Subj : MS SharePoint server hack
To : All
From : Mike Powell
Date : Tue Jul 22 2025 10:26 am
Microsoft SharePoint server hack sees Chinese threat actor hit roughly 100 orgs - here's what we know so far
Date:
Tue, 22 Jul 2025 10:51:51 +0000
Description:
A recently discovered SharePoint security flaw has been exploited by threat
actors.
FULL STORY
A cyberespionage campaign exploiting the recently-revealed Microsoft
SharePoint issue has targeted roughly 100 organizations, compromising server
software and primarily hitting government agencies in the US and Germany,
experts have warned.
Google released a statement in which it attributed at least some of the
attacks to a China-Nexus threat actor, and warned against further expansion
of the threat.
Microsoft recently released urgent security patches to address a zero-day
vulnerability affecting SharePoint servers, which has been abused in attacks
since July 18, with victims reportedly including a private energy operator in
California as well as a private fintech firm in New York.
China-Nexus threat actors
The attacks saw hackers extract cryptographic keys from servers that are run
by Microsoft clients. The keys would then let them install pretty much
anything - including malware or backdoors that hackers could use to return.
Only SharePoint versions that are hosted by the customer, rather than the
cloud, are vulnerable. These types of attacks could allow attackers to steal
corporate secrets or install ransomware to encrypt key files.
"We assess that at least one of the actors responsible for this early
exploitation is a China-nexus threat actor," said Charles Carmakal, chief
technology officer of Google's Mandiant Consulting.
"It's critical to understand that multiple actors are now actively exploiting
this vulnerability. We fully anticipate that this trend will continue, as
various other threat actors, driven by diverse motivations, will leverage
this exploit as well," he continued.
Researchers say that so far, the attacks can be attributed to a single hacker
or a set of hackers, rather than a large number - but there has been a broad
range of targets, and a vast number of potential targets - with some
researchers estimating up to 8,000 vulnerable servers.
Whilst the update should prevent new intrusions, users will also need to
rotate machine keys, search for any breaches that may already have occurred,
and deploy Antimalware Scan Interface (AMSI) as well as antivirus software.
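The remediation steps listed above (patch, rotate the ASP.NET machine keys, then hunt for prior compromise) are the part an administrator actually has to carry out. The following PowerShell is an added example for this post, not code from the article or from Microsoft; it assumes the SharePoint Server management snap-in is available on the server, that the `Update-SPMachineKey` cmdlet accepts a `-WebApplication` parameter, and that the patch has already been installed. Run it from an elevated SharePoint Management Shell.

```powershell
# Added example: rotate ASP.NET machine keys for every SharePoint web application
# after the security update has been applied. Rotation invalidates any keys an
# intruder may have extracted, so patching alone is not sufficient.
# Assumptions: Microsoft.SharePoint.PowerShell snap-in is present and
# Update-SPMachineKey takes -WebApplication (hypothetical if your build differs).

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Rotate keys for each web application and record the outcome for the incident log.
$results = foreach ($webApp in Get-SPWebApplication) {
    try {
        Update-SPMachineKey -WebApplication $webApp -ErrorAction Stop
        [pscustomobject]@{ WebApplication = $webApp.DisplayName; Rotated = $true;  Error = $null }
    } catch {
        [pscustomobject]@{ WebApplication = $webApp.DisplayName; Rotated = $false; Error = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

# New keys only take effect once the worker processes restart.
if ($results | Where-Object { $_.Rotated }) {
    iisreset.exe
}

# Any web application that failed to rotate keeps potentially stolen keys in service;
# surface those explicitly so they are not missed during the breach hunt.
$failed = $results | Where-Object { -not $_.Rotated }
if ($failed) {
    Write-Warning ("Machine key rotation failed for: " + (($failed.WebApplication) -join ', '))
}
```

Rotation should be repeated on every server in the farm and followed by the breach hunt the article describes; enabling AMSI integration and antivirus on the server is a separate step that this script does not perform.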
======================================================================
Link to news story:
https://www.techradar.com/pro/security/microsoft-sharepoint-server-hack-sees-chinese-threat-actor-hit-roughly-100-orgs-heres-what-we-know-so-far
--- SBBSecho 3.28-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)