Cyber attackers breach self-hosted Microsoft SharePoint servers, affecting roughly 100 organizations in an early scan, according to research findings
A widespread cyber espionage campaign, attributed to Chinese state-affiliated groups, has been targeting self-hosted Microsoft SharePoint Server software. The attackers are exploiting a "zero-day", a vulnerability that was being used in attacks before a working fix was available, to penetrate vulnerable servers and drop a backdoor that gives them continued access even if the underlying flaw is later patched.
Attribution of the Cyber Espionage Operation
Multiple sources attribute the campaign to Chinese state-affiliated groups. Microsoft has named two of them, "Linen Typhoon" and "Violet Typhoon", and has linked the activity to a third China-based actor it tracks as "Storm-2603", which it has observed deploying ransomware on compromised servers. Google's threat intelligence team, part of Alphabet, has corroborated the Chinese link. The Chinese government routinely denies involvement in such cyber operations.
Scale of the Campaign
The campaign has hit over 400 victims, according to Eye Security, a Dutch cybersecurity firm. Researchers at Censys counted 9,717 on-premises SharePoint servers exposed to the internet; that figure is the potential attack surface, not a victim count. An internet scan carried out with the Shadowserver Foundation had already identified nearly 100 victims before the technique became widely known.
Tactics and Impact
The attacks exploited a vulnerability chain in on-premises SharePoint Server that had been publicly disclosed and patched, but whose fix could be bypassed; SharePoint Online in Microsoft 365 is not affected. The chain gives an unauthenticated attacker access to the server's file system and internal configuration, including the cryptographic keys the server uses to validate authenticated requests, and ultimately the ability to execute code remotely. The early intrusions were used for espionage; in some later intrusions the same access was used to deploy ransomware, encrypting files and issuing ransom demands.
Key Points
- Chinese state-aligned groups are most frequently cited as behind the operation, with strong corroboration from both Microsoft and Alphabet/Google.
- Over 400 organizations have been identified as victims, with potentially thousands more at risk because their SharePoint servers are exposed to the internet.
- The operation expanded from pure espionage to ransomware deployment, indicating a shift toward greater disruption.
- Incomplete patching of the initial vulnerabilities, whose original fix could be bypassed, contributed to the scale and persistence of the attack.
- Government organizations, major industrial firms, banks, auditors, healthcare companies, and several U.S. state-level and international government entities are among the victims.
- The FBI is working closely with its federal and private-sector partners regarding the attacks.
- Just applying the patch may not be enough to secure self-hosted SharePoint servers, according to Daniel Card, a cybersecurity consultant at PwnDefend.
- The hacking campaign appears to be the work of a single hacker or set of hackers, according to another researcher.
- The attacks target vulnerabilities in self-hosted SharePoint servers, which are used by organizations for document sharing and collaboration.
Mitigation and Response
Microsoft has released security updates for the supported on-premises editions of SharePoint Server. Organizations running their own SharePoint servers should install the updates promptly and on every server in the farm. Microsoft's guidance goes beyond installing the update, which is the point behind the warning that the patch alone may not be enough: because the exploit reaches the server's internal configuration, including the ASP.NET machine keys used to sign and validate authenticated requests, an attacker who got in before the fix can keep forging access afterwards. Microsoft therefore also recommends rotating those keys and restarting IIS after patching, enabling its AMSI integration with an antimalware engine, and treating any server that was exposed to the internet before the fix as potentially compromised until its web server logs and SharePoint layouts directory have been checked for signs of exploitation and dropped web shells. Regular security audits and network monitoring help detect and respond to intrusions more generally.
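One concrete form of the log check described above, written as an added example for this page (it is not code from the article, from Microsoft, or from any of the researchers cited): a Python script that reads IIS W3C log lines from a self-hosted SharePoint server and flags the request pattern that Microsoft and incident responders published for this campaign, an unauthenticated POST to ToolPane.aspx carrying a SignOut.aspx Referer, followed by the same client fetching a page under the layouts directory (the dropped web shell). The log lines below are constructed for the example; the field layout is the IIS W3C default. The script assumes the log files can be read offline; file names and the `hunt` function are this example's own.

```python
"""Hunt IIS W3C logs for the published SharePoint ToolShell exploitation pattern.

Added example, not code from the article or from Microsoft. SAMPLE_LOG is
constructed; in practice read the files under the IIS LogFiles directory.
IIS replaces spaces inside logged values with '+', so whitespace splitting
is safe for the default W3C layout.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Tuple

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 13:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jdoe 10.0.1.7 Mozilla/5.0 - 200 0 0 120
2025-07-18 13:02:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.40 Mozilla/5.0 https://sp.contoso.com/_layouts/SignOut.aspx 200 0 0 310
2025-07-18 13:02:11 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.40 Mozilla/5.0 - 200 0 0 15
2025-07-18 13:05:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.1.9 Mozilla/5.0 https://sp.contoso.com/_layouts/15/settings.aspx 200 0 0 80
"""

# Published pattern: POST to ToolPane.aspx whose Referer is the SignOut page.
TOOLPANE_STEM = "/_layouts/15/toolpane.aspx"
SIGNOUT_REFERER = "/_layouts/signout.aspx"
# Any .aspx directly under /_layouts/ or /_layouts/<n>/, where the dropper lands.
LAYOUTS_ASPX = re.compile(r"^/_layouts/(?:\d+/)?[^/]+\.aspx$", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    line_no: int    # 1-based line in the log file
    client_ip: str
    reason: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line_no, record) for each data line, using the #Fields header."""
    fields: List[str] = []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        if not fields:
            raise ValueError(f"line {line_no}: data before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"line {line_no}: expected {len(fields)} fields, got {len(values)}")
        yield line_no, dict(zip(fields, values))


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Return findings, in log order, for the ToolShell request pattern."""
    findings: List[Finding] = []
    exploited_from: Dict[str, int] = {}  # client IP -> line of its first exploit POST
    for line_no, rec in parse_w3c(lines):
        method = rec["cs-method"].upper()
        stem = rec["cs-uri-stem"].lower()
        referer = rec["cs(Referer)"].lower()
        ip = rec["c-ip"]
        if method == "POST" and stem == TOOLPANE_STEM and referer.endswith(SIGNOUT_REFERER):
            findings.append(Finding("high", line_no, ip,
                "POST to ToolPane.aspx with a SignOut.aspx Referer (published exploitation pattern)"))
            exploited_from.setdefault(ip, line_no)
            continue
        # A layouts page served with 200 to a client that already hit the pattern:
        # likely the dropped web shell being used.
        if ip in exploited_from and LAYOUTS_ASPX.match(stem) and rec["sc-status"] == "200":
            findings.append(Finding("medium", line_no, ip,
                f"follow-on request to {rec['cs-uri-stem']} from a client that hit the exploit "
                f"pattern at line {exploited_from[ip]}; confirm this file ships with SharePoint"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity.upper()}] line {f.line_no} {f.client_ip}: {f.reason}")
```

The ordinary administrator POST on the last sample line is deliberately not flagged, because its Referer is a normal settings page; the pattern match is on the Referer, not on ToolPane.aspx alone. Any high finding dated before the server was patched means the host should be handled as compromised (key rotation, web shell removal, credential review), which is the practical content of the warning that patching by itself may not be enough. An attacker who varies the Referer will evade the high rule, so the layouts directory should also be compared against a known-good install rather than relying on logs alone.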
Wider Implications
- The attribution to Chinese state-affiliated groups now rests on both Microsoft's and Google's analysis, which strengthens the case compared with the early reports of unknown attackers.
- The impact extends beyond espionage: ransomware deployment threatens sectors such as finance, where an unpaid demand can mean prolonged business disruption rather than only data loss.
- Other sectors, such as travel and tourism, could face reputational and financial damage if sensitive customer data turns out to be among the files taken.
- The international business community should note that victims include government entities from several countries, raising data protection and national security concerns.
- Keeping self-hosted SharePoint servers patched, auditing them regularly, and checking them for signs of compromise rather than assuming a patch was applied in time would reduce the risk from attacks of this kind for organizations in any sector.
The ongoing cyber espionage campaign is a stark reminder of the importance of vigilance and proactive cybersecurity measures. As the threat landscape continues to evolve, staying informed and prepared is essential for protecting against such attacks.