China-backed hackers used Microsoft flaw in attacks, defenders say

Washington Post

4 days ago

Hackers connected to the Chinese government were behind at least some of the widespread attacks in the past few days on organizations that use collaboration software from Microsoft, defenders working on the intrusions said in interviews.
The breaches in the United States and other countries took advantage of a disastrous security flaw that drew attention this month, after Microsoft issued a patch that fixed only part of the problem in SharePoint, which is widely used to coordinate work on documents and projects.
'We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor,' said Charles Carmakal, chief technology officer of Google's Mandiant Consulting.
Another researcher, who, like others, spoke on the condition of anonymity because the inquiry is still underway, said federal investigators have evidence of U.S.-based servers linked to compromised SharePoint systems connecting to internet Protocol addresses inside China on Friday and Saturday.
The FBI, White House, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency declined to comment Monday.
Two other responders working with the U.S. government said they had identified early attacks from China as well. The Chinese Embassy in Washington did not immediately respond to a request for comment.
The attacks allowed hackers to extract cryptographic keys from servers run by Microsoft clients. Those keys, in turn, would let them install anything, including back doors that they could use to return. Federal and state agencies were affected, researchers previously told The Washington Post, but it remains unclear which of them were vulnerable to follow-up attacks.
Only versions of SharePoint that are hosted by the customer, not those in the cloud, are vulnerable. Microsoft issued effective patches for the last of the exposed versions by Monday.
While installing the patches should prevent new intrusions, customers also need to change the machine's digital keys, apply anti-malware software and hunt for any breaches that have already occurred, Microsoft said.
Some of the early targets of the attack were entities that would interest the Chinese government, two of the responders said. But a wide range of attackers were now trying similar grabs, others said, looking to steal corporate secrets or install ransomware that encrypts key files until payments are made.
'It's critical to understand that multiple actors are now actively exploiting this vulnerability. We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well,' Carmakal said.
Piet Kerkhofs, CTO and co-founder of Europe-based Eye Security, said the SharePoint breaches share characteristics with other compromises that security researchers have attributed to China-based hackers.
For instance, hackers this month exploited a vulnerability in Citrix's NetScaler virtual desktop that some researchers saw being used by Chinese actors, Kerkhofs said. That hack was similar to the SharePoint compromise in that it turned a freshly discovered vulnerability into an 'exploit' or weapon — in 'extremely fast' order, 'hours to days,'' he said.
Another instance was China's global compromise of Microsoft Exchange email servers in early 2021. That case involved Chinese government-sponsored hackers conducting widespread exploitation of core Microsoft software — its Exchange email server software.
That breach has been attributed to group that Microsoft calls Silk Typhoon, which is linked to China's Ministry of State Security. It is one of the most technically advanced hacking groups in the world and has been striking sensitive U.S. targets at an increased rate in the past year, The Post reported last week.
Silk Typhoon has broken into multiple U.S. federal agencies in the past and more recently hit multiple ministries in Europe, The Post reported.