Microsoft has confirmed that Chinese state-linked hackers are exploiting critical flaws in on-premises SharePoint servers to steal data and deploy ransomware.
The groups, known as Linen Typhoon, Violet Typhoon, and Storm-2603, are targeting government, defence, and business organisations by abusing spoofing and remote code execution vulnerabilities. Cloud-based SharePoint systems are not affected.
Victims have been reported across multiple sectors and countries, including the UK. Microsoft says the attacks allow hackers to steal credentials, disable security tools, and spread ransomware such as Warlock.
Storm-2603, a China-based group, has been observed using a malicious script called spinstall0.aspx to gain access and escalate privileges inside networks. Microsoft has warned that more attackers are likely to adopt these methods.
To stay secure, businesses using on-prem SharePoint must install Microsoft’s latest security updates, rotate ASP.NET machine keys, enable AMSI protection, and use advanced endpoint detection tools to block post-exploit activity.
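A defender-side triage script covering two of the steps above (hunting for the spinstall0.aspx file named in the article and rotating the ASP.NET machine keys), added here as an example and not taken from the article or from Microsoft's own guidance. It assumes a SharePoint Management Shell run as a farm administrator, that the Update-SPMachineKey cmdlet is present in the installed SharePoint version, and the search directories noted in the comments.

```powershell
# Added example (not from the article or from Microsoft): post-incident triage
# for on-premises SharePoint. Assumptions: run in the SharePoint Management
# Shell as a farm administrator; the file name spinstall0.aspx comes from the
# article; the search roots and the Update-SPMachineKey cmdlet are assumed to
# match the installed version (check with Get-Command before relying on them).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Hunt for the web shell under the SharePoint hive and the IIS web root
#    (assumed locations; widen the list if your farm uses other paths).
$SearchRoots = @(
    "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions",
    "$env:SystemDrive\inetpub\wwwroot"
)
$Hits = foreach ($root in $SearchRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -File -Filter 'spinstall0.aspx' `
            -ErrorAction SilentlyContinue
    }
}
if ($Hits) {
    Write-Warning "Possible web shell found; treat the server as compromised and preserve evidence:"
    $Hits | Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize
} else {
    Write-Output "No file named spinstall0.aspx found under the searched roots."
}

# 2. Rotate the ASP.NET machine keys for every web application and restart IIS
#    so the new keys take effect. Do this only AFTER the security update has
#    been installed; keys rotated on an unpatched server can be stolen again.
if (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue) {
    foreach ($wa in Get-SPWebApplication) {
        Write-Output "Rotating machine key for $($wa.Url)"
        Update-SPMachineKey -WebApplication $wa
    }
    iisreset
} else {
    Write-Warning "Update-SPMachineKey is not available on this build; rotate the keys from Central Administration (machine key rotation job) after installing the update that provides it."
}
```

A hit in step 1 is an indicator, not proof of a clean result: the absence of that one file name does not rule out other dropped files, so the endpoint detection coverage the article recommends should be reviewed alongside this check.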