Chinese State Hackers Capitalize on SharePoint 'ToolShell' Flaws
In a recent update, Microsoft's Threat Intelligence team has shed light on the activities of two significant Chinese state-backed cyber threat groups: Linen Typhoon (APT27) and Violet Typhoon (APT31).
Linen Typhoon, also known by multiple aliases such as Bronze Union, Circle Typhoon, and Red Phoenix, has been active since at least 2010. The group conducts cyber espionage against international organizations, with objectives focused on intelligence gathering and geopolitical influence. Microsoft attributes this activity to Linen Typhoon with high confidence, and that assessment aligns with a previous estimate from Google Cloud-owned Mandiant.
Violet Typhoon, active since at least 2012, primarily targets former government and military personnel, non-governmental organizations (NGOs), think tanks, higher education institutions, digital and print media, and financial and health-related sectors in the US, Europe, and East Asia. Violet Typhoon is also known by various names, including Bronze Vinewood, Judgment Panda, Red Keres, and Zirconium.
Microsoft assesses with medium confidence that Storm-2603, a China-based threat group identified by Microsoft, is linked to Linen Typhoon. However, the team has not yet identified any links between Storm-2603 and other known Chinese threat actors.
Storm-2603 has been observed deploying Warlock and LockBit ransomware in the past, but Microsoft is currently unable to assess the threat actor's objectives with confidence. Mandiant's Charles Carmakal commented that at least one of the actors responsible for the exploitation is a China-nexus threat actor.
Microsoft has tracked Violet Typhoon in association with attempts to steal MachineKeys via the on-premises SharePoint vulnerabilities. The company warns that threat actors will continue to integrate these exploits into their attacks against unpatched on-premises SharePoint systems.
Lorri Janssen-Anessi, director of external cyber assessments at BlueVoyant, highlighted that the attribution to Chinese nation-state hacking groups reinforces the view that the 'ToolShell' exploitation campaign is part of a broader strategic campaign. Mandiant's Carmakal emphasized that multiple actors are likely actively exploiting these vulnerabilities, and this trend is expected to continue.
It is essential for organizations to remain vigilant and prioritize patching their systems to protect against these threats. The continuous activities of these cyber threat groups underscore the importance of cybersecurity in the digital age.