Microsoft recently confirmed a significant cyberattack exploiting flaws in on-premises SharePoint servers. The breach impacted around 100 organizations worldwide, including U.S. federal agencies, European institutions, and private companies. Cloud-based SharePoint environments were not affected.
Investigations linked the attack to state-sponsored threat groups, identified as Linen Typhoon, Violet Typhoon, and Storm-2603. These actors exploited a set of vulnerabilities collectively referred to as ToolShell (CVE-2025-53770 and CVE-2025-53771), allowing remote code execution without authentication. Once inside, the attackers deployed web shells, planted backdoors, and in some cases spread ransomware.
Cybersecurity researchers noted that ransomware gangs such as 4L4MD4R and Warlock also took advantage of the same flaws to target businesses, demanding Bitcoin payments in exchange for data decryption.
In response, Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued urgent guidance, recommending that all affected organizations:
- Apply the latest SharePoint security updates immediately.
- Review systems for indicators of compromise.
- Remove or disconnect internet-exposed servers if they cannot be patched quickly.
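The second step above, reviewing systems for indicators of compromise, is the one defenders most often have to improvise. The following script is an added example written for this summary, not Microsoft's or CISA's tooling and not an indicator list from the article. It performs the kind of triage an incident responder would run on an on-premises SharePoint web root after patching: walk the directory tree, skip files whose SHA-256 hash matches an inventory of known-good product files, and flag any remaining .aspx/.ashx/.asmx page that was modified after a patch-baseline date or that contains code typical of ASP.NET web shells (process spawning, in-memory assembly loading, request-driven command input). The web-root layout, the baseline date, the hypothetical file names and the allowlist are all constructed assumptions; the sample tree is built in a temporary directory so the example runs offline.

```python
"""Web shell triage for an on-premises SharePoint web root (added example)."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Assumed placeholder (not from the article): the moment the last known-good
# SharePoint update was applied. Server-side pages changed after this point
# and absent from the product inventory deserve a closer look.
BASELINE_EPOCH = 1_735_689_600  # 2025-01-01T00:00:00Z

# Content heuristics for ASP.NET web shells: server-side code that spawns
# processes, loads assemblies from bytes, or feeds request parameters into
# command execution. These are detection patterns, not exploit material.
SHELL_PATTERNS = [
    re.compile(rb"System\.Diagnostics\.Process", re.I),
    re.compile(rb"Assembly\.Load\s*\(", re.I),
    re.compile(rb"cmd\.exe|powershell", re.I),
    re.compile(rb"Request\s*\[\s*\"[^\"]+\"\s*\]", re.I),
]

SERVER_PAGE_SUFFIXES = {".aspx", ".ashx", ".asmx"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large pages do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root: Path, allowlist: set[str],
           baseline_epoch: int = BASELINE_EPOCH) -> list[dict]:
    """Report server-side pages under root that are not in the known-good
    hash allowlist and are either newer than the baseline or match a
    web-shell pattern. Findings are sorted by path for stable output."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.suffix.lower() not in SERVER_PAGE_SUFFIXES:
            continue  # directories and non-executable content are skipped
        digest = sha256_file(path)
        if digest in allowlist:
            continue  # known-good file from the patch-time inventory
        data = path.read_bytes()
        hits = [p.pattern.decode() for p in SHELL_PATTERNS if p.search(data)]
        recent = path.stat().st_mtime > baseline_epoch
        if hits or recent:
            findings.append({
                "path": str(path.relative_to(root)),
                "sha256": digest,
                "modified_after_baseline": recent,
                "pattern_hits": hits,
            })
    return findings


def build_sample_tree(base: Path) -> set[str]:
    """Create a constructed (not real) web root: one benign product page
    dated before the baseline, and one page resembling a dropped web shell.
    Returns the allowlist a patch-time inventory would have produced."""
    layouts = base / "TEMPLATE" / "LAYOUTS"  # assumed layout, for illustration
    layouts.mkdir(parents=True)

    benign = layouts / "settings.aspx"  # hypothetical product page
    benign.write_bytes(b'<%@ Page Language="C#" %>\r\n'
                       b"<html><body>Site settings</body></html>\r\n")
    stale = BASELINE_EPOCH - 86_400
    os.utime(benign, (stale, stale))  # pretend it shipped before the baseline

    suspect = layouts / "suspect_page.aspx"  # constructed name, not a known IoC
    suspect.write_bytes(b'<%@ Page Language="C#" %>\r\n'
                        b"<% var p = new System.Diagnostics.Process(); "
                        b'p.StartInfo.FileName = "cmd.exe"; %>\r\n')
    return {sha256_file(benign)}


def run_demo() -> list[dict]:
    """Build the sample tree in a temp dir and return the triage findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return triage(root, build_sample_tree(root))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["path"], finding["sha256"][:12],
              "recent" if finding["modified_after_baseline"] else "old",
              finding["pattern_hits"])
```

On a real host the allowlist would come from hashing the same directories on a freshly patched reference server, and anything the script reports should be preserved (file, timestamps, IIS logs for the same period) before it is removed, since the page notes that these intrusions progressed to backdoors and ransomware.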
This incident underscores the critical need for proactive patch management, tight network segmentation, and strong monitoring of third-party integrations. While Microsoft’s cloud platforms remained secure, the breach highlights the ongoing risks posed by self-hosted infrastructure in the face of increasingly sophisticated cyber threats.
International Private School of Technology (المدرسة الدولية الخاصة للتكنولوجيا), Private School for Vocational Training (مدرسة خاصة للتكوين المهني)