Tech giant Microsoft revealed on Tuesday that Chinese state-sponsored hacking groups have been actively exploiting vulnerabilities in the company’s SharePoint collaboration software to launch widespread cyber attacks against various organizations.
The company identified three distinct Chinese threat actors – Linen Typhoon, Violet Typhoon, and Storm-2603 – who have been targeting SharePoint servers by exploiting security weaknesses. These attacks involve bypassing authentication systems and executing malicious code remotely on vulnerable servers.
In its detailed blog post, Microsoft expressed high confidence that malicious actors will continue attempting to breach unpatched SharePoint systems. The company urged customers to immediately install the latest security updates to protect against these exploits.
According to Microsoft’s analysis, each hacking group has distinct target preferences. Linen Typhoon primarily focuses on stealing intellectual property and infiltrating organizations involved in human rights, government operations, defense, and strategic planning. Meanwhile, Violet Typhoon concentrates its efforts on compromising systems belonging to former government and military officials, educational institutions, media organizations, think tanks, and NGOs.
The U.S. Department of Justice previously took action against members of Linen Typhoon (also known as APT27) in March, when it indicted two Chinese nationals for their alleged involvement in hacking operations that caused millions of dollars in damages to U.S. organizations.
The current situation became critical enough for Microsoft to issue an emergency security patch on Saturday, addressing what they termed a “zero-day” vulnerability – a previously unknown security flaw. While self-hosted SharePoint servers were affected, Microsoft confirmed that cloud-based SharePoint instances running on their servers remained secure.
The Cybersecurity and Infrastructure Security Agency has issued warnings about the potentially widespread impact of these vulnerabilities. The agency strongly recommends disconnecting affected servers from the internet before applying security updates.
Security researchers have emphasized the severe implications of these exploits. Eye Security, a Netherlands-based research firm, warned that successful breaches could give attackers comprehensive access to SharePoint content, system files, and configurations. The firm noted that due to SharePoint’s integration with other essential services like Outlook, Teams, and OneDrive, compromised systems could lead to extensive data theft, password harvesting, and unauthorized network access.
Microsoft’s response includes multiple recommended security measures. The company advises enabling Microsoft Defender Antivirus and the Antimalware Scan Interface, or equivalent security solutions, alongside implementing the latest patches. The tech giant emphasized that additional threat actors may attempt to exploit these vulnerabilities, making immediate security updates crucial for all organizations using on-premises SharePoint systems.
While Microsoft has not disclosed specific details about which organizations have been targeted through these SharePoint vulnerabilities, the widespread use of the collaboration software across various sectors makes this security threat particularly concerning. The company continues to monitor the situation and provide updates to help organizations protect their systems against these sophisticated state-sponsored cyber attacks.
These developments highlight the ongoing challenges organizations face in protecting their digital infrastructure against state-sponsored cyber threats, particularly those originating from China. The incident underscores the critical importance of maintaining up-to-date security measures and responding promptly to security advisories from technology providers.
