- Around 100 organizations have been targeted by Microsoft SharePoint vulnerability
- Series of cyberattacks appear to be the work of Chinese hackers
- The vulnerability has left as many as 8,000 servers at risk
A cyberespionage campaign exploiting the recently-revealed Microsoft SharePoint issue has targeted roughly 100 organizations, compromising server software and primarily hitting government agencies in the US and Germany, experts have warned.
Google released a statement in which it attributed at least some of the attacks to a ‘China-Nexus threat actor,’ and warned against further expansion of the threat.
Microsoft recently released urgent security flaw patches to address a zero-day vulnerability that affected SharePoint servers, which have been abused in attacks since July 18, with victims reportedly including a private energy operator in California as well as a private fintech firm in New York.
China-Nexus threat actors
The attacks saw hackers extract cryptographic keys from servers that are run by Microsoft clients. The keys would then let them install pretty much anything – including malware or backdoors that hackers could use to return.
Only SharePoint versions that are hosted by the customer, rather than the cloud, are vulnerable. These types of attacks could allow attackers to steal corporate secrets or install ransomware to encrypt key files.
“We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor” said Charles Carmakal, chief technology officer of Google’s Mandiant Consulting.
“It’s critical to understand that multiple actors are now actively exploiting this vulnerability. We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well.” he continued.
Researchers say that so far, the attacks can be attributed to a single hacker or a set of hackers, rather than a large number – but there has been a broad range of targets, and a vast number of potential targets – with some researchers estimating up to 8,000 vulnerable servers.
Whilst the update should prevent new intrusion, users will also need to rotate machine keys, search for any missed breaches, and deploy Antimalware Scan Interface (AMSI) as well as antivirus software.
You might also like
https://cdn.mos.cms.futurecdn.net/G8QNviZt3KrDbfWVANJrNM.jpg
Source link
