China Hack Report: Daily US Tech Defense
Microsoft's SharePoint Shocker: China's Cyber Typhoons Unleash Zero-Day Chaos
25 Jul 2025
This is your China Hack Report: Daily US Tech Defense podcast.

Hey listeners, Ting here! You want the sizzle and the code—so let’s not waste a microsecond. This is China Hack Report: Daily US Tech Defense, bringing you the most critical action from the past 24 hours. Buckle up!

The headline you can’t miss is Microsoft’s SharePoint zero-day meltdown, freshly confirmed by their July 22 update. Chinese state-sponsored groups—specifically **Linen Typhoon** and **Violet Typhoon**, with guest star Storm-2603—have been on a SharePoint rampage all month, but hit peak madness this week. These groups have been exploiting a chain of vulnerabilities—CVEs 2025-49704, 49706, 53770, and 53771—using everything from malicious POST requests to the infamous `ToolPane.aspx` attack vector. And this is strictly an on-premises SharePoint party; SharePoint Online folks, you can exhale for now.

Who’s in the blast zone? High-value targets like the **U.S. National Nuclear Security Administration**, the **National Institutes of Health**, the **Education Department**, Florida’s Department of Revenue, and the always festive Rhode Island General Assembly. Even the Department of Homeland Security got caught in this cyber dragnet, leading to SharePoint outages that locked out entire teams at Defense Intelligence for hours. Eye Security estimates over **400 organizations** compromised in just the last week. If you run SharePoint Server Subscription Edition, 2019, or 2016, you are officially on the front lines.

Here’s the malware kicker: **Storm-2603 didn’t just steal keys—they dropped Warlock ransomware** directly onto government servers. If you thought ransomware was passé, Storm-2603 just updated the playbook. And it’s not just about data snatching. These threat actors are gunning for long-term persistence, laying down webshells, siphoning credentials, and pivoting through networks wide open thanks to unpatched boxes.

How did we get here? This all traces back to a wild revelation: According to a joint probe by ProPublica and Jack Burnham of FDD, Microsoft had been letting China-based engineers push code into DOD systems for years—under “digital escort” supervision that, frankly, couldn’t spot a buffer overflow if it showed up wearing a neon sign. Secretary Pete Hegseth just put a hard stop to this, ending all China involvement in Pentagon cloud services and forcing a two-week review of every other system with foreign developer fingerprints.

Now, what’s CISA saying? In classic superhero mode, CISA fired off emergency directives: **patch all affected SharePoint servers now**, isolate them from the public internet, turn on Antimalware Scan Interface in full mode, load up ToolShell-specific indicators into SIEM tools, and lock down every possible admin credential. Failure to do so is basically inviting Linen Typhoon to your next board meeting.

If you’re running SysAid, don’t relax—two actively exploited flaws (CVE-2025-2775 and 2776) are being hammered too, so patch those now, or risk easier lateral movement by attackers.

So, listeners: patch, isolate, harden, repeat. If your infosec team’s not sweating in a war room right now, maybe check to make sure they’re not part of the Typhoon.

Thanks for tuning in to my data-drenched dispatch. Don’t forget to subscribe and spread the word. This has been a quiet please production, for more check out quiet please dot ai.

For more http://www.quietplease.ai

This content was created in partnership and with the help of Artificial Intelligence AI