Three Chinese groups identified as attackers on SharePoint servers

An analysis by Microsoft names three different groups from China as the attackers behind the latest SharePoint vulnerability. But it is unlikely to stop there.

In the red light: one hand on the keyboard, the other hand on the cell phone

(Image: Katya Rekina/Shutterstock.com)


Microsoft has identified three different groups from China that have carried out the recent ToolShell attacks on SharePoint servers. According to the software company, two of these groups are linked to the Chinese government. The attackers exploited the serious "ToolShell" vulnerability in self-hosted versions of Microsoft SharePoint and may have obtained sensitive data and passwords as well as access to connected systems.

Just a few days ago, this previously unknown vulnerability was discovered in the on-premises versions of SharePoint, and no patch was initially available. Microsoft has since released the first patches for ToolShell, but apparently 100 organizations had already been compromised over the weekend. According to initial investigations by the security firm Check Point, dozens of government institutions as well as telecommunications and software companies in North America and Western Europe were targeted by these attacks.

Microsoft counts the two Chinese groups "Linen Typhoon" and "Violet Typhoon" among the first attackers; they are reportedly supported by the government in Beijing and have exploited the weaknesses in Internet-facing SharePoint servers. A third group from China named by Microsoft is "Storm-2603", which also carried out ToolShell attacks. Investigations are still ongoing to identify further attackers. Microsoft expects further attacks on unpatched SharePoint systems, so updates should be applied urgently.


However, patching alone is not enough after attacks on Microsoft SharePoint: closing the gaps may not be sufficient against the current ToolShell attacks if the attackers have already gained access to the system. It is therefore essential to determine whether an attack has actually taken place and perhaps even succeeded. For detection, Microsoft recommends its own Defender Antivirus and the "Antimalware Scan Interface" (AMSI), but administrators should also rotate the ASP.NET machine keys of the SharePoint servers and restart "Internet Information Services" (IIS).
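As an added worked example (not code from the article or from Microsoft), the following script carries out the three steps above on a farm server: it verifies that Defender Antivirus is active so AMSI-based detection can fire, rotates the ASP.NET machine keys for every web application, and restarts IIS. It assumes it is run in the SharePoint Management Shell as a farm administrator and that the Set-SPMachineKey and Update-SPMachineKey cmdlets are available on the installed build; Get-MpComputerStatus and iisreset.exe are standard Windows tools.

```powershell
# Added example, not from the article or from Microsoft's own guidance.
# Assumptions: run as a farm administrator in the SharePoint Management Shell;
# Set-SPMachineKey / Update-SPMachineKey exist on this SharePoint build.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Detection prerequisite: Defender Antivirus must be running with real-time
#    protection, otherwise SharePoint's AMSI integration has nothing to hand scans to.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
    Write-Warning "Defender AV or real-time protection is off; AMSI-based detection will not fire."
}
Write-Host ("Defender signatures last updated: {0}" -f $mp.AntivirusSignatureLastUpdated)

# 2. Rotate the ASP.NET machine keys for every web application in the farm,
#    including Central Administration. Keys read from a compromised server stay
#    valid after patching, which is why patching alone is not enough.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($webApp in $webApps) {
    Write-Host "Rotating machine keys for $($webApp.Url)"
    Set-SPMachineKey    -WebApplication $webApp   # generate new keys   (assumed cmdlet)
    Update-SPMachineKey -WebApplication $webApp   # deploy to all servers (assumed cmdlet)
}

# 3. Restart IIS so the worker processes load the new keys and drop any
#    in-memory state left behind by an earlier intrusion.
iisreset.exe
Write-Host "Machine keys rotated for $($webApps.Count) web application(s); IIS restarted."
```

Run it on one server per farm after the patch is installed; the key rotation is farm-wide, but the Defender check and the IIS restart apply only to the server the script runs on, so repeat those on every front-end.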

The US cybersecurity agency CISA has now added the SharePoint vulnerability to its catalog of known exploited vulnerabilities. Listed as CVE-2025-53770, the vulnerability allows the execution of foreign code on the attacked systems. "This attack activity, known as 'ToolShell', allows unauthenticated access to systems and enables malicious actors to gain full access to SharePoint content, including file systems and internal configurations, as well as execute code over the network," writes CISA.

At the same time, the cyber security authority praises the software company for the immediate action taken. "Microsoft is responding quickly, and we are working with the company to inform potentially affected organizations of recommended actions," it continues. "CISA recommends that all organizations with on-premises Microsoft SharePoint servers take the recommended actions immediately."

(fds)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.