Latest news with #Mandiant


Axios
2 hours ago
Chinese hackers targeting SharePoint flaw for weeks, Microsoft says
At least three China-based hacking teams have been exploiting a previously unknown flaw in Microsoft SharePoint since at least July 7, the company said in a blog post.

Why it matters: Microsoft and security researchers didn't uncover the vulnerability until this past weekend, leaving thousands of customers exposed to potential nation-state hacking.

Driving the news: Microsoft said in a blog post Tuesday that it's observed three China-based hacking teams — two of which are based within the Chinese government — attempting to break into companies' networks using the SharePoint flaw. Microsoft tracks those groups under the names Linen Typhoon, Violet Typhoon and Storm-2603. Each cybersecurity company has its own naming convention for hacking teams, based on its own internal data and telemetry. Google's Mandiant also said Monday that it has observed at least one China-backed group targeting the SharePoint flaws, but that multiple threat actors have started getting involved.

Catch up quick: Over the weekend, Microsoft and several researchers warned about a new flaw in SharePoint servers that only affects those who run the technology on-premise, on their own servers rather than in the shared Microsoft cloud. The vulnerability could allow hackers to access content stored in SharePoint and execute code. Some experts also said they've seen hackers stealing machine keys when they break in, which would allow them to break back in even after the SharePoint flaw is patched. So far, victims have included the Education Department, national governments in Europe and the Middle East, universities, energy companies and an Asian telecommunications firm, according to news reports.

Zoom in: Linen Typhoon and Violet Typhoon are both government hacker teams that focus on espionage and stealing intellectual property, according to Microsoft. Storm-2603 takes a different approach and is known for stealing machine keys and deploying ransomware onto victims' devices. Microsoft says it's unclear what this hacking group's motives are. The Chinese Embassy did not immediately respond to a request for comment.


NBC News
2 hours ago
Chinese hackers race to target Microsoft SharePoint vulnerability, tech giants say
A newly discovered critical flaw in Microsoft's SharePoint platform has spurred a mad frenzy from hackers — including some working for the Chinese government, Google and Microsoft say. Which organizations have been hacked is still not public, but the number is increasing and includes multiple government agencies around the world, Charles Carmakal, the chief technology officer at Mandiant, Google's cloud security service, told NBC News.

SharePoint works as a shared version of Microsoft Office, letting people in the same organization directly collaborate. The flaw in the software — initially classified as a 'zero day,' because there was no patch with which victims could defend themselves when it was first discovered — lets hackers gain significant access to the computers of organizations that host SharePoint. Cloud customers were not affected. Microsoft announced Saturday that the flaw was being exploited but only made a downloadable fix for it available Monday, prompting a scramble for organizations to patch it while capable hackers hurried to find additional victims who hadn't protected themselves.

The incident echoes one in 2021, when a flaw in another Microsoft product, the email program Exchange, allowed a similar mad dash of hacking. In that case, the U.S. formally accused China of snooping on government emails, but a review board also blamed Microsoft for allowing it to happen.

In a blog post published Tuesday morning, Microsoft said at least three Chinese hacking groups, two of which are associated with Chinese intelligence, have been exploiting the flaw. The U.S. government and its allies, as well as Western cybersecurity companies, routinely attribute cyber espionage efforts to China, which often downplays the accusations. A spokesperson for China's Embassy in Washington did not directly deny that Chinese intelligence has been using the exploit, but said, 'Cyber attacks are a common threat faced by all countries, China included.'

'China firmly opposes and combats all forms of cyber attacks and cyber crime — a position that is consistent and clear,' the spokesperson said. Neither the White House nor the Cybersecurity and Infrastructure Security Agency, which protects U.S. federal networks, responded to a request for comment.


CNBC
3 hours ago
Microsoft says Chinese hacking groups exploited SharePoint vulnerability in attacks
Microsoft on Tuesday said Chinese hacking groups were part of the recent attacks on its SharePoint collaboration software. As early as July 7, the Chinese nation-state actors it calls Linen Typhoon and Violet Typhoon have been trying to exploit the vulnerability, as has a China-based actor called Storm-2603, Microsoft said in a Tuesday blog post.

On Monday, Charles Carmakal, technology chief of the Google-owned Mandiant cybersecurity consulting group, said in a LinkedIn post that "we assess that at least one of the actors responsible for the early exploitation is a China-nexus threat actor."

On Sunday, the U.S. Cybersecurity and Infrastructure Security Agency said it was "aware of active exploitation" of the vulnerability, and Microsoft rolled out patches for two versions of its on-premises SharePoint releases. The software company issued a fix for a third version on Monday. SharePoint is frequently used by businesses and organizations around the world to store and collaborate on documents.

Last year, Microsoft CEO Satya Nadella made cybersecurity a top priority after a U.S. government report criticized the company's handling of China's breach of U.S. government officials' email accounts. Last week, the company said it would stop relying on engineers based in China to support the Pentagon's use of cloud services, after a media report suggested that the architecture could have led to China-sponsored attacks against the U.S. defense arm.

SharePoint is a key component of Microsoft's widely used Office productivity software, enabling many people inside organizations to access internal files. In 2021, attackers affiliated with the Chinese nation-state group known as Hafnium targeted a different piece of Office software, Exchange Server, which provides mail and calendar services.


CNA
a day ago
CNA938 Rewind - Groups like UNC3886 focus on online espionage and exploiting vulnerabilities
What is UNC3886 - the entity targeting prominent strategic organisations globally - and how could it threaten Singapore's national security infrastructure? Lance Alexander and Daniel Martin speak with Vivek Chudgar, Managing Director for Asia Pacific & Japan at Mandiant, Google Cloud.


South China Morning Post
a day ago
Why did Singapore name cyberthreat group UNC3886 and is it linked to China?
Singapore has made a rare move to identify the UNC3886 cyberthreat group that it says is attacking local critical infrastructure. UNC3886 has been identified by Google-owned cybersecurity firm Mandiant as a China-linked cyber espionage group, although Beijing's embassy in Singapore has vehemently rejected the claim.

Singapore's Coordinating Minister for National Security K Shanmugam said during a speech at the 10th anniversary of the Cyber Security Agency last Friday that from 2021 to last year, suspected advanced persistent threats against Singapore had increased more than fourfold. These threats often carried out state objectives, the minister noted. Shanmugam, who is also home affairs minister, said one advanced persistent threat group Singapore was facing was UNC3886, which the industry had associated with cyberattacks against critical areas such as defence, telecommunications and technology organisations in the United States and Asia.

'The intent of this threat actor in attacking Singapore is quite clear. They are going after high value, strategic targets. Vital infrastructure that delivers our essential services. If it succeeds, it can conduct espionage, and it can cause major disruption to Singapore and Singaporeans,' he said, without naming the suspected country linked to UNC3886.

Less than a day after his speech, the minister posted that lottery numbers for 3886 in Singapore had been sold out. 'I said Singaporeans need to know that UNC3886 is attacking us in cyberspace. And that it's very serious. One reaction: No 3886 has been sold out for 4D today,' he wrote on social media.