In a recent disclosure, Microsoft has identified that three Chinese state-sponsored hacking groups—Linen Typhoon, Violet Typhoon, and Storm-2603—have been actively exploiting vulnerabilities in on-premises SharePoint Server instances since at least July 7, 2025. These groups have been leveraging flaws in SharePoint to gain unauthorized access to various organizations, underscoring the persistent threat posed by nation-state actors to global cybersecurity.
Background on the Threat Actors:
– Linen Typhoon (APT27): Active since 2012, this group has a history of targeting sectors such as government, defense, strategic planning, and human rights organizations. They are known for deploying malware families like SysUpdate, HyperBro, and PlugX.
– Violet Typhoon (APT31): Since 2015, Violet Typhoon has focused on espionage activities, primarily targeting former government and military personnel, NGOs, think tanks, higher education institutions, and media outlets across the United States, Europe, and East Asia. Their tactics often involve scanning for vulnerabilities in web infrastructures to install web shells.
– Storm-2603: Assessed with medium confidence to be a China-based threat actor, Storm-2603 has previously deployed ransomware such as Warlock and LockBit. Their current objectives remain under investigation.
Exploitation Details:
The vulnerabilities in question are related to incomplete fixes for CVE-2025-49706 (a spoofing flaw) and CVE-2025-49704 (a remote code execution bug). The bypasses for these vulnerabilities have been assigned the identifiers CVE-2025-53771 and CVE-2025-53770, respectively. Attackers have been observed exploiting these flaws by sending crafted POST requests to the ToolPane endpoint of SharePoint servers, leading to authentication bypasses and remote code execution.
Post-exploitation activities have included the deployment of a web shell named spinstall0.aspx (with variations such as spinstall.aspx, spinstall1.aspx, or spinstall2.aspx). This web shell enables attackers to retrieve and steal MachineKey data, facilitating further unauthorized access and potential data exfiltration.
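The two indicators described above (web shell files named spinstall*.aspx under the SharePoint LAYOUTS directory, and POST requests to the ToolPane endpoint in IIS logs) can be hunted for with a short script. The following is an added example written for this page, not a script from Microsoft's disclosure; the LAYOUTS and IIS log paths are assumed defaults, the `/_layouts/15/ToolPane.aspx` path is an assumption based on the "ToolPane endpoint" wording, and the W3C log lines are constructed sample input.

```powershell
# Added example (not from Microsoft's advisory): hunt for the indicators the
# disclosure describes on an on-premises SharePoint server.
# Assumptions: default 16-hive LAYOUTS path, default IIS log directory,
# ToolPane served at /_layouts/15/ToolPane.aspx; sample log lines are constructed.

$LayoutsPath = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
$IisLogPath  = 'C:\inetpub\logs\LogFiles'

# 1. Web shell names from the disclosure: spinstall0.aspx and its variants
#    (spinstall.aspx, spinstall1.aspx, spinstall2.aspx, ...).
$ShellNamePattern = '^spinstall\d?\.aspx$'

function Find-SuspiciousLayoutFiles {
    param([string]$Path = $LayoutsPath)
    if (-not (Test-Path $Path)) { return @() }
    Get-ChildItem -Path $Path -Recurse -File -Filter '*.aspx' |
        Where-Object { $_.Name -match $ShellNamePattern } |
        Select-Object FullName, LastWriteTimeUtc, Length
}

# 2. Parse IIS W3C log lines and return POST requests to the ToolPane endpoint.
function Find-ToolPanePosts {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # The #Fields: directive names the columns of the lines that follow.
            $fields = ($line.Substring(8).Trim() -split '\s+')
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split '\s+'
        if ($fields.Count -eq 0 -or $values.Count -ne $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['cs-method'] -eq 'POST' -and $row['cs-uri-stem'] -match '/ToolPane\.aspx$') {
            [pscustomobject]@{
                Time     = "$($row['date']) $($row['time'])"
                ClientIp = $row['c-ip']
                Uri      = $row['cs-uri-stem']
                Status   = $row['sc-status']
            }
        }
    }
}

# Constructed sample log (not real traffic) showing the input shape the parser expects.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 10:15:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\user 10.0.0.20 Mozilla/5.0 - 200 0 0 120
2025-07-18 10:15:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 310
'@ -split "`r?`n"

# Against the sample, only the second request (unauthenticated POST to ToolPane) is reported.
Find-ToolPanePosts -Lines $SampleLog | Format-Table -AutoSize

# Against the real server:
# Get-ChildItem $IisLogPath -Recurse -Filter '*.log' |
#     ForEach-Object { Find-ToolPanePosts -Lines (Get-Content $_.FullName) }
# Find-SuspiciousLayoutFiles
```

Any hit from either function is a reason to treat the server as compromised rather than merely unpatched: the web shell's purpose is to read the MachineKey, so finding it means the key rotation in the mitigation steps is mandatory, not optional.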
Mitigation Recommendations:
To protect against these exploits, Microsoft recommends the following actions:
1. Apply Security Updates: Ensure that the latest updates for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016 are applied promptly.
2. Rotate Machine Keys: Change the ASP.NET machine keys on SharePoint servers to invalidate any keys that may have been compromised.
3. Restart IIS: Restart Internet Information Services (IIS) to apply configuration changes effectively.
4. Deploy Endpoint Protection: Utilize Microsoft Defender for Endpoint or equivalent solutions to detect and prevent malicious activities.
5. Enable AMSI and Antivirus Solutions: Integrate and enable Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus (or similar solutions) for all on-premises SharePoint deployments, configuring AMSI to operate in Full Mode.
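Steps 2 and 3 of the list above are the ones most often done incompletely, because the keys must be rotated for every web application in the farm before IIS is restarted. The script below is an added example for this page, not Microsoft's own tooling; it assumes an elevated SharePoint Management Shell on a SharePoint Server 2019 or Subscription Edition server where the `Set-SPMachineKey` and `Update-SPMachineKey` cmdlets are available, and it does not attempt the AMSI configuration of step 5, which is done through the product's own settings.

```powershell
# Added example (not Microsoft's own script): rotate the ASP.NET machine keys for
# every web application in the farm, then restart IIS (steps 2 and 3 above).
# Assumption: run as a farm administrator from an elevated SharePoint Management
# Shell on SharePoint Server 2019 / Subscription Edition.

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Invoke-MachineKeyRotation {
    # Returns the URLs of the web applications whose keys were rotated,
    # so the result can be recorded in the incident log.
    $rotated = @()
    foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
        # Generate new validation and decryption keys for this web application...
        Set-SPMachineKey -WebApplication $webApp
        # ...and apply them to the web.config on every server in the farm.
        Update-SPMachineKey -WebApplication $webApp
        $rotated += $webApp.Url
    }
    return $rotated
}

$rotated = Invoke-MachineKeyRotation
Write-Host "Rotated machine keys for: $($rotated -join ', ')"

# Step 3: restart IIS so the new keys (and the patched binaries) take effect.
iisreset.exe
```

Rotate the keys only after the security update is installed; rotating first and patching afterwards leaves a window in which an attacker who still has the web shell can read the new keys as easily as the old ones.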
Microsoft emphasizes the urgency of implementing these mitigations, as additional threat actors may exploit these vulnerabilities to target unpatched on-premises SharePoint systems.
Broader Implications:
This incident highlights the ongoing challenges in securing widely used enterprise software against sophisticated nation-state actors. The exploitation of SharePoint vulnerabilities by Chinese hacking groups is part of a broader pattern of cyber espionage activities aimed at stealing intellectual property and sensitive information.
Organizations are urged to adopt a proactive approach to cybersecurity, including regular patch management, continuous monitoring for suspicious activities, and comprehensive incident response planning. Collaboration between the public and private sectors is essential to enhance collective defense mechanisms against such persistent threats.
Conclusion:
The identification of Linen Typhoon, Violet Typhoon, and Storm-2603 as perpetrators of ongoing SharePoint exploits underscores the critical need for organizations to remain vigilant and proactive in their cybersecurity efforts. By implementing the recommended mitigations and maintaining a robust security posture, organizations can better defend against the evolving tactics of nation-state actors and protect their sensitive data from unauthorized access.