Found 6 bookmarks
Custom sorting
SharePoint Exploit: Microsoft Used China-Based Engineers to Maintain the Software
SharePoint Exploit: Microsoft Used China-Based Engineers to Maintain the Software
propublica.org - Microsoft announced that Chinese state-sponsored hackers had exploited vulnerabilities in its popular SharePoint software but didn’t mention that it has long used China-based engineers to maintain the product. ast month, Microsoft announced that Chinese state-sponsored hackers had exploited vulnerabilities in SharePoint, the company’s widely used collaboration software, to access the computer systems of hundreds of companies and government agencies, including the National Nuclear Security Administration and the Department of Homeland Security. The company did not include in its announcement, however, that support for SharePoint is handled by a China-based engineering team that has been responsible for maintaining the software for years. ProPublica viewed screenshots of Microsoft’s internal work-tracking system that showed China-based employees recently fixing bugs for SharePoint “OnPrem,” the version of the software involved in last month’s attacks. The term, short for “on premises,” refers to software installed and run on customers’ own computers and servers. Microsoft said the China-based team “is supervised by a US-based engineer and subject to all security requirements and manager code review. Work is already underway to shift this work to another location.” It’s unclear if Microsoft’s China-based staff had any role in the SharePoint hack. But experts have said allowing China-based personnel to perform technical support and maintenance on U.S. government systems can pose major security risks. Laws in China grant the country’s officials broad authority to collect data, and experts say it is difficult for any Chinese citizen or company to meaningfully resist a direct request from security forces or law enforcement. The Office of the Director of National Intelligence has deemed China the “most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks.” ProPublica revealed in a story published last month that Microsoft has for a decade relied on foreign workers — including those based in China — to maintain the Defense Department’s cloud systems, with oversight coming from U.S.-based personnel known as digital escorts. But those escorts often don’t have the advanced technical expertise to police foreign counterparts with far more advanced skills, leaving highly sensitive information vulnerable, the investigation showed. ProPublica found that Microsoft developed the escort arrangement to satisfy Defense Department officials who were concerned about the company’s foreign employees, and to meet the department’s requirement that people handling sensitive data be U.S. citizens or permanent residents. Microsoft went on to win federal cloud computing business and has said in earnings reports that it receives “substantial revenue from government contracts.” ProPublica also found that Microsoft uses its China-based engineers to maintain the cloud systems of other federal departments, including parts of Justice, Treasury and Commerce. In response to the reporting, Microsoft said that it had halted its use of China-based engineers to support Defense Department cloud computing systems, and that it was considering the same change for other government cloud customers. Additionally, Defense Secretary Pete Hegseth launched a review of tech companies’ reliance on foreign-based engineers to support the department. Sens. Tom Cotton, an Arkansas Republican, and Jeanne Shaheen, a New Hampshire Democrat, have written letters to Hegseth, citing ProPublica’s investigation, to demand more information about Microsoft’s China-based support. Microsoft said its analysis showed that Chinese hackers were exploiting SharePoint weaknesses as early as July 7. The company released a patch on July 8, but hackers were able to bypass it. Microsoft subsequently issued a new patch with “more robust protections.” The U.S. Cybersecurity and Infrastructure Security Agency said that the vulnerabilities enable hackers “to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.” Hackers have also leveraged their access to spread ransomware, which encrypts victims’ files and demands a payment for their release, CISA said.
