Latest news with #SharePointOnline

Microsoft SharePoint zero-day flaw prompts urgent global response

Techday NZ

3 hours ago

Organisations around the world are racing to mitigate the impact of a critical zero-day vulnerability in Microsoft's SharePoint server software, which has already been implicated in a series of significant security breaches and is being actively exploited by threat actors, including alleged Chinese nation-state groups. The flaw, catalogued as CVE-2025-53770, was revealed last week after several cyber security researchers, including Microsoft and Google's Threat Intelligence Group, published emergency advisories. Microsoft has clarified that the vulnerability affects only on-premises versions of SharePoint. SharePoint Online, the cloud-based variant included in Microsoft 365, is not impacted by this zero-day flaw.

The urgency of the threat became clear after Eye Security researchers published findings that highlighted "active, large-scale exploitation" of the flaw, which they related to a set of vulnerabilities coined "ToolShell." Attackers who successfully exploit CVE-2025-53770 can access sensitive MachineKey configuration details on vulnerable servers, including the validationKey and decryptionKey. These critical parameters can then be used to craft specially designed requests that enable unauthenticated remote code execution, effectively giving attackers full control over the targeted servers.

Late-breaking fixes for SharePoint Server 2019 and SharePoint Subscription Edition have been made available, with a patch for SharePoint Server 2016 expected to follow. Organisations are being urged to conduct incident response investigations, apply available patches, and closely review Microsoft's temporary mitigation instructions to limit exposure.

In recent reports, the scope and impact of the exploit have become clearer. More than 100 servers across at least 60 global organisations, including critical infrastructure such as the US National Nuclear Security Administration, have reportedly been breached via the vulnerability. Cyber security analysts have attributed the campaign to Chinese state-linked groups, among them Linen Typhoon, Violet Typhoon, and Storm-2603. These groups are said to have used stolen credentials to establish persistent access, potentially enabling ongoing espionage even after patches are applied.

According to Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, attackers are using the vulnerability to install webshells - malicious scripts that provide ongoing unauthorised access - and to exfiltrate cryptographic secrets from compromised servers. This presents a substantial risk to organisations, as it allows persistent, unauthenticated access by malicious actors. "If your organisation has on-premises Microsoft SharePoint exposed to the internet, you have an immediate action to take," Carmakal said. He stressed that mitigation steps must be implemented without delay and that patches must be applied as they become available. "This isn't an 'apply the patch and you're done' situation. Organisations need to assume compromise, investigate for any evidence of prior intrusion, and take appropriate remediation actions."

Satnam Narang, Senior Staff Research Engineer at Tenable, warned of the widespread consequences, stating: "The active exploitation of the SharePoint zero-day vulnerability over the weekend will have far-reaching consequences for those organisations that were affected. Attackers were able to exploit the flaw to steal MachineKey configuration details, which could be used to gain unauthenticated remote code execution." Narang added that early signs of compromise could include the presence of a file named although it might carry a different extension in some cases.

Bob Huber, Chief Security Officer and President of Public Sector at Tenable, commented: "The recent breach of multiple governments' systems […] is yet another urgent reminder of the stakes we're facing. This isn't just about a single flaw, but how sophisticated actors exploit these openings for long-term gain." Huber noted that because Microsoft's identity stack is so deeply embedded in government and corporate environments, a breach in SharePoint can create "a massive single point of failure." He argued for a more proactive, preventative approach to cyber security, emphasising the need for exposure management platforms that provide unified oversight across complex infrastructures.

For now, the coordinated response by vendors, security firms, and government agencies continues, as organisations watch for signs of compromise and await further guidance on long-term remediation. The incident serves as a stark reminder of the intricate cyber threats faced by modern institutions, and the pressing need for rigorous, ongoing defence strategies against ever-evolving adversaries.

Microsoft Server Hack Likely Single Actor, Over 8,000 Firms Hit

NDTV, Business

a day ago

A global attack on Microsoft server software used by thousands of government agencies and businesses to share documents within organisations is likely the work of a single actor, a cybersecurity researcher said on Monday. Microsoft on Saturday issued an alert about "active attacks" on SharePoint servers used within organisations. It said that SharePoint Online in Microsoft 365, which is in the cloud, was not hit by the exploit, also known as a "zero day" because it was previously unknown to cybersecurity researchers.

"Based on the consistency of the tradecraft seen across observed attacks, the campaign launched on Friday appears to be a single actor. However, it's possible that this will quickly change," said Rafe Pilling, Director of Threat Intelligence at Sophos, a British cybersecurity firm. That tradecraft included the sending of the same digital payload to multiple targets, Pilling added. Microsoft had "provided security updates and encourages customers to install them," a company spokesperson said in an emailed statement.

