
Insights on the Microsoft SharePoint Cyber Assaults

Intrusion campaigns attributed to Chinese state-backed actors and a ransomware-linked group are targeting on-premises SharePoint servers worldwide.


In a coordinated wave of intrusions, Microsoft has attributed exploitation of on-premises SharePoint Server vulnerabilities to two China-based nation-state actors, Linen Typhoon and Violet Typhoon, and to a third China-based group, Storm-2603, with activity observed since early July 2025 [1][2][3].

These actors have been exploiting two recently disclosed vulnerabilities in on-premises SharePoint Server to gain unauthorised access to targeted organisations: CVE-2025-49706, a spoofing flaw that lets an unauthenticated request bypass the server's authentication checks, and CVE-2025-49704, a remote code execution flaw [2]. SharePoint Online in Microsoft 365 is not affected.

Because the exploit chain needs no credentials, multifactor authentication and single sign-on offer no protection against it. Once in, the actors gained privileged access to the server, deployed persistent backdoors, stole sensitive data, and exfiltrated the server's ASP.NET machine keys [2]. The attacks have hit a broad range of sensitive entities, including government agencies, universities, large corporations, energy companies, and telecommunications firms worldwide [1][2][4][5].

The chain, known as ToolShell, combines the spoofing vulnerability CVE-2025-49706 with the remote code execution vulnerability CVE-2025-49704: the first lets an unauthenticated request reach a SharePoint page that should require authentication, and the second executes attacker-supplied code from the body of that request [1].

In the early phase of the attacks, the actors stole the servers' ASP.NET machine keys (the ValidationKey and DecryptionKey that SharePoint uses to sign and encrypt __VIEWSTATE), which lets them forge valid ViewState payloads and regain code execution even on a server that has since been patched, unless the keys are rotated [2]. The Department of Health and Human Services has been compromised in the ongoing SharePoint attacks [1].
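A hunt for the ToolShell request pattern in IIS logs, as an added PowerShell example that is not part of the article and not code from Microsoft or any of the cited researchers. The shape it looks for, an unauthenticated POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit whose Referer is /_layouts/SignOut.aspx, followed shortly by a request for a dropped spinstall0.aspx page, is the indicator Microsoft published in its guidance for these CVEs. The log lines are constructed for the example, and the script assumes cs(Referer) is among the logged fields (it is not in IIS's default field set, so check your logging configuration first).

```powershell
# Parse IIS W3C log lines into objects keyed by the names in the #Fields header.
function ConvertFrom-IisW3CLog {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = ($line.Substring(8).Trim() -split ' ')
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # truncated or malformed line
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
}

# Flag the two halves of the ToolShell pattern. The Referer check matters: a
# legitimate ToolPane.aspx edit comes from an authenticated user, not from SignOut.aspx.
function Find-ToolShellRequests {
    param([string[]]$Lines)
    foreach ($e in (ConvertFrom-IisW3CLog -Lines $Lines)) {
        $reason = $null
        if ($e.'cs-method' -eq 'POST' -and
            $e.'cs-uri-stem' -match '/_layouts/1[56]/ToolPane\.aspx$' -and
            $e.'cs-uri-query' -match 'DisplayMode=Edit' -and
            $e.'cs(Referer)' -match '/_layouts/SignOut\.aspx') {
            $reason = 'ToolPane.aspx POST with SignOut.aspx Referer (CVE-2025-49706 / CVE-2025-53771 pattern)'
        } elseif ($e.'cs-uri-stem' -match '/_layouts/1[56]/spinstall\d*\.aspx$') {
            $reason = 'request for spinstall*.aspx (web shell dropped by the RCE step)'
        }
        if ($reason) {
            [pscustomobject]@{
                Time     = "$($e.date) $($e.time)"
                ClientIP = $e.'c-ip'
                User     = $e.'cs-username'
                Status   = $e.'sc-status'
                Reason   = $reason
            }
        }
    }
}

# Constructed sample (not real traffic): one normal authenticated request, then the
# two-step pattern from a single external address.
$sample = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 09:12:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\alice 10.0.0.40 Mozilla/5.0 - 200 0 0 120
2025-07-18 09:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.77 Mozilla/5.0 https://sp.contoso.local/_layouts/SignOut.aspx 200 0 0 311
2025-07-18 09:12:47 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.77 Mozilla/5.0 - 200 0 0 45
'@ -split "`r?`n"

Find-ToolShellRequests -Lines $sample | Format-Table -AutoSize

# Against real logs on a SharePoint server (default IIS log location):
# Get-ChildItem 'C:\inetpub\logs\LogFiles' -Recurse -Filter '*.log' |
#     ForEach-Object { Find-ToolShellRequests -Lines (Get-Content $_.FullName) } |
#     Sort-Object Time | Format-Table -AutoSize
```

A hit on the POST alone means the server was probed with the bypass; a hit on spinstall*.aspx from the same client address within seconds means the RCE step succeeded and the machine keys should be treated as stolen. Also list the LAYOUTS directory under the SharePoint root for any recently created .aspx files, since the web shell name can be changed.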

Microsoft has released security updates for CVE-2025-53770 and CVE-2025-53771, the variants of CVE-2025-49704 and CVE-2025-49706 that bypassed the fixes shipped in the July Patch Tuesday updates [1]. Patching alone is not enough: Microsoft advises customers to configure Antimalware Scan Interface (AMSI) integration with an AMSI-capable antivirus on the servers, rotate the SharePoint Server ASP.NET machine keys after the update is installed, and then restart Internet Information Services (IIS) on every SharePoint server in the farm [1].
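The three post-update steps above, as an added PowerShell example for the SharePoint Management Shell that is not code from the article or from Microsoft. It assumes the farm has already been patched, that the Update-SPMachineKey cmdlet is available on the patched build (it ships with the July 2025 updates for SharePoint 2016, 2019 and Subscription Edition), and that Microsoft Defender Antivirus is the AMSI provider on the servers; the Central Administration fallback named in the comments is the alternative Microsoft documents when the cmdlet is unavailable.

```powershell
# Post-update remediation for an on-premises SharePoint farm. Run as a farm
# administrator in the SharePoint Management Shell on one server; the key rotation
# is farm-wide, the IIS restart must be repeated on every SharePoint server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Record the farm build so it can be checked against the KB for your product.
#    Rotating keys on an unpatched farm is pointless: the attacker can steal the new ones.
$farm = Get-SPFarm
Write-Host "Farm build: $($farm.BuildVersion)"
Write-Host "Servers:    $((Get-SPServer).Address -join ', ')"

# 2. AMSI integration only scans requests if an AMSI provider is actually running.
#    Get-MpComputerStatus comes from the Defender module on Windows Server.
$mp = Get-MpComputerStatus
if (-not ($mp.AMServiceEnabled -and $mp.RealTimeProtectionEnabled)) {
    Write-Warning "Defender AV is not fully enabled on $env:COMPUTERNAME; AMSI integration will not inspect requests here."
}
#    SharePoint's own AMSI setting is managed in Central Administration and is on by
#    default for builds from the September 2023 update onward; confirm it there.

# 3. Rotate the ASP.NET machine keys of every web application, Central Administration
#    included. Update-SPMachineKey generates new ValidationKey/DecryptionKey values and
#    pushes them to all servers through a timer job; stolen keys stop being usable for
#    forged __VIEWSTATE payloads only once that job has completed on every server.
if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
    throw "Update-SPMachineKey not found: this build is not patched. Install the update first, or run the Machine Key Rotation timer job from Central Administration (Monitoring > Review job definitions)."
}
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa
}

# 4. Restart IIS so the worker processes load the new keys. Do this on every other
#    SharePoint server in the farm as well, after the rotation job has finished.
iisreset.exe
```

Order matters: update first, rotate second, restart last. A server that was exploited before the update may still carry a web shell or other persistence, so key rotation closes the ViewState path but does not replace a compromise assessment of the host.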

Researchers at Censys say they have identified 9,717 on-premises SharePoint servers exposed to the internet [1].

The Department of Energy has confirmed that it was hacked, with the intrusion affecting DOE components including the National Nuclear Security Administration [1]. DHS also confirmed that it was hacked, although it said there is no evidence that the hackers exfiltrated data from any of its components [1].

Shadowserver, citing data from LeakIX, reported 424 SharePoint IP addresses confirmed vulnerable as of Wednesday [1], and has since reported at least three hundred confirmed compromises of Microsoft SharePoint customers [6].

To help security teams test their environments, Rapid7 has published exploit modules for CVE-2025-53770 and CVE-2025-53771 on GitHub [7]; Code White GmbH had earlier reproduced the attack chain [7]. Such modules should be run only against servers you are authorised to test, and a successful run means the host needs key rotation as well as the patch, since the exploit exposes the machine keys.

Organisations running on-premises SharePoint should apply the updates, rotate their machine keys, and review their servers for signs of compromise that may predate the patch.

References:
[1] https://www.bleepingcomputer.com/news/security/china-backed-nation-state-actors-exploit-sharepoint-flaws-in-global-cyberattacks/
[2] https://www.csoonline.com/article/3621800/china-backed-hackers-exploit-sharepoint-flaws-to-steal-machine-keys-in-global-cyberattacks.html
[3] https://www.zdnet.com/article/china-backed-hackers-exploiting-sharepoint-flaws-to-launch-global-cyberattacks/
[4] https://www.infosecurity-magazine.com/news/china-backed-hackers-exploit-sharepoint-flaws-to-launch-global-cyberattacks/
[5] https://www.techradar.com/news/china-backed-hackers-exploiting-sharepoint-flaws-to-launch-global-cyberattacks
[6] https://www.bleepingcomputer.com/news/security/shadowserver-reports-300-confirmed-compromises-of-microsoft-sharepoint-customers/
[7] https://www.bleepingcomputer.com/news/security/rapid7-releases-exploit-modules-for-two-sharepoint-flaws-used-in-global-cyberattacks/

  1. The active exploitation of on-premises SharePoint Server vulnerabilities by three China-based actors has raised serious concerns about the confidentiality of sensitive data in the affected organisations.
  2. Ransomware or other malware deployment is a realistic follow-on threat once remote code execution has been achieved on an on-premises SharePoint server.
  3. Defending against these attacks requires the security updates for CVE-2025-49706 and CVE-2025-49704 and their later variants, together with the follow-up steps Microsoft recommends (AMSI integration, machine key rotation, and an IIS restart), not just perimeter controls such as firewalls.
  4. Infosec professionals should prioritise testing their environments for these vulnerabilities and hunting for earlier compromise, to protect their infrastructure and the data it holds.
