{"id":23878,"date":"2025-07-23T18:28:47","date_gmt":"2025-07-23T22:28:47","guid":{"rendered":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/?p=23878"},"modified":"2025-07-23T18:29:56","modified_gmt":"2025-07-23T22:29:56","slug":"china-linked-hack-exploits-outdated-microsoft-sharepoint-servers","status":"publish","type":"post","link":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/security\/china-linked-hack-exploits-outdated-microsoft-sharepoint-servers.html","title":{"rendered":"China-Linked Hack Exploits Outdated Microsoft SharePoint Servers"},"content":{"rendered":"\n<p><strong>Key Takeaways:<\/strong><\/p>\n\n\n\n<ul>\n<li>Chinese state-affiliated hackers exploited a vulnerability in Microsoft SharePoint long after the software\u2019s support had ended.<\/li>\n\n\n\n<li>The attack, tied to the Flax Typhoon group, targeted unpatched SharePoint 2013 servers that reached end-of-life in April 2023.<\/li>\n\n\n\n<li>Security researchers warn this type of incident could foreshadow a wave of legacy software exploitation as more enterprise tools age out of support.<\/li>\n\n\n\n<li>Experts urge organizations to inventory and sunset legacy infrastructure to prevent further national security risks.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>As cybersecurity teams race to adopt AI tools and zero trust frameworks, some of the most critical threats continue to emerge from basic IT hygiene failures\u2014like unpatched, outdated software. 
That reality came into focus again this week after Microsoft confirmed that Chinese-linked hackers <a href=\"https:\/\/www.wired.com\/story\/microsoft-sharepoint-hack-china-end-of-life-updates\/\">breached<\/a> organizations by targeting SharePoint 2013 servers that had reached end-of-life and were no longer receiving security updates.<\/p>\n\n\n\n<p>The campaign, attributed to a threat actor known as Flax Typhoon (also tracked as Ethereal Panda), capitalized on CVE-2023-29357, an authentication bypass in SharePoint Server in which forged JWT authentication tokens are accepted as valid. Microsoft released a patch for the flaw in June 2023, but the fix covered only supported versions; SharePoint Server 2013 had already aged out of support and never received it. According to researchers, Flax Typhoon began actively exploiting the issue months later.<\/p>\n\n\n\n<p>In related news we&#8217;ve reported, New Coyote Malware Variant <a href=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/security\/new-coyote-malware-variant-exploits-windows-ui-automation-to-evade-detection-and-steal-banking-credentials.html\">Exploits<\/a> Windows UI Automation to Evade Detection and Steal Banking Credentials, Automotive Security Under <a href=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/security\/automotive-security-under-scrutiny-after-major-vulnerabilities-exposed-in-connected-cars.html\">Scrutiny<\/a> After Major Vulnerabilities Exposed in Connected Cars, Clorox <a href=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/security\/clorox-sues-cognizant-for-380-million-over-credential-mishandling-in-cyberattack.html\">Sues<\/a> Cognizant for $380 Million Over Credential Mishandling in Cyberattack, US Nuclear Weapons Agency Breached in Microsoft SharePoint Cyberattack, Chinese Threat Actor\u00a0<a 
href=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/security\/chinese-threat-actor-targets-microsoft-sharepoint-in-toolshell-malware-campaign.html\">Targeted<\/a>\u00a0Microsoft SharePoint in ToolShell Malware Campaign, Chinese Hackers\u00a0<a href=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/security\/chinese-hackers-breach-us-national-guard-networks-stay-hidden-for-months.html\">Breached<\/a>\u00a0US National Guard Networks, Stay Hidden for Months, Ukrainian Hackers\u00a0<a href=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/security\/ukrainian-hackers-claim-devastating-cyberattack-on-russian-drone-manufacturer-gaskar-group.html\">Claimed<\/a>\u00a0Devastating Cyberattack on Russian Drone Manufacturer Gaskar Group and the Trump Administration\u00a0<a href=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/security\/trump-administration-allocates-1-billion-for-offensive-cyber-operations.html\">Allocated<\/a>\u00a0$1 Billion for Offensive Cyber Operations.<\/p>\n\n\n\n<p><strong>The Threat from Outdated Infrastructure<\/strong><\/p>\n\n\n\n<p>The SharePoint exploit underscores a mounting concern in cybersecurity: how quickly outdated infrastructure can become a national security risk. Many organizations still run legacy systems like SharePoint 2013 internally, especially where workloads are deeply embedded into business processes. But once those tools lose vendor support, they become high-value soft targets for advanced persistent threat (APT) groups.<\/p>\n\n\n\n<p>\u201cThe moment support ends, the patching stops, but attackers don\u2019t,\u201d said a security researcher familiar with the case. \u201cNation-state actors know which systems are still widely deployed and lagging behind. They plan around it.\u201d<\/p>\n\n\n\n<p>Despite Microsoft\u2019s clear warnings about the end of support for SharePoint 2013 in April 2023, telemetry data suggests many organizations did not migrate in time. 
