
Microsoft probing if Chinese hackers learned SharePoint flaws through alert: Report
A security patch Microsoft released this month failed to fully fix a critical flaw in the US tech giant's SharePoint server software, opening the door to a sweeping global cyber espionage effort.
In a blog post on Tuesday, Microsoft said two allegedly Chinese hacking groups, dubbed "Linen Typhoon" and "Violet Typhoon", were exploiting the weaknesses, along with a third, also based in China.
The tech giant is probing if a leak from the Microsoft Active Protections Program (MAPP) led to the widespread exploitation of vulnerabilities in its SharePoint software globally over the past several days, the report said.
Microsoft said in a statement provided to Reuters that the company continually evaluates "the efficacy and security of all of our partner programs and makes the necessary improvements as needed".
A researcher with Vietnamese cybersecurity firm Viettel demonstrated the SharePoint vulnerability in May at the Pwn2Own cybersecurity conference in Berlin. The conference, put on by cybersecurity company Trend Micro's Zero Day Initiative, rewards researchers for ethically disclosing software vulnerabilities.
The researcher, Dinh Ho Anh Khoa, was awarded US$100,000 and Microsoft issued an initial patch for the vulnerability in July, but members of the MAPP program were notified of the vulnerabilities on Jun 24, Jul 3 and Jul 7, Dustin Childs, head of threat awareness for the Zero Day Initiative at Trend Micro, told Reuters Friday.
Microsoft first observed exploit attempts on Jul 7, the company said in the Tuesday blog post.
Childs told Reuters that "the likeliest scenario is that someone in the MAPP program used that information to create the exploits".
It's not clear which vendor was responsible, Childs said, "but since many of the exploit attempts come from China, it seems reasonable to speculate it was a company in that region".
It would not be the first time that a leak from the MAPP program led to a security breach. More than a decade ago, Microsoft accused a Chinese firm, Hangzhou DPTech Technologies, of breaching its non-disclosure agreement and expelled it from the program.
'We recognise that there is the potential for vulnerability information to be misused,' Microsoft said in a 2012 blog post, around the time that information first leaked from the program. 'In order to limit this as much as possible, we have strong non-disclosure agreements (NDA) with our partners. Microsoft takes breaches of its NDAs very seriously.'
Any confirmed leak from MAPP would be a blow to the program, which is meant to give cyber defenders the upper hand against hackers who race to parse Microsoft updates for clues on how to develop malicious software that can be used against still-vulnerable users.
Launched in 2008, MAPP was meant to give trusted security vendors a head start against the hackers, for example, by supplying them with detailed technical information and, in some cases, 'proof of concept' software that mimics the operation of genuine malware.
Related Articles


AsiaOne
Trump says he is not seeking summit with Xi, but may visit China, World News
US President Donald Trump said on Tuesday (July 29) that he was not seeking a summit with Chinese President Xi Jinping, but added that he may visit China at Xi's invitation, which Trump said had been extended.

"I may go to China, but it would only be at the invitation of President Xi, which has been extended. Otherwise, no interest!" Trump said on Truth Social.

Aides to Trump and Xi have discussed a potential meeting between the leaders during a trip by the US president to Asia later this year, sources previously told Reuters. A trip would be the first face-to-face encounter between the men since Trump's second term in office, at a time when trade and security tensions between the two superpower rivals remain elevated.

While plans for a meeting have not been finalised, discussions on both sides of the Pacific have included a possible Trump stopover around the time of the Asia-Pacific Economic Cooperation summit in South Korea or talks on the sidelines of the October 30-November 1 event, the people said.

The third round of US-China trade talks taking place in Stockholm this week may lay the groundwork ahead of a leaders' summit in the autumn, analysts say. A new flare-up of tariffs and export controls would likely impact any plans for a meeting with Xi.


CNA
Critical information infrastructure owners must report all APT incidents under new rules: Josephine Teo
SINGAPORE: Owners of Singapore's critical information infrastructure (CII) will soon be required to report any incidents suspected to be caused by advanced persistent threats (APTs).

The reports must be made to the Cyber Security Agency of Singapore (CSA), said Minister for Digital Development and Information Josephine Teo at the Operational Technology Cybersecurity Expert Panel (OTCEP) Forum on Tuesday (Jul 29).

The new regulations, to take effect later this year, come as Singapore raises its cyber threat alert level in the face of an ongoing attack, according to Mrs Teo.

Earlier this month, Coordinating Minister for National Security K Shanmugam said Singapore is actively dealing with a "highly sophisticated threat actor" attacking its critical infrastructure. Known as UNC3886, the entity has been described by Google-owned cybersecurity firm Mandiant as a "China-nexus espionage group" that has targeted prominent strategic organisations on a global scale.

'On several occasions in the past, CSA has raised the National Cyber Threat Alert Level (NCTAL). This is to urge everyone to be more alert to cyber threats across Singapore, and especially across all CIIs,' said Mrs Teo. 'Given the UNC3886 attack and heightened APT activity, it should not come as a surprise to anyone that we are currently in a heightened state of alert.'

She shared that the CSA has also convened the CEOs of all CII owners for 'a classified briefing on the threat landscape, focusing particularly on the threat from APTs'. This is all part of efforts to share guidance on the threats and help the CIIs sharpen their readiness response, said Mrs Teo.

She urged the sector not to view the new measures, which flow from last year's Cybersecurity Act amendments to strengthen incident reporting requirements, as a burden.

Under the new regulations, CII owners must report the APT incidents verbally within two hours upon suspicion or awareness, followed by a written report within 72 hours, according to CSA.

'If organisations suspect that they have been targeted, they cannot – and should not – confront the attackers on their own,' said Mrs Teo. 'Reporting such detections early allows CSA to help you. It will also help us coordinate an appropriate national response.'

