Chinese hackers are exploiting SharePoint vulnerabilities, Microsoft says

The bugs, which affect on-premises SharePoint deployments, are being exploited by at least two Chinese nation-state hacking units, the company said. Patches have been issued for all affected versions of SharePoint.
Chinese government-aligned hackers have exploited a batch of vulnerabilities recently disclosed in on-premises versions of Microsoft SharePoint, the tech giant said in a blog post Tuesday.
Two major China-linked groups named Linen Typhoon and Violet Typhoon have been found leveraging the vulnerabilities, which were publicly disclosed over the weekend. A third entity, dubbed Storm-2603, has also been identified, and is assessed with “medium confidence” to be a China-based group, the company said.
The Typhoon label comes from Microsoft’s naming convention for cyber threat units. “Typhoon” designates known Chinese hacking collectives tracked by the company, while “Storm” is a temporary label for clusters of activity that Microsoft has not yet attributed to a named group.
“With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems,” the Tuesday blog says.
The issue centers on three SharePoint products run on customer infrastructure and does not affect Microsoft 365 cloud environments. The flaws affect SharePoint Enterprise Server 2016 and 2019, as well as SharePoint Server Subscription Edition. Microsoft has since issued patches for all three.
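Because the patches are only effective once installed on every server in the farm, the first thing an administrator will want is a quick way to see what build the farm is actually running. The script below is an added example, not code from the article or from Microsoft. It assumes the SharePoint Management Shell snap-in is present on a farm server and that the reader supplies the minimum patched build number for their edition from Microsoft's own advisory; the script does not hard-code any build number.

```powershell
# Added example: report the farm's build and compare it with a patched build
# supplied by the operator. Run from an elevated SharePoint Management Shell.
param(
    # Minimum build that contains the fix for this edition. Assumption: the
    # operator looks this up in Microsoft's advisory; it is not embedded here.
    [Parameter(Mandatory = $true)]
    [version]$MinimumBuild
)

# Load the SharePoint cmdlets if the session does not already have them.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
}

# Get-SPFarm exposes the farm-wide build as a System.Version.
$farm  = Get-SPFarm
$build = $farm.BuildVersion

[pscustomobject]@{
    FarmBuild    = $build
    MinimumBuild = $MinimumBuild
    Patched      = ($build -ge $MinimumBuild)
}

# List every server in the farm so that a build mismatch can be chased to a
# specific host; the farm build only advances once all servers are upgraded.
Get-SPServer | Select-Object Name, Role, Status
```

Run it as `.\Check-SPBuild.ps1 -MinimumBuild 16.0.0.0` with the real patched build substituted. A `Patched = False` result, or a server whose `Status` is not `Online`, means the farm is still in the population that Mainz describes below as unpatched and should be treated as exposed.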
Google threat intelligence analysts identified the Chinese presence a day ago, a top executive said in an earlier statement.
“We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor,” Charles Carmakal, the CTO of Google Cloud’s Mandiant unit, said.
“It's critical to understand that multiple actors are now actively exploiting this vulnerability. We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well,” he added.
"Cyberspace is characterized by strong virtuality, difficulty in tracing origins, and diverse actors, making the tracing of cyber attacks a complex technical issue. We hope that relevant parties will adopt a professional and responsible attitude when characterizing cyber incidents, basing their conclusions on sufficient evidence rather than unfounded speculation and accusations," a spokesperson for China’s embassy in Washington, D.C. said.
The vulnerability is under active review by threat intelligence researchers as some have found evidence that U.S. government systems have been exposed and potentially compromised. Other global governments are also in the crosshairs, according to earlier released threat intelligence.
The bugs are “zero-days,” so called because attackers were exploiting them before Microsoft had a fix available, leaving defenders zero days of warning. Hackers exploit them by sending specially crafted requests to a SharePoint server, which mishandles that input and lets them run code of their choosing on the server. From there, sensitive information can be stolen, or the foothold used to reach other systems that are not directly exposed.
Within a week, about 80% of exposed systems will have patches installed that prevent the bugs from being further leveraged, Barry Mainz, CEO of cybersecurity services provider Forescout, said in an interview with Nextgov/FCW.
“You still got 20% [unpatched], right?” he said. “The regulated companies are a little bit more rigorous — so banking, brokerage, insurance, healthcare — and they may force updates,” he said, later adding that “the farther you go down market, for the smaller companies, they tend to have less rigor on processes and procedures.”
The U.S. federal government, as well as thousands of state and local governments, rely heavily on Microsoft products. For the federal enterprise, Microsoft is predominantly used across civilian and defense agencies for routine tasks like file sharing, internal messaging, records management and remote collaboration.
“There’ll be a blast radius here. I think it’ll be a little bit less than some of the other things we’ve seen recently. But there’ll still be a blast radius,” Mainz said.
Editor's note: This article has been updated to include a comment from the Chinese embassy.