Top Highlights
- Microsoft attributes active exploitation of on-premises SharePoint Server vulnerabilities to three China-based groups, Linen Typhoon, Violet Typhoon, and Storm-2603; internet-facing servers that have not been patched remain exposed.
- The attack chain combines the spoofing flaw CVE-2025-49706 with the remote code execution flaw CVE-2025-49704 and also works against incomplete initial fixes: a crafted POST request to the ToolPane endpoint (/_layouts/15/ToolPane.aspx) bypasses authentication and leads to code execution.
- Attackers drop a web shell named "spinstall0.aspx" that reads sensitive data from the server, including its ASP.NET machine keys; with those keys an attacker can craft requests that look like legitimate SharePoint traffic, which complicates detection and is why key rotation is part of remediation.
- Urgent mitigation steps: install the latest SharePoint security updates, rotate the ASP.NET machine keys, deploy Microsoft Defender, and enable AMSI integration. The flaws are now public, so additional threat actors are expected to exploit them.
Key Challenge
On July 22, 2025, Microsoft publicly attributed a series of attacks exploiting vulnerabilities in on-premises SharePoint Server to three China-based groups: Linen Typhoon, Violet Typhoon, and a newly tracked actor, Storm-2603. The first two have long histories of cyber operations, Linen Typhoon having been active since 2012 and Violet Typhoon since 2015. The attacks chain the spoofing vulnerability CVE-2025-49706 with the remote code execution flaw CVE-2025-49704: a crafted POST request to the ToolPane endpoint bypasses authentication, after which the attacker writes a web shell such as "spinstall0.aspx" to the server. The shell is used to exfiltrate sensitive data, notably the ASP.NET machine keys, which let the attacker keep access even after the initial entry point is patched. SharePoint Online in Microsoft 365 is not affected; only on-premises servers are.
Security researcher Rakesh Krishnan reported on the intruders' post-exploitation behaviour, describing how they ran multiple processes under Microsoft Edge to disguise their activity. Microsoft's advisory stresses that organizations must apply the security updates, rotate machine keys, and add further protective measures, because unpatched SharePoint servers are highly likely to see continued exploitation. The report both documents a significant campaign by well-known Chinese threat actors and echoes earlier incidents such as the 2021 Silk Typhoon campaign against Exchange Server, part of a continuing pattern of attacks on Microsoft products.
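The request pattern and the dropped file named above give defenders two concrete things to look for. The script below is an added example, not code from Microsoft or from the report discussed here: it parses a constructed IIS W3C log excerpt and a constructed file listing, flags edit-mode POST requests to ToolPane.aspx that are unauthenticated or carry a Referer of /_layouts/SignOut.aspx (the header Microsoft's advisory describes in the exploit request; this page itself mentions only the POST), and flags any request for, or file named, spinstall0.aspx. Host names, IP addresses, timestamps and the log field layout are assumptions made for the example.

```python
"""Added example: triage IIS W3C logs and a file listing for the
SharePoint ToolPane exploit pattern and the spinstall0.aspx web shell.
Everything below (log lines, hosts, addresses, paths) is constructed."""

# Constructed IIS W3C log excerpt (not a real capture). IIS writes one token
# per field and replaces spaces inside a field with '+', so splitting on
# whitespace is safe once the #Fields directive has been read.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus time-taken
2025-07-19 03:12:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 python-requests/2.32.3 https://sp.example.test/_layouts/SignOut.aspx 200 0 812
2025-07-19 03:12:44 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 python-requests/2.32.3 - 200 0 37
2025-07-19 09:05:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\alice 10.0.0.42 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.test/sites/hr/SitePages/Home.aspx 200 0 140
2025-07-19 09:06:10 10.0.0.5 GET /sites/hr/Shared%20Documents/policy.docx - 443 CORP\\alice 10.0.0.42 Mozilla/5.0+(Windows+NT+10.0) - 200 0 55
"""

# Constructed file listing. The LAYOUTS directory is where the reported web
# shell was written; the second path is a legitimate SharePoint page.
SAMPLE_PATHS = [
    r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx",
    r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\ToolPane.aspx",
]

WEBSHELL = "spinstall0.aspx"
# Referer value Microsoft's advisory describes in the exploit request
# (not stated on this page); the ToolPane authentication bypass hinges on it.
SIGNOUT_REFERER = "/_layouts/signout.aspx"


def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed or pre-#Fields row: skip rather than guess
        rows.append(dict(zip(fields, parts)))
    return rows


def classify(row):
    """Return a verdict string for a suspicious row, or None for normal traffic."""
    stem = row["cs-uri-stem"].lower()
    query = row["cs-uri-query"].lower()
    referer = row["cs(Referer)"].lower()
    # Any request for the web shell by name: high confidence.
    if stem.endswith("/" + WEBSHELL):
        return "webshell-access"
    # An edit-mode POST to ToolPane.aspx is how the exploit chain starts, but
    # administrators editing web parts produce the same stem and query, so
    # the verdict depends on the Referer and on whether a user authenticated.
    if (row["cs-method"] == "POST" and stem.endswith("/toolpane.aspx")
            and "displaymode=edit" in query):
        if SIGNOUT_REFERER in referer:
            return "toolpane-exploit"      # exploit signature: high confidence
        if row["cs-username"] == "-":
            return "toolpane-anonymous"    # no authenticated user: review
    return None


def find_suspicious(text):
    """Return (verdict, client ip, uri stem) for every suspicious log row."""
    hits = []
    for row in parse_w3c(text):
        verdict = classify(row)
        if verdict:
            hits.append((verdict, row["c-ip"], row["cs-uri-stem"]))
    return hits


def find_webshell_files(paths):
    """Return paths whose file name matches the reported web shell."""
    return [p for p in paths
            if p.replace("\\", "/").rsplit("/", 1)[-1].lower() == WEBSHELL]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_IIS_LOG):
        print("log:", *hit)
    for path in find_webshell_files(SAMPLE_PATHS):
        print("file:", path)
```

Authenticated administrators legitimately POST to ToolPane.aspx when editing web parts, so the request path alone is not an indicator; the SignOut Referer and the absent user name carry the signal. Point the parser at the real logs under C:\inetpub\logs\LogFiles and at a listing of the TEMPLATE\LAYOUTS directories, and treat any hit as grounds to assume the machine keys were read and must be rotated after patching.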
Critical Concerns
The exploitation of these on-premises SharePoint Server vulnerabilities by Chinese threat actors is a risk well beyond the organizations hit so far. Because Linen Typhoon, Violet Typhoon, and Storm-2603 are actively weaponizing the flaws, and because the exploit details are now public, every unpatched server becomes a likely target, and a compromised server can lead to data theft and operational disruption. Organizations that delay the updates or skip the follow-up steps (key rotation in particular) risk not only their own proprietary data but also their partners', since SharePoint servers are commonly integrated with supply-chain and collaboration workflows. The resulting loss of trust and the financial cost of a breach make prompt, complete remediation across every affected environment the only reasonable course.
Possible Actions
Vulnerabilities in widely deployed server software demand urgent attention, all the more when state-linked groups are already exploiting them. The consequences reach past any single organization into the wider environments those servers are connected to.
Mitigation Steps
- Apply Security Updates: install the latest SharePoint Server updates, then rotate the ASP.NET machine keys and restart IIS so the old keys can no longer be used.
- Enhance Network Monitoring: watch for unauthenticated POST requests to the ToolPane endpoint and for any request to, or file named, spinstall0.aspx.
- Perform Vulnerability Assessments: confirm which on-premises SharePoint servers are internet-facing and whether each has received the update.
- Implement Access Controls: limit who can reach SharePoint administration endpoints from the internet, and enable AMSI integration with Microsoft Defender.
- Educate Employees: make administrators aware of the campaign and of the indicators above.
- Strengthen Incident Response: treat any sign of the web shell as a full compromise requiring key rotation and credential review, not just file removal.
NIST CSF Guidance
The NIST Cybersecurity Framework (CSF) underscores the criticality of proactive risk management and timely remediation of identified vulnerabilities. Organizations should reference NIST Special Publication 800-53 for detailed guidelines on safeguarding information systems against such threats.
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary reference purposes only.