Latest news with #MichaelSikorski


The Star
7 hours ago
- Business
- The Star
Microsoft flaw 'opens the door' for hackers. It will be hard to close
Waves of cyberattacks are hitting a commonly used Microsoft product, compromising dozens of organisations around the world. The hackers exploited a vulnerability in Microsoft SharePoint, an Internet-based app primarily used by government agencies and private companies for internal documents and records. The company alerted customers to the problem on July 19, and on July 20 issued guidance on how to fix it.

The Cybersecurity and Infrastructure Security Agency, a branch of the US Department of Homeland Security, said on July 20 that it's still assessing the scope of the attacks. "CISA was made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action," Chris Butera, CISA acting executive assistant director for cybersecurity, said in a statement. "Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations."

Cybersecurity company Eye Security scanned more than 8,000 SharePoint servers worldwide and found that dozens of organisations were compromised during attacks from Friday through Monday. Eye Security said it discovered the attacks.

Microsoft and cybersecurity experts said customers who use SharePoint through a cloud-based server aren't at risk. It is organisations that run their own on-premises SharePoint servers that are vulnerable. That likely includes government agencies, schools, hospitals and large companies. Eye Security and Microsoft urged customers to follow Microsoft's guidance for mitigating exposure from hackers getting into a network and stealing data. In other intrusions, hackers have stolen identifying information of customers as well as intellectual property and internal communications. "The risk is not theoretical," Eye Security said in a blog post.

The vulnerability in the system is referred to as a "zero-day" exploit, which means it's a flaw that the company wasn't aware of. Therefore, the company's security team had zero days to prepare a patch or fix. CISA said malicious hackers are able to manipulate code within an organisation's SharePoint network if they gain access. Microsoft labelled the severity of the flaw as critical, the most serious designation in its security guide.

Unit 42, a team of cyber threat researchers with Palo Alto Networks, said it was a severe and urgent threat. Michael Sikorski, chief technical officer for Unit 42, said in a statement that attackers are bypassing passwords and other security measures in SharePoint to gain access to sensitive data and establish footholds. They're able to create backdoors into networks that survive reboots and updates. "If you have SharePoint (on-premises) exposed to the Internet, you should assume that you have been compromised at this point," he said. "Patching alone is insufficient to fully evict the threat."

SharePoint is deeply connected with Microsoft's suite of products, including services like Outlook and Teams, which makes the attacks especially concerning, according to Sikorski. "A compromise doesn't stay contained – it opens the door to the entire network," he said. In a threat brief on Monday, Palo Alto Networks recommended that customers follow Microsoft's guidance.

The attacks come four months after researchers at cybersecurity company Trend Micro reported another zero-day exploit at Microsoft. In that case, state-sponsored attackers from North Korea, Iran, Russia and China were able to manipulate a flaw in shortcut links on Windows to steal data and cryptocurrency. – The Seattle Times/Tribune News Service
Business Times
a day ago
- Business
- Business Times
Microsoft rushes to stop hackers from wreaking global havoc
[WASHINGTON] Hackers exploited a security flaw in common Microsoft software to breach governments, businesses and other organisations across the globe and steal sensitive information, according to officials and cybersecurity researchers. Microsoft over the weekend released a patch for the vulnerability in servers of the SharePoint document management software. The company said it was still working to roll out other fixes after warnings that hackers were targeting SharePoint clients, using the flaw to enter file systems and execute code.

Multiple different hackers are launching attacks through the Microsoft vulnerability, according to representatives of two cybersecurity firms, CrowdStrike Holdings and Google's Mandiant Consulting. Hackers have already used the flaw to break into the systems of national governments in Europe and the Middle East, according to a person familiar with the matter. In the US, they've accessed government systems, including ones belonging to the US Department of Education, Florida's Department of Revenue and the Rhode Island General Assembly, said the person, who spoke on condition that they not be identified discussing the sensitive information.

Representatives of the Department of Education and Rhode Island legislature didn't respond to calls and emails seeking comment on Monday. A Florida Department of Revenue spokesperson, Bethany Wester Cutillo, said in an email that the SharePoint vulnerability is being investigated 'at multiple levels of government' but that the state agency 'does not comment publicly on the software we use for operations.'

