Microsoft said it has observed three threat groups — dubbed Linen Typhoon, Violet Typhoon, and Storm-2603 — targeting internet-facing SharePoint servers using two newly disclosed vulnerabilities that allow attackers to bypass authentication and execute remote code.
SharePoint Server is Microsoft’s collaboration and document management platform designed for businesses and organizations.
Many large organizations use SharePoint as their primary platform for internal collaboration and for storing documents, and is appreciated for working well with other Microsoft products like Office, Teams, and Outlook.
The attacks, which Microsoft said began as early as July 7, affect only on-premises SharePoint installations and do not impact the cloud-based SharePoint Online service, the company said in a security bulletin.
Microsoft warned that it “assesses with high confidence” that the threat actors will continue their assault against vulnerable systems where companies haven’t taken the necessary precautions.
The vulnerabilities allow attackers to spoof authentication credentials and execute malicious code remotely on vulnerable servers.
Microsoft has released comprehensive security updates to address the malware and urged customers to apply the patches immediately.
In their successful attacks, the Chinese hackers deployed malicious code that provides backdoor access to compromised systems. The attackers used these tools to steal machine encryption keys and maintain access to targeted networks.
Linen Typhoon, active since 2012, primarily focuses on intellectual property theft from government, defense, and human rights organizations.
Violet Typhoon, operating since 2015, conducts espionage against former government officials, NGOs, think tanks, and media organizations across the United States, Europe, and East Asia.
Storm-2603, which Microsoft assesses with “medium confidence” to be China-based, has previously deployed ransomware but its current objectives remain unclear.
Research from cybersecurity company Check Point said the campaign began on July 7 against a major Western government and that the attacks intensified dramatically around July 18.
Since then, researchers have confirmed dozens of compromise attempts primarily targeting organizations in North America and Western Europe, Check Point said in a blog post.
