Latest news with #EyeSecurity

Microsoft SharePoint bug puts critical government agencies at risk

Fox News

03-08-2025

Hackers are actively exploiting a new zero-day bug in Microsoft's SharePoint Server software. The same software is used by key U.S. government agencies, including those tied to national security. The vulnerability affects on-premise versions of SharePoint, allowing attackers to break into systems, steal data and quietly move through connected services. While the cloud version is unaffected, the on-premise version is widely used by major U.S. agencies, universities and private companies. That puts far more than just internal systems at risk.

The exploit was first identified by cybersecurity firm Eye Security on July 18. Researchers say it stems from a previously unknown vulnerability chain that can give attackers full control of vulnerable SharePoint servers without needing any credentials. The flaw lets them steal machine keys used to sign authentication tokens, meaning attackers can impersonate legitimate users or services even after a system is patched or rebooted. According to Eye Security, the vulnerability appears to be based on two bugs demonstrated at the Pwn2Own security conference earlier this year. While those exploits were initially shared as proof-of-concept research, attackers have now weaponized the technique to target real-world organizations. The exploit chain has been dubbed "ToolShell."

Once inside a compromised SharePoint server, hackers can access connected Microsoft services, including Outlook, Teams and OneDrive, which puts a wide range of corporate data at risk. The attack also allows hackers to maintain long-term access by stealing the cryptographic material that signs authentication tokens.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to act. It recommends checking systems for signs of compromise and isolating vulnerable servers from the internet. Early reports confirmed about 100 victims. Now, researchers believe attackers have compromised more than 400 SharePoint servers worldwide. However, this number refers to servers, not necessarily organizations. According to reports, the number of affected groups is growing rapidly. One of the highest-profile targets is the National Nuclear Security Administration (NNSA). Microsoft confirmed it was targeted but has not confirmed a successful breach. Other affected agencies include the Department of Education, Florida's Department of Revenue and the Rhode Island General Assembly.

Microsoft confirmed the issue, disclosing that it was aware of "active attacks" exploiting the vulnerability. The company has released patches for SharePoint Server 2016, SharePoint Server 2019 and SharePoint Subscription Edition. Patches for all supported on-prem versions were issued as of July 21.

If you're part of a business or organization that runs its own SharePoint servers, especially older on-premise versions, your IT or security team should take this seriously. Even if a system is patched, it could still be at risk if machine keys were stolen. Administrators should also rotate cryptographic keys and audit authentication tokens. For the general public, there's no action needed right now, since this issue doesn't affect cloud-based Microsoft accounts like OneDrive or Microsoft 365. But it's a good reminder to stay cautious online.

If your organization uses on-premise SharePoint servers, take the following steps right away to reduce risk and limit potential damage:

1. Disconnect vulnerable servers: Take unpatched SharePoint servers offline immediately to prevent active exploitation.
2. Install available updates: Apply Microsoft's emergency patches for SharePoint Server 2016, 2019 and Subscription Edition without delay.
3. Rotate authentication keys: Replace all machine keys used to sign authentication tokens. These may have been stolen and can allow ongoing access even after patching.
4. Scan for compromise: Check systems for signs of unauthorized access. Look for abnormal login behavior, token misuse or lateral movement within the network.
5. Enable security logging: Turn on detailed logging and monitoring tools to help detect suspicious activity going forward.
6. Review connected services: Audit access to Outlook, Teams and OneDrive for signs of suspicious behavior linked to the SharePoint breach.
7. Subscribe to threat alerts: Sign up for advisories from CISA and Microsoft to stay updated on patches and future exploits.
8. Consider migration to the cloud: If possible, transition to SharePoint Online, which offers built-in security protection and automatic patching.
9. Strengthen passwords and use two-factor authentication: Encourage employees to stay vigilant. Even though this exploit targets organizations, it's a good reminder to enable two-factor authentication (2FA) and use strong passwords. Create strong passwords for all your accounts and devices, and avoid using the same password for multiple online accounts. Consider using a password manager, which securely stores and generates complex passwords, reducing the risk of password reuse.

This SharePoint zero-day shows how fast research can turn into real attacks. What started as a proof-of-concept is now hitting hundreds of real systems, including major government agencies. The scariest part isn't just the access it gives but how it lets hackers stay hidden even after you patch. Should there be stricter rules around using secure software in government?

Victim Profiles in Microsoft SharePoint Attacks Point to Targeted Intelligence Campaign, Researchers Say

Epoch Times

31-07-2025

Eye Security, a Netherlands-based cybersecurity company that has been tracking Microsoft SharePoint attack victims, says an analysis of victims shows that nearly a third were government sector systems. 'From the data, it's clear this wasn't a random or opportunistic campaign. The attackers knew exactly what they were looking for,' Lodi Hensen, Eye Security vice president of security operations, said on July 29 in a blog post.

