
On July 7, 2025, Microsoft officially linked the exploitation of security flaws in Internet-facing SharePoint Server instances to two Chinese hacking groups, Linen Typhoon and Violet Typhoon, corroborating an earlier report.
The tech giant also observed a third China-based threat actor, tracked as Storm-2603, weaponizing the flaws to gain initial access to target organizations.
“With the rapid adoption of these exploits, Microsoft is confident that threat actors will continue to integrate them into attacks against unpatched on-premises SharePoint systems,” the tech giant said in a report released today.

A brief description of the threat activity clusters is given below –
Linen Typhoon (aka APT27, Bronze Union, Emissary Panda, Iodine, Lucky Mouse, Red Phoenix, and UNC215) has been active since 2012 and has been attributed malware families such as SysUpdate, HyperBro, and PlugX. Violet Typhoon has been active since 2015. Storm-2603 was previously attributed to attacks in the US, Finland and the Czech Republic.
The attacks against on-premises SharePoint servers have been found to take advantage of incomplete fixes for the spoofing flaw CVE-2025-49706 and the remote code execution bug CVE-2025-49704. The bypasses are assigned CVE-2025-53771 and CVE-2025-53770, respectively.

In the attacks observed by Microsoft, threat actors targeted on-premises SharePoint servers with POST requests to the ToolPane endpoint, resulting in authentication bypass and remote code execution.
As other cybersecurity vendors have reported, the infection chain paves the way for the deployment of a web shell named “Spinstall0.aspx” (also seen as Spinstall.aspx, Spinstall1.aspx, or Spinstall2.aspx), which lets adversaries retrieve and steal ASP.NET MachineKey data.
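The two observable artifacts the paragraph above describes (POST requests to the ToolPane endpoint and requests for a web shell named Spinstall0.aspx or a variant) both land in the IIS W3C access logs of the SharePoint server. The following is an added example, not code from the original article or from Microsoft, that parses such a log using its #Fields header and flags both patterns; the log excerpt, IP addresses and usernames are constructed for illustration. A POST to ToolPane.aspx is also part of normal SharePoint page editing, so the function reports it as a lead to correlate (same client also touching a spinstall*.aspx file, unauthenticated source, unusual user agent) rather than as a verdict, and the file-name rule only catches shells that keep the reported name.

```python
"""Scan IIS W3C logs for the SharePoint exploitation artifacts described above."""
import re
from dataclasses import dataclass

# Constructed sample IIS W3C log excerpt (illustrative, not a real capture).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2025-07-19 10:01:02 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 alice 10.0.0.21 Mozilla/5.0 200 120
2025-07-19 10:01:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0 200 540
2025-07-19 10:01:15 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 curl/8.0 200 35
2025-07-19 10:02:00 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 bob 10.0.0.22 Mozilla/5.0 200 90
"""

# Matches the reported web shell name and its numbered variants (spinstall.aspx, spinstall0.aspx, ...).
WEBSHELL_NAME = re.compile(r"^spinstall\d*\.aspx$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str        # "toolpane_post" or "webshell_access"
    line_no: int     # 1-based line number in the log text
    client_ip: str   # c-ip column
    method: str
    uri: str


def parse_w3c(text):
    """Yield (line_no, record) for each data line; column names come from the #Fields directive."""
    fields = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError(f"line {line_no}: data before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; IIS rotates logs mid-write occasionally
        yield line_no, dict(zip(fields, values))


def detect(text):
    """Return findings for POSTs to ToolPane.aspx and for any request to a spinstall*.aspx file."""
    findings = []
    for line_no, rec in parse_w3c(text):
        method = rec.get("cs-method", "").upper()
        uri = rec.get("cs-uri-stem", "")
        client_ip = rec.get("c-ip", "-")
        basename = uri.rsplit("/", 1)[-1]
        if method == "POST" and basename.lower() == "toolpane.aspx":
            findings.append(Finding("toolpane_post", line_no, client_ip, method, uri))
        if WEBSHELL_NAME.match(basename):
            findings.append(Finding("webshell_access", line_no, client_ip, method, uri))
    return findings


def suspicious_clients(findings):
    """Group rules by client IP so a source that both hit ToolPane and touched the shell stands out."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f.client_ip, set()).add(f.rule)
    return by_ip


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no}: {f.rule} client={f.client_ip} {f.method} {f.uri}")
    for ip, rules in suspicious_clients(hits).items():
        print(f"{ip}: {sorted(rules)}")
```

Run it against a real u_ex*.log file by replacing SAMPLE_LOG with the file contents; a client that appears under both rules within a short window is the pattern worth escalating, and the GET to ToolPane.aspx by an authenticated user in the sample is deliberately left unflagged.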

To mitigate the risk posed by these threats, users should apply the latest updates for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Server 2016, rotate the SharePoint Server ASP.NET machine keys, restart Internet Information Services (IIS), and deploy Microsoft Defender for Endpoint or an equivalent solution.
We also recommend integrating and enabling the Antimalware Scan Interface (AMSI) and Microsoft Defender (or a similar solution) for all on-premises SharePoint deployments, and configuring AMSI to Full Mode.
“Additional actors may use these exploits to target unpatched on-premises SharePoint systems, which further highlights the need for organizations to implement mitigations and security updates immediately,” Microsoft said.