Microsoft Says China-Linked Hackers Used Recent Security Exploit In Hacking Spree


Authored by Jack Phillips via The Epoch Times (emphasis ours),

Microsoft said on Tuesday that it has observed Beijing-backed hackers carrying out widespread attacks against organizations that use collaboration software from the tech giant.

A member of an alleged hacking group, in a file photo. Nicolas Asfouri/AFP via Getty Images

“As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities targeting internet-facing SharePoint servers,” the Redmond, Washington-based company said in a blog post on Tuesday.

It added that “another China-based threat actor, tracked as Storm-2603,” was seen exploiting vulnerabilities in its SharePoint software, which is widely used to coordinate work on projects, documents, and other business.

“With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems,” Microsoft added.

Exploits include bypassing the program’s authentication feature and executing remote code “against vulnerable on-premises SharePoint servers,” Microsoft said.

Microsoft’s post advised customers using SharePoint to upgrade it with the latest security patches in order to stop attacks and exploits from Chinese hacking groups. It also advised that users enable Microsoft software such as Defender Antivirus and its Antimalware Scan Interface, or equivalent programs.

“Additional actors may use these exploits to target unpatched on-premises SharePoint systems, further emphasizing the need for organizations to implement mitigations and security updates immediately,” the company said.

Linen Typhoon, according to Microsoft, is accused of stealing intellectual property and is focused on organizations connected to human rights, governments, defense, and strategic planning.

Violet Typhoon has been more focused on exploiting systems related to former government and military officials, nongovernmental organizations, universities and colleges, print and digital media, and think tanks, among other sectors.

In March, the Department of Justice (DOJ) indicted two Chinese nationals accused of operating in the APT27, or Linen Typhoon, hacking group, which researchers say has many different names.

The two nationals were alleged to have hacked into U.S. companies, municipalities, and other institutions for profit, and caused millions of dollars worth of damages, the DOJ said.

Microsoft’s Tuesday post did not elaborate on the types or names of organizations that were targeted through the SharePoint vulnerability.

On Saturday, the company sent out an alert about “active attacks” on self-hosted SharePoint servers and issued an emergency fix to shut down the vulnerability, dubbing it a “zero-day” exploit because it leverages a previously undisclosed digital weakness. SharePoint instances hosted on Microsoft servers were not impacted, the company said.

The Cybersecurity and Infrastructure Security Agency has warned that the impact could be widespread and said that servers impacted by the vulnerability should be disconnected from the internet before any updates are applied. Meanwhile, private research firms have said that the vulnerability can lead to serious security breaches.

“Once inside, they can access all SharePoint content, system files, and configurations and move laterally across the Windows Domain,” Netherlands-based research company Eye Security said in a research note on the hacks.

It added that “because SharePoint often connects to core services like Outlook, Teams, and OneDrive, a breach can quickly lead to data theft, password harvesting, and lateral movement across the network.”

Reuters contributed to this report.

Tyler Durden
Wed, 07/23/2025 – 06:30
