According to Symantec, three Chinese threat groups have weaponized a zero-day vulnerability. Attackers have targeted government agencies in the United States, South America, and an African nation. To gain access, they have used tools such as KrustyLoader, ShadowPad, and Zingdoor.

According to the company, the attacks were "likely for the purpose of espionage." The firm states that "all evidence points to those behind it being China-based threat actors...the activity carried out on targeted networks indicates that the attackers were interested in stealing credentials and in establishing persistent and stealthy access to victim networks," but says it lacks sufficient evidence to definitively link this activity to a particular group. Symantec notes that "there is some overlap in the types of victims and some of the tools used between this activity and activity previously attributed to Glowworm." "We can say that all evidence points to those behind it being China-based threat actors," the statement continues. "We do not think that this is an isolated attack, and this is not an isolated incident," the statement adds.

"We're looking into it, and if more information is needed, we'll make it."