Latest news with #MandiantConsulting


Techday NZ
18 hours ago
- Techday NZ
Critical SharePoint zero-day flaw exploited, urgent actions urged
A critical zero-day vulnerability in Microsoft SharePoint Server, identified as CVE-2025-53770, has been actively exploited by threat actors and now poses a significant security risk to organisations operating on-premises SharePoint environments. Security researchers and technology companies have raised urgent concerns about the sophistication and reach of the campaign, which has been dubbed "ToolShell" and enables remote code execution (RCE), system compromise, and persistent backdoor access - even in environments protected by measures such as multi-factor authentication (MFA).

According to Adrian Culley, Senior Sales Engineer at SafeBreach, the situation is particularly serious because the attacks exploiting this vulnerability commenced before any security patches were made available, placing it in the most dangerous category of threats to enterprise infrastructure. "This CVE represents a critical security incident: it was exploited as a zero-day vulnerability in active attacks against production systems before any patches were available - the most severe type of threat organisations face," Culley stated.

Further complicating the response, there is currently no single remediation patch for the vulnerability. Microsoft has taken the unusual and cautionary step of advising organisations to assume their systems may already be compromised, and to immediately conduct comprehensive investigations to verify the integrity of their environments. This approach is rarely adopted in public advisory language, and reinforces the gravity of the incident.

SharePoint Server 2016 installations face unique challenges due to the absence of technical fixes at present. Organisations running these environments are being told to lean on breach and attack simulation, alongside current security controls, to gauge their exposure. Culley recommended, "Proactive defence requires targeted hardening measures and resilience improvements to prevent falling victim to this sophisticated attack vector."

Analysis from Mandiant Consulting, part of Google Cloud, indicates that this exploit is being used by multiple threat actors, including groups linked to China. Charles Carmakal, CTO at Mandiant Consulting, stressed the breadth of the threat landscape: "We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor. It's critical to understand that multiple actors are now actively exploiting this vulnerability." Carmakal warned that further threat actors are expected to join as awareness and knowledge of the exploit spreads, increasing the urgency for defensive actions.

Google's Threat Intelligence Group has observed attackers leveraging CVE-2025-53770 to install webshells and exfiltrate sensitive cryptographic secrets from compromised servers. This enables unauthenticated, long-term access to targeted systems, putting confidential data and business operations at risk.

In its emergency guidance, Microsoft clarified that this vulnerability currently affects only on-premises versions of SharePoint Server. Organisations using SharePoint Online as part of Microsoft 365 are not impacted. For those running on-premises servers exposed to the internet, immediate action is advised. Experts recommend implementing Microsoft's mitigation advice, closely monitoring systems for signs of compromise, and preparing to deploy an emergency patch as soon as it becomes available.

Carmakal summed up the reality facing organisations: "This isn't an 'apply the patch and you're done' situation. Organisations need to implement mitigations right away (and the patch when available), assume compromise, investigate whether the system was compromised prior to the patch/mitigation, and take remediation actions."

Given the current lack of a comprehensive patch, vigilance in monitoring, rapid application of mitigations, and thorough investigative processes will be mandatory in defending against the expanding wave of exploitation. Security professionals emphasise that building resilience and continually reviewing security postures are critical as the situation evolves and more actors target the vulnerability.


Yomiuri Shimbun
2 days ago
- Business
- Yomiuri Shimbun
China-Backed Hackers Used Microsoft Flaw in Attacks, Defenders Say
Hackers connected to the Chinese government were behind at least some of the widespread attacks in the past few days on organizations that use collaboration software from Microsoft, defenders working on the intrusions said in interviews. The breaches in the United States and other countries took advantage of a disastrous security flaw that drew attention this month, after Microsoft issued a patch that fixed only part of the problem in SharePoint, which is widely used to coordinate work on documents and projects.

