{"id":5663,"date":"2025-07-26T10:03:08","date_gmt":"2025-07-26T10:03:08","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/07\/26\/microsoft-probes-leak-in-early-alert-system-as-chinese-hackers-exploit-sharepoint-vulnerabilities\/"},"modified":"2025-07-26T10:03:08","modified_gmt":"2025-07-26T10:03:08","slug":"microsoft-probes-leak-in-early-alert-system-as-chinese-hackers-exploit-sharepoint-vulnerabilities","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/07\/26\/microsoft-probes-leak-in-early-alert-system-as-chinese-hackers-exploit-sharepoint-vulnerabilities\/","title":{"rendered":"Microsoft Probes Leak in Early Alert System as Chinese Hackers Exploit SharePoint Vulnerabilities"},"content":{"rendered":"<p>Microsoft Probes Leak in Early Alert System as Chinese Hackers Exploit SharePoint Vulnerabilities<\/p>\n<div>\n<p>Microsoft Corp. is investigating whether a leak from its Microsoft Active Protections Program (MAPP) enabled Chinese state-sponsored hackers to exploit critical SharePoint vulnerabilities before patches were fully deployed, according to a Bloomberg report.<\/p>\n<p>The investigation comes as cyber espionage attacks have compromised more than 400 organizations worldwide, including the U.S. National Nuclear Security Administration.<\/p>\n<p>The timing of the attacks has raised significant red flags among cybersecurity experts. Vietnamese researcher Dinh Ho Anh Khoa first demonstrated the SharePoint vulnerabilities in May at the Pwn2Own cybersecurity conference in Berlin, earning $100,000 for his discovery.<\/p>\n<p>Microsoft issued initial patches in July, but MAPP partners were notified of the vulnerabilities on June 24, July 3, and July 7.<\/p>\n<p>Crucially, Microsoft first observed exploit attempts on July 7 \u2013 the same day as the final MAPP notification wave. 
\u201cThe likeliest scenario is that someone in the MAPP program used that information to create the exploits,\u201d said Dustin Childs, head of threat awareness at Trend Micro\u2019s Zero Day Initiative, whose company is a MAPP member.<\/p>\n<p>The sophisticated attack chain, dubbed \u201c<a href=\"https:\/\/cybersecuritynews.com\/sharepoint-0-day-vulnerability-exploited\/\" target=\"_blank\" rel=\"noreferrer noopener\">ToolShell<\/a>\u201d by researchers, allows hackers to bypass authentication controls and execute malicious code on SharePoint servers. What makes this vulnerability particularly dangerous is that attackers can steal cryptographic machine keys, enabling them to maintain persistent access even after systems are patched.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Widespread Global Impact<\/strong><\/h2>\n<p>The cyberattack campaign has affected organizations across multiple sectors, with Microsoft attributing the breaches to three Chinese hacking groups: Linen Typhoon, <a href=\"https:\/\/cybersecuritynews.com\/sharepoint-0-day-ransomware-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">Violet Typhoon<\/a>, and Storm-2603. <\/p>\n<p>The National Nuclear Security Administration, responsible for designing and maintaining America\u2019s nuclear weapons stockpile, was among the <a href=\"https:\/\/cybersecuritynews.com\/us-nuclear-weapons-agency-breached\/\" target=\"_blank\" rel=\"noreferrer noopener\">high-profile victims<\/a>, though officials say no classified information was compromised.<\/p>\n<p>\u201cOn Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy, including the NNSA,\u201d a Department of Energy spokesperson confirmed. 
The agency said it was \u201cminimally impacted\u201d due to its widespread use of Microsoft\u2019s cloud services.<\/p>\n<p>Eye Security, the cybersecurity firm that first detected the attacks, reported more than 400 systems actively compromised across four confirmed waves of exploitation. Victims span government agencies, educational institutions, energy companies, and private corporations from North America to Europe and Asia.<\/p>\n<p>This wouldn\u2019t be the first time the MAPP program has been compromised. In 2012, Microsoft expelled Chinese firm Hangzhou DPtech Technologies Co. for violating its non-disclosure agreement after the company leaked proof-of-concept code for a Windows vulnerability. More recently, Qihoo 360 Technology Co. was removed from the program after being placed on the U.S. Entity List.<\/p>\n<p>At least a dozen Chinese companies currently participate in the 17-year-old MAPP program, which provides cybersecurity vendors with advance notice of vulnerabilities \u2013 typically 24 hours before public disclosure, with some trusted partners receiving information up to five days earlier, <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2025-07-25\/microsoft-sharepoint-hack-probe-on-whether-chinese-hackers-found-flaw-via-alert\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">according to<\/a> Bloomberg.<\/p>\n<p>\u201cAs part of our standard process, we\u2019ll review this incident, find areas to improve, and apply those improvements broadly,\u201d a Microsoft spokesperson said, emphasizing that partner programs remain \u201can important part of the company\u2019s security response.\u201d<\/p>\n<p>The Chinese Embassy in Washington has denied involvement, with Foreign Ministry spokesman Guo Jiakun stating that \u201cChina opposes and fights hacking activities in accordance with the law\u201d while opposing \u201csmears and attacks against China under the excuse of cybersecurity issues.\u201d<\/p>\n<p>The investigation highlights the 
delicate balance Microsoft faces in sharing vulnerability information with security partners while preventing malicious actors from exploiting advance knowledge to accelerate attacks. Any confirmed leak would deal a significant blow to the MAPP program\u2019s credibility and effectiveness.<\/p>\n<p>As the probe continues, cybersecurity experts warn that the rapid weaponization of these <a href=\"https:\/\/cybersecuritynews.com\/defending-against-owasp-top-10-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">vulnerabilities<\/a> \u2013 from discovery to mass exploitation in just over two months \u2013 demonstrates the evolving sophistication and speed of modern cyber threats.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/microsoft-early-alert-sharepoint-vulnerabilities\/\">Microsoft Probes Leak in Early Alert System as Chinese Hackers Exploit SharePoint Vulnerabilities<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/microsoft-early-alert-sharepoint-vulnerabilities\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft Probes Leak in Early Alert System as Chinese Hackers Exploit SharePoint Vulnerabilities Microsoft Corp. 
is investigating whether a leak from its Microsoft Active Protections Program (MAPP) enabled Chinese state-sponsored hackers to exploit critical SharePoint vulnerabilities before patches were fully deployed, according to a Bloomberg report. The investigation comes as cyber espionage attacks have compromised [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[63],"tags":[130],"class_list":["post-5663","post","type-post","status-publish","format-standard","hentry","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/5663"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=5663"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/5663\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=5663"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=5663"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=5663"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}