Latest news with #CharlesCarmakal


Techday NZ
24-07-2025
- Techday NZ
Microsoft SharePoint zero-day flaw prompts urgent global response
Organisations around the world are racing to mitigate the impact of a critical zero-day vulnerability in Microsoft's SharePoint server software, which has already been implicated in a series of significant security breaches and is being actively exploited by threat actors, including alleged Chinese nation-state groups. The flaw, catalogued as CVE-2025-53770, was revealed last week after several cyber security researchers, including Microsoft and Google's Threat Intelligence Group, published emergency advisories.

Microsoft has clarified that the vulnerability affects only on-premises versions of SharePoint. SharePoint Online, the cloud-based variant included in Microsoft 365, is not impacted by this zero-day flaw.

The urgency of the threat became clear after Eye Security researchers published findings that highlighted "active, large-scale exploitation" of the flaw, which they related to a set of vulnerabilities coined "ToolShell." Attackers who successfully exploit CVE-2025-53770 can access sensitive MachineKey configuration details on vulnerable servers, including the validationKey and decryptionKey. These critical parameters can then be used to craft specially designed requests that enable unauthenticated remote code execution, effectively giving attackers full control over the targeted servers.

Late-breaking fixes for SharePoint Server 2019 and SharePoint Subscription Edition have been made available, with a patch for SharePoint Server 2016 expected to follow. Organisations are being urged to conduct incident response investigations, apply available patches, and closely review Microsoft's temporary mitigation instructions to limit exposure.

In recent reports, the scope and impact of the exploit have become clearer. More than 100 servers across at least 60 global organisations, including critical infrastructure such as the US National Nuclear Security Administration, have reportedly been breached via the vulnerability. Cyber security analysts have attributed the campaign to Chinese state-linked groups, among them Linen Typhoon, Violet Typhoon, and Storm-2603. These groups are said to have used stolen credentials to establish persistent access, potentially enabling ongoing espionage even after patches are applied.

According to Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, attackers are using the vulnerability to install webshells - malicious scripts that provide ongoing unauthorised access - and to exfiltrate cryptographic secrets from compromised servers. This presents a substantial risk to organisations, as it allows persistent, unauthenticated access by malicious actors. "If your organisation has on-premises Microsoft SharePoint exposed to the internet, you have an immediate action to take," Carmakal said. He stressed that mitigation steps must be implemented without delay, as well as the application of patches as they become available. "This isn't an 'apply the patch and you're done' situation. Organisations need to assume compromise, investigate for any evidence of prior intrusion, and take appropriate remediation actions."

Satnam Narang, Senior Staff Research Engineer at Tenable, warned of the widespread consequences, stating: "The active exploitation of the SharePoint zero-day vulnerability over the weekend will have far-reaching consequences for those organisations that were affected. Attackers were able to exploit the flaw to steal MachineKey configuration details, which could be used to gain unauthenticated remote code execution." Narang added that early signs of compromise could include the presence of a file named although it might carry a different extension in some cases.

Bob Huber, Chief Security Officer and President of Public Sector at Tenable, commented: "The recent breach of multiple governments' systems […] is yet another urgent reminder of the stakes we're facing. This isn't just about a single flaw, but how sophisticated actors exploit these openings for long-term gain." Huber noted that because Microsoft's identity stack is so deeply embedded in government and corporate environments, a breach in SharePoint can create "a massive single point of failure." He argued for a more proactive, preventative approach to cyber security, emphasising the need for exposure management platforms that provide unified oversight across complex infrastructures.

For now, the coordinated response by vendors, security firms, and government agencies continues, as organisations track for signs of compromise and await further guidance on long-term remediation. The incident serves as a stark reminder of the intricate cyber threats faced by modern institutions, and the pressing need for rigorous, ongoing defence strategies against ever-evolving adversaries.


Axios
22-07-2025
- Axios
Microsoft hack risk spreads as cybercriminals and nation-states pile in
A critical flaw in a major Microsoft document storage tool is hitting the organizations least able to defend themselves, security researchers and incident responders tell Axios.

Why it matters: Schools, hospitals and government agencies are "sitting ducks" as they determine whether their servers have even been affected, one security executive said. Hackers are rushing into the breach, including groups linked to the Chinese government.