'We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor,' said Charles Carmakal, chief technology officer of Google's Mandiant Consulting. Another researcher, who, like others, spoke on the condition of anonymity because the inquiry is still underway, said federal investigators have evidence of U.S.-based servers linked to compromised SharePoint systems connecting to internet protocol addresses inside China on Friday and Saturday. The FBI, the White House, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency declined to comment Monday. Two other responders working with the U.S. government said they had identified early attacks from China as well. The Chinese Embassy in Washington did not immediately respond to a request for comment.

The attacks allowed hackers to extract cryptographic keys from servers run by Microsoft clients. Those keys, in turn, would let them install anything, including back doors that they could use to return. Federal and state agencies were affected, researchers previously told The Washington Post, but it remains unclear which of them were vulnerable to follow-up attacks. Only versions of SharePoint that are hosted by the customer, not those in the cloud, are vulnerable. Microsoft issued effective patches for the last of the exposed versions by Monday.

While installing the patches should prevent new intrusions, customers also need to change the machine's digital keys, apply anti-malware software and hunt for any breaches that have already occurred, Microsoft said. Some of the early targets of the attack were entities that would interest the Chinese government, two of the responders said. But a wide range of attackers were now trying similar grabs, others said, looking to steal corporate secrets or install ransomware that encrypts key files until payments are made. 'It's critical to understand that multiple actors are now actively exploiting this vulnerability. We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well,' Carmakal said.

Piet Kerkhofs, CTO and co-founder of Europe-based Eye Security, said the SharePoint breaches share characteristics with other compromises that security researchers have attributed to China-based hackers. For instance, hackers this month exploited a vulnerability in Citrix's NetScaler virtual desktop that some researchers saw being used by Chinese actors, Kerkhofs said. That hack was similar to the SharePoint compromise in that it turned a freshly discovered vulnerability into an 'exploit' or weapon – in 'extremely fast' order, 'hours to days,' he said.

Another instance was China's global compromise of Microsoft Exchange email servers in early 2021. That case involved hackers sponsored by the Chinese government conducting widespread exploitation of core Microsoft software – its Exchange email server software. That breach has been attributed to a group that Microsoft calls Silk Typhoon, which is linked to China's Ministry of State Security. It is one of the most technically advanced hacking groups in the world and has been striking sensitive U.S. targets at an increased rate in the past year, The Post reported last week. Silk Typhoon has broken into multiple U.S. federal agencies in the past and more recently hit multiple ministries in Europe, The Post reported.


NZ Herald
2 days ago
- NZ Herald
Researchers say hackers exploited a security flaw in software widely used by governments, businesses
The breaches in the United States and other countries took advantage of a disastrous security flaw that drew attention this month, after Microsoft issued a patch that fixed only part of the problem in SharePoint.

Hackers connected to the Chinese Government were behind at least some of the widespread attacks in the past few days on organisations that use collaboration software from Microsoft, defenders working on the intrusions said in interviews. The breaches in the United States and other countries took advantage of a disastrous security flaw that drew attention this month, after Microsoft issued a patch that fixed only part of the problem in SharePoint, which is widely used to co-ordinate work on documents and projects. 'We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor,' said Charles Carmakal, chief technology officer of Google's Mandiant Consulting. Another researcher, who, like others, spoke on the condition of anonymity because the inquiry is still under way, said federal investigators have evidence of US-based servers linked to compromised SharePoint systems connecting to internet protocol addresses inside China last week. The FBI, the White House, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency declined to comment today.

Washington Post
2 days ago
- Business
- Washington Post
China-backed hackers used Microsoft flaw in attacks, defenders say


Techday NZ
24-04-2025
- Business
- Techday NZ
Mandiant report finds rise in financially motivated cyber attacks
Mandiant has released the findings of its 16th annual M-Trends report, offering insights into global cyber attack trends and incident response data from 2024. The report outlines a marked increase in financially motivated cyber threat activity worldwide, with 55% of the threat groups tracked by Mandiant in 2024 pursuing financial gain, up from 52% in 2023 and 48% in 2022. By contrast, 8% of groups were driven by espionage, showing a slight decrease from 10% the previous year.

