Microsoft SharePoint server hack sees Chinese threat actor hit roughly 100 orgs - here’s what we know so far
SharePoint vulnerability should be patched with priority

- Around 100 organizations have been targeted via the Microsoft SharePoint vulnerability
- Series of cyberattacks appear to be the work of Chinese hackers
- The vulnerability has left as many as 8,000 servers at risk
A cyberespionage campaign exploiting the recently-revealed Microsoft SharePoint issue has targeted roughly 100 organizations, compromising server software and primarily hitting government agencies in the US and Germany, experts have warned.
Google released a statement in which it attributed at least some of the attacks to a ‘China-Nexus threat actor,’ and warned against further expansion of the threat - although the Chinese Embassy has denied this.
Microsoft recently released urgent patches for a zero-day vulnerability affecting SharePoint servers, which has been abused in attacks since July 18, with victims reportedly including a private energy operator in California as well as a private fintech firm in New York.
China-Nexus threat actors
"Cyber attacks are a common threat faced by all countries, China included. China firmly opposes and combats all forms of cyber attacks and cyber crime — a position that is consistent and clear. At the same time, we also firmly oppose smearing others without solid evidence," the Chinese Embassy told TechRadar Pro.
"We hope that relevant parties will adopt a professional and responsible attitude when characterizing cyber incidents, basing their conclusions on sufficient evidence rather than unfounded speculation and accusations."
The attacks saw hackers extract cryptographic keys from servers run by Microsoft customers. The keys would then let them install virtually anything, including malware or backdoors that the attackers could use to regain access later.
Only SharePoint versions that are hosted by the customer, rather than the cloud, are vulnerable. These types of attacks could allow attackers to steal corporate secrets or install ransomware to encrypt key files.
“We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor,” said Charles Carmakal, chief technology officer of Google’s Mandiant Consulting.
“It's critical to understand that multiple actors are now actively exploiting this vulnerability. We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well,” he continued.
Researchers say that so far, the attacks can be attributed to a single hacker or a set of hackers, rather than a large number - but there has been a broad range of targets, and a vast number of potential targets - with some researchers estimating up to 8,000 vulnerable servers.
Whilst the update should prevent new intrusions, administrators will also need to rotate the servers' ASP.NET machine keys (stolen keys remain usable until they are replaced), hunt for any breaches that may already have occurred, and enable Antimalware Scan Interface (AMSI) integration alongside antivirus software.
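The key-rotation step above, as an added example that is not part of the original article or Microsoft's own guidance text. It assumes the security update is already installed, that it is run from the SharePoint Management Shell as a farm administrator, and that PowerShell remoting to the other farm servers is enabled; cmdlet names are those of the SharePoint PowerShell module and should be confirmed against your build.

```powershell
# Added example (not from the article): rotate the ASP.NET machine keys of an
# on-premises SharePoint farm AFTER the security update has been installed.
# Assumptions: SharePoint Management Shell, farm admin rights, WinRM enabled.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Generate a new machine key for every web application in the farm,
#    Central Administration included. Any key an attacker extracted before
#    patching stays valid until this step replaces it.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($webApp in $webApps) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# 2. Restart IIS on every SharePoint server so worker processes pick up the
#    new keys. Invoke-Command over WinRM is assumed to be available; otherwise
#    run iisreset.exe locally on each server.
$servers = (Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }).Name
foreach ($server in $servers) {
    Write-Host "Restarting IIS on $server"
    Invoke-Command -ComputerName $server -ScriptBlock { iisreset.exe }
}
```

Rotation only removes the value of already-stolen keys; it does not detect whether the server was backdoored, so the breach hunt and AMSI deployment in the article still apply.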

Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.