Ransomware spree looms after SharePoint breach

Axios

29-07-2025

Ransomware gangs are on the hunt for organizations that have yet to patch their vulnerable Microsoft SharePoint servers.

Why it matters: Those could include organizations across the government and sectors including education, health care, transportation, technology and finance, security experts told Axios.

State of play: As of Wednesday, more than 400 systems had been actively compromised via the SharePoint zero-day vulnerability, according to researchers at Eye Security. Several federal government agencies — including at the departments of Energy, Homeland Security, and Health and Human Services — have been hacked, likely by groups linked to the Chinese government. Malicious hackers have attempted to break into more than 90 state and local government offices, according to Randy Rose, vice president of security operations and intelligence at the Center for Internet Security, which runs the Multi-State Information Sharing and Analysis Center. Last week, researchers warned that the attackers were also stealing machine keys once they broke in — which would allow them to return even after a vulnerable SharePoint server was patched.

Threat level: The new Warlock ransomware gang is actively targeting vulnerable SharePoint servers, Microsoft warned last week. Since emerging in June, the Warlock gang has claimed responsibility for attacking 19 victims across the government, finance, manufacturing, technology and consumer goods sectors, according to security firm Halcyon. The group is believed to be a descendant of the Black Basta gang, which was known for hacking more than 500 organizations globally, per U.S. authorities.

Zoom out: Ransomware is the most pressing long-tail cyber threat for organizations to be concerned about, Rafe Pilling, director of threat intelligence at Sophos' Counter Threat Unit, told Axios. So far, Sophos hasn't seen any active ransomware attacks tied to the SharePoint vulnerability, but Pilling said it's only a matter of time.

"No doubt, there will be people that don't patch, and we will continue to see this pop up as an entry point down the line," Pilling said.

The big picture: Ransomware gangs routinely adopt newly discovered zero-day vulnerabilities to gain access to corporate networks. In 2021, ProxyShell — a trio of critical vulnerabilities in Microsoft Exchange Server — was discovered by security researchers and patched by Microsoft. But before many organizations updated their systems, the flaws were exploited first by espionage-focused hackers and then by opportunistic ransomware gangs. Within weeks, several groups had used the vulnerabilities to breach at least a thousand organizations. The incident demonstrated how quickly ransomware operators can weaponize publicly disclosed vulnerabilities. While the initial wave subsided after widespread patching, there have still been attacks reported years later.

Reality check: Pilling said that the SharePoint attacks will likely be less detrimental than ProxyShell and similar incidents but that companies are still at risk if they haven't patched.

Between the lines: These types of complex, multistage hacks are becoming the norm, Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, told Axios. The SharePoint hacks are the result of attackers stringing together two vulnerabilities that, on their own, "weren't that big of a deal," Steinhauer said. "Attackers know that they're not as prioritized and that we're all already trying to patch so many vulnerabilities that we have to prioritize," he said. "They're gaming the system."

What to watch: Ransomware gangs are likely to try targeting vulnerable, unpatched SharePoint servers for months to come.

3 Top Cybersecurity Stocks to Buy Now

Yahoo

26-07-2025

Some administrators who logged in last week found their on-premises Microsoft SharePoint servers silently uploading web shells instead of documents. A single, carefully forged packet had slipped past every guardrail and granted attackers full remote control before any human had typed a password. What unfolded is now known as the ToolShell exploit chain. Security researchers at the Dutch firm Eye Security noticed an unusual file on a client's server and sounded the alarm.

Thousands of organizations worldwide use SharePoint. Does this prove that hackers are becoming better and more dangerous? The uncomfortable answer is yes. As the internet becomes the primary place where corporations store their valuable data, cybersecurity is only going to get more important. Here are three cybersecurity stocks that have seen positive price action since the exploit. They have also topped Barchart's cybersecurity stocks list, sorted by analyst recommendations.

Cybersecurity Stock #1: CyberArk Software (CYBR)

CyberArk Software (CYBR) is not as familiar a name as CrowdStrike (CRWD) or Palo Alto (PANW), but the Israeli company has built its reputation on privileged access management. More than half of Fortune 500 companies and roughly 35% of the Global 2000 rely on CyberArk to lock down the credentials that attackers prize most. Its solutions portfolio stretches from the classic Privileged Access Manager to newer software-as-a-service offerings such as Privilege Cloud, Endpoint Privilege Manager, and Secure Cloud Access, all unified under an identity security platform that now includes machine identities and, most recently, artificial intelligence agents.

Q1 revenue increased 43% to $318 million. Subscription sales grew 60% year-over-year, and annual recurring revenue crossed the $1 billion mark for the first time at $1.215 billion. 85% of that total now comes from subscriptions rather than older perpetual licenses. Management guided full-year revenue to roughly $1.3 billion, implying 31.5% growth without assuming any additional large deals. The mean price target here is $449, with targets going up to $500.

