Hackers recently attacked SharePoint, a Microsoft web platform that companies and government agencies use to store and collaborate on documents. They exploited a vulnerability in the server's security system. Hundreds of organizations around the world were affected. Some of the attacks were carried out by groups linked to the Chinese government, The Washington Post reports.
Microsoft has warned customers that hackers could have accessed their organizations' documents. The company has already released an update to address the vulnerability and is working on additional fixes. In the meantime, Microsoft is advising users to change their systems' digital keys, scan their computers with antivirus software, and check for evidence of previous security breaches.
More specifically, the attacks allowed hackers to obtain cryptographic keys from servers managed by Microsoft customers themselves. With these keys, attackers could install any software, including backdoors (hidden channels for regaining access). The vulnerability affected only organizations that stored files locally, not in the cloud.
Several researchers and organizations have said that at least some of the attacks were carried out by hackers from China. Google Mandiant Consulting CTO Charles Carmakal confirmed China's involvement. Another researcher said anonymously that federal investigators had found evidence that servers in the United States were linked to infected SharePoint systems that were connecting to Chinese IP addresses. Two other experts working with the U.S. government also said they had seen early attacks originating from China.
Two other cyber-incident first responders said that organizations that could be of interest to the Chinese government were among the first victims of the attacks. Later, other signals began to come in: various hackers also tried to exploit the vulnerability, some to steal trade secrets, and others to install ransomware that encrypts important files and demands a ransom.
"It’s critical to understand that multiple actors are now actively exploiting this vulnerability. We fully anticipate that this trend will continue, as various other threat actors, driven by diverse motivations, will leverage this exploit as well," said Google's Carmakal.