Vietnamese cybersecurity researcher Dinh Ho Anh Khoa in May uncovered a vulnerability in Microsoft Corp’s document management software, SharePoint, at an event designed to encourage ethical hacking that makes our technology more robust. He received US$100,000 from Trend Micro, the security group that sponsored the event.
As part of the deal, flaws discovered in these competitions must be kept under wraps to give affected companies time to assess the threat, work on a fix, test it and release it. In this case, Microsoft released its patch by July 8 — a reasonable timeframe, cybersecurity experts say, given there had been no indication the hack had been used “in the wild” until July 7.
However, within days of the purported fix, it became clear Microsoft engineers had missed something. Sophisticated actors, said to be working on behalf of China, had found a work-around.
The vulnerability has been used to target hundreds of entities, including government agencies. The US Nuclear Weapons Safety Agency was reported to be among those affected. The attack enables hackers to gain unrestricted access to a person’s SharePoint system and any valuable data it contains.
The exploit would also allow bad actors to “execute code” on that server, advisories said.
Microsoft hurriedly updated its patch, releasing it on Monday last week. Experts are watching now to see whether it holds.
However, Microsoft could only do so much. One critical detail of the attack is that it affects only those that use on-premises SharePoint installations — that is, a company that uses its own servers to run the software and gives its employees access to it rather than paying Microsoft to host it in the cloud. There are good (and often legally required) reasons to do this, but it also means the onus is now on affected users to carry out the recommendations set out by Microsoft and endorsed by US cyberdefense officials. These include taking steps to render stolen cryptographic keys useless.
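For administrators of on-premises farms, the "render stolen keys useless" step is a key rotation: the ASP.NET machine keys that SharePoint uses to sign and protect ViewState are regenerated so that anything an attacker signed with the old keys stops validating. The following is an added example, not code from the column or from Microsoft; it assumes the SharePoint Management Shell snap-in and the Update-SPMachineKey cmdlet are available on the reader's server version, and it must be run as a farm administrator on a farm server.

```powershell
# Added example (not from the column): rotate the ASP.NET machine keys of every
# SharePoint web application on an on-premises farm, then restart IIS so the new
# keys are loaded. Assumes the SharePoint PowerShell snap-in and the
# Update-SPMachineKey cmdlet exist on this server version.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# Enumerate every web application, Central Administration included, so no
# application is left running on keys an attacker may already hold.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($app in $webApps) {
    Write-Host ("Rotating machine keys for " + $app.Url)
    Update-SPMachineKey -WebApplication $app
}

# New keys only take effect when the worker processes restart. Run iisreset on
# every SharePoint server in the farm, not just the one where rotation was triggered.
iisreset.exe
```

Rotation should happen only after the patch is installed, since rotating first and patching later leaves the new keys exposed to the same flaw. It also does nothing about a web shell or other backdoor that was already planted before the patch; that is a separate hunt, which is exactly the point Bernard makes below.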
Top of mind should be the prospect that this hack provided the groundwork for a more consequential attack to come. Companies must not be lulled into thinking “that they are secure by applying the updates a couple of days” after the attacks, warned cybersecurity specialist Vaisha Bernard from Eye Security, which has analyzed and tracked the attack.
It was possible “backdoors have already been placed, and maybe weeks later somebody else uses those backdoors and completely shuts down an organization with a ransomware attack,” he said.
Digital sleeper cells, in effect, could be waiting for an opportune moment. It is a pattern we have seen before. In 2021, several exploits were discovered in on-premises instances of the Microsoft Exchange Server, allowing administrator privileges. Ten days after a patch was issued, Microsoft security researchers warned of a new “family” of ransomware attacks exploiting servers that were hit before the patch was installed.
Even if “sensitive” data was not stored on a target’s SharePoint, as the US nuclear agency reassured, the risk is merely reduced. It does not take much “insider” context to make trickery vastly more effective. Details of next weekend’s company softball game, say, could be enough leverage for social engineering. That is one risk.
Another is that hackers with access to a company’s SharePoint server might use it to move “laterally” among a company’s information technology systems, Bernard said.
“With a little work, but quite easily, hackers could penetrate the other servers in the network,” he said. “They then can work their way up to get system administrator privileges and then access any system in these networks.”
It might be tempting to point at Microsoft alone and consider this its failure. On what we know so far, that seems unfair. No piece of software is free from vulnerabilities, and the ethical system for encouraging their discovery essentially worked in this case, alerting Microsoft to the problem before the hack method was out there for anyone to use. (Although, how it seems to have been leaked just before the July 8 patch might be cause for investigation.)
When its initial fix failed, the company acted swiftly. “Blazing fast,” in Bernard’s view.
The whole affair is indicative of the relentless high-stakes cat-and-mouse game between the cybersecurity industry and international bad actors. It is a battle that will never end.
Dave Lee is Bloomberg Opinion’s US technology columnist. He was previously a correspondent for the Financial Times and BBC News.