
Latest news with #SilasCutler

China behind vast global hack involving multiple US agencies

Politico

a day ago


Spokespeople for the Cybersecurity and Infrastructure Security Agency and the FBI, which have said publicly they are working to address the breach, did not immediately respond to a request for comment on the number of agencies impacted. The White House did not respond to a request for comment on the suspected links to China. The Chinese embassy in Washington also did not respond to a request for comment for this story. The Washington Post first reported Monday on the scope of the breach and that private researchers believe at least two federal agencies were affected by the hack. They later reported on the suspected links to China. Microsoft and other private researchers probing the incident believe that hackers unrelated to China are already exploiting the same Microsoft software flaw — and more hacking groups could try to do so soon. 'It's critical to understand that multiple actors are now actively exploiting this vulnerability,' and other hackers are likely to 'leverage this exploit as well,' Charles Carmakal, the chief technology officer at Google's Mandiant, said in a statement Monday night. Researchers at separate leading internet scanning firms told POLITICO Monday that roughly 100 organizations across the globe appear to have been hit thus far. Silas Cutler, principal researcher at internet scanning firm Censys, and Piotr Kijewski, CEO of The Shadowserver Foundation, also said that thousands more could be vulnerable to attack. The flaws in the SharePoint software are considered severe because they allowed hackers to remotely access Microsoft customers running self-hosted versions of the service, and then burrow deeper inside their networks. The vulnerabilities did not affect those running a version of SharePoint hosted on Microsoft cloud servers. Microsoft failed to fix one software bug in its on-site SharePoint service earlier this month, and has only been able to offer partial mitigations for additional bugs since. 
A Microsoft spokesperson said in a statement that the company is both working to ensure its customers install fixes and 'coordinating closely with CISA, DOD Cyber Defense Command, and key cybersecurity partners around the world throughout our response.' A spokesperson for CISA said the tech giant has been 'responding quickly' ever since the agency reached out to it.

Hackers exploiting SharePoint zero-day seen targeting government agencies

Yahoo

2 days ago


The hackers behind the initial wave of attacks exploiting a zero-day in Microsoft SharePoint servers have so far primarily targeted government organizations, according to researchers as well as news reports. Over the weekend U.S. cybersecurity agency CISA published an alert, warning that hackers were exploiting a previously unknown bug — known as a 'zero-day' — in Microsoft's enterprise data management product SharePoint. While it's still early to draw definitive conclusions, it appears that the hackers who first started abusing this flaw were targeting government organizations, according to Silas Cutler, the principal researcher at Censys, a cybersecurity firm that monitors hacking activities on the internet. 'It looks like initial exploitation was against a narrow set of targets,' Cutler told TechCrunch. 'Likely government related.' 'This is a fairly rapidly evolving case. Initial exploitation of this vulnerability was likely fairly limited in terms of targeting, but as more attackers learn to replicate exploitation, we will likely see breaches as a result of this incident,' said Cutler. Now that the vulnerability is out there, and still not fully patched by Microsoft, it's possible other hackers that are not necessarily working for a government will join in and start abusing it, Cutler said. Cutler added that he and his colleagues are seeing between 9,000 and 10,000 vulnerable SharePoint instances accessible from the internet, but that could change. Eye Security, which first published the existence of the bug, reported seeing a similar number, saying its researchers scanned more than 8,000 SharePoint servers worldwide and found evidence of dozens of compromised servers.
Given the limited number of targets and the types of targets at the beginning of the campaign, Cutler explained, it is likely that the hackers were part of a government group, commonly known as an advanced persistent threat. The Washington Post reported on Sunday that the attacks targeted U.S. federal and state agencies, as well as universities and energy companies, among other commercial targets. Microsoft said in a blog post that the vulnerability only affects versions of SharePoint that are installed on local networks, and not the cloud versions, which means that each organization that deploys a SharePoint server needs to apply the patch, or disconnect it from the internet.