Driving the news: Microsoft warned over the weekend of "active attacks" targeting a "zero-day" vulnerability in its on-premises SharePoint server. Today, the company said it has observed at least three China-based hacking groups, including two tied to the government, exploiting the vulnerability since as early as July 7. Charles Carmakal, CTO at Google's Mandiant, added that multiple threat groups are also now exploiting the bug. The Cybersecurity and Infrastructure Security Agency confirmed that attackers could exploit the bug to gain access to sensitive files or execute code remotely. At least one estimate puts the number of already compromised organizations near 100. The Washington Post reports that victims include state and federal agencies, universities, an energy company, and an Asian telecommunications firm. "It's not one specific group that is going to be doing the hacking of this anymore," Michael Sikorski, CTO at Palo Alto Networks' Unit 42 threat intelligence team, told Axios. "Everybody's getting on the train."

The big picture: Security teams will likely spend weeks, even months, unpacking the full scope of the breach and what damage is still to come. Researchers say the hackers have been stealing machine keys from targeted entities, which will allow them to keep breaking into the organizations even after they patch the SharePoint issue. "Because the attack blends in with just normal, legitimate activity, it's quite hard to detect what's unusual and what's atypical," Kayne McGladrey, a senior member of the Institute of Electrical and Electronics Engineers, told Axios.

Zoom in: Sikorski said Unit 42 is actively working with Microsoft to notify affected entities, but many victims likely still don't know they've been hit. "For those organizations that don't have a threat detection or red team capability built in, they are undoubtedly going to be at a longer time of risk for this because they just don't have the visibility," McGladrey said.

Between the lines: The flaw mostly threatens legacy SharePoint systems still used by smaller public-sector entities and critical-infrastructure operators. Those organizations are unlikely to have the resources to quickly spin up their own investigations and response teams, Sikorski said. "That's the scary part," Sikorski said. "Not only are they sitting ducks, but they don't have the capability to deal with it."

The intrigue: While Microsoft released a patch Monday to fix the issue in all affected versions of SharePoint, even patched systems may not be fully safe if attackers already gained entry, stole machine keys or installed new backdoors.

What's next: Security experts say the SharePoint hacking activity will likely unfold in waves. Opportunistic hackers, such as cybercriminal gangs, will race to exploit exposed servers, aiming to steal login credentials, plant backdoors and deploy ransomware. Meanwhile, stealthier groups, including nation-state actors, will burrow into high-value organizations for the long haul, quietly stealing sensitive data and setting up persistent access that could go undetected for months.


Forbes
22-07-2025
- Forbes
The Wiretap: Chinese Hackers Exploit Microsoft SharePoint 0-Day, Google Warns
The Wiretap is your weekly digest of cybersecurity, internet privacy and surveillance news.

In what's one of the more significant series of cyberattacks in 2025, hackers are targeting a severe weakness in Microsoft's SharePoint software, which is used by its customers to build and manage shared files. Among the attackers, according to Google security researchers, is a Chinese-affiliated group. Late last week, Microsoft said it was aware of attacks targeting its SharePoint customers who use the system on their own servers. Google said hackers were using the SharePoint vulnerability to install malware on those servers, which enables them to steal data, including cryptographic keys protecting sensitive information. Though Microsoft has said a fix is available for all affected customers, it's likely many have yet to fully patch their systems. 'It's critical to understand that multiple actors are now actively exploiting this vulnerability,' said Charles Carmakal, CTO of Mandiant Consulting at Google Cloud. 'We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well.' Carmakal didn't offer many details on which Chinese hackers were targeting the SharePoint flaws. But according to the Washington Post, the system is commonly used by American federal and state agencies, making fixes that much more urgent.

THE BIG STORY: Microsoft Used Chinese Engineers For Department of Defense Computers
ProPublica has reported on a previously unknown Microsoft program employing China-based coders to maintain Defense Department systems. The Chinese workers were monitored by low-paid, U.S.-based 'digital escorts,' few of whom had the technical expertise to ensure the system's integrity, the news site reported. There are fears the program may have exposed intelligence to China. Microsoft has since shut the program down.

Stories You Have To Read Today
Google has filed a lawsuit claiming 25 unidentified individuals are running the BadBox botnet, which has compromised as many as 10 million internet-connected TVs that use open source Android software. The tech giant has been given permission to stop the accused from operating certain domains they used to run the botnet.
Notting Hill Carnival is going to be using live facial recognition this August in an attempt to identify criminals attending the world-famous event. Privacy activists heavily criticized the move. 'Plans to use this dangerous and discriminatory technology should be immediately scrapped,' said Big Brother Watch interim director Rebecca Vincent.
The U.K. government sanctioned three Russian spy units for their part in cyber operations and said it had identified malware developed by Kremlin hackers that had obtained 'persistent endpoint access to Microsoft cloud accounts by blending in with legitimate activity.'

