
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 1,523 of 2,445   
   Mike Powell to All   
   MS SharePoint server hack   
   22 Jul 25 10:26:47   
   
   TZUTC: -0500   
   MSGID: 1256.consprcy@1:2320/105 2ce4e89f   
   PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   FORMAT: flowed   
   Microsoft SharePoint server hack sees Chinese threat actor hit roughly 100
   orgs - here's what we know so far
      
   Date:   
   Tue, 22 Jul 2025 10:51:51 +0000   
      
   Description:   
   A recently discovered SharePoint security flaw has been exploited by threat   
   actors.   
      
   FULL STORY   
      
   A cyberespionage campaign exploiting the recently-revealed Microsoft   
   SharePoint issue has targeted roughly 100 organizations, compromising server   
   software and primarily hitting government agencies in the US and Germany,   
   experts have warned.    
      
   Google released a statement in which it attributed at least some of the   
   attacks to a China-Nexus threat actor, and warned against further expansion    
   of the threat.    
      
   Microsoft recently released urgent security flaw patches to address a
   zero-day vulnerability that affected SharePoint servers, which have been   
   abused in attacks since July 18, with victims reportedly including a private   
   energy operator in California as well as a private fintech firm in New York.   
      
   China-Nexus threat actors    
      
   The attacks saw hackers extract cryptographic keys from servers that are run   
   by Microsoft clients. The keys would then let them install pretty much   
   anything - including malware or backdoors that hackers could use to return.    
      
   Only SharePoint versions that are hosted by the customer, rather than the   
   cloud, are vulnerable. These types of attacks could allow attackers to steal   
   corporate secrets or install ransomware to encrypt key files.    
      
   "We assess that at least one of the actors responsible for this early
   exploitation is a China-nexus threat actor," said Charles Carmakal, chief
   technology officer of Google's Mandiant Consulting.

   "It's critical to understand that multiple actors are now actively exploiting
   this vulnerability. We fully anticipate that this trend will continue, as
   various other threat actors, driven by diverse motivations, will leverage
   this exploit as well," he continued.
      
   Researchers say that so far, the attacks can be attributed to a single hacker   
   or a set of hackers, rather than a large number - but there has been a broad   
   range of targets, and a vast number of potential targets - with some   
   researchers estimating up to 8,000 vulnerable servers.    
      
   Whilst the update should prevent new intrusion, users will also need to    
   rotate machine keys, search for any missed breaches, and deploy Antimalware   
   Scan Interface (AMSI) as well as antivirus software.
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/microsoft-sharepoint-server-hack-sees-chinese-threat-actor-hit-roughly-100-orgs-heres-what-we-know-so-far
      
   --- SBBSecho 3.28-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700   
   SEEN-BY: 226/30 227/114 229/110 111 206 300 307 317 400 426 428 664   
   SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35   
   PATH: 2320/105 229/426   
      


