
Insights on the Microsoft SharePoint Cyber Assaults

Global hacking attempts, attributed to state-sponsored entities and ransomware groups, are focusing on SharePoint users worldwide.


Cyber Attacks Targeting Microsoft SharePoint: Global Impact and Response

A series of cyber attacks targeting Microsoft SharePoint servers has compromised multiple federal agencies, state and local government entities, and private organizations worldwide. According to investigations by the Cybersecurity and Infrastructure Security Agency (CISA), the attacks began in early July and have escalated since.

Researchers from Censys have identified 9,717 exposed on-premises SharePoint servers, while the Shadowserver Foundation had confirmed at least three hundred compromises as of Wednesday. The attacks have affected sectors including government, critical infrastructure, healthcare, and finance.

The China-based nation-state actors identified as participating in these attacks are Linen Typhoon, Violet Typhoon, and Storm-2603. Linen Typhoon and Violet Typhoon are established Chinese government-backed hacking groups, named by Microsoft according to its "Typhoon" convention for known Chinese cyber threat units. Storm-2603 is an emerging group that Microsoft assesses with medium confidence to be a China-based threat actor.

These groups targeted on-premises versions of SharePoint Server 2016, 2019, and Subscription Edition, exploiting the SharePoint vulnerabilities to bypass multifactor authentication and deploy persistent backdoors for data theft and cryptographic key exfiltration. The campaign has affected dozens of organizations globally.

Microsoft and cybersecurity firms such as Mandiant have confirmed the attribution and emphasized the severity and scale of these coordinated attacks from state-backed Chinese actors. In response, Microsoft has released security updates to protect customers against CVE-2025-53770 and CVE-2025-53771.

The Department of Health and Human Services and the Department of Energy have confirmed that they were hacked, with the intrusion affecting DOE components including the National Nuclear Security Administration. Researchers at Rapid7 have posted an exploit module on GitHub for CVE-2025-53770 and CVE-2025-53371.

Microsoft customers are advised to configure Antimalware Scan Interface (AMSI) integration, rotate the SharePoint Server ASP.NET machine keys, and restart Internet Information Services (IIS) on all SharePoint servers after completing the upgrades. Attackers stole machine keys in the early phase of the attacks, and keys stolen before patching remain usable until they are rotated, which is why patching alone is not enough.
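The post-upgrade steps above as a script, added here and not taken from the article or from Microsoft's own guidance. It assumes the SharePoint Management Shell on one server of an already patched farm, farm-administrator rights, WinRM access to the other farm servers, and a MinimumBuild value that you fill in from the KB article for your edition (a placeholder, not a value from this page).

```powershell
# Added example: rotate SharePoint machine keys and restart IIS farm-wide.
# Run from the SharePoint Management Shell with farm-administrator rights.
param(
    # Placeholder: the patched build number from Microsoft's KB for your edition.
    [Parameter(Mandatory = $true)]
    [version]$MinimumBuild
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Refuse to rotate keys on an unpatched farm: a fresh key generated on a
#    still-vulnerable server can simply be stolen again.
$farm = Get-SPFarm
if ($farm.BuildVersion -lt $MinimumBuild) {
    throw "Farm build $($farm.BuildVersion) is below $MinimumBuild; install the update first."
}

# 2. AMSI integration is enabled in Central Administration (Security page)
#    and is not scripted here.

# 3. Rotate the ASP.NET machine keys of every web application, including
#    Central Administration. Update-SPMachineKey is the cmdlet behind the
#    'Machine Key Rotation Job' timer job.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine keys for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# 4. Restart IIS on every SharePoint server so no worker process keeps using
#    the old (possibly stolen) keys. Role 'Invalid' marks non-SharePoint
#    servers in the farm (e.g. SQL), which are skipped. Assumes WinRM.
$spServers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
foreach ($server in $spServers) {
    Write-Host "Restarting IIS on $($server.Address)"
    if ($server.Address -ieq $env:COMPUTERNAME) {
        iisreset.exe
    } else {
        Invoke-Command -ComputerName $server.Address -ScriptBlock { iisreset.exe }
    }
}
```

Run it once per farm, not once per server; the key rotation is farm-wide, and only the IIS restart has to reach each server.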

The attacks exploit vulnerabilities tracked as CVE-2025-49704 and CVE-2025-49706. It is important to note that while DHS has confirmed that it was hacked, there is no evidence that the hackers exfiltrated data from any of its components.

In conclusion, the ongoing cyber attacks targeting Microsoft SharePoint servers pose a significant threat to organizations globally. It is crucial for affected organizations to take immediate action to secure their servers and protect their data from potential breaches.

  1. The global impact of the cyber attacks targeting Microsoft SharePoint servers has been substantial, compromising various federal agencies, state and local government entities, and private organizations worldwide.
  2. Researchers from Censys and the Shadowserver Foundation have identified numerous exposed SharePoint servers and confirmed hundreds of compromises, indicating how widespread the attacks are.
  3. These attacks are attributed to Chinese state-backed hacking groups, including Linen Typhoon, Violet Typhoon, and Storm-2603, with Linen Typhoon and Violet Typhoon being established Chinese government-backed actors.
  4. The attacks exploit vulnerabilities in on-premises versions of SharePoint Server 2016, 2019, and Subscription Edition, bypassing multifactor authentication and deploying persistent backdoors for data theft and cryptographic key exfiltration.
  5. In response to these attacks, Microsoft has released security updates to protect customers against CVE-2025-53770 and CVE-2025-53771, and has advised Microsoft customers to take specific measures to secure their servers.