Winner of the Week
Exein, a cyber startup that's created a 'digital immune system' for connected devices, has announced an $80 million Series C funding round. Founded in Italy, its security tech is aimed at providers of so-called Internet-of-Things devices, from routers to smart TVs.

Loser of the Week
New Jersey man Navin Khanna has pleaded guilty to running a criminal enterprise that stole thousands of catalytic converters from vehicles and sold them on, making as much as $600 million in the process. Such converters are designed to reduce toxic pollutants from car exhausts. Khanna found he could sell them to a metal refinery that extracted precious metals to make his fortune.


Politico
22-07-2025
- Politico
China behind vast global hack involving multiple US agencies
Spokespeople for the Cybersecurity and Infrastructure Security Agency and the FBI, which have said publicly they are working to address the breach, did not immediately respond to a request for comment on the number of agencies impacted. The White House did not respond to a request for comment on the suspected links to China. The Chinese embassy in Washington also did not respond to a request for comment for this story. The Washington Post first reported Monday on the scope of the breach and that private researchers believe at least two federal agencies were affected by the hack. They later reported on the suspected links to China. Microsoft and other private researchers probing the incident believe that hackers unrelated to China are already exploiting the same Microsoft software flaw — and more hacking groups could try to do so soon. 'It's critical to understand that multiple actors are now actively exploiting this vulnerability,' and other hackers are likely to 'leverage this exploit as well,' Charles Carmakal, the chief technology officer at Google's Mandiant, said in a statement Monday night. Researchers at separate leading internet scanning firms told POLITICO Monday that roughly 100 organizations across the globe appear to have been hit thus far. Silas Cutler, principal researcher at internet scanning firm Censys, and Piotr Kijewski, CEO of The Shadowserver Foundation, also said that thousands more could be vulnerable to attack. The flaws in the SharePoint software are considered severe because they allowed hackers to remotely access Microsoft customers running self-hosted versions of the service, and then burrow deeper inside their networks. The vulnerabilities did not affect those running a version of SharePoint hosted on Microsoft cloud servers. Microsoft failed to fix one software bug in its on-site SharePoint service earlier this month, and has only been able to offer partial mitigations for additional bugs since. 
A Microsoft spokesperson said in a statement that the company is both working to ensure its customers install fixes and 'coordinating closely with CISA, DOD Cyber Defense Command, and key cybersecurity partners around the world throughout our response.' A spokesperson for CISA said the tech giant has been 'responding quickly' ever since the agency reached out to it.


NBC News
22-07-2025
- Business
- NBC News
Chinese hackers race to target Microsoft SharePoint vulnerability, tech giants say
A newly discovered critical flaw in Microsoft's SharePoint platform has spurred a mad frenzy from hackers — including some working for the Chinese government, Google and Microsoft say. The identities of which organizations have been hacked are still not public, but they are increasing and include multiple government agencies around the world, Charles Carmakal, the chief technology officer at Mandiant, Google's cloud security service, told NBC News. SharePoint works as a shared version of Microsoft Office, letting people in the same organization directly collaborate. The flaw in the software — initially classified as a 'zero day,' because there was not a patch for victims to defend themselves when it was first discovered — lets hackers gain significant access to the computers of organizations that host SharePoint. Cloud customers were not affected. Microsoft announced Saturday that the flaw was being exploited but only made a downloadable fix for it available Monday, prompting a scramble for organizations to patch it while capable hackers hurried to find additional victims who hadn't protected themselves. The incident echoes one in 2021, when a flaw in another Microsoft product, the email program Exchange, allowed a similar mad dash of hacking. In that case, the U.S. formally accused China of snooping on government emails, but a review board also blamed Microsoft for allowing it to happen. In a blog post published Tuesday morning, Microsoft said at least three Chinese hacking groups, two of which are associated with Chinese intelligence, have been exploiting the flaw. The U.S. government and its allies, as well as Western cybersecurity companies, routinely attribute cyber espionage efforts to China, which often downplays the accusations. A spokesperson for China's Embassy in Washington did not directly deny that Chinese intelligence has been using the exploit, but said, 'Cyber attacks are a common threat faced by all countries, China included.' 
'China firmly opposes and combats all forms of cyber attacks and cyber crime — a position that is consistent and clear,' the spokesperson said. Neither the White House nor the Cybersecurity and Infrastructure Security Agency, which protects U.S. federal networks, responded to a request for comment.