Microsoft suspects that hackers employed by the Chinese state have actively exploited the zero-day bug in SharePoint with the aim of stealing information from large companies and government agencies.
Microsoft points to two hacker groups sponsored by China as responsible for the active exploitation of a newly discovered bug in SharePoint. This zero-day bug was discovered on Friday after attackers used it to infiltrate the SharePoint environments of organizations worldwide.
Three Chinese Collectives
Three Chinese hacker collectives are under suspicion: Linen Typhoon, Violet Typhoon, and Storm-2603. The Dutch firm Eye Security, which discovered the attack last Friday, describes a coordinated campaign of mass exploitation. Hackers have already breached systems of companies and institutions in the US and the Middle East, and there are likely victims in Europe as well.
Microsoft does not rule out that other groups are exploiting the vulnerability as well; its investigation is still ongoing. The company says it is almost certain that criminals will continue to target the bug in future attacks.
Those running SharePoint on-premises must urgently patch the environment and take other measures such as rotating ASP.NET keys. Administrators should assume that malicious access to the systems has occurred.
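The key-rotation step mentioned above, as an added example that is not part of the original article: a SharePoint Management Shell script that rotates the ASP.NET machine keys of every on-premises web application and restarts IIS so the new keys take effect. It assumes the `Update-SPMachineKey` cmdlet is available on the farm (check Microsoft's guidance for your SharePoint version) and that it runs on a farm server as a farm administrator; the patch must already be installed, and this does not replace an incident-response investigation.

```powershell
# Run in the SharePoint Management Shell on a server in the farm, as a farm administrator.
# Assumption: Update-SPMachineKey exists on this SharePoint version (verify against vendor docs).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$failed = @()
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    try {
        Write-Host "Rotating machine keys for $($webApp.DisplayName) ($($webApp.Url))"
        # Generates new validation/decryption keys and pushes them to every server in the farm.
        Update-SPMachineKey -WebApplication $webApp -ErrorAction Stop
    }
    catch {
        Write-Warning "Rotation failed for $($webApp.Url): $($_.Exception.Message)"
        $failed += $webApp.Url
    }
}

# Keys are read at worker-process start; restart IIS so no process keeps the old keys in memory.
iisreset /noforce

if ($failed.Count -gt 0) {
    Write-Warning "Rotation did not complete for: $($failed -join ', '). Investigate before assuming the farm is clean."
    exit 1
}
Write-Host "Machine keys rotated for all web applications. Treat any pre-rotation session tokens as compromised."
```

Run the rotation on every SharePoint farm, and repeat it after any later re-patching, since keys captured before the patch remain usable until they are replaced.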
Reissue of Exchange 2021
The whole story almost sounds like a reissue of the major Exchange hack in 2021. At that time, Chinese hackers penetrated the environments of companies and government institutions worldwide via a zero-day bug in Microsoft Exchange. After investigation, the blame for that campaign was placed on the Chinese State Security.
The scale of exploitation of this SharePoint bug appears smaller, although the true impact will only become clear in the coming days and weeks. In any case, the incident does not reflect well on Microsoft, which, despite extra security efforts, has once again been unable to prevent a large-scale hack caused by a bug in its own software.
It is notable that SharePoint customers within the Microsoft 365 environment remain unaffected. Only users of SharePoint on-premises are at (significant) risk.