posted by hubie on Tuesday October 28, @04:28PM

Plus spy helping spy: Typhoons teaming up:

Security researchers now say more Chinese crews - likely including Salt Typhoon - than previously believed exploited a critical Microsoft SharePoint vulnerability, and used the flaw to target government agencies, telecommunications providers, a university, and a finance company across multiple continents.

Threat intel analysts at Broadcom-owned Symantec and Carbon Black uncovered additional victims and malware tools the intruders used, and published those and other details about the attacks in a Wednesday report.

In July, Microsoft patched the so-called ToolShell vulnerability (CVE-2025-53770), a critical remote code execution bug in on-premises SharePoint servers. But before Redmond fixed the flaw, Chinese attackers found and exploited it as a zero-day, compromising more than 400 organizations, including the US Energy Department.

Trend Micro's research team says they've uncovered additional evidence of China-aligned groups, specifically Salt Typhoon and its Beijing botnet-building brethren Flax Typhoon, collaborating in "what looks like a single cyber campaign at first sight."

In these attacks, Salt Typhoon (aka Earth Estries, FamousSparrow) performs the initial break-in, then hands the compromised org over to Flax Typhoon (aka Earth Naga).

"This phenomenon, which we have termed 'Premier Pass,' represents a new level of coordination in cyber campaigns, particularly among China-aligned APT actors," the Trend researchers said.

At the time, Microsoft attributed the break-ins to three China-based groups. These included two government-backed groups: Linen Typhoon (aka Emissary Panda, APT27), which typically steals intellectual property, and Violet Typhoon (aka Zirconium, Judgment Panda, APT31), which focuses on espionage and targets former government and military personnel and other high-value individuals.

Microsoft also accused a suspected China-based criminal org, Storm-2603, of exploiting the bug to infect victims with Warlock ransomware.

It now appears other Beijing crews – including Salt Typhoon, which famously hacked America's major telecommunications firms and stole information belonging to nearly every American – also joined in the attacks.

  • (Score: 2, Touché) by Gaaark on Tuesday October 28, @04:33PM

    by Gaaark (41) on Tuesday October 28, @04:33PM (#1422619) Journal

    Good thing Trump's cozying up to Xi: Canada is Trump's REAL enemy, what with our igloos and snow-mobiles.

    We're coming for you, Trump... I've got an icicle with your name on it!

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. I have always been here. ---Gaaark 2.0 --
  • (Score: 0, Troll) by Anonymous Coward on Tuesday October 28, @05:23PM

    by Anonymous Coward on Tuesday October 28, @05:23PM (#1422621)

    While analysts and researchers are chasing their tails, or just releasing your regular state AI propaganda, the real culprits remain unnamed and undiscovered deep inside the trillionaire apparatus 20,000 leagues under the Golf of America

    That scenario is every bit as plausible as this "China" syndrome everybody is suffering

  • (Score: 5, Touché) by Mojibake Tengu on Tuesday October 28, @11:48PM (1 child)

    by Mojibake Tengu (8598) on Tuesday October 28, @11:48PM (#1422660) Journal

    Microsoft had about a 40-year-wide opportunity window to make their software impenetrable. They didn't. They didn't even try to.

    Three generations of newborn hackers rampant on Microsoft software in this epoch already.

    Must have been a very good rational reason for such volume of ignorance.
    It is obvious to me that at such a timescale, vulnerability to attacks is the desired design principle of Microsoft products. It's done willingly.

    --
    Rust programming language offends both my Intelligence and my Spirit.
    • (Score: 1, Funny) by Anonymous Coward on Wednesday October 29, @11:09AM

      by Anonymous Coward on Wednesday October 29, @11:09AM (#1422686)

      To be fair: they want to attract developers.
