
Just a sample of the Echomail archive


 Message 1523 
 Mike Powell to All 
 MS SharePoint server hack 
 22 Jul 25 10:26:47 
 
TZUTC: -0500
MSGID: 1256.consprcy@1:2320/105 2ce4e89f
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed
Microsoft SharePoint server hack sees Chinese threat actor hit roughly 100
orgs - here's what we know so far

Date:
Tue, 22 Jul 2025 10:51:51 +0000

Description:
A recently discovered SharePoint security flaw has been exploited by threat
actors.

FULL STORY

A cyberespionage campaign exploiting the recently-revealed Microsoft
SharePoint issue has targeted roughly 100 organizations, compromising server
software and primarily hitting government agencies in the US and Germany,
experts have warned. 

Google released a statement in which it attributed at least some of the
attacks to a China-Nexus threat actor, and warned against further expansion 
of the threat. 

Microsoft recently released urgent security flaw patches to address a
zero-day vulnerability that affected SharePoint servers, which have been
abused in attacks since July 18, with victims reportedly including a private
energy operator in California as well as a private fintech firm in New York.

China-Nexus threat actors 

The attacks saw hackers extract cryptographic keys from servers that are run
by Microsoft clients. The keys would then let them install pretty much
anything - including malware or backdoors that hackers could use to return. 

Only SharePoint versions that are hosted by the customer, rather than the
cloud, are vulnerable. These types of attacks could allow attackers to steal
corporate secrets or install ransomware to encrypt key files. 

"We assess that at least one of the actors responsible for this early
exploitation is a China-nexus threat actor," said Charles Carmakal, chief
technology officer of Google's Mandiant Consulting.

"It's critical to understand that multiple actors are now actively exploiting
this vulnerability. We fully anticipate that this trend will continue, as
various other threat actors, driven by diverse motivations, will leverage
this exploit as well," he continued.

Researchers say that so far, the attacks can be attributed to a single hacker
or a set of hackers, rather than a large number - but there has been a broad
range of targets, and a vast number of potential targets - with some
researchers estimating up to 8,000 vulnerable servers. 

Whilst the update should prevent new intrusion, users will also need to 
rotate machine keys, search for any missed breaches, and deploy Antimalware
Scan Interface (AMSI) as well as antivirus software.

======================================================================
Link to news story:
https://www.techradar.com/pro/security/microsoft-sharepoint-server-hack-sees-chinese-threat-actor-hit-roughly-100-orgs-heres-what-we-know-so-far

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 664
SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426



(c) 1994,  bbs@darkrealms.ca