Analysis of the methods used by attackers shows that direct exploits remained the most common initial infection vector, accounting for 33% of incidents for the fifth consecutive year. Stolen credentials constituted 16% of incidents in 2024, making it the second most frequent means of initial access and the first time it has reached this share. Email phishing accounted for 14%, web compromises 9%, and prior compromises 8% among top access vectors.

The industries most frequently targeted in 2024 remained consistent, with financial organisations making up 17.4% of attacks, followed by business and professional services at 11.1%, high tech at 10.6%, government at 9.5%, and healthcare at 9.3%.

Organisational detection of breaches remains an area for improvement. In 2024, 57% of compromises were first identified by external sources, such as law enforcement and cybersecurity vendors, who accounted for 43% of alerts, and adversaries themselves, often through ransom notes, who accounted for 14%. Only 43% of compromises were detected internally. The median dwell time – the period between initial compromise and detection – rose to 11 days globally, compared with 10 days in 2023. Dwell time was longer when breaches were reported by external entities (26 days) and shorter when adversaries notified organisations directly (5 days), as often occurs in ransomware incidents; internal detection resulted in a 10-day median dwell time.

Vivek Chudgar, Managing Director, Mandiant Consulting, JAPAC, commented on regional and global trends: "The findings in this year's M-Trends report reinforce a critical truth for organisations across JAPAC; threat actors continue to adapt and innovate, and so must our defences. With exploits accounting for 64% of initial infection vectors in our region — which is nearly double the global average — it's clear that attackers are laser-focused on exploiting vulnerabilities at scale.

"At the same time, that nearly 70% of compromises were detected by external parties underscores a continued need to improve internal visibility and response capabilities. As financially motivated threats grow more sophisticated, our collective resilience depends on proactive threat intelligence, faster detection, and a relentless focus on closing security gaps before adversaries can exploit them."

The report notes a rise in the use of infostealer malware, with attackers increasingly deploying such tools to harvest credentials that are then used for initial access. Stolen credentials now constitute a significant infection vector, reflecting their popularity among attackers. Gaps introduced during cloud migrations and unsecured data repositories were also identified as common exploitation points. Attackers are targeting these vulnerable environments to obtain credentials and other sensitive information.

Mandiant's analysis further highlights that advanced groups, especially those with ties to China, are deploying custom malware ecosystems, exploiting zero-day vulnerabilities, leveraging proxy networks resembling botnets, and focusing on edge devices and platforms lacking traditional endpoint detection and response. Such actors also use custom obfuscators to keep their presence undetected for longer durations on compromised systems.

The report also addresses activity by North Korean and Iranian actors. North Korea was observed deploying citizens as remote IT contractors under false identities, reportedly to generate revenue for national interests. Iranian-affiliated groups increased operations in 2024, particularly targeting Israeli entities and employing varied tactics to boost intrusion success.

Emerging trends in cyber attacks include increased targeting of cloud-based stores of centralised authority, such as single sign-on portals, and an uptick in attempts to exploit Web3 technologies including cryptocurrencies and blockchain platforms for theft, money laundering, and financing illicit activity.

Mandiant's recommendations for organisations include implementing a layered security approach based on strong fundamentals such as vulnerability management and least privilege, enforcing FIDO2-compliant multi-factor authentication—especially on privileged accounts—investing in advanced detection tools, and developing effective incident response plans. The company further advises improving logging and monitoring practices, conducting threat hunting exercises, and securing cloud environments through regular assessments and robust controls. Additional guidance involves mitigating insider risk via thorough employee vetting, monitoring for suspicious activity, and enforcing strict access controls. Mandiant encourages organisations to prioritise up-to-date threat intelligence, regularly review security policies, and adapt strategies to address the continually evolving threat landscape.

The M-Trends 2025 report is based on data drawn from over 450,000 hours of frontline investigations by Mandiant Consulting between January and December 2024, offering comprehensive metrics and insights for defenders tasked with organisational cyber protection.