Vietnamese cybersecurity researcher Dinh Ho Anh Khoa in May uncovered a vulnerability in Microsoft Corp’s document management software, SharePoint, at an event designed to encourage ethical hacking that makes our technology more robust. He received US$100,000 from Trend Micro, the security group that sponsored the event.
As part of the deal, flaws discovered in these competitions must be kept under wraps to give affected companies time to assess the threat, work on a fix, test it and release it. In this case, Microsoft released its patch by July 8 — a reasonable timeframe, cybersecurity experts say, given there had been no indication the hack had been used “in the wild” until July 7.
However, within days of the purported fix, it became clear Microsoft engineers had missed something. Sophisticated actors, said to be working on behalf of China, had found a way to bypass the patch.
The vulnerability has been used to target hundreds of entities, including government agencies. The National Nuclear Security Administration, the US agency responsible for the nuclear weapons stockpile, was reported to be among those affected. The attack lets hackers gain unrestricted access to an organization's SharePoint servers and any valuable data they hold.
The exploit also allows bad actors to execute code on those servers, advisories said.
Microsoft hurriedly updated its patch, releasing it on Monday last week. Experts are watching now to see whether it holds.
However, Microsoft could only do so much. One critical detail is that the attack affects only on-premises SharePoint installations, that is, organizations that run the software on their own servers and give employees access to it rather than paying Microsoft to host it in the cloud. There are good (and often legally required) reasons to do this, but it also means the onus is now on affected users to carry out the recommendations set out by Microsoft and endorsed by US cyberdefense officials. These include rotating the servers' cryptographic keys so that any keys the attackers stole are rendered useless.
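A practical illustration of that last recommendation, added here as an example and not taken from the column or from Microsoft's advisory: the keys in question are the ASP.NET machine keys each SharePoint web application uses to sign and encrypt ViewState, and an attacker who copied them can keep forging requests to a server even after it is patched, so the keys have to be replaced on every web application and IIS restarted afterward. The script assumes a SharePoint Server version whose management shell provides Update-SPMachineKey and that the cmdlet accepts a -WebApplication parameter; check both against Microsoft's guidance for the installed version before running it.

```powershell
# Added example (not from the column or from Microsoft's advisory): rotate the
# ASP.NET machine keys on an on-premises SharePoint farm after patching, then
# restart IIS so the new keys take effect. Run from an elevated SharePoint
# Management Shell on a farm server, as a farm administrator.
# Assumptions: the Microsoft.SharePoint.PowerShell snap-in is available, and
# Update-SPMachineKey exists on this version and takes -WebApplication.

$ErrorActionPreference = 'Stop'

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
    throw "Update-SPMachineKey is not available on this farm; rotate the keys by the method Microsoft documents for this SharePoint version."
}

# Rotate keys for every content web application in the farm. A stolen
# validation key lets an attacker forge signed ViewState on a patched server,
# so every web application needs fresh keys, not only the one that was hit.
foreach ($webApp in Get-SPWebApplication) {
    Write-Host "Rotating machine keys for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# Central Administration is its own web application; rotate it as well.
foreach ($caApp in Get-SPWebApplication -IncludeCentralAdministration | Where-Object { $_.IsAdministrationWebApplication }) {
    Write-Host "Rotating machine keys for $($caApp.Url)"
    Update-SPMachineKey -WebApplication $caApp
}

# Restart IIS on this server so worker processes load the new keys.
# Repeat the restart on every SharePoint server in the farm.
iisreset.exe
```

Rotation only closes the door for keys stolen before it runs; if the server was already compromised, any web shell or scheduled task the attackers left behind must be hunted down separately, which is the point the rest of the column makes.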
Top of mind should be the prospect that this hack provided the groundwork for a more consequential attack to come. Companies must not be lulled into thinking “that they are secure by applying the updates a couple of days” after the attacks, warned cybersecurity specialist Vaisha Bernard from Eye Security, which has analyzed and tracked the attack.
It was possible “backdoors have already been placed, and maybe weeks later somebody else uses those backdoors and completely shuts down an organization with a ransomware attack,” he said.
Digital sleeper cells, in effect, could be waiting for an opportune moment. It is a pattern we have seen before. In 2021, several exploits were discovered in on-premises instances of the Microsoft Exchange Server, allowing administrator privileges. Ten days after a patch was issued, Microsoft security researchers warned of a new “family” of ransomware attacks exploiting servers that were hit before the patch was installed.
Even if “sensitive” data was not stored on a target’s SharePoint, as the US nuclear agency reassured, the risk is merely reduced. It does not take much “insider” context to make trickery vastly more effective. Details of next weekend’s company softball game, say, could be enough leverage for social engineering. That is one risk.
Another is that hackers with access to a company’s SharePoint server might use it to move “laterally” among a company’s information technology systems, Bernard said.
“With a little work, but quite easily, hackers could penetrate the other servers in the network,” he said. “They then can work their way up to get system administrator privileges and then access any system in these networks.”
It might be tempting to point at Microsoft alone and consider this its failure. On what we know so far, that seems unfair. No piece of software is free from vulnerabilities, and the ethical system for encouraging their discovery essentially worked in this case, alerting Microsoft to the problem before the hack method was out there for anyone to use. (Although, how it seems to have been leaked just before the July 8 patch might be cause for investigation.)
When its initial fix failed, the company acted swiftly. “Blazing fast,” in Bernard’s view.
The whole affair is indicative of the relentless high-stakes cat-and-mouse game between the cybersecurity industry and international bad actors. It is a battle that will never end.
Dave Lee is Bloomberg Opinion’s US technology columnist. He was previously a correspondent for the Financial Times and BBC News.