
Submission Preview

China's Salt Typhoon Exploited SharePoint to Hit Govts

Pending submission by upstart at 2025-10-22 18:26:05
News


for jan

China's Salt Typhoon exploited SharePoint to hit govts [theregister.com]:

Security researchers now say more Chinese crews - likely including Salt Typhoon - than previously believed exploited a critical Microsoft SharePoint vulnerability, and used the flaw to target government agencies, telecommunications providers, a university, and a finance company across multiple continents.

Threat intel analysts at Broadcom-owned Symantec and Carbon Black uncovered additional victims and malware tools the intruders used, and published those and other details about the attacks in a Wednesday report [security.com].

The SharePoint attack vector

In July, Microsoft patched [theregister.com] the so-called ToolShell vulnerability (CVE-2025-53770 [microsoft.com]), a critical unauthenticated remote code execution bug in on-premises SharePoint Server; SharePoint Online was not affected. But before Redmond fixed the flaw, Chinese attackers found and exploited it as a zero-day [theregister.com], compromising more than 400 organizations [theregister.com], including the US Energy Department. Because exploitation let intruders extract the servers' ASP.NET machine keys, Microsoft's guidance was to rotate those keys after patching rather than only install the update: an attacker holding the old keys can keep forging valid requests to an otherwise patched server.
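To make the distinction between a ToolShell probe and an actual compromise concrete, here is an added example (my own code, not from the Symantec report, Microsoft or The Register) that hunts IIS W3C logs for the published ToolShell request shape, an unauthenticated POST to the ToolPane.aspx page in edit mode with a Referer of /_layouts/SignOut.aspx, and for requests to the spinstall0.aspx web shell reported in the July exploitation. The log lines, hostnames and IP addresses are constructed for the example; the field list is the IIS default for a SharePoint web application, and the rule names are mine.

```python
"""Hunt IIS W3C logs for ToolShell (CVE-2025-53770) exploitation traces.

Added example; the log below is constructed, not from any real incident.
"""
import re
from collections import defaultdict

# Constructed sample in IIS W3C extended format. The #Fields line is the IIS
# default for a SharePoint web application; hosts and IPs use documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 03:12:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 1532
2025-07-19 03:12:51 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 31
2025-07-19 03:13:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 198.51.100.9 python-requests/2.31 /_layouts/SignOut.aspx 401 2 5 12
2025-07-19 03:15:00 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\alice 10.1.2.3 Mozilla/5.0 https://sp.contoso.example/ 200 0 0 88
2025-07-19 03:16:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.1.2.4 Mozilla/5.0 https://sp.contoso.example/_layouts/15/settings.aspx 200 0 0 200
"""

# Published ToolShell request shape: POST to ToolPane.aspx in edit mode with a
# Referer of /_layouts/SignOut.aspx, the header that tripped the auth bypass.
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.I)
SIGNOUT_RE = re.compile(r"/_layouts/(?:\d+/)?signout\.aspx$", re.I)
# Web shell name reported in the July exploitation (spinstall0.aspx and variants).
SPINSTALL_RE = re.compile(r"/spinstall\d*\.aspx$", re.I)


def parse_iis_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header yet, or a malformed line: skip rather than guess
        records.append(dict(zip(fields, values)))
    return records


def classify(rec):
    """Name the rule a single request matches, or return None."""
    stem, query, ref = rec["cs-uri-stem"], rec["cs-uri-query"], rec["cs(Referer)"]
    if (rec["cs-method"].upper() == "POST" and TOOLPANE_RE.search(stem)
            and "displaymode=edit" in query.lower() and SIGNOUT_RE.search(ref)):
        # 200 means the server accepted the unauthenticated POST; anything else
        # (typically 401 on a patched host) is an attempt that was rejected.
        return "toolshell_exploit_success" if rec["sc-status"] == "200" else "toolshell_exploit_attempt"
    if SPINSTALL_RE.search(stem):
        return "spinstall_webshell_access"
    return None


def hunt_toolshell(records):
    """Group hits per client IP so scanning noise and follow-on activity can be told apart."""
    hits = defaultdict(lambda: defaultdict(int))
    for rec in records:
        rule = classify(rec)
        if rule:
            hits[rec["c-ip"]][rule] += 1
    verdicts = {}
    for ip, rules in hits.items():
        compromised = rules.get("toolshell_exploit_success") or rules.get("spinstall_webshell_access")
        verdicts[ip] = ("likely_compromised" if compromised else "probe_only", dict(rules))
    return verdicts


if __name__ == "__main__":
    for ip, (verdict, rules) in hunt_toolshell(parse_iis_w3c(SAMPLE_LOG)).items():
        print(f"{ip:16} {verdict:18} {rules}")
```

The SignOut.aspx Referer is the discriminator: the last sample line is a legitimate, authenticated editor POSTing to ToolPane and is not flagged. A 200 on the exploit-shaped request is evidence the bypass worked, not proof that code ran, so confirm on the host by looking for newly written .aspx files under the SharePoint LAYOUTS directory; if you find any, treat the machine keys as stolen and rotate them.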

In other PRC cyber-spy news…

Trend Micro's research team says [trendmicro.com] they've uncovered additional evidence of China-aligned groups, specifically Salt Typhoon and its Beijing botnet-building [theregister.com] brethren Flax Typhoon [theregister.com], collaborating in "what looks like a single cyber campaign at first sight."

In these attacks, Salt Typhoon (aka [theregister.com] Earth Estries, FamousSparrow) performs the initial break-in, then hands the compromised org over to Flax Typhoon (aka Earth Naga).

"This phenomenon, which we have termed 'Premier Pass,' represents a new level of coordination in cyber campaigns, particularly among China-aligned APT actors," the Trend researchers said.

Returning to ToolShell: at the time of the July patch, Microsoft attributed the break-ins to three China-based groups. These included two government-backed groups [theregister.com]: Linen Typhoon (aka Emissary Panda, APT27), which typically steals intellectual property, and Violet Typhoon (aka Zirconium, Judgment Panda, APT31), which focuses on espionage and targets former government and military personnel and other high-value individuals.

Microsoft also accused a suspected China-based criminal org, Storm-2603 [theregister.com], of exploiting the bug to infect victims with Warlock ransomware [theregister.com].

It now appears other Beijing crews – including Salt Typhoon [theregister.com], which famously hacked America's major telecommunications firms [theregister.com] and stole information [theregister.com] belonging to nearly every American [theregister.com] – also joined in the attacks.

On Wednesday, the Symantec and Carbon Black threat hunters said China-based attackers using malware linked to Salt Typhoon abused ToolShell to break into a Middle East telecom company and two African government departments shortly after the vulnerability was patched.

In all three of these attacks, the miscreants used Zingdoor, an HTTP backdoor written in Go and first spotted [trendmicro.com] by Trend Micro in an August 2023 cyberespionage campaign they attributed to Earth Estries/Salt Typhoon. Zingdoor collects system information, uploads and downloads files, and runs arbitrary commands on compromised networks.

The attackers also deployed what researchers say appears to be the ShadowPad Trojan, and used another backdoor, KrustyLoader [theregister.com], linked to a group called UNC5221 [theregister.com], which is also believed to be a China-nexus group.

"The attackers also gained access to the networks of two government agencies in South America and a university in the US recently," according to the report.

In these attacks, however, the intruders used other bugs for initial access – not the SharePoint CVE – and exploited SQL servers and Apache HTTP servers running Adobe ColdFusion software to deliver malware, the researchers wrote:

Notably, in the case of the South American victims, the attackers used the filename "mantec.exe", possibly to mimic a Symantec filename ("symantec.exe") in an attempt to hide their malicious activity. This binary (mantec.exe), which is a legitimate copy of a BugSplat executable used for bug tracking, was used to sideload a malicious DLL.

Salt Typhoon commonly uses DLL sideloading to deliver malware. In a Monday report, Darktrace researchers said the PRC-backed goon squad used this technique to infect a European telecom firm [theregister.com].
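The "mantec.exe" case is the classic shape of this technique: a legitimately signed executable, renamed on disk, loading an attacker's DLL from its own folder. As an added example (not code from the Symantec report, Darktrace or The Register), the following Python scores Sysmon-style process-create (Event ID 1) and image-load (Event ID 7) records for that pattern: a binary whose on-disk name differs from the OriginalFileName in its version resource, running outside Windows or Program Files, and loading an unsigned DLL from the directory it lives in. The events, paths, GUIDs and the "BugSplatSender.exe" original name are constructed for illustration and are not taken from the incident.

```python
"""Score Sysmon-style telemetry for DLL sideloading through a renamed signed binary.

Added example. The events, paths, GUIDs and OriginalFileName values are
constructed for illustration and are not taken from the incident report.
"""
import ntpath

# Directories where a signed vendor binary normally lives; a process running
# elsewhere (user profile, public folder, temp) earns an extra point.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed records in the shape of Sysmon Event ID 1 (ProcessCreate) and
# Event ID 7 (ImageLoad). Field names follow Sysmon's schema; values are hypothetical.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{proc-a}", "Image": "C:\\Users\\Public\\mantec.exe",
     "OriginalFileName": "BugSplatSender.exe"},          # hypothetical original name
    {"EventID": 7, "ProcessGuid": "{proc-a}", "Image": "C:\\Users\\Public\\mantec.exe",
     "ImageLoaded": "C:\\Users\\Public\\BugSplatRc.dll",  # hypothetical DLL name
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "ProcessGuid": "{proc-a}", "Image": "C:\\Users\\Public\\mantec.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 1, "ProcessGuid": "{proc-b}", "Image": "C:\\Program Files\\Vendor\\tool.exe",
     "OriginalFileName": "tool.exe"},
    {"EventID": 7, "ProcessGuid": "{proc-b}", "Image": "C:\\Program Files\\Vendor\\tool.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "ProcessGuid": "{proc-c}", "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def _dir(path):
    """Lower-cased directory of a Windows path, with a trailing backslash."""
    return ntpath.dirname(path).lower() + "\\"


def hunt_sideloading(events, threshold=3):
    """Return per-process findings whose score reaches the threshold."""
    findings = {}
    for ev in events:
        entry = findings.setdefault(ev["ProcessGuid"], {"image": ev["Image"], "score": 0, "reasons": []})
        if ev["EventID"] == 1:
            on_disk = ntpath.basename(ev["Image"])
            # A signed binary renamed on disk (mantec.exe) still carries the
            # vendor's OriginalFileName in its version resource.
            if on_disk.lower() != ev["OriginalFileName"].lower():
                entry["score"] += 2
                entry["reasons"].append(f"renamed binary: {on_disk} has OriginalFileName {ev['OriginalFileName']}")
            if not _dir(ev["Image"]).startswith(TRUSTED_DIRS):
                entry["score"] += 1
                entry["reasons"].append("process image outside Windows/Program Files")
        elif ev["EventID"] == 7:
            # The sideload itself: an unsigned DLL pulled from the EXE's own folder.
            if ev["Signed"].lower() == "false" and _dir(ev["ImageLoaded"]) == _dir(ev["Image"]):
                entry["score"] += 2
                entry["reasons"].append(f"unsigned DLL loaded from the process directory: {ntpath.basename(ev['ImageLoaded'])}")
    return {guid: e for guid, e in findings.items() if e["score"] >= threshold}


if __name__ == "__main__":
    for guid, finding in hunt_sideloading(EVENTS).items():
        print(guid, finding["image"], finding["score"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

OriginalFileName is self-reported from the PE version resource and installers and portable tools are often renamed legitimately, so the name mismatch alone is weak; it is the combination with an unsigned DLL loaded from the same directory, outside the usual install locations, that separates sideloading from noise. In production, key the lookup on Sysmon's ProcessGuid exactly as above so the Event 1 and Event 7 records for one process are scored together.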

These same SharePoint attacks also compromised a state technology agency in an African country, a government department in the Middle East, and a finance firm in Europe, according to the Broadcom-owned security firms.

While the researchers "do not have sufficient evidence to conclusively attribute this activity to one specific group," all evidence points to China-based attackers, they said, adding that the large victim count is "also notable."

"This may indicate that the attackers were carrying out an element of mass scanning for the ToolShell vulnerability, before then carrying out further activity only on networks of interest," the threat analysts wrote. "The activity carried out on targeted networks indicates that the attackers were interested in stealing credentials and in establishing persistent and stealthy access to victim networks, likely for the purpose of espionage."

Microsoft declined to comment.
