Vietnamese cybersecurity researcher Dinh Ho Anh Khoa in May uncovered a vulnerability in Microsoft Corp’s document management software, SharePoint, at an event designed to encourage ethical hacking that makes our technology more robust. He received US$100,000 from Trend Micro, the security group that sponsored the event.
As part of the deal, flaws discovered in these competitions must be kept under wraps to give affected companies time to assess the threat, work on a fix, test it and release it. In this case, Microsoft released its patch by July 8 — a reasonable timeframe, cybersecurity experts say, given there had been no indication the hack had been used “in the wild” until July 7.
However, within days of the purported fix, it became clear Microsoft engineers had missed something. Sophisticated actors, said to be working on behalf of China, had found a work-around.
The vulnerability has been used to target hundreds of entities, including government agencies. The US Nuclear Weapons Safety Agency was reported to be among those affected. The attack enables hackers to gain unrestricted access to a person’s SharePoint system and any valuable data it contains.
The exploit would also allow bad actors to “execute code” on that server, advisories said.
Microsoft hurriedly updated its patch, releasing it on Monday last week. Experts are watching now to see whether it holds.
However, Microsoft could only do so much. One critical detail of the attack is that it affects only those that use on-premises SharePoint installations — that is, a company that uses its own servers to run the software and gives its employees access to it rather than paying Microsoft to host it in the cloud. There are good (and often legally required) reasons to do this, but it also means the onus is now on affected users to carry out the recommendations set out by Microsoft and endorsed by US cyberdefense officials. These include taking steps to render stolen cryptographic keys useless.
Top of mind should be the prospect that this hack provided the groundwork for a more consequential attack to come. Companies must not be lulled into thinking “that they are secure by applying the updates a couple of days” after the attacks, warned cybersecurity specialist Vaisha Bernard from Eye Security, which has analyzed and tracked the attack.
It was possible “backdoors have already been placed, and maybe weeks later somebody else uses those backdoors and completely shuts down an organization with a ransomware attack,” he said.
Digital sleeper cells, in effect, could be waiting for an opportune moment. It is a pattern we have seen before. In 2021, several exploits were discovered in on-premises instances of the Microsoft Exchange Server, allowing administrator privileges. Ten days after a patch was issued, Microsoft security researchers warned of a new “family” of ransomware attacks exploiting servers that were hit before the patch was installed.
Even if “sensitive” data was not stored on a target’s SharePoint, as the US nuclear agency reassured, the risk is merely reduced. It does not take much “insider” context to make trickery vastly more effective. Details of next weekend’s company softball game, say, could be enough leverage for social engineering. That is one risk.
Another is that hackers with access to a company’s SharePoint server might use it to move “laterally” among a company’s information technology systems, Bernard said.
“With a little work, but quite easily, hackers could penetrate the other servers in the network,” he said. “They then can work their way up to get system administrator privileges and then access any system in these networks.”
It might be tempting to point at Microsoft alone and consider this its failure. On what we know so far, that seems unfair. No piece of software is free from vulnerabilities, and the ethical system for encouraging their discovery essentially worked in this case, alerting Microsoft to the problem before the hack method was out there for anyone to use. (Although, how it seems to have been leaked just before the July 8 patch might be cause for investigation.)
When its initial fix failed, the company acted swiftly. “Blazing fast,” in Bernard’s view.
The whole affair is indicative of the relentless high-stakes cat-and-mouse game between the cybersecurity industry and international bad actors. It is a battle that will never end.
Dave Lee is Bloomberg Opinion’s US technology columnist. He was previously a correspondent for the Financial Times and BBC News.