Hackers Compromise Canadian Government Using Microsoft Vulnerability


Microsoft Issues Urgent Warning After SharePoint Vulnerability Breach Targeting State Actors


A significant security breach has occurred within Canada’s House of Commons, where hackers accessed a sensitive database containing confidential office locations and personal information of elected officials and their staff.

This breach, reported to have taken place on a Friday, involved exploitation of a vulnerability in Microsoft SharePoint. Internal communications, acquired by CBC News, disclosed that the compromised database manages computers and mobile devices used by the House of Commons.

The internal memo did not specify the nation-state or group responsible for the attack, and it is unclear which specific database was infiltrated or whether any additional sensitive information was exposed. The breached data includes names, titles, email addresses, device specifications, and operational details.

Olivier Duhaime, spokesperson for the House of Commons’ Office of the Speaker, indicated that their office is collaborating with national security partners for a thorough investigation, choosing to withhold further details for security reasons.

The Canadian Centre for Cyber Security had previously alerted the public in July regarding the active exploitation of a zero-day vulnerability in Microsoft SharePoint, which had also prompted Microsoft to issue an emergency patch described as “critically urgent.” This vulnerability has garnered attention due to its potential misuse, especially by threat actors associated with nation-states.

Significantly, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has raised alarms regarding a remote code execution flaw, known as “ToolShell,” which grants both unauthorized access and authenticated access via network spoofing. This vulnerability puts the integrity of SharePoint content, including important file systems and configurations, at risk.

Mandiant’s Chief Technology Officer, Charles Carmakal, has emphasized that organizations utilizing SharePoint must implement immediate mitigations beyond simply applying the patch to safeguard their environments. He highlights that various Chinese nation-state actors, including Linen Typhoon and Violet Typhoon, are reportedly engaged in these exploitative activities, posing a considerable threat to sectors such as government, healthcare, and finance in the U.S. and beyond.

According to the MITRE ATT&CK framework, tactics likely employed in this breach include initial access through known exploits, followed by potential persistence mechanisms through ongoing scans for vulnerabilities in the web infrastructure of targeted organizations. This multifaceted approach underscores the need for robust cybersecurity measures to prevent future breaches.
