Microsoft server hack hit about 100 victims, researchers say

CNA, 6 days ago
WASHINGTON/LONDON: A sweeping cyber espionage operation targeting Microsoft server software compromised about 100 different organizations as of the weekend, two of the organizations that helped uncover the campaign said on Monday.
Microsoft on Saturday issued an alert about "active attacks" on self-managed SharePoint servers, which are widely used by government agencies and businesses to share documents within organisations.
The attack has been dubbed a "zero-day" because it leverages a previously undisclosed digital weakness; it allows spies to penetrate vulnerable servers and potentially drop a backdoor to secure continuous access to victim organizations.
Vaisha Bernard, the chief hacker at Eye Security, a Netherlands-based cybersecurity firm, which discovered the hacking campaign targeting one of its clients on Friday, said that an internet scan carried out with the Shadowserver Foundation had uncovered nearly 100 victims altogether - and that was before the technique behind the hack was widely known.
"It's unambiguous," Bernard said. "Who knows what other adversaries have done since to place other backdoors."
He declined to identify the affected organizations, saying that the relevant national authorities had been notified.
The Shadowserver Foundation confirmed the 100 figure and said that most of those affected were in the United States and Germany and that the victims included government organizations.
Another researcher said that, so far, the spying appeared to be the work of a single hacker or set of hackers.
"It's possible that this will quickly change," said Rafe Pilling, director of Threat Intelligence at Sophos, a British cybersecurity firm.
Microsoft has "provided security updates and encourages customers to install them," a company spokesperson said in an emailed statement.
It was not clear who was behind the ongoing hack. The FBI said on Sunday it was aware of the attacks and was working closely with its federal and private-sector partners, but offered no other details. Britain's National Cyber Security Center said in a statement that it was aware of "a limited number" of targets in the United Kingdom.
According to data from Shodan, a search engine that helps to identify internet-linked equipment, over 8,000 servers online could theoretically have already been compromised by hackers.
Those servers include major industrial firms, banks, auditors, healthcare companies, and several U.S. state-level and international government entities.
"The SharePoint incident appears to have created a broad level of compromise across a range of servers globally," said Daniel Card of British cybersecurity consultancy PwnDefend.
Related Articles

US Fed poised to hold off on rate cuts, defying Trump pressure

CNA, 6 hours ago

WASHINGTON: The US central bank is widely expected to hold off slashing interest rates again at its upcoming meeting, as officials gather under the cloud of an intensifying pressure campaign by President Donald Trump.

Policymakers at the independent Federal Reserve have kept the benchmark lending rate steady since the start of the year as they monitor how Trump's sweeping tariffs are impacting the world's biggest economy.

With Trump's on-again, off-again tariff approach - and the levies' lagged effects on inflation - Fed officials want to see economic data from this summer to gauge how prices are being affected.

When mulling changes to interest rates, the central bank - which meets on Tuesday and Wednesday - seeks a balance between reining in inflation and the health of the jobs market.

But the bank's data-dependent approach has enraged the Republican president, who has repeatedly criticised Fed Chair Jerome Powell for not slashing rates further, calling him a "numbskull" and "moron".

Most recently, Trump signalled he could use the Fed's US$2.5 billion renovation project as an avenue to oust Powell, before backing off and saying that would be unlikely.

Trump visited the Fed construction site on Thursday, making a tense appearance with Powell in which the Fed chair disputed Trump's characterisation of the total cost of the refurbishment in front of the cameras.

But economists expect the Fed to look past the political pressure at its policy meeting.

"We're just now beginning to see the evidence of tariffs' impact on inflation," said Ryan Sweet, chief US economist at Oxford Economics.

"We're going to see it (too) in July and August, and we think that's going to give the Fed reason to remain on the sidelines," he told AFP.

"TRIAL BALLOON"

Since returning to the presidency in January, Trump has imposed a 10 per cent tariff on goods from almost all countries, as well as steeper rates on steel, aluminium and autos.

The effect on inflation has so far been limited, prompting the US leader to use this as grounds for calling for interest rates to be lowered by three percentage points.

Currently, the benchmark lending rate stands at a range between 4.25 per cent and 4.50 per cent.

Trump also argues that lower rates would save the government money on interest payments, and floated the idea of firing Powell. The comments roiled financial markets.

"Powell can see that the administration floated this trial balloon" of ousting him before walking it back on the market's reaction, Sweet said.