REAL-WORLD CONSEQUENCES

In her speech, Mrs Teo said it is easy to underestimate the importance of basic cyber hygiene, the neglect of which has caused many preventable attacks.

She said that cybersecurity is often likened to a team sport. However, while sports have rules, referees and the principle of fair play, the cyber realm is more adversarial.

'Those of us in this room today are indeed on the same team. We are playing defence. But our opponents do not play by the same rules,' she told attendees at Tuesday's forum. 'And a loss for us could have severe consequences for the people we have been entrusted to take care of.'

Mrs Teo cited cases in Ukraine, Russia and Norway, where critical functions like heating and sewage management were disrupted. In fact, more such attacks are taking place worldwide, with the actors driven by various motives, she said. One is financial gain, while another is long-term persistence, as in the case of APTs, said Mrs Teo.

APTs deploy advanced tools, evade detection and maintain persistent access in high-value networks, she said.

'APTs are often state-linked, well-resourced and determined. They may conduct espionage for their state sponsor. Their other task may be to develop the capacity to disrupt the services and assets in other states,' said Mrs Teo.

She noted that the ongoing UNC3886 attack on Singapore's critical infrastructure is part of a broader trend, with APT activity detected in Singapore rising over four-fold from 2021 to 2024.

'Until recently, we had not said much about APT activity. Nor had we named any of the groups involved,' said Mrs Teo.

However, the Singapore authorities are now doing so for the first time to let the public know that such threats are not imagined, but real, she said.

'We also need everyone to understand that the potential consequences to our economy and society are very serious,' said Mrs Teo.

APTs target critical infrastructure, which provides essential services for the country, and any attack will have serious real-world consequences.

'These 'live' attacks remind us that cybersecurity is not a nice-to-have. It is a must, not just for the IT personnel, but for the CEO and the board,' said Mrs Teo. 'In particular, the owners of CIIs must raise your vigilance, because you provide essential services that Singapore and Singaporeans depend on.'

The CSA will sign a memorandum of collaboration in OT cybersecurity with ST Engineering, to secure access to the latest tools and expertise, and let engineering teams on both sides jointly study and develop solutions in the sector, said Mrs Teo.

In his opening remarks at Tuesday's event, CSA chief executive David Koh said the agency will continue to work closely with local organisations and international partners to share information and take action against any threats.

Straits Times
Suspected advanced attacks must be reported under Singapore's amended Cybersecurity Act
SINGAPORE - Operators of critical systems such as those that manage Singapore's energy, water and transportation services will soon be required to report suspected advanced persistent threat attacks.

Mandatory reporting to Singapore's cyber-security watchdog, the Cyber Security Agency, is expected to take effect later in 2025, said Minister for Digital Development and Information Josephine Teo on July 29.

The new measure under the amended Cybersecurity Act comes after July 18's revelation of serious threats from cyber espionage group UNC3886, which experts said is China-linked. It is one of several advanced persistent threat (APT) actors - whose activities have increased more than four-fold from 2021 to 2024 - that target Singapore's critical information infrastructure (CII).

'If organisations suspect that they have been targeted, they cannot and should not confront the attackers on their own,' said Mrs Teo at the 5th annual Operational Technology Cybersecurity Expert Panel forum organised by the Cyber Security Agency of Singapore. 'These requirements will support the early detection of APT activities, and enable CSA to take more timely actions, together with other government agencies, to defend CII owners against the attacks.'

APT actors are typically state-sponsored and well resourced. They use advanced tools to evade detection, lurk in high-value networks and spy over the long term to steal sensitive information or disrupt essential services.

Singapore's 11 CII sectors are aviation, healthcare, land transport, maritime, media, security and emergency services, water, banking and finance, energy, infocomm and government.

Singapore's Cybersecurity Act was last amended in 2024 to expand CSA's oversight to include risks that come from suppliers and cloud services. In particular, CII operators must declare any cyber-security outage and any attack on their premises or along their supply chain. Soon the mandatory reporting of APT attacks will be included as part of CSA's expanded oversight.

The amended Act, its first update since the law came into force in 2018, also requires temporary systems set up to support high-profile events - such as vaccine distribution and key international summits - to come under CSA's supervision.

Until recently, Singapore had not publicly said much about APT activity, or named any of the groups involved. 'Why are we doing so for the first time?' said Mrs Teo. 'We want the public to know that these threats are not imagined, but real,' she said, adding that the potential consequences to Singapore's economy and society are very serious.

She cited the losses some countries suffered in recent years, such as how 600 Ukrainian homes lost heating for two days during the winter in January 2024 after malware was used to exploit a zero-day vulnerability in Internet-facing routers. Separately, the hacking of a Norwegian dam's systems in April caused seven billion litres of water to be released. While the damage may have been limited in this instance, it could have resulted in more dire consequences such as flooding or disruptions to essential services, said Mrs Teo.

'The owners of CIIs must raise your vigilance, because you provide essential services that Singapore and Singaporeans depend on. The threats you face are no longer simple ransomware attacks. APTs have you in their sights,' said Mrs Teo.

Singapore is currently in a heightened state of alert following the UNC3886 attack and increased APT activities. The government is actively working with CII owners to enhance the security of critical systems, said Mrs Teo. She added that CSA has brought together the chief executives of all CII owners for a classified briefing on Singapore's threat landscape.

The OTCEP forum is another platform to prepare critical sectors through engagements with tech providers and experts. On July 29, CSA signed a memorandum of collaboration with ST Engineering to jointly study and develop operational technology tools for the critical services sectors. 'A partnership approach will help to ensure a safe and resilient digital future for Singapore,' said Mrs Teo.