Hackers exploiting SharePoint zero-day seen targeting government agencies, say researchers

TechCrunch

2 days ago


The hackers behind the initial wave of attacks exploiting a zero-day in Microsoft SharePoint servers have so far primarily targeted government organizations, according to researchers as well as news reports. Over the weekend U.S. cybersecurity agency CISA published an alert, warning that hackers were exploiting a previously unknown bug — known as a 'zero-day' — in Microsoft's enterprise data management product SharePoint. While it's still early to draw definitive conclusions, it appears that the hackers who first started abusing this flaw were targeting government organizations, according to Silas Cutler, the principal researcher at Censys, a cybersecurity firm that monitors hacking activities on the internet. 'It looks like initial exploitation was against a narrow set of targets,' Cutler told TechCrunch. 'Likely government related.' 'This is a fairly rapidly evolving case. Initial exploitation of this vulnerability was likely fairly limited in terms of targeting, but as more attackers learn to replicate exploitation, we will likely see breaches as a result of this incident,' said Cutler. Now that the vulnerability is out there, and still not fully patched by Microsoft, it's possible other hackers that are not necessarily working for a government will join in and start abusing it, Cutler said.
Cutler added that he and his colleagues are seeing between 9,000 and 10,000 vulnerable SharePoint instances accessible from the internet, but that could change. Eye Security, which first published the existence of the bug, reported seeing a similar number, saying its researchers scanned more than 8,000 SharePoint servers worldwide and found evidence of dozens of compromised servers. Given the limited number of targets and the types of targets at the beginning of the campaign, Cutler explained, it is likely that the hackers were part of a government group, commonly known as an advanced persistent threat. The Washington Post reported on Sunday that the attacks targeted U.S. federal and state agencies, as well as universities and energy companies, among other commercial targets. Microsoft said in a blog post that the vulnerability only affects versions of SharePoint that are installed on local networks, and not the cloud versions, which means that each organization that deploys a SharePoint server needs to apply the patch, or disconnect it from the internet.

Hackers exploit Microsoft SharePoint as firm works to patch

Boston Globe

2 days ago


Silas Cutler, a researcher at Michigan-based cybersecurity firm Censys, estimated that more than 10,000 companies with SharePoint servers were at risk. The US had the largest number of those companies, followed by the Netherlands, the UK and Canada, he said. 'It's a dream for ransomware operators,' he said. Microsoft has been trying to shore up its cybersecurity after a series of high-profile failures, hiring new executives from places like the US government and holding weekly meetings with senior executives to make its software more resilient. The company's tech has been subject to several widespread and damaging hacks in recent years, and a 2024 US government report described the company's security culture as in need of urgent reforms. Palo Alto Networks Inc. warned that the SharePoint exploits are 'real, in-the-wild, and pose a serious threat.' Google Threat Intelligence Group said in an e-mailed statement it had observed hackers exploiting the vulnerability, adding it allows 'persistent, unauthenticated access and presents a significant risk to affected organizations.' 'When they're able to compromise the fortress that is SharePoint, everybody is kind of at their whim because that is one of the highest security protocols out there,' said Gene Yu, CEO of Singapore-based cyber incident response firm Blackpanda. The Washington Post reported that the breach had affected US federal and state agencies, universities, energy companies and an Asian telecommunications company, citing state officials and private researchers. Researchers at Eye Security were first to identify the vulnerability, the company said. Eye Security said the vulnerability allows hackers to access SharePoint servers and steal keys that can let them impersonate users or services even after the server is patched.
It said hackers can maintain access through backdoors or modified components that can survive updates and reboots of systems. Vaisha Bernard, chief hacker and co-owner of Eye Security, said his team identified a wave of attacks on Friday evening and a second wave on Saturday morning. The attacks, he said, were not targeted and instead were aimed at compromising as many victims as possible. After scanning about 8,000 SharePoint servers, Bernard said he has so far identified at least 50 that were successfully compromised. He declined to identify the identities of organizations that had been targeted, but said they included government agencies and private companies, including 'bigger multinationals.' The victims were located in countries in North and South America, the European Union, South Africa, and Australia, he added. It was not clear who was behind the attacks, Bernard said, but 'my gut feeling says it's one group' behind them, due to similarities in the methods he observed during the attacks. A Microsoft spokesperson declined to comment beyond the company's statement. Microsoft has faced a series of recent cyberattacks, warning in March that Chinese hackers were targeting remote management tools and cloud applications to spy on a range of companies and organizations in the US and abroad. The Cyber Safety Review Board, a White House-mandated group designed to examine major cyberattacks, said last year that Microsoft's security culture was 'inadequate' following the 2023 hack of the company's Exchange Online mailboxes. In that incident, hackers were able to breach 22 organizations and hundreds of individuals, including former US Commerce Secretary Gina Raimondo. --With assistance from Lynn Doan.

