Microsoft server hack likely single actor, thousands of firms now vulnerable, researchers say

CNA, 5 days ago
LONDON: A global attack on Microsoft server software used by thousands of government agencies and businesses to share documents within organisations is likely the work of a single actor, a cybersecurity researcher said on Monday.
Microsoft on Saturday issued an alert about "active attacks" on SharePoint servers run within organisations. It said that SharePoint Online in Microsoft 365, which is hosted in the cloud, was not affected. The flaw is described as a "zero day" because it was being exploited before defenders knew of it or had a patch for it.
"Based on the consistency of the tradecraft seen across observed attacks, the campaign launched on Friday appears to be a single actor. However, it's possible that this will quickly change," said Rafe Pilling, Director of Threat Intelligence at Sophos, a British cybersecurity firm.
That tradecraft included the sending of the same digital payload to multiple targets, Pilling added.
Microsoft has "provided security updates and encourages customers to install them," a company spokesperson said in an emailed statement.
It was not clear who was behind the ongoing hack. The FBI said on Sunday it was aware of the attacks and was working closely with its federal and private-sector partners, but offered no other details. Britain's National Cyber Security Centre did not immediately respond to a request for comment.
The Washington Post said unidentified actors in the past few days had exploited a flaw to launch an attack that targeted U.S. and international agencies and businesses.
According to data from Shodan, a search engine that indexes internet-connected equipment, more than 8,000 SharePoint servers are exposed to the internet, any of which could in principle already have been compromised.
Those servers include major industrial firms, banks, auditors, healthcare companies, and several U.S. state-level and international government entities.
"The SharePoint incident appears to have created a broad level of compromise across a range of servers globally," said Daniel Card of British cybersecurity consultancy, PwnDefend.
"Taking an assumed breach approach is wise, and it's also important to understand that just applying the patch isn't all that is required here."
Related Articles

Microsoft probing whether cyber alert tipped off Chinese hackers

Straits Times, 6 hours ago

Microsoft is looking into whether a leak from its early alert system led to the widespread exploitation of vulnerabilities in the SharePoint software.

Microsoft is investigating whether a leak from its early alert system for cybersecurity companies allowed Chinese hackers to exploit flaws in its SharePoint service before they were patched, according to people familiar with the matter. The technology company is looking into whether the programme, designed to give cybersecurity experts a chance to fix computer systems before the revelation of new security concerns, led to the widespread exploitation of vulnerabilities in its SharePoint software globally over the past several days, the people said, asking not to be identified discussing private matters.

'As part of our standard process, we'll review this incident, find areas to improve, and apply those improvements broadly,' a Microsoft spokesperson said in a statement, adding that partner programmes are an important part of the company's security response.

The Chinese embassy in Washington referred to comments made by foreign affairs ministry spokesman Guo Jiakun to media earlier this week, opposing hacking activities. 'Cybersecurity is a common challenge faced by all countries and should be addressed jointly through dialogue and cooperation,' Mr Guo said. 'China opposes and fights hacking activities in accordance with the law. At the same time, we oppose smears and attacks against China under the excuse of cybersecurity issues.'

Microsoft has attributed SharePoint breaches to state-sponsored hackers from China, and at least a dozen Chinese companies participate in the initiative, called the Microsoft Active Protections Program, or MAPP, according to Microsoft's website. Members of the 17-year-old programme must prove they are cybersecurity vendors and that they don't produce hacking tools like penetration testing software. After signing a non-disclosure agreement, they receive information about upcoming patches for vulnerabilities 24 hours before Microsoft releases them to the public. A subset of more highly vetted members receive notification of an incoming patch five days earlier, according to Microsoft's MAPP website.

Mr Dustin Childs, head of threat awareness for the Zero Day Initiative at cybersecurity company Trend Micro, says Microsoft alerted members of the programme about the vulnerabilities that led to the SharePoint attacks. 'These two bugs were included in the MAPP release,' says Mr Childs, whose company is a MAPP member. 'The possibility of a leak has certainly crossed our minds.' He adds that such a leak would be a dire threat to the programme, 'even though I still think MAPP has a lot of value'.

