A critical SharePoint vulnerability known as “ToolShell” remained exploitable despite Microsoft’s initial fix. This allowed alleged China-linked hackers to exploit it, targeting over 100 organizations globally, including U.S. national security bodies. Here’s a quick breakdown of the timeline and impact:
Key Points:
- Flaw Discovered: A Vietnamese researcher uncovered the bug in May during a Berlin hacking event organized by Trend Micro, earning a $100,000 prize.
- Initial Patch Failed: Microsoft released a patch in July, but it didn’t fully resolve the issue. Exploits continued even after the patch.
- Hacking Groups Involved: Microsoft suspects Chinese hacking groups “Linen Typhoon” and “Violet Typhoon,” among others, are exploiting the flaw.
- Targeted Organizations: Around 100 organizations were attacked; the U.S. National Nuclear Security Administration was reportedly among them.
- Microsoft’s Confirmation: On July 8, Microsoft acknowledged the critical vulnerability and issued additional patches after realizing the first fix failed.
- Mass Exploitation Begins: 10 days post-patch, cybersecurity firms detected increased attacks on SharePoint servers.
- Global Exposure: Between 8,000 and 9,000 SharePoint servers may still be vulnerable, mostly in the U.S. and Germany, according to Shodan and Shadowserver Foundation.
- No Data Breach Confirmed Yet: According to current reports, no classified or sensitive data has been confirmed as compromised.
- China Denies Involvement: China’s embassy claims it opposes all forms of cyberattacks and accuses others of “smearing” without proof.
