Date: 2025-07-23

Microsoft’s cybersecurity analysts have confirmed that Chinese state-sponsored actors are behind a series of recent attacks on SharePoint servers. Three distinct espionage groups have been observed conducting the hacks.

Cybersecurity authorities globally are warning that a critical SharePoint remote code execution (RCE) vulnerability chain has been actively exploited. The flaws grant attackers total access without any authentication.

Network defenders must act to protect the servers by installing recently released patches, rotating keys, and taking other steps, as detailed by Microsoft and other security firms.

The Redmond giant traced the exploitation campaigns back to China.

“Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities targeting internet-facing SharePoint servers,” the firm said in a report.

“In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities.”

It seems that other actors are also using these exploits, and investigations are still ongoing. Thousands of SharePoint servers remain exposed on the open internet, many of them potentially still vulnerable.

What do we know about the three Chinese hacking groups?

The identified state-sponsored threat actors are known for their sophisticated cyber espionage tactics when targeting various industries.

Linen Typhoon (aka APT27, Emissary Panda, Bronze Union, Budworm) has been active since 2012 and focuses on stealing intellectual property. It primarily targets organizations related to government, defense, strategic planning, and human rights. These hackers typically rely on existing exploits and drive-by compromises to breach organizations.

Violet Typhoon (aka APT31, Bronze Vinewood, Judgment Panda, Zirconium), active since 2015, specializes in espionage. It has primarily targeted former government and military personnel, non-governmental organizations (NGOs), think tanks, higher education, digital and print media, and financial and health-related organizations.

Storm-2603 has been observed deploying Warlock and LockBit ransomware in the past. Microsoft is currently unable to assess the threat actor’s objectives confidently, and assesses with medium confidence that it is a China-based threat actor.

All three threat actors have been conducting reconnaissance and exploitation of on-premises SharePoint servers, sending POST requests to the ToolPane endpoint.

“In observed attacks, threat actors send a crafted POST request to the SharePoint server, uploading a malicious script named spinstall0.aspx. Actors have also modified the file name in a variety of ways, such as spinstall.aspx, spinstall1.aspx, spinstall2.aspx, etc.” Microsoft said, detailing the attack chain.

“The spinstall0.aspx script contains commands to retrieve MachineKey data and return the results to the user through a GET request, enabling the theft of the key material by threat actors.”
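For defenders, the two behaviors Microsoft describes (a POST to the ToolPane endpoint, then requests for a spinstall*.aspx file) can be hunted in IIS W3C logs. The following is an added example, not code from Microsoft or from this article; the log excerpt, paths and IP addresses are constructed, and the file-name pattern covers only the variants quoted above.

```python
import re

# Constructed IIS W3C excerpt for illustration; paths and IPs are made up.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-20 10:01:02 GET /sites/demo/Home.aspx - 198.51.100.7 200
2025-07-20 10:03:10 POST /sites/demo/ToolPane.aspx - 203.0.113.9 200
2025-07-20 10:03:12 GET /sites/demo/spinstall0.aspx - 203.0.113.9 200
2025-07-20 10:05:40 GET /sites/demo/spinstall2.aspx - 192.0.2.44 404
2025-07-20 10:06:00 GET /sites/demo/ToolPane.aspx - 198.51.100.7 200
"""

# spinstall.aspx, spinstall0.aspx, spinstall1.aspx, ... as named in the report.
# Other renames ("modified in a variety of ways") will not match this pattern.
SPINSTALL = re.compile(r"(^|/)spinstall\d*\.aspx$", re.IGNORECASE)

def parse_w3c(text):
    """Yield one dict per request, using the #Fields: header for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_hits(text):
    """Return (kind, client_ip, uri_stem, status) tuples worth triaging."""
    hits, posted = [], set()  # posted: client IPs that POSTed to ToolPane
    for rec in parse_w3c(text):
        stem, ip = rec.get("cs-uri-stem", ""), rec.get("c-ip", "-")
        status = rec.get("sc-status", "")
        if rec.get("cs-method") == "POST" and "toolpane" in stem.lower():
            posted.add(ip)
            hits.append(("toolpane-post", ip, stem, status))
        elif SPINSTALL.search(stem):
            if status.startswith("2"):  # file exists and was served
                kind = "webshell-served-after-post" if ip in posted else "webshell-served"
            else:
                kind = "webshell-probe"
            hits.append((kind, ip, stem, status))
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(*hit)
```

A 2xx response for a spinstall file means the script was present on the server, so that host should be handled as compromised, including the key rotation mentioned earlier, not just patched.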

CNBC reports that hackers have already compromised the US National Nuclear Security Administration (NNSA), the agency responsible for maintaining the country’s nuclear weapons stockpile. Other confirmed victims include the US Department of Education, Florida’s Department of Revenue, and the Rhode Island General Assembly, Bloomberg reported, citing individuals familiar with the matter.

Dozens of organizations and more than 100 servers have been identified as compromised, with more likely to come.

“Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems,” the tech giant said.

The Chinese Embassy in Washington denied the allegations to Bloomberg, saying that China firmly opposes all forms of cyberattacks and smearing without solid evidence.