Victims of the attacks now total more than 400 government agencies and corporations worldwide, including the US's National Nuclear Security Administration, the division responsible for designing and maintaining the country's nuclear weapons. For at least some of the attacks, Microsoft has blamed Linen Typhoon and Violet Typhoon, groups sponsored by the Chinese government, as well as another China-based group it calls Storm-2603. In response to the allegations, the Chinese Embassy has said it opposes all forms of cyberattacks, while also objecting to 'smearing others without solid evidence'.

Mr Dinh Ho Anh Khoa, a researcher at the Vietnamese cybersecurity firm Viettel, revealed previously unknown SharePoint vulnerabilities in May at Pwn2Own, a contest in Berlin run by Mr Childs' organisation where hackers demonstrate exploits for critical security vulnerabilities on stage in front of a live audience. After the public demonstration and celebration, Mr Khoa headed to a private room with Mr Childs and a Microsoft representative, Mr Childs said. Mr Khoa explained the exploit in detail and handed over a full white paper. Microsoft validated the research and immediately began working on a fix. Mr Khoa won US$100,000 (S$128,160) for the work.

It took Microsoft about 60 days to come up with a fix. On July 7, the day before it released a patch publicly, hackers attacked SharePoint servers, cybersecurity researchers said. It is possible that hackers found the bugs independently and began exploiting them on the same day that Microsoft shared them with MAPP members, says Mr Childs. But he adds that this would be an incredible coincidence. The other obvious possibility is that someone shared the information with the attackers.

The leak of news of a pending patch would be a substantial security failure, but 'it has happened before,' says Mr Jim Walter, senior threat researcher at the cyber firm SentinelOne. MAPP has been the source of alleged leaks as far back as 2012, when Microsoft accused Hangzhou DPtech Technologies, a Chinese network security company, of disclosing information that exposed a major vulnerability in Windows. Hangzhou DPtech was removed from the programme. At the time, a Microsoft representative said in a statement that it had also 'strengthened existing controls and took actions to better protect our information'.

In 2021, Microsoft suspected at least two other Chinese MAPP partners of leaking information about vulnerabilities in its Exchange servers, leading to a global hacking campaign that Microsoft blamed on a Chinese espionage group called Hafnium. It was one of the company's worst breaches ever: tens of thousands of Exchange servers were hacked, including at the European Banking Authority and the Norwegian Parliament. Following the 2021 incident, the company considered revising the MAPP programme, Bloomberg previously reported. But it did not disclose whether any changes were ultimately made or whether any leaks were discovered.

A 2021 Chinese law mandates that any company or security researcher who identifies a security vulnerability must report it within 48 hours to the government's Ministry of Industry and Information Technology, according to an Atlantic Council report. Some of the Chinese companies that remain involved in MAPP, such as Beijing CyberKunlun Technology, are also members of a Chinese government vulnerabilities programme, the China National Vulnerability Database, which is operated by the country's Ministry of State Security, according to Chinese government websites.

Mr Eugenio Benincasa, a researcher at ETH Zurich's Center for Security Studies, says there is a lack of transparency about how Chinese companies balance their commitments to safeguard vulnerabilities shared by Microsoft with requirements that they share information with the Chinese government. 'We know that some of these companies collaborate with state security agencies and that the vulnerability management system is highly centralised,' says Mr Benincasa. 'This is definitely an area that warrants closer scrutiny.' BLOOMBERG

HSBC cuts equities team in Germany as CEO Georges Elhedery continues revamp

Business Times, 12 hours ago

[LONDON] HSBC Holdings is planning to let go of several staff in its Germany-based equities team as it continues to pare the investment banking division outside Asia and the Middle East. The London-headquartered lender is preparing to cut equities sales and trading jobs in the Dusseldorf office, according to sources familiar with the matter. The move is part of chief executive officer Georges Elhedery's effort to revamp the investment bank, the sources said, asking not to be identified discussing private information. Europe's largest financial institution has already culled dozens of analysts in its investment bank in the last couple of months and it has shut down its US, UK and European equity capital markets and M&A units. 'Equities sales and trading supports the growth of our Prime and Wealth businesses, facilitates equities distribution to the market and supports our global clients investing in equities in both developed markets and emerging markets,' an HSBC spokesperson said in response to questions about the cuts at the German unit. Since taking over as CEO last September, Elhedery has instituted a widespread overhaul of the bank that has involved creating four new divisions under what he has called his 'simplification' plan. He has also combined HSBC's commercial and investment banking units, while making operations in the UK and Hong Kong standalone businesses. BLOOMBERG

