Microsoft has linked Chinese state-backed groups, Linen Typhoon and Violet Typhoon, to widespread attacks exploiting SharePoint vulnerabilities (CVE-2025-49706, CVE-2025-49704, and CVE-2025-53770). These flaws, part of the ToolShell exploit chain, have compromised at least 400 servers across 148 organizations globally, including U.S. agencies like the National Nuclear Security Administration and Department of Education.
After breaching a server, the attackers use Mimikatz to steal credentials, move laterally with tools like PsExec and Impacket, and then deploy Warlock ransomware. Shadowserver reports that over 420 vulnerable SharePoint servers remain exposed. While Microsoft confirms the ransomware deployment, the attackers' exact motives remain unclear. Urgent patching and mitigation measures are advised to prevent further exploitation.