#propublica.org#EN#2025#Microsoft#Sharepoint#China-Based#Engineers#US
·propublica.org·
SharePoint Exploit: Microsoft Used China-Based Engineers to Maintain the Software
Blame a leak for Microsoft SharePoint attacks: researcher
Blame a leak for Microsoft SharePoint attacks: researcher
theregister.com - A week after Microsoft told the world that its July software updates didn't fully fix a couple of bugs, which allowed miscreants to take over on-premises SharePoint servers and remotely execute code, researchers have assembled much of the puzzle — with one big missing piece. How did the attackers, who include Chinese government spies, data thieves, and ransomware operators, know how to exploit the SharePoint CVEs in such a way that would bypass the security fixes Microsoft released the following day? "A leak happened here somewhere," Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative (ZDI), told The Register. "And now you've got a zero-day exploit in the wild, and worse than that, you've got a zero-day exploit in the wild that bypasses the patch, which came out the next day." Countdown to mass exploitation It all began back in May, on stage at the Pwn2Own competition. Pwn2Own is the hackers' equivalent of the World Series, and ZDI usually hosts these competitions twice a year. The most recent contest occurred in Berlin, beginning May 15. On day 2 of the event, Vietnamese researcher Dinh Ho Anh Khoa combined an auth bypass and an insecure deserialization bug to exploit Microsoft SharePoint and win $100,000. "What happens on the stage is just one part of Pwn2Own," Childs said. After demonstrating a successful exploit, the bug hunter and vendor are whisked away into a private room where the researcher explains what they did and provides the technology company with a full write-up of the exploit. Assuming it's not a duplicate or already known vulnerability, the vendor then has 90 days to issue a fix before the bug and exploit are made public. "So Microsoft received the working exploit in a white paper describing everything on that day," Childs said. Less than two months later, on July 8, the software giant disclosed the two CVEs – CVE-2025-49704, which allows unauthenticated remote code execution, and CVE-2025-49706, a spoofing bug – and released software updates intended to patch the flaws. But mass exploitation had already started the day before, on July 7. "Sixty days to fix really isn't a bad timeline for a bug that stays private and stays under coordinated disclosure rules," Childs said. "What is bad: a leak happened." There's another key date that may shed light on when that leak happened. Patch Tuesday happens the second Tuesday of every month – in July, that was the 8th. But two weeks before then, Microsoft provides early access to some security vendors via the Microsoft Active Protections Program (MAPP). These vendors are required to sign a non-disclosure agreement about the soon-to-be-disclosed bugs, and Microsoft gives them early access to the vulnerability information so that they can provide updated protections to customers faster. "The first MAPP drop occurs at what we call r minus 14, which is two weeks ahead of the [Patch Tuesday] release," Childs said – that is, beginning on June 24. "Then, on July 7, we started to see attacks. July 8, the patches were out and were almost immediately bypassed." ZDI, along with other security providers, poked holes in the initial patches and determined that the authentication bypass piece was too narrow, and attackers could easily bypass this fix. In fact, anyone who received the early MAPP information about the CVEs and software updates "would be able to tell that this is an easy way to get past it," Childs said. On July 18, Eye Security first sounded the alarm on "large-scale exploitation of a new SharePoint remote code execution (RCE) vulnerability chain in the wild." A day later, Microsoft warned SharePoint server users that three on-prem versions of the product included a zero-day flaw that was under attack – and that its own failure to completely patch the holes was to blame. By July 21, Redmond had issued software updates for all three versions. But by then, more than 400 organizations had been compromised by at least two Chinese state-sponsored crews, Linen Typhoon and Violet Typhoon, plus a gang Microsoft tracks as Storm-2603, which was abusing the vulnerabilities to deploy ransomware. Microsoft declined to answer The Register's specific questions for this story. "As part of our standard process, we'll review this incident, find areas to improve, and apply those improvements broadly," a Microsoft spokesperson said in an emailed statement. One researcher suggests a leak may not have been the only pathway to exploit. "Soroush Dalili was able to use Google's Gemini to help reproduce the exploit chain, so it's possible the threat actors did their own due diligence, or did something similar to Dalili, working with one of the frontier large language models like Google Gemini, o3 from OpenAI, or Claude Opus, or some other LLM, to help identify routes of exploitation," Tenable Research Special Operations team senior engineer Satnam Narang told The Register. "It's difficult to say what domino had to fall in order for these threat actors to be able to leverage these flaws in the wild," Narang added.
