect post-exploit activity.

SentinelOne researchers also identified three attack clusters with different tactics, while the attribution remains ongoing. All clusters targeted high-value SharePoint deployments, with a clear emphasis on persistence and access via cryptographic key theft, rather than immediate system control.

While SentinelOne did not attribute the attacks to a specific threat actor, The Washington Post, citing its sources, reported that the attacks targeting SharePoint servers were likely conducted by unnamed China-linked threat actors.


Pierluigi Paganini

(SecurityAffairs – hacking, China)