- Microsoft SharePoint vulnerability is proving incredibly attractive to hackers
- New estimates place the number of organizations affected at 400
- The hackers have deployed ransomware against some affected organizations
New estimates regarding the recently-exploited Microsoft SharePoint vulnerabilities now evaluate that as many as 400 organizations may have been targeted.
The figure is a sharp increase from the original count of around 100, with Microsoft pointing the finger at Chinese threat actors for the hacks, namely Linen Typhoon, Violet Typhoon, and Storm-2603.
The victims are primarily US based, and amongst these are some high value targets, including the National Nuclear Security Administration – the US agency responsible for maintaining and designing nuclear weapons, Bloomberg reports.
Ransomware deployed
So far, no sensitive or classified information is confirmed to have been leaked, but the hackers have also seemingly broken into systems belonging to national governments in Europe and the Middle East, the US Education Department – and the full extent of the repercussions won’t be seen for a long time yet, experts have warned.
Microsoft has confirmed that these security flaws, although now patched, were used by the Chinese threat actor Storm-2603 to deploy ransomware – which could cost the affected organisation millions.
“Microsoft tracks this threat actor in association with attempts to steal MachineKeys using the on-premises SharePoint vulnerabilities,” the company shared in a report. “Starting on July 18, 2025, Microsoft has observed Storm-2603 deploying ransomware using these vulnerabilities.”
The vulnerability allows hackers to extract cryptographic keys from servers run by Microsoft clients, these keys in turn let them install programmes onto the servers – including malware or backdoors which could allow the hackers to return at a later date. This means that patching the vulnerability should be a top priority for any organisation affected.
Microsoft did issue a patch for this vulnerability early on, but some bypasses were identified, so customers were advised to be extra vigilant and deploy Antimalware Scan Interface (AMSI) as well as antivirus software. Since, additional security updates have been rolled out to address the issues.
China has repeatedly denied the accusation of cyber espionage, and a Chinese embassy spokesperson told TechRadar Pro it hopes, “relevant parties will adopt a professional and responsible attitude when characterizing cyber incidents, basing their conclusions on sufficient evidence rather than unfounded speculation and accusations.”