The result was predictable: an attack surface that widened over time as patch coverage dropped and vulnerability awareness faded.<\/p>\n\n\n\n<p><strong>How the Attack Worked<\/strong><\/p>\n\n\n\n<p>CVE-2023-29357 is an authentication bypass that Microsoft classifies as an elevation-of-privilege flaw: an attacker who can forge the JWT authentication tokens SharePoint accepts can present them over the network without any valid credentials and obtain the privileges of an authenticated user, up to and including administrative access. The attack requires no user interaction, which makes it well suited to quiet initial access operations.<\/p>\n\n\n\n<p>Flax Typhoon reportedly chained this vulnerability with other known issues to establish persistence, move laterally within target networks, and exfiltrate sensitive data. The full scope of the intrusion has not been publicly disclosed, but sources suggest the victims include government agencies and critical infrastructure operators in Asia and North America.<\/p>\n\n\n\n<p>Microsoft has since updated its guidance to strongly recommend migrating to supported SharePoint versions or cloud-based SharePoint Online. 
However, the breach also highlights a structural limitation: vendor support timelines are not always aligned with enterprise migration cycles, particularly in sectors with compliance-heavy documentation systems.<\/p>\n\n\n\n<p><strong>A Growing Pattern<\/strong><\/p>\n\n\n\n<p>This isn\u2019t the first time Chinese state-sponsored actors have been linked to exploits involving outdated Microsoft tools. The Hafnium campaign in 2021 exploited flaws in on-premises Exchange Servers, and many of those servers stayed exposed long after fixes shipped because they were behind on patches or out of support. The parallels are troubling.<\/p>\n\n\n\n<p>While the federal government has begun mandating software bills of materials (SBOMs) and inventory tracking for critical suppliers, private sector compliance remains inconsistent. Many smaller organizations lack the visibility or resources to phase out aging systems.<\/p>\n\n\n\n<p>According to some experts, these events reveal a deeper problem: cybersecurity frameworks often assume software lifecycles are neatly managed, but the reality is far messier.<\/p>\n\n\n\n<p><strong>Policy and Industry Implications<\/strong><\/p>\n\n\n\n<p>There are growing calls for industry-wide frameworks to manage legacy tech risk. Some experts propose a \u201cresponsible decommissioning\u201d initiative that mirrors responsible disclosure\u2014encouraging vendors and users to publicly signal end-of-life dates and offer transparent migration paths.<\/p>\n\n\n\n<p>Others say mandates may be necessary. \u201cIf a piece of software can compromise national security and it&#8217;s no longer supported, its operators need to be held to account,\u201d one policy analyst stated. \u201cThat includes requiring inventories and proof of phase-outs in regulated industries.\u201d<\/p>\n\n\n\n<p>Microsoft, for its part, has not commented on whether extended support options or alerts could be improved. 
