Overview
- China-linked groups Linen Typhoon, Violet Typhoon and Storm-2603 bypassed Microsoft’s initial July 8 patches to exploit a zero-day vulnerability in on-premises SharePoint servers
- More than 100 servers worldwide, including those at the U.S. National Nuclear Security Administration, were compromised, though no evidence of sensitive data theft has been found
- Microsoft released comprehensive security updates and advised customers to rotate server machine keys and deploy anti-malware tools to eradicate persistent backdoors
- CISA urged agencies and private organizations to disconnect vulnerable on-premises SharePoint deployments amid warnings that thousands of servers remain unpatched
- Ongoing investigations by Microsoft and cybersecurity firms have detected new intrusion attempts as unpatched systems continue to face active exploitation