"Symantec: New China-based threat actors target networks for espionage"

JUST IN: Hackers linked to Ch*na exploited a “patched” Microsoft SharePoint flaw to break into networks across four continents. It wasn’t just spying. They found a way to bypass the patch that fixed a previous bypass. What makes this campaign particularly insidious is the depth of the post-exploit chain: after the unauthenticated breach, attackers deploy web shells, target MachineKey values, and forge authentication tokens. Once inside, the infrastructure runs as trusted. The result is that "the breach doesn’t just grant access; it becomes a hidden residency." For companies running broad-scale enterprise stacks, this exposure means even a *one-line exploit* can cascade into full-domain compromise. For non-IT teams, the message is simple. If your server is internet-facing and unpatched, you aren’t just living with risk. You’re hosting it. So, here are our recommendations: 1. Keep internet-facing servers fully patched within 24–48 hours of a security update and never expose admin panels or collaboration tools like SharePoint directly to the web. 2. Segment those systems behind VPN or zero-trust gateways, enforce multi-factor authentication, and monitor for web-shell or anomalous traffic activity. Basically, treat every public-facing server as a potential breach entry, not a convenience. https://lnkd.in/g4r6fev3 #auguryit #cysec

When Your Intranet Gets Sneakier Than Your Monday Morning Email Just came across a wild one: there’s a SharePoint flaw (ToolShell) that got patched months ago, but threat actors are still using it to breach networks across the globe. It’s like forgetting to lock the door, then realizing months later someone moved in. Here’s the low-down: - On-prem SharePoint servers were attacked via a web-endpoint exploit, dropping a hidden shell, stealing keys and credentials. - Victims? Telecoms, gov agencies, universities you name it. The “we’ll patch later” crowd got caught. - The patch exists, but patching delays and old server setups mean many doors are still unlocked out there. So if you (or your org) still run on-prem SharePoint, this is your friendly reminder: update now, rotate your keys, shut down exposed endpoints, and maybe treat your server like a weekend guest who forgot to leave. #SharePoint #Vulnerability #CyberSecurity #Infosec Source: https://lnkd.in/d_janUFD

Chinese Threat Actors Exploit ToolShell SharePoint Flaw Weeks After Microsoft's July Patch Threat actors with ties to China exploited the ToolShell security vulnerability in Microsoft SharePoint to breach a telecommunications company in the Middle East after it was publicly disclosed and patched in July 2025. Also targeted were government departments in an African country, as well as government agencies in South America, a university in the U.S., as well as likely a state technology agency in an African country, a government department in the Middle East, and a finance company in a European country. According to Broadcom's Symantec Threat Hunter Team, the attacks involved the exploitation of CVE-2025-53770, a now-patched security flaw in on-premise SharePoint servers that could be used to bypass authentication and achieve remote code execution. Stay connected for industry’s latest content – Follow Deepthi Talasila #DevSecOps #ApplicationSecurity #AgenticAI #CloudSecurity #CyberSecurity #AIinSecurity #SecureDevOps #AppSec #AIandSecurity #CloudComputing #SecurityEngineering #ZeroTrust #MLSecurity #AICompliance #SecurityAutomation #SecureCoding #linkedin #InfoSec #SecurityByDesign #AIThreatDetection #CloudNativeSecurity #ShiftLeftSecurity #SecureAI #AIinDevSecOps #SecurityOps #CyberResilience #DataSecurity #SecurityInnovation #SecurityArchitecture #TrustworthyAI #AIinCloudSecurity #NextGenSecurity https://lnkd.in/e9NTgkkv

