- About 100 organizations have been targeted via a Microsoft SharePoint vulnerability
- Series of cyberattacks seems to be the work of Chinese hackers
- The vulnerability has left as many as 8,000 servers at risk
A cyber-espionage campaign exploiting the newly revealed Microsoft SharePoint issue has targeted about 100 organizations, compromising server software and primarily affecting state agencies in the US and Germany, experts have warned.
Google released a statement attributing at least some of the attacks to a ‘China-Nexus threat actor’ and warned of further expansion of the threat, though the Chinese embassy has rejected this.
Microsoft recently released urgent security fixes to tackle a zero-day vulnerability affecting SharePoint servers, which has been abused since July 18, with victims that allegedly include a private energy operator in California as well as a private fintech company in New York.
China-Nexus threat actors
“Cyber attacks are a common threat that all countries face, China included. China opposes and fights all kinds of cyber attacks and cyber crime – an attitude that is consistent and clear. At the same time we are also convinced to lubricate others without solid evidence,” the Chinese Embassy told TechRadar Pro.
“We hope that relevant parties will take a professional and responsible attitude when characterizing cyber events, and base their conclusions on sufficient evidence rather than unfounded speculation and accusations.”
The attacks saw hackers extract cryptographic keys from servers run by Microsoft customers. The keys then let them install pretty much anything, including malware or backdoors that the hackers could use to return.
Only SharePoint versions hosted by the customer, rather than in the cloud, are vulnerable. These types of attacks could allow attackers to steal business secrets or install ransomware to encrypt key files.
“We believe that at least one of the actors responsible for this early exploitation is a China-Nexus threat actor,” said Charles Carmakal, Chief Technology Officer for Google’s Mandiant Consulting.
“It is critical to understand that several actors are now actively exploiting this vulnerability. We fully expect this trend to continue, as various other threat actors, driven by different motivations, are also utilizing this exploitation,” he continued.
Researchers say the attacks can so far be attributed to a single hacker or a single set of hackers rather than a large number, but there has been a wide range of targets and there is a large number of potential targets, with some researchers estimating up to 8,000 vulnerable servers.
While the update is meant to prevent new intrusions, users will also need to rotate machine keys, search for anything that was missed, and implement Antimalware Scan Interface (AMSI) as well as antivirus software.



