{"id":1530,"date":"2025-07-23T07:55:24","date_gmt":"2025-07-23T07:55:24","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/07\/23\/sharepoint-toolshell-vulnerabilities-exploited-by-chinese-nation-state-hackers\/"},"modified":"2025-07-23T07:55:24","modified_gmt":"2025-07-23T07:55:24","slug":"sharepoint-toolshell-vulnerabilities-exploited-by-chinese-nation-state-hackers","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/07\/23\/sharepoint-toolshell-vulnerabilities-exploited-by-chinese-nation-state-hackers\/","title":{"rendered":"SharePoint &#8216;ToolShell&#8217; Vulnerabilities Exploited by Chinese Nation-State Hackers"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Microsoft has confirmed that three China-based threat groups have been actively exploiting CVE-2025-53770 and CVE-2025-53771, a critical remote code execution vulnerability and a high-severity spoofing vulnerability in internet-facing, on-premises SharePoint servers. SharePoint Online in Microsoft 365 is not affected.<\/p>\n<p>The chained exploitation of these two bugs has been dubbed \u2018ToolShell\u2019 by the cybersecurity community.<\/p>\n<p>In a new blog posted on July 22, Microsoft Threat Intelligence confirmed that these groups include Linen Typhoon and Violet Typhoon, two China-based advanced persistent threat (APT) groups, and Storm-2603, a third China-based threat actor whose motivations and identity are unclear at this time.<\/p>\n<h2><strong>Who is Behind Linen Typhoon, Violet Typhoon and Storm-2603?<\/strong><\/h2>\n<p>Linen Typhoon (APT27) is a Chinese state-backed actor that has been active since at least 2010. 
It typically targets foreign embassies to collect data on government, defense, technology and human rights organizations, using techniques such as drive-by compromises and exploits for known vulnerabilities to gain initial access.<\/p>\n<p>The group is also known by many other names, including Bronze Union, Circle Typhoon, Budworm, Emissary Panda, Earth Smilodon, GreedyTaotie, Iron Taurus, Iron Tiger, Lucky Mouse and Red Phoenix.<\/p>\n<p>In March 2025, the US indicted and charged two Chinese nationals believed to be operating within the APT27 group. The two individuals were accused of hacking several US companies, institutions and municipalities for profit, causing millions of dollars\u2019 worth of damages.<\/p>\n<p>Violet Typhoon (APT31) is a Chinese state-backed actor that has been active since at least 2012.<\/p>\n<p>Also known as Bronze Vinewood, Judgment Panda, Red Keres and Zirconium, Violet Typhoon has minimal overlaps with Storm-0558, a separately tracked group whose attribution remains unclear.<\/p>\n<p>Violet Typhoon typically specializes in intellectual property theft, focusing on data and projects that make a particular organization competitive in its field. 
The group primarily targets former government and military personnel, non-governmental organizations (NGOs), think tanks, higher education institutions, digital and print media, as well as financial and health-related sectors in the US, Europe and East Asia.<\/p>\n<p>Violet Typhoon persistently scans for vulnerabilities in the exposed web infrastructure of target organizations, exploiting discovered weaknesses to install web shells.<\/p>\n<p>Finally, while Microsoft assessed \u201cwith medium confidence\u201d that Storm-2603 is a China-based threat actor, the tech giant\u2019s threat intelligence team has not yet identified any links between the group and other known Chinese threat actors.<\/p>\n<p>\u201cMicrosoft tracks this threat actor in association with attempts to steal MachineKeys via the on-premises SharePoint vulnerabilities,\u201d said the Microsoft Threat Intelligence team.<\/p>\n<p>The ASP.NET machine key is what a SharePoint server uses to sign and encrypt ViewState. An attacker who has copied it can forge validly signed ViewState payloads and keep executing code on the server even after the vulnerability itself is patched, which is why installing the update alone is not enough: the keys have to be rotated as well.<\/p>\n<p>Additionally, while the company has observed this threat actor deploying Warlock and LockBit ransomware in the past, it is currently unable to confidently assess the threat actor\u2019s objectives.<\/p>\n<h2><strong>Aligned with Previous Attribution<\/strong><\/h2>\n<p>This new Microsoft assessment aligns with a previous estimate from Google Cloud-owned Mandiant.<\/p>\n<p>Earlier on July 22, Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, commented: \u201cWe assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor.\u201d<\/p>\n<div>\n<p>Speaking to <em>Infosecurity<\/em>, Lorri Janssen-Anessi, director of external cyber assessments at BlueVoyant, highlighted that this attribution to Chinese nation-state hacking groups reinforces that the &#8216;ToolShell&#8217; exploitation campaign is &#8220;more than opportunistic exploitation.&#8221;<\/p>\n<p>&#8220;It is more likely potentially part of a broader strategic campaign aimed at gaining initial access, establishing persistence, and attempting 
to exfiltrate sensitive intelligence data from high-value targets across government, defence, academia and NGOs. This is yet another reminder that if you are running unpatched, internet-facing systems \u2013 especially legacy collaboration platforms \u2013 you are not just a potential target, you are likely already in the crosshairs,&#8221; she added.<\/p>\n<\/div>\n<p>Mandiant&#8217;s Carmakal also urged defenders and potential victims to recognize that multiple actors are likely exploiting these vulnerabilities at the same time.<\/p>\n<p>\u201cWe fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well,\u201d he said.<\/p>\n<p>This statement aligns with Microsoft\u2019s assessment: \u201cInvestigations into other actors also using these exploits are still ongoing. With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems.\u201d<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft has confirmed three China-based threat groups have been actively exploiting CVE-2025-53770 and CVE-2025-53771, two critical and high-severity vulnerabilities in internet-facing SharePoint servers. The chained exploitation of these two bugs has been dubbed \u2018ToolShell\u2019 by the cybersecurity community. 
In a new blog posted on July 22, Microsoft Threat Intelligence confirmed that these groups include Linen<\/p>\n","protected":false},"author":2,"featured_media":1531,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1530","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1530-d659f103-a596-4c4c-86e1-b9217ebe7885.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1530-d659f103-a596-4c4c-86e1-b9217ebe7885-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1530-d659f103-a596-4c4c-86e1-b9217ebe7885.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1530-d659f103-a596-4c4c-86e1-b9217ebe7885.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1530-d659f103-a596-4c4c-86e1-b9217ebe7885.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1530-d659f103-a596-4c4c-86e1-b9217ebe7885.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1530-d659f103-a596-4c4c-86e1-b9217ebe7885.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1530-d659f103-a596-4c4c-86e1-b9217ebe7885.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1530-d659f103-a596-4c4c-86e1-b9217ebe7885.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1530-d659f103-a596-4c4c-86e1-b9217ebe7885.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1530-d659f103-a596-4c4c-86e1-b9217ebe7885-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/h
enry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/1530","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=1530"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/1530\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/1531"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=1530"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=1530"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=1530"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
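Editor's added example, not code from the article, from Microsoft or from any of the vendors quoted: the article reports that Storm-2603 is stealing MachineKeys through the on-premises SharePoint vulnerabilities, and a stolen key stays valid after the patch is installed. The script below rotates the ASP.NET machine keys of every SharePoint web application in the farm and restarts IIS so the new keys take effect. It assumes SharePoint Server 2016 or later (where the Update-SPMachineKey cmdlet exists), an elevated SharePoint Management Shell session on a farm server, and a farm administrator account; the July 2025 security update must already be installed, otherwise the rotated keys can simply be stolen again.

```powershell
# Added example (not from the article or from Microsoft): rotate ASP.NET machine
# keys on every SharePoint web application after patching, then restart IIS.
#
# Assumptions (not stated on the page): SharePoint Server 2016 or later, an
# elevated shell on a farm server, a farm administrator account, and the
# security update for CVE-2025-53770 / CVE-2025-53771 already installed.
# Why: a patch alone does not invalidate a MachineKey an attacker already copied;
# until the key is rotated they can keep signing their own ViewState payloads.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# Central Administration is a web application with its own keys, so include it.
$webApps = Get-SPWebApplication -IncludeCentralAdministration

foreach ($webApp in $webApps) {
    Write-Host ("Rotating machine key for {0}" -f $webApp.Url)
    # Triggers SharePoint's machine key rotation job for this web application,
    # which generates new ValidationKey/DecryptionKey values for the farm.
    Update-SPMachineKey -WebApplication $webApp
}

# Restart IIS on this server so worker processes load the rotated keys.
# Run iisreset on every SharePoint server in the farm, not just this one.
iisreset.exe
```

Rotate keys after the update, never before: rotating on an unpatched server only hands the attacker a fresh key. After the restart, any web shell or scheduled task that was planted while the old key was valid still has to be found and removed; key rotation closes the forged-ViewState path but does not clean up persistence that was already established.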