Are you running an on-premises SharePoint Server and wondering if you're at risk from the latest high-severity vulnerability? This isn't just any ordinary security threat - the vulnerability, tracked as CVE-2025-53770, has a severity rating of 9.8 out of 10 and is being actively exploited across the globe. The worst part is that it gives unauthenticated remote access to SharePoint Servers exposed to the internet, putting sensitive company data at risk, including authentication tokens used to access systems inside networks. Here are the key facts to know: – The vulnerability affects SharePoint Servers that infrastructure customers run in-house. – Microsoft's cloud-hosted SharePoint Online and Microsoft 365 are not affected. – Microsoft has released emergency updates to patch the vulnerability in SharePoint Subscription Edition and SharePoint 2019. – SharePoint 2016 remains unpatched, with Microsoft advising organizations to install the Antimalware Scan Interface. The takeaway is clear: if you're running an on-premises SharePoint Server, you should assume your network is breached until you've taken the necessary steps to protect yourself. Don't wait until it's too late - check your SharePoint Server version and apply the available patches or workarounds immediately. #Cybersecurity #SharePoint #DataProtection

Chinese threat actors are exploiting a patched SharePoint vulnerability (vulnerability (CVE-2025-53770)) to breach telecommunications, government, and educational entities globally, exposing sensitive data and enabling espionage. This compromises network security and demands immediate incident response. Organizations must immediately patch SharePoint servers, hunt for indicators of compromise, and review logs for unauthorized access attempts. 🔒⚠️ #cybersecurity #databreach #vulnerability https://lnkd.in/gtV8mG2w

🚨 Chinese Threat Actors Exploit ToolShell SharePoint Flaw Chinese threat groups, including Linen Typhoon, Violet Typhoon, and Storm-2603, have actively exploited the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint. This flaw, which allows for authentication bypass and remote code execution, was patched by Microsoft in July 2025. Despite the patch, these actors have targeted various organizations worldwide, including: • A telecommunications company in the Middle East • Government departments in Africa and South America • A university in the U.S. • A finance company in Europe The attacks involved deploying tools like Zingdoor, ShadowPad, and KrustyLoader, highlighting the persistent threat posed by nation-state actors. 🔗 Read more: https://lnkd.in/gpjENNJ9 #CyberSecurity #InfoSec #Microsoft #SharePoint #ToolShell #CVE202553770 #ThreatIntel #NationStateActors

Just Recently, researchers from Broadcom’s Symantec Threat Hunter Team reported that multiple China-linked threat groups exploited the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint shortly after its July 2025 patch release. The flaw, a patch bypass for CVE-2025-49704 and CVE-2025-49706, allowed attackers to bypass authentication and achieve remote code execution on unpatched or misconfigured on-premises SharePoint servers. These intrusions targeted a diverse set of victims, including a telecommunications provider in the Middle East, government agencies across Africa and South America, a U.S. university, and a European financial firm. Threat actors such as Linen Typhoon (Budworm), Violet Typhoon (Sheathminer), Storm-2603, and Salt Typhoon (Glowworm) reportedly deployed post-exploitation tools such as Zingdoor, ShadowPad, and KrustyLoader, enabling credential theft, persistence, and stealthy espionage operations (Lakshmanan, 2025). The ToolShell campaign underscores a key principle in cybersecurity management and education, patch availability does not equate to immediate security. Even after public disclosure and vendor remediation, adversaries continue to weaponize newly revealed flaws against unpatched systems. The incident illustrates the persistent risks posed by on-premises legacy infrastructure and the need for timely patching, post-patch credential rotation, and active monitoring for exploitation indicators. From an instructional perspective, this case serves as a timely example for cybersecurity professionals and students alike: understanding threat actor behaviors, defense-in-depth strategies, and rapid vulnerability management is essential to mitigating modern cyber-espionage campaigns (Lakshmanan, 2025). Reference Lakshmanan, R. (2025, October 22). Chinese threat actors exploit ToolShell SharePoint flaw weeks after Microsoft’s July patch. The Hacker News. https://lnkd.in/gmxhAnsN

