This story was originally published on MyNorthwest.com.
Microsoft blamed two Chinese nation-state actors for exploiting recently discovered security flaws in SharePoint to infiltrate vulnerable organizations, including schools, state governments, and the U.S. government’s top nuclear security agency. Microsoft patched the vulnerabilities, but not before the actors, Linen Typhoon and Violet Typhoon, accessed those organizations’ private information and, in some cases, deployed ransomware, the company said.
“These vulnerabilities affect on-premises SharePoint servers only and do not affect SharePoint Online in Microsoft 365,” Microsoft said in an update published by the Microsoft Security Response Center (MSRC). “With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems.”
Attack on Microsoft SharePoint was ‘Zero-Day’ attack
The attacks raise serious security questions for a couple of reasons. They involved a so-called “Zero-Day” attack, meaning it came as a surprise to Microsoft — the company had zero days to prepare a patch and was forced to watch bad actors attack organizations with no way to stop them. Also, the organizations threatened are using older technology: on-premises servers that are connected to the internet but physically sit on-site. Typically, those organizations are forced to rely on such legacy servers because their budgets limit their ability to purchase security upgrades or carry out a large-scale migration to cloud-based servers, and they often lack the IT support needed for either.
“We’re talking about schools impacted, hospitals, state and local government agencies,” Michael Sikorski, Chief Technology Officer and head of threat intelligence for Unit 42 at Palo Alto Networks, said. “That’s the scary part to me, it’s like it’s a helpless situation.”
Unit 42, a specialized team of security experts within Palo Alto Networks, has been following the SharePoint issue closely. It counted dozens of compromised on-premises servers, affecting more than 50 organizations. According to tech blog ZDNET, hackers also successfully breached the U.S. National Nuclear Security Administration; however, it was unclear what information was involved.
Hackers take advantage of contest
The bad actors, which Microsoft said also included non-nation-state actors, took advantage of two vulnerabilities discovered in May during a hackathon contest. The tech giant released patches for those bugs in July; however, the hackers had already exploited the vulnerabilities, which allowed cybercriminals to install malicious code and compromise an organization’s entire SharePoint environment. By bypassing security protections such as multi-factor authentication, hackers could then execute code remotely and gain access to SharePoint content, system files, and configurations. In other words, the first round of Microsoft’s security patches piqued the interest of hackers, who infiltrated systems and forced a second round of patches.
“Attackers overall will take a look at that fix and figure out, well, why did that fix go out and sort of reproduce the issue that was there?” Sikorski explained. “And so, once they do that, it sort of becomes much more widespread.”
In a statement to media, Microsoft said they were “aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.”
But for smaller organizations, with the least budget to deal with this kind of cyberattack, the result can be devastating or even seem impossible to fix. Even if they download Microsoft’s cumulative patches that address all the bugs involved, Sikorski said, it is more difficult for them to implement those fixes than it is for larger corporations with large budgets.
“When you’re talking about SharePoint, if you’re going to patch that now, you need to take it down. That means your people are not going to get access to their files for some period of time. So, you do it late at night, and you’ve got to upgrade essentially,” Sikorski explained. “Well, if you don’t have staff to do it, that leaves you as a sitting duck.”
Sikorski and other cyber experts agreed that any organization using on-premises SharePoint servers should assume it has been attacked and its systems have been compromised, and act accordingly.
Follow Luke Duecy on X.
©2025 Cox Media Group