Danish Kapoor

China-linked SharePoint attacks affected 54 institutions

Microsoft announced that three different Chinese threat actors have been identified in cyber attacks on SharePoint servers. The attacks of the last few days reveal which groups are targeting the system, when, and by what method.

According to the information shared by the company, three China-based hacker groups called Linen Typhoon, Violet Typhoon and Storm-2603 exploited a security vulnerability in some versions, including SharePoint 2016, last week. Through this vulnerability, attackers can gain access, collect passwords and move on to connected systems. Microsoft believes that new attacks will increase after the public announcement of the weakness. For this reason, all system administrators are advised to install the relevant updates without delay.

Eye Security, a Netherlands-based cybersecurity company, provided the first comprehensive data on the attacks exploiting the vulnerability. According to the company, the 54 organizations affected by the attacks include a private university, an energy company serving the US state of California, and a health institution operating at the federal level. In addition, it has been revealed that some attacks were carried out via IP addresses from China. This shows that the attacks may be directed not only by China-based groups, but directly from the country.

Microsoft says it has closed the SharePoint security vulnerability, but new attacks may continue

Microsoft shared the security patches for SharePoint 2016 and other affected versions with the update released on the morning of July 22nd. The company emphasized that the attackers can tamper with data and move between systems. The fact that enterprise systems such as SharePoint are often exposed directly to the internet is seen as a factor that increases the impact of such attacks. Systems on which the update has not been installed are said to remain at risk of attack. Nevertheless, some institutions have not yet applied this patch, which prepares the ground for new attacks.

Eye Security, which published the first information about the technical details of the attack, said that the exploitation of the vulnerability was quite systematic. According to the data obtained, the attackers first gain unauthorized access to SharePoint, then seize user information on the internal network and infiltrate other systems if possible. It is emphasized that institutions should carefully examine their logs and firewall records. There are currently signs that other threat groups are using the same vulnerability, but the identities of these groups have not yet been confirmed.