The company did note that it routinely works with CISA and global cybersecurity agencies to surface urgent threats and guidance.<\/p>\n\n\n\n<p><strong>A Warning for the Future<\/strong><\/p>\n\n\n\n<p>As the industry turns its attention to AI-driven threats and complex zero-day chains, the SharePoint incident is a reminder that low-tech risks still pack a punch\u2014especially when paired with state-sponsored intent.<\/p>\n\n\n\n<p>With more enterprise software nearing end-of-life milestones over the next 24 months, the concern is that other tools\u2014like older Citrix, Oracle, and even SAP systems\u2014may become the next target set. Attackers don\u2019t need novel exploits when simple neglect creates the opportunity.<\/p>\n\n\n\n<p>Organizations are advised to inventory every unsupported product in their estate, assess each one on its exposure and the data it handles, prioritize migration to cloud or vendor-supported alternatives for the highest-risk systems, and treat lifecycle tracking as a standing control rather than a one-time project.<\/p>\n\n\n\n<p><strong><mark><em>Learn how AI Agents can supercharge your company\u2019s profits and productivity at&nbsp;<a href=\"http:\/\/www.tmcnet.com\/\">TMC\u2019s&nbsp;<\/a><a href=\"https:\/\/www.aiagentevent.com\/\">AI Agent Event<\/a>, Sept 29-30, 2025 in DC.<\/em><\/mark><\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2025\/05\/image-10.png\"><img loading=\"lazy\" decoding=\"async\" width=\"299\" height=\"136\" src=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2025\/05\/image-10.png\" alt=\"\" class=\"wp-image-20657\"\/><\/a><\/figure>\n\n\n\n<p>If you liked this post, you\u2019ll love one of the leading global business communications and technology events since 1999, the&nbsp;<a href=\"http:\/\/www.itexpo.com\/\">ITEXPO #TECHSUPERSHOW<\/a>, Feb 10-12, 2026 Fort Lauderdale, Florida.<\/p>\n\n\n\n<p>Don\u2019t forget the collocated&nbsp;<a href=\"http:\/\/www.mspexpo.com\/\">MSP Expo<\/a>&nbsp;\u2013 just for managed 
service providers!<\/p>\n\n\n\n<p><em>Aside from his role as CEO of&nbsp;<a href=\"http:\/\/www.tmcnet.com\/\">TMC<\/a>&nbsp;and chairman of&nbsp;<a href=\"http:\/\/www.itexpo.com\/\">ITEXPO<\/a>&nbsp;#TECHSUPERSHOW Feb 10-12, 2026,&nbsp;Rich Tehrani is CEO of&nbsp;<a href=\"https:\/\/www.rt-advisors.com\/\">RT Advisors<\/a>&nbsp;and a Registered Representative (investment banker) with and offering securities through&nbsp;<a href=\"https:\/\/www.4pointscapital.com\/\">Four Points Capital Partners LLC&nbsp;<\/a>(Four Points) (Member FINRA\/SIPC). He handles capital\/debt raises as well as M&amp;A. RT Advisors is not owned by Four Points.<\/em><\/p>\n\n\n\n<p>The above is not an endorsement or recommendation to buy\/sell any security or sector mentioned. No companies mentioned above are current or past clients of RT Advisors.<\/p>\n\n\n\n<p>The views and opinions expressed above are those of the participants. While believed to be reliable, the information has not been independently verified for accuracy. Any broad, general statements made herein are provided for context only and should not be construed as exhaustive or universally applicable.<\/p>\n\n\n\n<p><em>Portions of this article may have been developed with the assistance of artificial intelligence, which may have contributed to ideation, content generation, factual review, or editing<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Key Takeaways: As cybersecurity teams race to adopt AI tools and zero trust frameworks, some of the most critical threats continue to emerge from basic IT hygiene failures\u2014like unpatched, outdated software. 
That reality came into focus again this week after Microsoft confirmed that Chinese-linked hackers breached organizations by targeting SharePoint 2013 servers that had reached<\/p>\n","protected":false},"author":44,"featured_media":23880,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[156],"tags":[],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/23878"}],"collection":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/comments?post=23878"}],"version-history":[{"count":1,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/23878\/revisions"}],"predecessor-version":[{"id":23879,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/23878\/revisions\/23879"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/media\/23880"}],"wp:attachment":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/media?parent=23878"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/categories?post=23878"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/tags?post=23878"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}