#theregister.com#EN#blame#2025#CVE-2025-49704#CVE-2025-49706#SharePoint#Microsoft
·theregister.com·
Blame a leak for Microsoft SharePoint attacks: researcher
Microsoft knew of SharePoint security flaw but failed to effectively patch it, timeline shows
Microsoft knew of SharePoint security flaw but failed to effectively patch it, timeline shows
Weekend attacks compromised about 100 organisations May hacker contest uncovered SharePoint weak spot Initial Microsoft patch did not fully fix flaw LONDON, July 22 (Reuters) - A security patch Microsoft (MSFT.O), opens new tab released this month failed to fully fix a critical flaw in the U.S. tech giant's SharePoint server software, opening the door to a sweeping global cyber espionage effort, a timeline reviewed by Reuters shows. On Tuesday, a Microsoft spokesperson confirmed that its initial solution to the flaw, identified at a hacker competition in May, did not work, but added that it released further patches that resolved the issue. It remains unclear who is behind the spy effort, which targeted about 100 organisations over the weekend, and is expected to spread as other hackers join the fray. In a blog post Microsoft said two allegedly Chinese hacking groups, dubbed "Linen Typhoon" and "Violet Typhoon," were exploiting the weaknesses, along with a third, also based in China. Microsoft and Alphabet's (GOOGL.O), opens new tab Google have said China-linked hackers were probably behind the first wave of hacks. Chinese government-linked operatives are regularly implicated in cyberattacks, but Beijing routinely denies such hacking operations. In an emailed statement, its embassy in Washington said China opposed all forms of cyberattacks, and "smearing others without solid evidence." The vulnerability opening the way for the attack was first identified in May at a Berlin hacking competition, opens new tab organised by cybersecurity firm Trend Micro (4704.T), opens new tab that offered cash bounties for finding computer bugs in popular software. It offered a $100,000 prize for so-called "zero-day" exploits that leverage previously undisclosed digital weaknesses that could be used against SharePoint, Microsoft's flagship document management and collaboration platform. The U.S. National Nuclear Security Administration, charged with maintaining and designing the nation's cache of nuclear weapons, was among the agencies breached, Bloomberg News said on Tuesday, citing a person with knowledge of the matter.
#reuters.com#EN#2025#Microsoft#SharePoint#flaw
·reuters.com·
Microsoft knew of SharePoint security flaw but failed to effectively patch it, timeline shows
Microsoft Confirms Ongoing Mass SharePoint Attack — No Patch Available
Microsoft Confirms Ongoing Mass SharePoint Attack — No Patch Available
forbes.com - Microsoft has confirmed that SharePoint Server is under mass attack and no patch is yet available — here’s what you need to know and how to mitigate the threat. Microsoft Confirms CVE-2025-53770 SharePoint Server Attacks It’s been quite the few weeks for security warnings, what with Amazon informing 220 million customers of Prime account attacks, and claims of a mass hack of Ring doorbells going viral. The first of those can be mitigated by basic security hygiene, and the latter appears to be a false alarm. The same cannot be said for CVE-2025-53770, a newly uncovered and confirmed attack against users of SharePoint Server which is currently undergoing mass exploitation on a global level, according to the Eye Research experts who discovered it. Microsoft, meanwhile, has admitted that not only is it “aware of active attacks” but, worryingly, “a patch is currently not available for this vulnerability.” CVE-2025-53770, which is also being called ToolShell, is a critical vulnerability in on-premises SharePoint. The end result of which is the ability for attackers to gain access and control of said servers without authentication. If that sounds bad, it’s because it is. Very bad indeed. “The risk is not theoretical,” the researchers warned, “attackers can execute code remotely, bypassing identity protections such as MFA or SSO.” Once they have, they can then “access all SharePoint content, system files, and configurations and move laterally across the Windows Domain.” And then there’s the theft of cryptographic keys. That can enable an attacker to “impersonate users or services,” according to the report, “even after the server is patched.” So, even when a patch is eventually released, and I would expect an emergency update to arrive fairly quickly for this one, the problem isn’t solved. You will, it was explained, “need to rotate the secrets allowing all future tokens that can be created by the malicious actor to become invalid.” And, of course, as SharePoint will often connect to other core services, including the likes of Outlook and Teams, oh and not forgetting OneDrive, the threat, if exploited, can and will lead to “data theft, password harvesting, and lateral movement across the network,” the researchers warned.
#forbes.com#EN#2025#ToolShell#SharePoint#SharePoint-attack#Microsoft#CVE-2025-53770#vulnerabilty
·forbes.com·
Microsoft Confirms Ongoing Mass SharePoint Attack — No Patch Available
File hosting services misused for identity phishing
File hosting services misused for identity phishing
Since mid-April 2024, Microsoft has observed an increase in defense evasion tactics used in campaigns abusing file hosting services like SharePoint, OneDrive, and Dropbox. These campaigns use sophisticated techniques to perform social engineering, evade detection, and compromise identities, and include business email compromise (BEC) attacks.
#microsoft#EN#2024#File#hosting#SharePoint#OneDrive#Dropbox#social-engineering#identity#phishing#research
·microsoft.com·
File hosting services misused for identity phishing