Chinese Hacking Groups Exposed: Microsoft Links Them to SharePoint Attacks

Microsoft recently announced that they have detected two Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting vulnerabilities in internet-facing SharePoint servers. Additionally, another threat actor known as Storm-2603, based in China, has also been observed exploiting these vulnerabilities. Investigations are ongoing to uncover other actors utilizing these exploits.

Eye Security has reported that 54 organizations, including a private university, a private energy operator in California, and a federal government health organization, have been breached. According to The Washington Post, some of the attacks have been traced back to IP addresses within China.

Microsoft has released a patch update for SharePoint 2016 servers to address the vulnerabilities. The update covers all affected versions of SharePoint impacted by the zero-day exploit. Microsoft warns that threat actors are likely to continue exploiting unpatched server systems now that the vulnerability is widely known. The exploit, disclosed by researchers at Eye Security, enables hackers to infiltrate certain on-premises versions of SharePoint to steal sensitive data, gather passwords, and navigate through connected services.