Ransomware spree looms after SharePoint breach


Axios, 29-07-2025
Ransomware gangs are on the hunt for organizations that have yet to patch their vulnerable Microsoft SharePoint servers.
Why it matters: Those could include organizations across the government and sectors including education, health care, transportation, technology and finance, security experts told Axios.
State of play: As of Wednesday, more than 400 systems had been actively compromised via the SharePoint zero-day vulnerability, according to researchers at Eye Security.
Several federal government agencies — including at the departments of Energy, Homeland Security, and Health and Human Services — have been hacked, likely by groups linked to the Chinese government.
Malicious hackers have attempted to break into more than 90 state and local government offices, according to Randy Rose, vice president of security operations and intelligence at the Center for Internet Security, which runs the Multi-State Information Sharing and Analysis Center.
Last week, researchers warned that the attackers were also stealing the servers' ASP.NET machine keys once they broke in, which would let them return even after a vulnerable SharePoint server was patched unless those keys are rotated as well.
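Because patching alone does not invalidate keys that have already been copied out, the follow-up step is to rotate the machine keys on the patched farm and recycle IIS so the old keys leave memory. The script below is an added example for that step, not code from the Axios article or from Microsoft; it assumes an on-premises SharePoint Server farm whose management shell provides the Get-SPWebApplication and Update-SPMachineKey cmdlets, and it checks for the latter before doing anything. Run it as a farm administrator on one server, after the security update has been applied, then recycle IIS on every front end.

```powershell
# Added example: rotate ASP.NET machine keys on a patched SharePoint Server farm.
# Not from the article. Assumes the SharePoint Management Shell cmdlets
# Get-SPWebApplication and Update-SPMachineKey are available (SharePoint Server
# 2016/2019/Subscription Edition); verify with Get-Command before relying on it.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Refuse to proceed if the rotation cmdlet is missing (older farm, wrong shell,
# or the update that ships it is not installed yet).
if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
    throw "Update-SPMachineKey not found: patch the farm and open the SharePoint Management Shell."
}

# Rotate keys for every web application, Central Administration included;
# a key left behind on any one of them is still a way back in.
$apps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($app in $apps) {
    Write-Host "Rotating machine key for $($app.Url)"
    Update-SPMachineKey -WebApplication $app
}

# Keys are loaded at application start, so restart IIS on this server now and
# repeat on each remaining front end (for example via Invoke-Command) so no
# worker process keeps the compromised keys in memory.
iisreset.exe
```

After the restart, confirm the `<machineKey>` element in each web application's web.config has changed on every server, and treat any existing sessions or tokens signed with the old keys as invalid.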
Threat level: The new Warlock ransomware gang is actively targeting vulnerable SharePoint servers, Microsoft warned last week.
Since emerging in June, the Warlock gang has claimed responsibility for attacking 19 victims across the government, finance, manufacturing, technology and consumer goods sectors, according to security firm Halcyon.
The group is believed to be a descendant of the Black Basta gang, which was known for hacking more than 500 organizations globally, per U.S. authorities.
Zoom out: Ransomware is the most pressing long-tail cyber threat for organizations to be concerned about, Rafe Pilling, director of threat intelligence at Sophos' Counter Threat Unit, told Axios.
So far, Sophos hasn't seen any active ransomware attacks tied to the SharePoint vulnerability, but Pilling said it's only a matter of time.
"No doubt, there will be people that don't patch, and we will continue to see this pop up as an entry point down the line," Pilling said.
The big picture: Ransomware gangs routinely adopt newly discovered zero-day vulnerabilities to gain access to corporate networks.
In 2021, ProxyShell — a trio of critical vulnerabilities in Microsoft Exchange Server — was discovered by security researchers and patched by Microsoft.
But before many organizations updated their systems, the flaws were exploited first by espionage-focused hackers and then by opportunistic ransomware gangs.
Within weeks, several groups had used the vulnerabilities to breach at least a thousand organizations. The incident demonstrated how quickly ransomware operators can weaponize publicly disclosed vulnerabilities.
While the initial wave subsided after widespread patching, there have still been attacks reported years later.
Reality check: Pilling said that the SharePoint attacks will likely be less detrimental than ProxyShell and similar incidents but that companies are still at risk if they haven't patched.
Between the lines: These types of complex, multistage hacks are becoming the norm, Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, told Axios.
The SharePoint hacks are the result of attackers stringing together two vulnerabilities that, on their own, "weren't that big of a deal," Steinhauer said.
"Attackers know that they're not as prioritized and that we're all already trying to patch so many vulnerabilities that we have to prioritize," he said. "They're gaming the system."
What to watch: Ransomware gangs are likely to try targeting vulnerable, unpatched SharePoint servers for months to come.