China's Salt Typhoon Exploited SharePoint to Hit Govts

by hubie from SoylentNews on (#712P6)

upstart writes:

Plus spy helping spy: Typhoons teaming up:

Security researchers now say more Chinese crews - likely including Salt Typhoon - than previously believed exploited a critical Microsoft SharePoint vulnerability, and used the flaw to target government agencies, telecommunications providers, a university, and a finance company across multiple continents.

Threat intel analysts at Broadcom-owned Symantec and Carbon Black uncovered additional victims and malware tools the intruders used, and published those and other details about the attacks in a Wednesday report.

In July, Microsoft patched the so-called ToolShell vulnerability (CVE-2025-53770), a critical remote code execution bug in on-premises SharePoint servers. But before Redmond fixed the flaw, Chinese attackers found and exploited it as a zero-day, compromising more than 400 organizations, including the US Energy Department.

Trend Micro's research team says they've uncovered additional evidence of China-aligned groups, specifically Salt Typhoon and its Beijing botnet-building brethren Flax Typhoon, collaborating in "what looks like a single cyber campaign at first sight."

In these attacks, Salt Typhoon (aka Earth Estries, FamousSparrow) performs the initial break-in, then hands the compromised org over to Flax Typhoon (aka Earth Naga).

"This phenomenon, which we have termed 'Premier Pass,' represents a new level of coordination in cyber campaigns, particularly among China-aligned APT actors," the Trend researchers said.

At the time, Microsoft attributed the break-ins to three China-based groups. These included two government-backed groups: Linen Typhoon (aka Emissary Panda, APT27), which typically steals intellectual property, and Violet Typhoon (aka Zirconium, Judgment Panda, APT31), which focuses on espionage and targets former government and military personnel and other high-value individuals.

Microsoft also accused a suspected China-based criminal org, Storm-2603, of exploiting the bug to infect victims with Warlock ransomware.

It now appears other Beijing crews - including Salt Typhoon, which famously hacked America's major telecommunications firms and stole information belonging to nearly every American - also joined in the attacks.
