Chinese Hackers Target Microsoft SharePoint Servers: Urgent Security Update Needed

by admin

Microsoft has announced a critical security breach affecting its on-premises SharePoint servers. Chinese state-backed hacking groups, identified as Linen Typhoon and Violet Typhoon, along with the China-based Storm-2603, have exploited vulnerabilities in these systems to target sensitive business data.

Who is Affected?

This attack specifically impacts organizations using on-premises SharePoint servers, rather than the cloud-based service. Microsoft urges all customers with on-premises installations to immediately install the released security updates.

The Scope of the Attack

Charles Carmakal, chief technology officer at Mandiant Consulting (a division of Google Cloud), confirmed multiple victims across various sectors and global locations. Governments and businesses using SharePoint on their own servers appear to be the primary targets.

The attackers successfully stole encrypted data and gained persistent access to SharePoint information. The widespread and opportunistic nature of the exploit prior to the patch release underscores the severity of the situation.

The Threat Actors

Linen Typhoon

This group has a 13-year history of stealing intellectual property, focusing on organizations related to government, defense, strategic planning, and human rights.

Violet Typhoon

Primarily focused on espionage, Violet Typhoon targets former government and military personnel, NGOs, think tanks, higher education, media, finance, and healthcare sectors across the US, Europe, and East Asia.

Storm-2603

While less information is available, Storm-2603 is assessed with medium confidence to be a China-based threat actor.

Microsoft’s Response and Ongoing Investigation

Microsoft has released security updates and advises all on-premises SharePoint server customers to install them immediately. The company states it has “high confidence” that attackers will continue targeting unpatched systems. Investigations into other potential actors exploiting these vulnerabilities are ongoing, and Microsoft plans to provide further updates on its blog.

How to Protect Yourself

  • Install the latest security updates for your on-premises SharePoint servers immediately.
  • Monitor your systems for any suspicious activity.
  • Stay informed about the latest security advisories from Microsoft.

Conclusion

This attack serves as a stark reminder of the persistent threat of cyber espionage and the importance of maintaining robust security practices. By promptly applying security patches and remaining vigilant, organizations can significantly reduce their risk.
