
Global businesses hit as China-linked hackers exploit Microsoft SharePoint flaw
What's the story
Microsoft has issued a warning about "active attacks" targeting its SharePoint server software, which businesses and organizations worldwide use for document storage and collaboration. The Cybersecurity and Infrastructure Security Agency (CISA) flagged the vulnerability as one that gives unauthenticated access to systems and full access to SharePoint content, enabling malicious actors to execute code over the network.
Response measures
Attack affects on-premises servers
In response to the threat, Microsoft has released fixes for two versions of the SharePoint software, as well as a patch for the 2016 version. The company clarified that this attack only affects on-premises SharePoint servers and not cloud-hosted ones such as Microsoft 365. Researchers at Palo Alto Networks believe that this hack may have affected thousands of organizations globally.
Security concerns
Vulnerability lets hackers impersonate users
The vulnerability is particularly alarming because it lets hackers impersonate users or services even after the SharePoint server has been patched. This was revealed by researchers at European cybersecurity firm Eye Security, which first discovered the flaw. They also noted that SharePoint servers often connect with other Microsoft services such as Outlook and Teams, exposing those services to data theft and password harvesting if a SharePoint server is breached.
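The point above, that impersonation can continue after patching, is why Microsoft's incident guidance pairs the update with rotating the farm's ASP.NET machine keys: a patch closes the entry point, but keys copied from a compromised server stay valid until they are replaced. The script below is an added example for SharePoint administrators, not code from the article or from Microsoft. It assumes SharePoint Server 2019 or Subscription Edition with the Update-SPMachineKey cmdlet available, and that it is run from an elevated SharePoint Management Shell on one server in the farm.

```powershell
# Added example (not from the article): rotate the machine key of every
# SharePoint web application after patching, so that any ValidationKey or
# DecryptionKey leaked from a compromised server no longer validates forged
# requests. Assumes Update-SPMachineKey is present on this farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
    throw "Update-SPMachineKey is not available; install the current security update before rotating keys."
}

# Include Central Administration so its keys are rotated too.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    # Generates a fresh key pair and pushes it to every server in the farm.
    Update-SPMachineKey -WebApplication $webApp
}

# The new keys take effect only after IIS reloads them. Restart IIS on every
# SharePoint server in the farm (SQL-only hosts report the role 'Invalid').
$spServers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' } | Select-Object -ExpandProperty Address
foreach ($server in $spServers) {
    Write-Host "Restarting IIS on $server"
    Invoke-Command -ComputerName $server -ScriptBlock { iisreset /noforce }
}
```

Rotation invalidates existing view state and session tokens, so users are signed out once; that is the intended effect, since a stolen key is exactly what lets an attacker keep minting valid tokens after the flaw itself is fixed. Run the loop after the security update has been applied on all servers, and repeat it if the farm is later found to have been compromised again.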
Attack details
Attackers are exfiltrating sensitive data
Michael Sikorski, CTO and head of threat intelligence for Palo Alto's Unit 42, said the attackers have exploited this vulnerability to gain access and are already establishing a foothold. "Once inside, they're exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys," he added. The attack has raised major concerns about the security of SharePoint servers and the potential impact on other connected Microsoft services.
China link
Hackers connected to the Chinese government
Hackers with ties to the Chinese government were responsible for at least some of the recent widespread attacks exploiting the Microsoft SharePoint vulnerability. "We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor," said Charles Carmakal, chief technology officer of Google's Mandiant Consulting. According to the Wall Street Journal, two additional cybersecurity responders working with the US government also traced the initial wave of intrusions back to China.