Microsoft is facing scrutiny after a critical security patch issued for its SharePoint server software failed to fully address a major vulnerability, enabling a global cyber espionage campaign. The flaw, initially exposed during a hacking competition in May, was inadequately patched, according to a timeline reviewed by Reuters. A Microsoft spokesperson later confirmed that the initial fix was ineffective but claimed that further updates have since resolved the issue.
The weekend attacks compromised about 100 organizations worldwide, with the potential for more as other hackers exploit the weakness. Microsoft suspects the involvement of three Chinese state-linked hacker groups, including “Linen Typhoon” and “Violet Typhoon.” Both Microsoft and Google have pointed to China-based hackers as likely culprits, although Beijing denies the allegations, calling them baseless and lacking evidence.
The exploited SharePoint vulnerability was first discovered during a cybersecurity contest in Berlin hosted by Trend Micro in May. A researcher from a Vietnamese military-run telecom company found and demonstrated the exploit, dubbed “ToolShell”, earning a $100,000 bounty. While Trend Micro emphasized that vendors are responsible for timely and effective patches, it acknowledged that patch failures, like the one involving SharePoint, can occasionally occur.
One of the most alarming breaches occurred within the U.S. National Nuclear Security Administration, which oversees the country’s nuclear arsenal. Though no classified data appears to have been stolen, the breach raised significant national security concerns. Meanwhile, cybersecurity firms began reporting increased malicious activity targeting SharePoint about 10 days after Microsoft’s initial patch was released, revealing that the flaw remained exploitable.
The magnitude of the threat is considerable, with between 8,000 and 9,000 potentially vulnerable SharePoint servers still online, according to the search engine Shodan and the Shadowserver Foundation. These systems span sectors such as healthcare, finance, industrial operations, and government institutions, especially in the U.S. and Germany. Although Germany’s cybersecurity agency confirmed that some systems were vulnerable, it reported no actual breaches in its government systems.
Source: Reuters