Cybersecurity Stock #2: Broadcom (AVGO)

Broadcom (AVGO) is as much a cybersecurity company as it is a chip designer. It acquired the Symantec division in 2019, and its Endpoint Security Complete is now the default choice for enterprises that run virtual machines like VMware. Broadcom's infrastructure software grew 47% year-over-year to $6.7 billion in Q1. In Q2, it grew 25% year-over-year. Looking ahead, the company guided to $15.8 billion of revenue for Q3, up 21% year-over-year, and reiterated that AI-driven security will be one of the two main growth vectors alongside custom AI accelerators. Free cash flow is already running at more than $6.4 billion per quarter, and management returned $7 billion to shareholders through buybacks and dividends last quarter alone. Out of 36 analysts, 32 tag it as a 'Strong Buy,' with one 'Moderate Buy' and three 'Hold' ratings. Price targets go up to $400, with the mean price target at $298.55.

Cybersecurity Stock #3: Zscaler (ZS)

Zscaler (ZS) is a cloud-based cybersecurity company. It sends all traffic through a single cloud checkpoint before anything touches the open web or a private server. It is becoming more popular as many see it as a better solution due to its Zero Trust model, which does not give any device trusted access. Hence, hackers can't take over the network if any one device is hacked.

Fiscal Q3 results exceeded even the most optimistic projections. Revenue rose 23% year over year to $678 million. Calculated billings, a forward-looking gauge of contract signings, jumped 25% to $785 million, while deferred revenue climbed 26% to just under $2 billion. Earnings per share came in at 84 cents, 12% ahead of expectations and nearly 20% higher than the year-ago quarter. The balance sheet is equally sturdy. Zscaler now holds more than $3 billion in cash and short-term investments. There are price targets going to $385, with the mean price target at $310.33.

On the date of publication, Omor Ibne Ehsan did not have (either directly or indirectly) positions in any of the securities mentioned in this article. All information and data in this article is solely for informational purposes.

Risk highlighted as Chinese hackers hit Microsoft

The Hindu

25-07-2025

Software giant Microsoft is at the centre of a cybersecurity storm after China-linked hackers exploited flaws in SharePoint servers to target hundreds of organisations. While such cyberattacks are not new, the scale of the onslaught and the speed with which the hackers took advantage of freshly discovered vulnerabilities is fuelling concern.

Dutch startup Eye Security warned Saturday of online attacks targeting SharePoint file-sharing servers, with Microsoft quick to confirm the report and release patches to protect systems. The vulnerability allowed hackers to retrieve credentials and then access SharePoint servers kept at users' facilities, according to Microsoft. Cloud-based SharePoint software was safe from the problem, the company said.

Eye Security determined that more than 400 computer systems were compromised by hackers during waves of attacks. Targets included government organisations in Europe, the Middle East and the United States, among them the U.S. nuclear weapons agency, media reports indicated. "On-premises SharePoint deployments - particularly within government, schools, healthcare and large enterprise companies - are at immediate risk," cybersecurity firm Palo Alto Networks warned in a note. Microsoft has not disclosed the number of victims in the attacks. SharePoint had more than 200 million active users as of 2020, according to the most recent figures available from Microsoft.

Microsoft has attributed the cyberattacks to groups backed by China. The culprits are believed to include Chinese state actors known as Linen Typhoon and Violet Typhoon along with a group called Storm-2603, which "is considered with moderate confidence to be a threat actor based in China." The Typhoon groups have been active for a decade or more, and are known for intellectual property theft as well as espionage, according to Microsoft. Less was known about Storm-2603 and its motives. "Investigations into other actors also using these exploits are ongoing," Microsoft said, urging users to patch SharePoint servers to avoid becoming hacking victims.

Cybersecurity specialist Damien Bancal noted in a recent blog post that he found "ready-to-use exploit code" for the vulnerability at a popular website. The assault on SharePoint servers is the latest in a series of sophisticated attacks carried out by state-sponsored groups against "the Microsoft ecosystem," according to Bancal. In 2021, attacks by a Chinese hacker group known as Silk Typhoon compromised tens of thousands of email servers using Microsoft Exchange software.

Microsoft's success at making its software commonplace in offices and homes also makes it a prime target for hackers out to steal money or information. Microsoft software can hold sensitive and valuable information. "It's not Microsoft that is being targeted, it's its customers," said Shane Barney, head of information security at US-based Keeper. Targeting Microsoft programmes is a means to an end, and tomorrow it could be software from another company, said Rodrigue Le Bayon, head of Orange Cyberdefense's computer emergency response team. China is not the only nation backing hacker operations, as countries around the world hone cyber capabilities, according to Le Bayon. Nevertheless, China is repeatedly singled out by companies and governments hit by hacks. Western countries have accused hacker groups allegedly supported by China of conducting a global cyber espionage campaign against figures critical of Beijing, democratic institutions, and companies in various sensitive sectors.