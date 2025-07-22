Microsoft logo in Hanover, Germany, March 31 2025. Picture: FABIAN BIMMER/REUTERS
London — A security patch released by Microsoft earlier this month failed to fully fix a critical flaw in the US tech company’s SharePoint server software that had been identified at a hacking competition in May, opening the door to a sweeping global cyber-espionage operation, according to a reviewed timeline of events.
A Microsoft spokesperson confirmed on Tuesday that its initial solution didn’t work, adding that the company had released further patches that fixed the issue. It remains unclear who is behind the ongoing operation, which targeted about 100 organisations over the weekend and is expected to escalate as other hackers join the fray.
Microsoft said in a blog post that two allegedly Chinese hacking groups, dubbed “Linen Typhoon” and “Violet Typhoon”, were exploiting the vulnerabilities, along with another China-based hacking group.
Microsoft and Alphabet’s Google have said China-linked hackers were probably behind the first wave of hacks. Chinese government-linked operatives are regularly implicated in cyberattacks, but Beijing routinely denies carrying out hacking operations. In an emailed statement, the Chinese embassy in Washington said China opposes all forms of cyberattacks, and “smearing others without solid evidence”.
The vulnerability that facilitated the attack was first identified in May at a hacking competition in Berlin organised by cybersecurity firm Trend Micro, which offered cash bounties for the discovery of computer bugs in popular software.
It offered a $100,000 prize for “zero-day” exploits (so called because they leverage previously undisclosed digital weaknesses) that could be used against SharePoint, Microsoft’s flagship document management and collaboration platform.
A researcher working for the cybersecurity arm of Viettel, a telecommunications firm operated by Vietnam’s military, identified a SharePoint bug at the event, dubbed it “ToolShell” and demonstrated a method of exploiting it. The researcher was awarded $100,000 for the discovery, according to a post on X by Trend Micro’s “Zero Day Initiative”.
Vendors
In a statement, Trend Micro said it was the responsibility of vendors participating in its competition to patch and disclose security flaws as soon as possible. “Patches will occasionally fail. This has happened with SharePoint in the past,” the statement said. Microsoft said in a July 8 security update that it had identified the bug, listed it as a critical vulnerability, and released patches to fix it.
About 10 days later, however, cybersecurity firms started to notice an influx of malicious online activity targeting the same software the bug affects: SharePoint servers. “Threat actors subsequently developed exploits that appear to bypass these patches,” British cybersecurity firm Sophos said in a blog on Monday.
The pool of potential ToolShell targets remains vast. According to data from Shodan, a search engine that helps identify internet-linked equipment, more than 8,000 servers online could theoretically have already been compromised by hackers.
Those servers include major industrial firms, banks, auditors, healthcare companies, and several US state-level and international government entities.
The Shadowserver Foundation, which scans the internet for potential digital vulnerabilities, put the number at a little more than 9,000, while cautioning that the figure was a minimum. It said most of those affected were in the US and Germany, and the victims included government organisations.
Germany’s federal office for information security, BSI, said on Tuesday it had found SharePoint servers within government networks that were vulnerable to the ToolShell attack but none had been compromised.
Microsoft blames Chinese hackers for exploiting security flaw
Bug in SharePoint server software was identified at hacking competition but subsequent patch proves insufficient
Reuters
Published by Arena Holdings and distributed with the Financial Mail on the last Thursday of every month except December and January.