The company has been called out repeatedly for inadequate security practices, and now we have another case in point: a successful SharePoint hack that's among the worst in Microsoft's history.
Once again, Microsoft software is at the center of a massive global attack that has victimized vital US government agencies and businesses around the world. This time, the security hole is in SharePoint, Microsoft's widely used collaboration software used to build company and agency websites, manage files and documents, and help people share and work together on documents.
SharePoint also works with Outlook email and Microsoft's Teams collaboration software, making the hack that much more dangerous.
Only on-premises SharePoint servers have the hole and have been attacked; cloud-based SharePoint isn't vulnerable.
The hack is one of the worst and most widespread in Microsoft's long, sad history of failed software security. How bad is it? Tens of thousands of servers have been victimized. In addition to countless businesses, important government agencies have been hit as well.
The National Institutes of Health as well as the National Nuclear Security Administration (NNSA), which is in charge of the nation's nuclear security, are among the victims. According to The Washington Post, "The NNSA helps keep 5,000 nuclear warheads secure and ready, guards against radiation leaks, and ensures that weapons do not mistakenly detonate."
Other federal agencies hacked include the Department of Homeland Security (DHS), which means the Cybersecurity and Infrastructure Security Agency, Transportation Security Administration, Customs and Border Protection, and the Federal Emergency Management Agency were also affected. The list goes on.
As with past hacks, Microsoft's poor security practices are under the spotlight. The company did such a bad job patching the flaw that hackers were able to make their way through even after the patch was issued, according to security firm Sophos. Even after another patch closed the hole, hackers were likely already inside company and government networks, where they could still be wreaking havoc.
This happened even though for years Microsoft has been called out for inadequate security practices. A year ago, the DHS issued a blistering report detailing Microsoft's security failures that allowed Chinese spies to break into the accounts of high-level government officials in charge of US relations with China, including Commerce Secretary Gina Raimondo, Ambassador to China Nicholas Burns, and Rep. Don Bacon (R-NE).
That report found "the cascade of Microsoft's avoidable errors... allowed this intrusion to succeed" and concluded that Microsoft's security is "inadequate and requires an overhaul."
Yet here we are a year later, and nothing seemed to change. How did the hack happen and what might be next for the company? Read on for details.
A look at the hack, and Microsoft's response
According to the federal Cybersecurity and Infrastructure Security Agency (CISA), the hack allowed attackers to break into SharePoint servers and install a backdoor called "ToolShell," giving them full access to all SharePoint content, including files and systems throughout enterprises. It also allowed hackers to remotely execute commands and completely take over SharePoint.
A blog post from Eye Security warns the attacks also steal SharePoint server ASP.NET machine keys, which "can be used to facilitate further attacks, even at a later date." So merely patching the vulnerability isn't enough. Enterprises and government agencies need to go further, including rotating the machine keys so the old ones won't work and restarting Internet Information Services (IIS) on all their SharePoint servers.
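The remediation steps above (patch, then rotate the ASP.NET machine keys, then restart IIS) as an added administrator script; this is not from the article or from Microsoft, and it assumes an elevated SharePoint Management Shell on an already-patched on-premises server where the Update-SPMachineKey cmdlet is available.

```powershell
# Added example: rotate the ASP.NET machine key on every SharePoint web
# application, then restart IIS so the old keys stop being honored.
# Assumptions: patched on-prem SharePoint farm, elevated SharePoint Management
# Shell, Update-SPMachineKey available. Run the rotation once from one farm
# server; run the IIS restart (step 3) on every SharePoint server in the farm.

$ErrorActionPreference = 'Stop'
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Keep an audit trail of what was rotated and when (useful for incident records).
$log = Join-Path $env:TEMP ("sp-machinekey-rotation-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))
function Write-Log([string]$Message) {
    $line = "{0:u} {1}" -f (Get-Date), $Message
    $line | Tee-Object -FilePath $log -Append
}

# 1. Record the farm build so the log shows rotation happened after patching.
$farm = Get-SPFarm
Write-Log "Farm build: $($farm.BuildVersion) on $env:COMPUTERNAME"

# 2. Rotate the machine key for every web application, Central Admin included.
#    A failure on any web application stops the run so it is not silently skipped.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($wa in $webApps) {
    try {
        Write-Log "Rotating machine key for $($wa.Url)"
        Update-SPMachineKey -WebApplication $wa
        Write-Log "Rotated: $($wa.Url)"
    } catch {
        Write-Log "FAILED for $($wa.Url): $($_.Exception.Message)"
        throw
    }
}

# 3. Restart IIS so running worker processes drop the old keys.
Write-Log "Restarting IIS on $env:COMPUTERNAME"
& iisreset.exe /noforce | ForEach-Object { Write-Log $_ }

Write-Log "Done. Repeat the IIS restart on every other SharePoint server. Log: $log"
```

Because stolen keys may already have been used to forge requests, treat the rotation as containment and still review IIS and SharePoint logs from before the patch for signs of earlier access.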
Microsoft says hackers tied to the Chinese government, Linen Typhoon and Violet Typhoon, are among the groups that have exploited the hack. It adds that another Chinese group, Storm-2603, used the hack to deploy ransomware in enterprises.
Researchers say much of the damage could have been avoided if Microsoft properly patched the security hole quickly and followed up to help companies banish hackers that still had access to SharePoint. The hack is particularly dangerous because it combines two security exploits: one that allows hackers to get into SharePoint and another that allows them to steal and use SharePoint server ASP.NET machine keys.
Sunil Varkey, an advisor at Beagle Security, blames Microsoft for missing that several security vulnerabilities were related, which made the attack much worse. He told CSO Online: "In cybersecurity, a single vulnerability can pose a significant risk, but when vulnerabilities are combined, the consequences can be catastrophic. This wasn't just a technical miss. It was a strategic failure to recognize how the individual parts combined to form something far more dangerous."
What's next for Microsoft?
In the last major Microsoft cybersecurity breach, during which Chinese spies broke into the accounts of top US government officials, Sens. Eric Schmitt (R-MO) and Ron Wyden (D-OR) sent a pointed letter to the Pentagon asking it to back off from a plan to increase its use of Microsoft products: "We write with serious concern that the Department of Defense (DoD) is doubling down on a failed strategy of increasing its dependence on Microsoft at a time when Congress and the administration are reviewing concerning cybersecurity lapses that led to a massive hack of senior US officials' communications."
Nothing happened at the time; the DoD didn't do anything about it. This time around, no one from Congress has even bothered to threaten Microsoft. It's not clear why, although it might be because Congressional Democrats are too caught up in fighting Trump's administration to focus on anything else.
As for Republicans, they're too beholden to Trump to take any action he doesn't explicitly ask for. And for the moment, the president isn't paying attention to Microsoft's security shortcomings.
But Trump might want something from Microsoft at some point. And if he does, he could well point to the company's security shortcomings as the reason he's threatening it. So, for the company's future, it should clean up its security lapses sooner rather than later.