The hackers also breached the systems of a US-based health-care provider and targeted a public university in South-east Asia, according to a report from a cybersecurity firm reviewed by Bloomberg News. The report doesn't identify either entity by name, but says the hackers have attempted to breach SharePoint servers in countries including Brazil, Canada, Indonesia, Spain, South Africa, Switzerland, the UK and the US. The firm asked not to be named because of the sensitivity of the information.

In some systems they've broken into, the hackers have stolen sign-in credentials, including usernames, passwords, hash codes and tokens, according to a person familiar with the matter, who also spoke on condition that they not be identified discussing the sensitive information.

'This is a high-severity, high-urgency threat,' said Michael Sikorski, chief technology officer and head of threat intelligence for Unit 42 at Palo Alto Networks. 'What makes this especially concerning is SharePoint's deep integration with Microsoft's platform, including their services like Office, Teams, OneDrive and Outlook, which has all the information valuable to an attacker,' he said. 'A compromise doesn't stay contained – it opens the door to the entire network.'

Tens of thousands – if not hundreds of thousands – of businesses and institutions worldwide use SharePoint in some fashion to store and collaborate on documents. Microsoft said that attackers are specifically targeting clients running SharePoint servers from their own on-premise networks, as opposed to being hosted and managed by the tech firm. That could limit the impact to a subsection of customers. A Microsoft spokesperson declined to comment beyond an earlier statement.

'It's a dream for ransomware operators,' said Silas Cutler, a researcher at Michigan-based cybersecurity firm Censys. He estimated that more than 10,000 companies with SharePoint servers were at risk. The US had the largest number of such firms, followed by the Netherlands, the UK and Canada, he said.

The breaches have drawn new scrutiny to Microsoft's efforts to shore up its cybersecurity after a series of high-profile failures. The firm has hired executives from places like the US government and holds weekly meetings with senior executives to make its software more resilient. The company's tech has been subject to several widespread and damaging hacks in recent years, and a 2024 US government report described the company's security culture as in need of urgent reforms.

The Center for Internet Security, which operates a cybersecurity information sharing system for state and local governments in the US, found more than 1,100 servers that are at risk from the SharePoint vulnerability, said Randy Rose, the organisation's vice president of security operations and intelligence. Rose said more than 100 were likely hacked. The Washington Post reported that the breach had affected US federal and state agencies, universities, energy companies and an Asian telecommunications company, citing state officials and private researchers.

Eye Security was the first to identify that attackers were actively exploiting the vulnerabilities in a wave of cyberattacks that began on Friday, said Vaisha Bernard, the company's chief hacker and co-owner. Eye Security said the vulnerability allows hackers to access SharePoint servers and steal keys that can let them impersonate users or services even after the server is patched. It said hackers can maintain access through backdoors or modified components that can survive updates and reboots of systems.

The SharePoint vulnerabilities, known as 'ToolShell,' were first identified in May by researchers at a Berlin cybersecurity conference. In early July, Microsoft issued patches to fix the security holes, but hackers found another way in. 'There were ways around the patches,' which enabled hackers to break into SharePoint servers by tapping into similar vulnerabilities, said Bernard. 'That allowed these attacks to happen.'

The intrusions, he said, were not targeted and instead were aimed at compromising as many victims as possible. After scanning about 8,000 SharePoint servers, Bernard said he has so far identified at least 50 that were successfully compromised. He declined to identify the organisations that had been targeted, but said they included government agencies and private companies, including 'bigger multinationals.' The victims were located in countries in North and South America, the EU, South Africa, and Australia, he added. BLOOMBERG

Business Standard
a day ago
- Business Standard
Hackers exploit SharePoint flaw to breach servers, Microsoft issues fix
Microsoft has rolled out an emergency security fix to address a serious vulnerability in its SharePoint software, which hackers are actively exploiting in cyberattacks targeting companies and US government agencies, Associated Press reported. Microsoft alerted users over the weekend, confirming that a zero-day exploit was being used and that it was working on a solution. On Sunday, the tech giant released instructions to patch the issue for SharePoint Server 2019 and SharePoint Server Subscription Edition. However, engineers are still working on a fix for the older SharePoint Server 2016.

