A critical zero-day vulnerability in Microsoft SharePoint servers is being actively weaponized by Chinese state-sponsored hacking groups in a widespread cyberespionage campaign, security researchers have confirmed. The flaw, tracked as CVE-2023-29357, carries a maximum CVSS severity score of 9.8 and enables remote code execution on vulnerable SharePoint systems.
Technical Analysis:
The vulnerability stems from improper input validation in SharePoint's document conversion feature. Attackers can exploit it by sending specially crafted requests to targeted servers, bypassing authentication mechanisms to gain SYSTEM-level privileges. This allows complete server compromise and lateral movement within enterprise networks.
Microsoft acknowledged being aware of the vulnerability since May 2023 but was unable to develop a comprehensive fix before exploits began circulating in June. While the company released a partial mitigation in its July Patch Tuesday updates, security analysts confirm the workaround can be bypassed by determined attackers.
Campaign Details:
The ongoing attacks have compromised approximately 100 organizations across 15 countries, with particular focus on:
- US defense contractors and federal agencies
- German industrial and manufacturing firms
- Southeast Asian government entities
Evidence points to involvement of China-linked APT groups (suspected to be APT40 or APT31) based on:
- Consistent use of infrastructure previously tied to Chinese operations
- Deployment of custom malware variants known to these threat actors
- Targeting patterns aligning with China's strategic intelligence priorities
Impact Assessment:
Successful exploitation allows attackers to:
- Steal sensitive documents and credentials
- Establish persistent backdoors
- Move laterally to other enterprise systems
- Deploy ransomware or wiper malware as secondary payloads
Mitigation Recommendations:
- Apply Microsoft's temporary workaround (disabling affected SharePoint features)
- Implement strict network segmentation for SharePoint servers
- Monitor for anomalous authentication events
- Conduct forensic analysis for indicators of compromise
Microsoft has not provided an estimated timeline for a complete patch, leaving organizations vulnerable to continued attacks. The incident highlights growing concerns about nation-state exploitation of enterprise collaboration platforms.
Comentarios 0
Comentando como:
¡Únete a la conversación!
Sé el primero en compartir tu opinión sobre este artículo.
¡Inicia la conversación!
Sé el primero en comentar este artículo.