Microsoft vs. The Typhoon Trio: China-Linked Hackers Exploit SharePoint Flaws!
Microsoft reveals Chinese hacking groups, Linen Typhoon and Violet Typhoon, exploiting SharePoint Server flaws faster than a cheetah on a caffeine rush. They even spotted a third actor, Storm-2603, joining the party. Microsoft warns everyone to patch up their SharePoint servers pronto, or risk becoming the unwilling hosts of this digital dance-off.

Hot Take:
Microsoft vs. China: Round Two! In a plot twist worthy of a spy thriller, Microsoft is pointing the finger at not one, but two Chinese hacking groups (with a surprise third guest) for exploiting SharePoint Server vulnerabilities. It’s like a twisted version of the Olympics, where the gold medal goes to whoever can hack into the most SharePoint servers without getting caught. Watch out, world! Because when Linen Typhoon, Violet Typhoon, and Storm-2603 are in the mix, even Microsoft has its work cut out for it.
Key Points:
- Microsoft identifies two Chinese hacking groups, Linen Typhoon and Violet Typhoon, exploiting SharePoint vulnerabilities.
- A third group, Storm-2603, also joins the SharePoint hacking party, deploying ransomware like Warlock and LockBit.
- Vulnerabilities involve incomplete fixes for CVE-2025-49706 and CVE-2025-49704, leading to CVE-2025-53771 and CVE-2025-53770.
- Threat actors use a web shell named “spinstall0.aspx” to steal MachineKey data from SharePoint servers.
- Microsoft recommends immediate updates and security measures to counter these threats.
Typhoon Trio Takes a Spin
In a move that would make even the most seasoned weatherman nervous, Microsoft has officially called out three Chinese hacking groups for exploiting SharePoint Server vulnerabilities. This isn’t just any weather pattern; it’s a full-blown cyber typhoon! Linen Typhoon and Violet Typhoon are the main storm systems, with a surprise guest appearance by Storm-2603. Forget the Weather Channel; this is the Cyber Channel, and things are about to get stormy.
SharePoint Shenanigans
Hold onto your servers, folks! The vulnerabilities affecting on-premises SharePoint servers are about as welcome as a mosquito at a nudist colony. These flaws allow for authentication bypass and remote code execution, which means hackers can waltz right in and do a little tap dance on your server. Microsoft has linked these sneaky infiltrations to incomplete fixes for earlier issues—it’s like putting a Band-Aid on a bullet wound and calling it good.
Web Shell Hijinks
The hackers have also been caught red-handed with their favorite toy: a web shell named “spinstall0.aspx.” This nifty little tool allows them to steal MachineKey data like candy from a baby. Cybersecurity researcher Rakesh Krishnan noted that the web shell uses Google’s Client Update Protocol (CUP) to blend malicious traffic with legitimate update checks. It’s the digital equivalent of wearing a disguise and sneaking into a secret club—sneaky, sneaky!
Defensive Playbook
Microsoft has laid out a game plan to tackle these cyber storms. First up, apply those SharePoint updates like they’re going out of style. Next, rotate your ASP.NET machine keys and give your IIS a much-needed restart. Don’t forget to arm your servers with Microsoft Defender for Endpoint or equivalent solutions. If you want to go for the gold, enable Antimalware Scan Interface (AMSI) in Full Mode. It’s like fortifying your castle with a moat, drawbridge, and a dragon—because why not?
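Because the web shell described above steals MachineKey data, spotting any request for it is what tells you the key rotation in this playbook is overdue rather than precautionary. The following Python is an added detection example, not code from the original post or from Microsoft: it parses IIS W3C log lines and flags requests for the web shell by file name. The log lines and their field layout are constructed sample data, and the check assumes the web shell is served under its own file name.

```python
from urllib.parse import unquote

# File name of the web shell named in the post; any request for it is a
# strong indicator that the server has already been compromised.
WEB_SHELL_NAME = "spinstall0.aspx"

# Constructed sample IIS W3C log (not from the original post). The last two
# records mimic requests for the web shell from an external address.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 02:11:03 10.0.0.5 GET /sites/hr/Shared%20Documents/policy.docx - 443 jdoe 10.0.0.77 Mozilla/5.0 200
2025-07-19 02:12:10 10.0.0.5 GET /_layouts/15/start.aspx - 443 jdoe 10.0.0.77 Mozilla/5.0 200
2025-07-19 02:12:51 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
2025-07-19 02:13:02 10.0.0.5 GET /_LAYOUTS/15/SPINSTALL0.ASPX - 443 - 203.0.113.9 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):  # header may repeat after log rotation
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split(" ")  # IIS encodes spaces inside values as '+'
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield dict(zip(fields, values))


def find_web_shell_requests(text):
    """Return every request whose URI stem names the web shell, case-insensitively."""
    hits = []
    for rec in parse_w3c(text):
        stem = unquote(rec.get("cs-uri-stem", ""))  # undo %-encoding before comparing
        if stem.lower().rsplit("/", 1)[-1] == WEB_SHELL_NAME:
            hits.append({k: rec.get(k, "-") for k in ("date", "time", "c-ip", "cs-method", "sc-status")})
    return hits


def requests_by_source(hits):
    """Count web-shell requests per client IP, for triage and blocking decisions."""
    counts = {}
    for h in hits:
        counts[h["c-ip"]] = counts.get(h["c-ip"], 0) + 1
    return counts
```

A non-empty result means the server should be treated as compromised: rotate the machine keys, restart IIS, and then hunt for whatever was done with the stolen keys, since patching alone does not evict an attacker who already holds them.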
Deja Vu, Microsoft Style
This isn’t Microsoft’s first tango with Beijing-aligned cyber baddies. Back in March 2021, Silk Typhoon (aka Hafnium) was wreaking havoc with zero-day exploits in Exchange Server. And just when you thought things couldn’t get any juicier, a 33-year-old Chinese national, Xu Zewei, was arrested in Italy for cyber attacks using Microsoft Exchange Server flaws. It’s like a soap opera but with less drama and more hacking.
In conclusion, the hacking saga continues as Microsoft untangles the web of cyber threats from China. The tech giant is doubling down on its security measures, urging organizations to patch up those SharePoint servers and batten down the hatches. As the digital landscape becomes ever more treacherous, one thing is clear: Microsoft is ready to weather the storm, one typhoon at a time.