Microsoft has revealed that investigations are underway indicating that Chinese “threat actors,” including state-sponsored hackers, are taking advantage of security flaws in SharePoint’s document sharing servers, impacting numerous government agencies and organizations.
Eye Security, a Dutch cybersecurity firm, reported that hackers have compromised around 400 institutions, businesses, and other entities, stating, “We anticipate an increase as the investigation continues.”
The majority of the affected parties are located in the United States. Bloomberg noted that one of the victims was the US agency responsible for overseeing the National Nuclear Security Agency, which manages nuclear weapons.
According to Microsoft, three groups have been identified utilizing Chinese state-backed techniques, with a focus on exploiting newly disclosed vulnerabilities in internet-facing servers hosting the platform.
This announcement coincides with reports from the financial sector that Amazon has halted artificial intelligence labs in Shanghai. Additionally, consultancy firm McKinsey reported that Chinese companies are withdrawing from AI-related projects as geopolitical tensions between Washington and Beijing escalate.
Recently, Microsoft and IBM have scaled back their research and development initiatives in China, with US officials intensifying scrutiny on American companies involved in AI within the country.
In a blog post, Microsoft stated that the vulnerability is associated with an on-premises SharePoint server commonly utilized by businesses, not a cloud-based service.
Numerous large organizations employ SharePoint as a platform for document storage and collaboration, integrating seamlessly with other Microsoft products like Office and Outlook.
Microsoft indicated that the attacks commenced as early as July 7th, with hackers attempting to leverage the vulnerability for “early access to the target organization.”
This vulnerability permits an attacker to spoof authentication credentials and remotely execute malicious code on the server. Microsoft observed an attack that sent requests to a SharePoint server, potentially “enabling the theft of key material.”
In response, Microsoft has released a security update and recommended that all users of on-premises SharePoint systems apply it. They cautioned, with “high confidence”, that hacking groups are continuing to target these systems.
Eye Security reported in a press release that “anomalous activity” was detected on a client’s on-premises SharePoint Server on the evening of July 18th. They subsequently scanned over 8,000 publicly accessible SharePoint servers across the globe, discovering numerous compromised systems and confirming that attackers were executing a coordinated mass exploitation campaign.
Microsoft stated that Linen Typhoon has been focused on “intellectual property theft” since 2012, with primary targets including government, defense, strategic planning, and human rights-related organizations.
Since 2015, Violet Typhoon has predominantly targeted former government and military personnel, NGOs, think tanks, academia, digital and print media, and sectors related to finance and health in the US, Europe, and East Asia.
Microsoft mentioned a third group, Storm-2603, which is situated in China, though no direct connection has been established between this group and other Chinese threat actors. They warned that “additional actors” could exploit the vulnerability to target on-premises SharePoint systems unless security updates are installed.
Source: www.theguardian.com