"It showed that markets value an independent central bank," the Oxford Economics analyst added, anticipating Powell will be instead more influenced by labour market concerns.

Powell's term as Fed chair ends in May 2026.

JOBS MARKET "FISSURES"

Analysts expect to see a couple of members break ranks if the Fed's rate-setting committee decides for a fifth straight meeting to keep interest rates unchanged.

Sweet cautioned that some observers may spin dissents as pushback on Powell but argued this is not necessarily the case.

"It's not out-of-line or unusual to see, at times when there's a high degree of uncertainty, or maybe a turning point in policy, that you get one or two people dissenting," said Nationwide chief economist Kathy Bostjancic.

Fed Governor Christopher Waller and Vice Chair for Supervision Michelle Bowman have both signalled openness to rate cuts as early as July, meaning their disagreement with a decision to hold rates steady would not surprise markets.

Bostjancic said that too many dissents could be "eyebrow-raising", and lead some to question if Powell is losing control of the board, but added: "I don't anticipate that to be the case."

For Sweet, "the big wild card is the labour market". There has been weakness in the private sector, while the hiring rate has been below average and the number of permanent job losers is rising.
"There are some fissures in the labour market, but they haven't turned into fault lines yet," Sweet said. If the labour market suddenly weakened, he said he would expect the Fed to start cutting interest rates sooner.

KKR in talks to buy S'pore-based ST Telemedia Global Data Centres in deal valued at US$5b: Sources

Straits Times, 15 hours ago

KKR is already a backer in the closely held data centre company known as STT GDC with a 14.1 per cent stake.

KKR & Co. is in talks to buy ST Telemedia Global Data Centres in a deal that could value the Asian digital infrastructure provider at more than US$5 billion (S$6.4 billion), according to people familiar with the matter.

The US investment firm and ST Telemedia could reach a deal in the coming weeks, the people said.

At a more than US$5 billion valuation, the deal could be among the largest for KKR in 2025, according to data compiled by Bloomberg.

Discussions are advanced but could still be delayed or even fall apart, the people said, asking not to be identified as the information is private. KKR and STT GDC declined to comment.

Based in Singapore, STT GDC is one of Asia's largest data centre operators with more than 100 data centres across 20 major markets including India, South Korea, Japan and Malaysia. It also has a presence beyond Asia in countries such as the UK, Italy and Germany. The company provides services such as colocation, connectivity, and support services.

A consortium of KKR and Singapore Telecommunications in 2024 invested $1.75 billion for a minority stake in STT GDC after a competitive process.

KKR in 2025 has pulled out the same playbook it deployed during the pandemic by investing through the market turbulence triggered by President Donald Trump's trade war. In April, it won a hotly contested auction for post-trade services firm OSTTRA for an enterprise value of more than US$3 billion and announced an acquisition of Karo Healthcare for more than €2.5 billion (S$3.76 billion) including debt. More recently, KKR agreed to buy London-listed Spectris, a maker of precision testing equipment and software, for about £4.1 billion (S$7.05 billion).

BLOOMBERG

Microsoft probing whether cyber alert tipped off Chinese hackers

Straits Times, a day ago

Microsoft is looking into whether a leak from its early alert system led to the widespread exploitation of vulnerabilities in the SharePoint software.

Microsoft is investigating whether a leak from its early alert system for cybersecurity companies allowed Chinese hackers to exploit flaws in its SharePoint service before they were patched, according to people familiar with the matter.

The technology company is looking into whether the programme – designed to give cybersecurity experts a chance to fix computer systems before the revelation of new security concerns – led to the widespread exploitation of vulnerabilities in its SharePoint software globally over the past several days, the people said, asking not to be identified discussing private matters.

'As part of our standard process, we'll review this incident, find areas to improve, and apply those improvements broadly,' a Microsoft spokesperson said in a statement, adding that partner programmes are an important part of the company's security response.

The Chinese embassy in Washington referred to comments made by foreign affairs ministry spokesman Guo Jiakun to media earlier this week, opposing hacking activities. 'Cybersecurity is a common challenge faced by all countries and should be addressed jointly through dialogue and cooperation,' Mr Guo said. 'China opposes and fights hacking activities in accordance with the law. At the same time, we oppose smears and attacks against China under the excuse of cybersecurity issues.'