Chinese Threat Actors Exploit ToolShell SharePoint Flaw Weeks After Microsoft's July Patch Threat actors with ties to China exploited the ToolShell security vulnerability in Microsoft SharePoint to breach a telecommunications company in the Middle East after it was publicly disclosed and patched in July 2025. Also targeted were government departments in an African country, as well as government agencies in South America, a university in the U.S., as well as likely a state technology agency in an African country, a government department in the Middle East, and a finance company in a European country. According to Broadcom's Symantec Threat Hunter Team, the attacks involved the exploitation of CVE-2025-53770, a now-patched security flaw in on-premise SharePoint servers that could be used to bypass authentication and achieve remote code execution. https://lnkd.in/eaz_BG37 Stay Connected to Sidharth Sharma, CPA, CISA, CISM, CFE, CDPSE for content related to Cyber Security. #CyberSecurity #JPMC #Technology #InfoSec #DataProtection #DataPrivacy #ThreatIntelligence #CyberThreats #NetworkSecurity #CyberDefense #SecurityAwareness #ITSecurity #SecuritySolutions #CyberResilience #DigitalSecurity #SecurityBestPractices #CyberRisk #SecurityOperations 

Just weeks after Microsoft patched CVE-2025-53770 in SharePoint, threat actors linked to China were already exploiting it in live environments. Victims spanned continents, telecom firms, government agencies, a university, proving once again that disclosure-to-exploitation time is now dangerously short. This wasn’t a one-off incident. Symantec's report shows multiple groups using this flaw alongside older exploits like PetitPotam, fileless techniques, and advanced loaders like ShadowPad and KrustyLoader. The goal wasn’t destruction, it was quiet access, credential theft, and long-term presence. There’s a bigger point here: patching is no longer a finish line. It’s a starting point. Many organizations patch slowly, especially on-prem systems like SharePoint. Attackers know this and time their operations accordingly. Security teams need to: 🔐 Monitor for post-patch exploitation, not just missing patches 🔐 Assume any disclosed critical CVE is already being tested in the wild 🔐 Focus on detecting the behavior of compromise, not just the signature of a payload This is how espionage campaigns operate today: fast, quiet, and across multiple layers of infrastructure. Being ready means thinking beyond just “what’s the latest patch?” Learn more: https://lnkd.in/gtV8mG2w #CyberSecurity #ThreatIntelligence #SharePoint #PatchManagement

🚨 ToolShell Exploits in Microsoft SharePoint: A Wake-Up Call for IT and Security Leaders In the months following Microsoft’s July 2025 patch, multiple China-linked threat groups—including Linen Typhoon, Violet Typhoon, and Salt Typhoon—have exploited CVE-2025-53770, a critical SharePoint vulnerability now known as “ToolShell” thehackernews.com. 🔍 What we know: CVE-2025-53770 enables authentication bypass and remote code execution on on-prem SharePoint servers. Despite being patched, the flaw was rapidly weaponized in espionage campaigns targeting: A telecom provider in the Middle East Government agencies in Africa and South America A U.S. university and a European finance firm thehackernews.com Attackers deployed tools like ShadowPad, Zingdoor, and KrustyLoader—indicating long-term persistence and credential theft objectives thehackernews.com. Some campaigns also leveraged PetitPotam (CVE-2021-36942) for privilege escalation and domain compromise thehackernews.com. 🧠 Why this matters: ToolShell is a case study in patch lag, threat actor agility, and the limits of perimeter defense. The flaw bypasses previous patches (CVE-2025-49704/49706), raising concerns about patch efficacy and regression testing. The breadth of targets—telecom, education, finance, and government—underscores the cross-sector risk of unpatched collaboration platforms. 💬 For CISOs, MSPs, and infrastructure leaders: Reassess your SharePoint exposure—especially on-prem deployments. Validate patch coverage and monitor for post-exploitation behaviors (DLL side-loading, credential theft, lateral movement). Strengthen vendor patch validation processes and threat intel integration. This isn’t just a SharePoint issue—it’s a governance issue. How are we ensuring that patching, detection, and response are aligned across silos? #CyberSecurity #SharePoint #ToolShell #CVE202553770 #PatchManagement #ThreatIntelligence #MSP #CISO #ZeroDay #InfrastructureResilience #VendorAccountability #SecurityOps #Governance Article Link - https://lnkd.in/gcDUA9St