'Anybody who's got a hosted SharePoint server has got a problem,' said Adam Meyers, senior vice president at cybersecurity firm CrowdStrike. 'It's a significant vulnerability.'

Zero-day exploit

A zero-day exploit refers to a security flaw that has just been discovered and for which there is no fix yet, giving attackers a head start before security teams can respond. According to the US Cybersecurity and Infrastructure Security Agency (CISA), this new threat is a variant of an existing vulnerability (CVE-2025-49706). It mainly affects organisations using on-premise SharePoint servers.

Cybersecurity experts have identified the exploit, dubbed 'ToolShell', which can allow attackers full access to SharePoint file systems. This may also impact other services linked to SharePoint, like Microsoft Teams and OneDrive, Associated Press reported. Google's Threat Intelligence Group has warned that this vulnerability could potentially 'bypass future patching', making it even more dangerous.

Global impact and affected systems

Cybersecurity company Eye Security reported scanning more than 8,000 SharePoint servers globally. Its findings showed that at least several dozen had been compromised, and the attacks started on July 18. Microsoft clarified that this vulnerability affects only on-premise SharePoint servers and not the cloud-based SharePoint Online service. However, the risk remains high, particularly for critical sectors.

What should users do?

Organisations using on-premise SharePoint servers are strongly urged to apply Microsoft's latest security guidance immediately. CISA has recommended that any impacted servers be taken offline until they are properly patched.

Michael Sikorski, chief technology officer and head of Threat Intelligence for Unit 42 at Palo Alto Networks, said, 'We are urging organisations who are running on-prem SharePoint to take action immediately and apply all relevant patches now and as they become available, rotate all cryptographic material, and engage professional incident response.' Sikorski also suggested disconnecting Microsoft SharePoint from the internet as a temporary measure until a security patch is released.

CERT-In warns Microsoft users in India

Last week, the Indian Computer Emergency Response Team (CERT-In) issued a high-severity warning for users of Microsoft Windows and Office products. The agency flagged multiple security flaws that could put both individuals and enterprises at risk. According to CERT-In, attackers could exploit these flaws to gain higher privileges, access sensitive data, execute remote code, and bypass security protocols. In some cases, they may also spoof identities, tamper with system settings, or trigger denial-of-service (DoS) attacks. CERT-In has urged all users and IT administrators to apply necessary patches and take additional security measures to avoid potential exploitation. [With agency inputs]

The Hindu
2 days ago
- Business
- The Hindu
What to know about a vulnerability being exploited on Microsoft SharePoint servers
Microsoft has issued an emergency fix to close off a vulnerability in Microsoft's widely-used SharePoint software that hackers have exploited to carry out widespread attacks on businesses and at least some U.S. government agencies. The company issued an alert to customers Saturday saying it was aware of the zero-day exploit being used to conduct attacks and that it was working to patch the issue. Microsoft updated its guidance Sunday with instructions to fix the problem for SharePoint Server 2019 and SharePoint Server Subscription Edition. Engineers were still working on a fix for the older SharePoint Server 2016 software.

'Anybody who's got a hosted SharePoint server has got a problem,' said Adam Meyers, senior vice president with CrowdStrike, a cybersecurity firm. 'It's a significant vulnerability.'

Companies and government agencies around the world use SharePoint for internal document management, data organisation and collaboration.

A zero-day exploit is a cyberattack that takes advantage of a previously unknown security vulnerability. 'Zero-day' refers to the fact that the security engineers have had zero days to develop a fix for the vulnerability. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the exploit affecting SharePoint is 'a variant of the existing vulnerability CVE-2025-49706 and poses a risk to organizations with on-premise SharePoint servers.'

Security researchers warn that the exploit, reportedly known as 'ToolShell,' is a serious one and can allow actors to fully access SharePoint file systems, including services connected to SharePoint, such as Teams and OneDrive. Google's Threat Intelligence Group warned that the vulnerability may allow bad actors to 'bypass future patching.'