It was not clear who was behind the ongoing hack. The FBI said on Sunday it was aware of the attacks and was working closely with its federal and private-sector partners, but offered no other details. Britain's National Cyber Security Centre did not immediately respond to a request for comment. The Washington Post said unidentified actors in the past few days had exploited a flaw to launch an attack that targeted US and international agencies and businesses.

According to data from Shodan, a search engine that helps to identify internet-linked equipment, over 8,000 servers online could theoretically have already been compromised by hackers. Those servers include major industrial firms, banks, auditors, healthcare companies, and several US state-level and international government entities.

"The SharePoint incident appears to have created a broad level of compromise across a range of servers globally," said Daniel Card of British cybersecurity consultancy PwnDefend. "Taking an assumed breach approach is wise, and it's also important to understand that just applying the patch isn't all that is required here."

SharePoint flaw exploited in hacks on agencies, firms: Microsoft

Malaysia Sun, Business

a day ago

WASHINGTON, D.C.: Microsoft has warned of active cyberattacks targeting a widely used server software that allows businesses and government agencies to share documents internally. The company urged customers to apply critical security updates immediately to avoid exploitation. The software under attack is Microsoft's on-premise SharePoint Server, which is commonly deployed by organizations that manage their infrastructure. Microsoft clarified that its cloud-based SharePoint Online service within Microsoft 365 is not affected.

In a security advisory issued on July 19, the company described the threat as a "zero-day" attack, referring to the exploitation of a previously unknown software flaw. According to experts cited by The Washington Post, which first reported the breach, the flaw has been used in recent days to launch cyberattacks against U.S. and international government agencies and businesses. Tens of thousands of servers may be vulnerable.

"We've been coordinating closely with CISA, DOD Cyber Defense Command, and key cybersecurity partners globally throughout our response," a Microsoft spokesperson said. "Security updates have been issued and customers should install them immediately."

The vulnerability allows an attacker with network access to perform "spoofing"—a type of deception in which a malicious actor impersonates a trusted entity. This technique can be used to manipulate systems, financial markets, or internal communications by masking the source of malicious activity. The FBI confirmed over the weekend that it is aware of the ongoing attacks and is working with federal agencies and private-sector partners to investigate, though it provided no further details.

Microsoft said it is developing updates specifically for the 2016 and 2019 versions of SharePoint. Until those fixes are available, customers unable to implement Microsoft's recommended security configurations should consider disconnecting affected servers from the internet to limit exposure. Spoofing attacks can be hazardous in environments like government networks or financial institutions, where trust in digital communications is paramount. Microsoft has provided detailed mitigation instructions for system administrators to secure their environments while patches are rolled out.

This incident is the latest in a string of cyber threats affecting critical infrastructure and enterprise tools. These often involve sophisticated attackers exploiting unpatched vulnerabilities before companies are aware they exist.

Microsoft issues urgent alert over document server attacks

Canada News.Net, Business

a day ago


Chinese hackers exploiting SharePoint flaws to steal data, deploy malware, says Microsoft

First Post

2 days ago

Chinese state-sponsored hackers are actively exploiting two critical vulnerabilities in Microsoft SharePoint servers to steal sensitive data and gain backdoor access to enterprise networks, the tech giant warned on Tuesday. Microsoft said it had identified three threat groups, Linen Typhoon, Violet Typhoon, and Storm-2603, that have been targeting internet-facing SharePoint servers since at least July 7, exploiting flaws that allow authentication bypass and remote code execution. Only on-premises SharePoint installations are affected by the campaign; Microsoft's cloud-based SharePoint Online remains unaffected. The company has issued security patches and urged customers to apply them immediately to prevent further intrusions.

What are the hackers doing?

Once inside a system, the attackers deploy malicious code that grants them backdoor access and lets them steal machine encryption keys. These tools allow persistent access and control over the compromised networks, Microsoft said in its security bulletin. Cybersecurity firm Check Point confirmed the same campaign had intensified after July 18, with multiple compromise attempts against government and private organisations in North America and Western Europe.

Who are the threat actors?

  • Linen Typhoon (active since 2012): targets governments, defence entities, and human rights groups to steal intellectual property.
  • Violet Typhoon (since 2015): spies on NGOs, media organisations, think tanks, and former officials in the US, Europe, and East Asia.
  • Storm-2603: suspected to be China-based, has used ransomware in the past, but current motives remain unclear.

The vulnerabilities exploited in this campaign allow attackers to spoof credentials and run arbitrary code remotely, making them particularly dangerous for high-value targets. Microsoft and Check Point have both advised organisations using SharePoint Server to urgently review their exposure and apply the necessary mitigations.
