Vietnamese cybersecurity researcher Dinh Ho Anh Khoa in May uncovered a vulnerability in Microsoft Corp’s document management software, SharePoint, at an event designed to encourage ethical hacking that makes our technology more robust. He received US$100,000 from Trend Micro, the security group that sponsored the event.
As part of the deal, flaws discovered in these competitions must be kept under wraps to give affected companies time to assess the threat, work on a fix, test it and release it. In this case, Microsoft released its patch by July 8 — a reasonable timeframe, cybersecurity experts say, given there had been no indication the hack had been used “in the wild” until July 7.
However, within days of the purported fix, it became clear Microsoft engineers had missed something. Sophisticated actors, said to be working on behalf of China, had found a work-around.
The vulnerability has been used to target hundreds of entities, including government agencies. The US Nuclear Weapons Safety Agency was reported to be among those affected. The attack enables hackers to gain unrestricted access to a person’s SharePoint system and any valuable data it contains.
The exploit would also allow bad actors to “execute code” on that server, advisories said.
Microsoft hurriedly updated its patch, releasing it on Monday last week. Experts are watching now to see whether it holds.
However, Microsoft could only do so much. One critical detail of the attack is that it affects only those that use on-premises SharePoint installations — that is, a company that uses its own servers to run the software and gives its employees access to it rather than paying Microsoft to host it in the cloud. There are good (and often legally required) reasons to do this, but it also means the onus is now on affected users to carry out the recommendations set out by Microsoft and endorsed by US cyberdefense officials. These include taking steps to render stolen cryptographic keys useless.
Top of mind should be the prospect that this hack provided the groundwork for a more consequential attack to come. Companies must not be lulled into thinking “that they are secure by applying the updates a couple of days” after the attacks, warned cybersecurity specialist Vaisha Bernard from Eye Security, which has analyzed and tracked the attack.
It was possible “backdoors have already been placed, and maybe weeks later somebody else uses those backdoors and completely shuts down an organization with a ransomware attack,” he said.
Digital sleeper cells, in effect, could be waiting for an opportune moment. It is a pattern we have seen before. In 2021, several exploits were discovered in on-premises instances of the Microsoft Exchange Server, allowing administrator privileges. Ten days after a patch was issued, Microsoft security researchers warned of a new “family” of ransomware attacks exploiting servers that were hit before the patch was installed.
Even if “sensitive” data was not stored on a target’s SharePoint, as the US nuclear agency reassured, the risk is merely reduced. It does not take much “insider” context to make trickery vastly more effective. Details of next weekend’s company softball game, say, could be enough leverage for social engineering. That is one risk.
Another is that hackers with access to a company’s SharePoint server might use it to move “laterally” among a company’s information technology systems, Bernard said.
“With a little work, but quite easily, hackers could penetrate the other servers in the network,” he said. “They then can work their way up to get system administrator privileges and then access any system in these networks.”
It might be tempting to point at Microsoft alone and consider this its failure. On what we know so far, that seems unfair. No piece of software is free from vulnerabilities, and the ethical system for encouraging their discovery essentially worked in this case, alerting Microsoft to the problem before the hack method was out there for anyone to use. (Although how it seems to have been leaked just before the July 8 patch might be cause for investigation.)
When its initial fix failed, the company acted swiftly. “Blazing fast,” in Bernard’s view.
The whole affair is indicative of the relentless high-stakes cat-and-mouse game between the cybersecurity industry and international bad actors. It is a battle that will never end.
Dave Lee is Bloomberg Opinion’s US technology columnist. He was previously a correspondent for the Financial Times and BBC News.