A security patch released by Microsoft last month failed to fully fix a critical flaw in U.S. tech giant’s SharePoint server software that had been identified in May, opening the door to a sweeping global cyber espionage operation.
It remains unclear who is behind the ongoing operation, which targeted around 100 organisations over the weekend. But Alphabet’s Google, which has visibility into wide swathes of internet traffic, said it tied at least some of the hacks to a “China-nexus threat actor”.
The Chinese Embassy in Washington did not respond to a Reuters request for comment. Chinese government-linked operatives are regularly implicated in cyberattacks, but Beijing routinely denies carrying out hacking operations.
Contacted on Tuesday, Microsoft was not immediately able to provide comment on the patch and its effectiveness.
The vulnerability that facilitated the attack was first identified in May at a hacking competition in Berlin organised by cybersecurity firm Trend Micro which offered cash bounties for the discovery of computer bugs in popular software.
It offered a $100,000 prize for “zero day” exploits – so called because they leverage previously undisclosed digital weaknesses – that could be used against SharePoint, Microsoft’s flagship document management and collaboration platform.
A researcher working for the cybersecurity arm of Viettel, a telecommunications firm operated by Vietnam’s military, identified, opens new tab a SharePoint bug at the event, dubbed it ‘ToolShell’ and demonstrated a method of exploiting it.
The researcher was awarded $100,000 for the discovery, according to a post, opens new tab on X by Trend Micro’s “Zero Day Initiative”. A spokesperson for Trend Micro did not immediately respond to Reuters’ requests for comment regarding the competition on Tuesday.
Microsoft subsequently said in a July 8 security update that it had identified, opens new tab the bug, listed it as a critical vulnerability, and released patches to fix it.
Around 10 days later, however, cybersecurity firms started to notice an influx of malicious online activity targeting the same software the bug sought to exploit: SharePoint servers.
“Threat actors subsequently developed exploits that appear to bypass these patches,” British cybersecurity firm Sophos said in a blog post, on Monday.
The pool of potential ToolShell targets remains vast.
According to data from Shodan, a search engine that helps to identify internet-linked equipment, over 8,000 servers online could theoretically have already been compromised by hackers.
The Shadowserver Foundation, which scans the internet for potential digital vulnerabilities, put the number at a little more than 9,000, while cautioning that the figure was a minimum.
Those servers include major industrial firms, banks, auditors, healthcare companies, and several U.S. state-level and international government entities.
DISCLAIMER: The Views, Comments, Opinions, Contributions and Statements made by Readers and Contributors on this platform do not necessarily represent the views or policy of Multimedia Group Limited.
DISCLAIMER: The Views, Comments, Opinions, Contributions and Statements made by Readers and Contributors on this platform do not necessarily represent the views or policy of Multimedia Group Limited.