Microsoft has attributed SharePoint breaches to state-sponsored hackers from China, and at least a dozen Chinese companies participate in the initiative, called the Microsoft Active Protections Program, or MAPP, according to Microsoft's website. Members of the 17-year-old programme must prove they are cybersecurity vendors and that they don't produce hacking tools like penetration testing software.

After signing a non-disclosure agreement, they receive information about novel patches to vulnerabilities 24 hours before Microsoft releases them to the public. A subset of more highly vetted users receive notifications of an incoming patch five days earlier, according to Microsoft's MAPP website.

Mr Dustin Childs, head of threat awareness for the Zero Day Initiative at cybersecurity company Trend Micro, says Microsoft alerted members of the programme about the vulnerabilities that led to the SharePoint attacks. 'These two bugs were included in the MAPP release,' says Mr Childs, whose company is a MAPP member. 'The possibility of a leak has certainly crossed our minds.' He adds that such a leak would be a dire threat to the programme, 'even though I still think MAPP has a lot of value'.

Victims of the attacks now total more than 400 government agencies and corporations worldwide, including the US's National Nuclear Security Administration, the division responsible for designing and maintaining the country's nuclear weapons.

For at least some of the attacks, Microsoft has blamed Linen Typhoon and Violet Typhoon, groups sponsored by the Chinese government, as well as another China-based group it calls Storm-2603. In response to the allegations, the Chinese Embassy has said it opposes all forms of cyberattacks, while also objecting to 'smearing others without solid evidence'.

Mr Dinh Ho Anh Khoa, a researcher who works for the Vietnamese cybersecurity firm Viettel, revealed that SharePoint had unknown vulnerabilities in May at Pwn2Own, a conference in Berlin run by Mr Childs' organisation where hackers sit on stage and search for critical security vulnerabilities in front of a live audience. After the public demonstration and celebration, Mr Khoa headed to a private room with Mr Childs and a Microsoft representative, Mr Childs said. Mr Khoa explained the exploit in detail and handed over a full white paper.

Microsoft validated the research and immediately began working on a fix. Mr Khoa won US$100,000 (S$128,160) for the work. It took Microsoft about 60 days to come up with a fix.

On July 7, the day before it released a patch publicly, hackers attacked SharePoint servers, cybersecurity researchers said. It is possible that hackers found the bugs independently and began exploiting them on the same day that Microsoft shared them with MAPP members, says Mr Childs. But he adds that this would be an incredible coincidence. The other obvious possibility is that someone shared the information with the attackers.

The leak of news of a pending patch would be a substantial security failure, but 'it has happened before,' says Mr Jim Walter, senior threat researcher at the cyber firm SentinelOne.

MAPP has been the source of alleged leaks as far back as 2012, when Microsoft accused Hangzhou DPtech Technologies, a Chinese network security company, of disclosing information that exposed a major vulnerability in Windows. Hangzhou DPtech was removed from the MAPP group. At the time, a Microsoft representative said in a statement that it had also 'strengthened existing controls and took actions to better protect our information'.

In 2021, Microsoft suspected at least two other Chinese MAPP partners of leaking information about vulnerabilities in its Exchange servers, leading to a global hacking campaign that Microsoft blamed on a Chinese espionage group called Hafnium. It was one of the company's worst breaches ever – tens of thousands of Exchange servers were hacked, including at the European Banking Authority and the Norwegian Parliament.

Following the 2021 incident, the company considered revising the MAPP programme, Bloomberg previously reported. But it did not disclose whether any changes were ultimately made or whether any leaks were discovered.

A 2021 Chinese law mandates that any company or security researcher who identifies a security vulnerability must report it within 48 hours to the government's Ministry of Industry and Information Technology, according to an Atlantic Council report.

Some of the Chinese companies that remain involved in MAPP, such as Beijing CyberKunlun Technology, are also members of a Chinese government vulnerabilities programme, the China National Vulnerability Database, which is operated by the country's Ministry of State Security, according to Chinese government websites.

Mr Eugenio Benincasa, a researcher at ETH Zurich's Center for Security Studies, says there is a lack of transparency about how Chinese companies balance their commitments to safeguard vulnerabilities shared by Microsoft with requirements that they share information with the Chinese government.

'We know that some of these companies collaborate with state security agencies and that the vulnerability management system is highly centralised,' says Mr Benincasa. 'This is definitely an area that warrants closer scrutiny.'

BLOOMBERG