Eye Security said in its blog post that it scanned over 8,000 SharePoint servers worldwide and discovered that at least dozens of systems were compromised. The cybersecurity company said the attacks likely began on July 18.

Microsoft said the vulnerability affects only on-site SharePoint servers used within businesses or organisations, and does not affect Microsoft's cloud-based SharePoint Online service. But Michael Sikorski, CTO and Head of Threat Intelligence for Unit 42 at Palo Alto Networks, warns that the exploit still leaves many potentially exposed to bad actors. 'While cloud environments remain unaffected, on-prem SharePoint deployments — particularly within government, schools, health care including hospitals, and large enterprise companies — are at immediate risk.'

The vulnerability targets SharePoint server software so customers of that product will want to immediately follow Microsoft's guidance to patch their on-site systems. Although the scope of the attack is still being assessed, CISA warned that the impact could be widespread and recommended that any servers impacted by the exploit should be disconnected from the internet until they are patched.

'We are urging organizations who are running on-prem SharePoint to take action immediately and apply all relevant patches now and as they become available, rotate all cryptographic material, and engage professional incident response. An immediate, band-aid fix would be to unplug your Microsoft SharePoint from the internet until a patch is available,' Sikorski advises.


Asahi Shimbun
2 days ago
- Business
- Asahi Shimbun
What to know about a vulnerability being exploited on Microsoft SharePoint servers
(Photo: The Microsoft company logo is displayed at their offices in Sydney, Australia, on Feb. 3, 2021. AP Photo)

NEW YORK--Microsoft has issued an emergency fix to close off a vulnerability in Microsoft's widely-used SharePoint software that hackers have exploited to carry out widespread attacks on businesses and at least some U.S. government agencies. The company issued an alert to customers Saturday saying it was aware of the zero-day exploit being used to conduct attacks and that it was working to patch the issue. Microsoft updated its guidance Sunday with instructions to fix the problem for SharePoint Server 2019 and SharePoint Server Subscription Edition. Engineers were still working on a fix for the older SharePoint Server 2016 software.

'Anybody who's got a hosted SharePoint server has got a problem,' said Adam Meyers, senior vice president with CrowdStrike, a cybersecurity firm. 'It's a significant vulnerability.'

Companies and government agencies around the world use SharePoint for internal document management, data organization and collaboration.

A zero-day exploit is a cyberattack that takes advantage of a previously unknown security vulnerability. 'Zero-day' refers to the fact that the security engineers have had zero days to develop a fix for the vulnerability. According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the exploit affecting SharePoint is 'a variant of the existing vulnerability CVE-2025-49706 and poses a risk to organizations with on-premise SharePoint servers.'

Security researchers warn that the exploit, reportedly known as 'ToolShell,' is a serious one and can allow actors to fully access SharePoint file systems, including services connected to SharePoint, such as Teams and OneDrive. Google's Threat Intelligence Group warned that the vulnerability may allow bad actors to 'bypass future patching.'

Eye Security said in its blog post that it scanned over 8,000 SharePoint servers worldwide and discovered that at least dozens of systems were compromised. The cybersecurity company said the attacks likely began on July 18.

Microsoft said the vulnerability affects only on-site SharePoint servers used within businesses or organizations and does not affect Microsoft's cloud-based SharePoint Online service. But Michael Sikorski, CTO and Head of Threat Intelligence for Unit 42 at Palo Alto Networks, warns that the exploit still leaves many potentially exposed to bad actors. 'While cloud environments remain unaffected, on-prem SharePoint deployments — particularly within government, schools, health care including hospitals, and large enterprise companies — are at immediate risk.'

The vulnerability targets SharePoint server software so customers of that product will want to immediately follow Microsoft's guidance to patch their on-site systems. Although the scope of the attack is still being assessed, CISA warned that the impact could be widespread and recommended that any servers impacted by the exploit should be disconnected from the internet until they are patched.

'We are urging organizations who are running on-prem SharePoint to take action immediately and apply all relevant patches now and as they become available, rotate all cryptographic material, and engage professional incident response. An immediate, band-aid fix would be to unplug your Microsoft SharePoint from the internet until a patch is available,' Sikorski advises.