Explained: 10000-plus companies at risk and …, what makes the Microsoft SharePoint attack very dangerous right now

Time of India

2 days ago


Microsoft is scrambling to contain a widespread cyberattack targeting SharePoint servers worldwide, with cybersecurity experts warning that over 10,000 companies could be at risk. The software giant confirmed that hackers are actively exploiting previously unknown security flaws in on-premises SharePoint servers used by government agencies, universities, and major corporations to share internal documents. The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerability catalog on Saturday, giving federal agencies just one day to apply patches once they become available. "These exploits are real, in-the-wild, and pose a serious threat," warned Palo Alto Networks, while Google's Threat Intelligence Group confirmed observing active exploitation attempts. Dutch cybersecurity firm Eye Security first detected the attacks on July 18th and reports that at least 85 SharePoint servers across 54 organizations have already been compromised. Among the victims are a California university, energy companies, federal health organizations, and government entities in Florida and New York.

Microsoft SharePoint's zero-day exploits leave tens and thousands of organisations vulnerable

The attack leverages what's known as a "zero-day" vulnerability – a security flaw unknown to software makers until it's actively exploited by hackers. Cybersecurity researchers estimate that over 10,000 companies with SharePoint servers are potentially at risk, with the United States, Netherlands, United Kingdom, and Canada having the highest concentrations of vulnerable systems. "It's a dream for ransomware operators, and a lot of attackers are going to be working this weekend as well," said Silas Cutler, a researcher at Michigan-based Censys. The vulnerability allows hackers to access file systems, steal sensitive configurations, and execute malicious code across networks without authentication. The attackers are using a technique called "ToolShell" that was originally demonstrated at the Pwn2Own security conference. They upload malicious files to steal critical server keys, then use these stolen credentials to create valid access tokens that bypass security measures entirely.

Government agencies among primary targets in Microsoft SharePoint attack

Federal and state agencies appear to be prime targets in this campaign, with the FBI confirming it's "aware of the matter" and working with government and private sector partners to assess the threat. The Washington Post reported that the breach has affected multiple U.S. agencies, though specific details remain classified for security reasons. CISA's Acting Executive Assistant Director for Cybersecurity Chris Butera emphasized the urgency: "Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations. CISA encourages all organizations with on-premise Microsoft SharePoint servers to take immediate recommended action." Organizations can detect if they've been compromised by checking for suspicious files named " on their servers or unusual network activity from specific IP addresses that security firms have identified as attack sources.

Microsoft releases emergency updates

Microsoft has released emergency security updates for SharePoint 2019 and Subscription Edition servers, with a patch for SharePoint 2016 expected soon. The company recommends that organizations unable to immediately apply updates should disconnect their SharePoint servers from the internet until patches can be installed. For additional protection, Microsoft advises enabling its Antimalware Scan Interface (AMSI) feature and deploying Windows Defender Antivirus on all SharePoint servers. Organizations should also rotate their server security keys after applying patches to prevent further unauthorized access. This incident adds to Microsoft's recent cybersecurity challenges, including Chinese hacker attacks earlier this year and criticism from the White House's Cyber Safety Review Board, which called the company's security culture "inadequate" following previous breaches.
