Chinese spies, IP stealers attacking Microsoft SharePoint • The Register


At least three Chinese groups are attacking on-premises SharePoint servers via a couple of recently disclosed Microsoft bugs, according to Redmond.

Two of the crews behind the zero-day attacks are government-backed: Linen Typhoon (aka Emissary Panda, APT27) and Violet Typhoon (aka Zirconium, Judgment Panda, APT31), Microsoft’s threat intel team wrote in a Tuesday blog.

Linen Typhoon typically steals intellectual property, and primarily targets organizations related to government, defense, strategic planning, and human rights.

Violet Typhoon focuses on espionage and targets former government and military personnel, non-governmental organizations, think tanks, higher education, digital and print media, financial and health-related sectors in the US, Europe, and East Asia. 

The third group, Storm-2603, is likely China-based but not necessarily a nation-state gang.

“Storm,” according to Microsoft’s attacker naming taxonomy, is a temporary designation for a newly discovered or emerging cluster of malicious cyber activity.

“Although Microsoft has observed this threat actor [Storm-2603] deploying Warlock and Lockbit ransomware in the past, Microsoft is currently unable to confidently assess the threat actor’s objectives,” the software giant said, noting that it’s still investigating other gangs exploiting these vulnerabilities.

“Additional actors may use these exploits to target unpatched on-premises SharePoint systems, further emphasizing the need for organizations to implement mitigations and security updates immediately,” the threat intel analysts wrote.

The good news: all three versions of SharePoint Server (Subscription Edition, 2019, and 2016) finally have fixes, so if you are running any of these, apply the updates immediately. 

The bad news, as Unit 42 CTO and head of threat intel Michael Sikorski told The Register yesterday: “If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised.”

Plus, as of Monday, “multiple proofs of concept have been posted on GitHub,” according to Palo Alto Networks Unit 42 threat hunting team, so expect ransomware gangs and all manner of miscreants to join the fray.

The software fixes address CVE-2025-53770, which is related to the previously disclosed vulnerability CVE-2025-49704, and CVE-2025-53771, a security bypass vulnerability for the previously disclosed CVE-2025-49706. Microsoft disclosed both of the earlier bugs in its July Patch Tuesday, but neither fix fully worked.

CVE-2025-53770 allows unauthenticated remote code execution, and CVE-2025-53771 is a spoofing bug. Chaining the two allows miscreants to bypass authentication and execute malicious code over the network. 

After exploiting the CVEs, Microsoft says the attackers deploy a web shell:

There’s also a whole list of compromise indicators in the blog, so check that out to help with hunting for baddies on your network.
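Microsoft's post-exploitation description above (a web shell dropped after the bug chain) and its indicator list suggest one concrete hunting step: inventory recently written server-side script files under the SharePoint web root and compare their hashes against the published indicators. The script below is an added example written for this article, not code from The Register or from Microsoft; the web root path, the lookback window, the report location and the optional hash-list file are all assumptions to be adjusted for the server being checked.

```powershell
# Added example (not from the article or Microsoft's blog): list .aspx/.ashx files
# written to a SharePoint web root within a lookback window, hash them, and flag any
# whose SHA-256 appears in a hash list copied from Microsoft's indicator post.
param(
    # Assumed web-facing directory; replace with the real SharePoint web root on this host.
    [string]$WebRoot = 'C:\PLACEHOLDER\SharePoint\WebRoot',
    # How far back to look for newly created or modified script files.
    [int]$LookbackDays = 30,
    # Optional text file with one SHA-256 per line, taken from the vendor indicator list.
    [string]$IocHashFile = '',
    # Where the CSV report is written.
    [string]$Report = "$env:TEMP\sharepoint-aspx-inventory.csv"
)

$since = (Get-Date).AddDays(-$LookbackDays)

# Load indicator hashes (if supplied) into a case-insensitive lookup table.
$iocs = @{}
if ($IocHashFile -and (Test-Path -Path $IocHashFile)) {
    Get-Content -Path $IocHashFile |
        Where-Object { $_.Trim() -ne '' } |
        ForEach-Object { $iocs[$_.Trim().ToUpperInvariant()] = $true }
}

# Candidate files: server-side script files created or modified inside the window.
$candidates = Get-ChildItem -Path $WebRoot -Recurse -File -Include *.aspx, *.ashx -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since } |
    ForEach-Object {
        $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256
        [pscustomobject]@{
            Path         = $_.FullName
            CreationTime = $_.CreationTime
            LastWrite    = $_.LastWriteTime
            SizeBytes    = $_.Length
            SHA256       = $hash.Hash
            MatchesIoc   = $iocs.ContainsKey($hash.Hash.ToUpperInvariant())
        }
    }

# Newest files first; indicator matches are the first thing to triage.
$sorted = $candidates | Sort-Object CreationTime -Descending
$sorted | Export-Csv -Path $Report -NoTypeInformation
$sorted | Format-Table -AutoSize

$hits = @($sorted | Where-Object { $_.MatchesIoc })
Write-Host "Inventoried $(@($sorted).Count) candidate files; $($hits.Count) matched supplied indicators. Report: $Report"
```

Run it on the SharePoint server with an account that can read the web root, for example `.\Find-SharePointScriptFiles.ps1 -WebRoot 'D:\sp\root' -LookbackDays 14 -IocHashFile .\ioc-hashes.txt`. A file that does not match the indicator list is not cleared by this check: anything created in the window that is not explained by a deployment or update still deserves a look, and the timestamps can be compared against the IIS logs for the same period.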

Microsoft’s attribution echoes Mandiant Consulting CTO Charles Carmakal’s assessment from yesterday, when he told The Register that “at least one of the actors responsible for this early exploitation is a China-nexus threat actor.”

However, as he noted in a subsequent LinkedIn post: “Multiple threat actors are actively exploiting this vulnerability now. New threat actors with diverse motivations will continue to exploit these vulnerabilities over time.” ®
