Particle.news

SharePoint Exploit Campaign Hits Over 400 Organizations in Ongoing China-Linked Attacks

Coordinated action by Microsoft and CISA has produced comprehensive fixes for the ToolShell vulnerabilities, prompting widespread mitigation and incident reviews.

Microsoft signage is seen at the company's headquarters in Redmond, Washington, U.S., January 18, 2023. REUTERS/Matt Mills McKnight/File Photo

Overview

  • Security firm Eye Security reports that more than 400 organizations across government, energy, finance and education have been compromised through on-premises SharePoint servers since early July.
  • Microsoft has attributed the breaches to China-linked groups Linen Typhoon, Violet Typhoon and Storm-2603, which chained critical zero-day flaws dubbed ToolShell to harvest credentials and deploy persistent webshells.
  • The US Cybersecurity and Infrastructure Security Agency has notified critical infrastructure operators and published mitigation guidance in response to active exploitation.
  • The Department of Energy confirmed on July 18 that the National Nuclear Security Administration was breached with no classified data stolen, and multiple other federal and state agencies have also reported intrusions.
  • Forensic teams caution that patches alone may not eradicate persistent backdoors or stolen cryptographic keys, driving calls for deeper investigations and additional security measures.