Microsoft Knew of Flaw, Failed to Fully Patch SharePoint

- A security flaw in Microsoft’s SharePoint server, discovered in May, was not fully fixed by an initial patch, leading to a new cyber espionage campaign.
A security patch released by Microsoft this month failed to fully fix a critical flaw in its SharePoint server software. The vulnerability was first identified at a hacking competition in May, and the incomplete fix opened the door for a global cyber espionage operation. A Microsoft spokesperson confirmed that the initial fix was ineffective, but the company has since released additional patches to address the issue. The company’s timeline of events, reviewed by Reuters, shows the progression of the problem.
The Discovery and the Initial Fix
The vulnerability that facilitated this attack was first discovered in May at a hacking competition in Berlin hosted by cybersecurity firm Trend Micro. This event offered cash rewards for finding bugs in popular software, particularly “zero-day” exploits. A researcher for the cybersecurity division of Viettel, a Vietnamese military-operated telecommunications company, identified a SharePoint bug, named it “ToolShell,” and demonstrated a method of exploiting it. The researcher was awarded $100,000 for the discovery. Trend Micro emphasized that it is the vendor’s responsibility to patch and disclose security flaws effectively and promptly.
Microsoft’s July 8 security update acknowledged the critical vulnerability and released patches to fix it. However, cybersecurity firms started noticing a surge in malicious online activity targeting the same software approximately ten days later. The exploits developed by these threat actors appeared to bypass the original patches, as noted in a blog post by the British cybersecurity firm Sophos. The company’s initial solution was not comprehensive.
The Scope of the Attack
It remains unclear who is behind the ongoing operation, which targeted about 100 organizations over a recent weekend and is expected to grow. Microsoft’s blog post indicated that two Chinese hacking groups, “Linen Typhoon” and “Violet Typhoon,” along with another China-based group, were exploiting the vulnerabilities. Microsoft and Google have stated that China-linked hackers were likely responsible for the initial wave of attacks. The Chinese embassy in Washington, in an emailed statement, denied these allegations and stated that China opposes all forms of cyberattacks.
The pool of potential targets for the ToolShell exploit is vast. Data from the search engine Shodan indicates that over 8,000 online servers could be at risk. This includes major industrial firms, banks, auditors, healthcare companies, and several government entities in the U.S. and abroad. The Shadowserver Foundation, which scans the internet for vulnerabilities, reported a minimum of 9,000 affected servers, primarily in the United States and Germany, including government organizations. Germany’s federal office for information security, BSI, confirmed that vulnerable SharePoint servers were found within its government networks, though none had been compromised.
Further Information on the Vulnerability
The security flaw highlights the ongoing challenges companies face in managing complex software and responding to newly discovered vulnerabilities. Even with dedicated security teams and bug bounty programs, a complete and effective patch can be difficult to implement on the first try. The failure of the initial patch shows the sophistication of modern cyber threats, which can quickly adapt to and bypass security measures. This incident also underscores the importance of a layered security approach and continuous monitoring for organizations.