Microsoft used an engineering team based in China to support SharePoint before its vulnerabilities were patched. The application was exploited by at least three state-sponsored Chinese threat groups last month.

What is the China connection to the ToolShell SharePoint exploit?

An exploit chain for a remote code execution (RCE) attack on on-premises SharePoint servers dubbed ToolShell was first identified at a hacking competition in May; however, Microsoft didn’t put out patches for the vulnerabilities that made it possible until July’s Patch Tuesday rollout.

In the interim, dozens of systems were accessed, including those belonging to the National Nuclear Security Administration and the Department of Homeland Security. A successful ToolShell attack gives the attacker access to SharePoint content, the ability to deploy malicious code, and potentially a path to move laterally into other Windows services, such as Outlook, Teams, and OneDrive.

Microsoft identified at least three threat groups believed to be affiliated with China that have been exploiting publicly known SharePoint vulnerabilities: Linen Typhoon, Violet Typhoon, and Storm-2603, the last of which deployed Warlock ransomware.

Did the risk of SharePoint vulnerabilities increase due to Microsoft’s China-based engineers?

It’s possible Microsoft increased the risk of SharePoint vulnerabilities being exploited by bad actors in China by putting its maintenance in the hands of engineers in the country for multiple years, according to ProPublica. An internal work-tracking system showed China-based employees recently fixing bugs for on-premises SharePoint.

China has a number of laws that allow its authorities to request access to data, and, given escalating geopolitical tensions between it and the US, this means any sensitive work handled by engineers based in China could be subject to state scrutiny or compromise.

Microsoft told ProPublica that the China-based team “is supervised by a US-based engineer and subject to all security requirements and manager code review” and that “work is already underway to shift this work to another location.”

A separate investigation by the publication found that Microsoft has relied for a decade on China-based workers to maintain the cloud systems of federal departments, overseen by US-based staff who often lack the technical expertise to police that work properly.

A spokesperson for the Department of Energy told Bloomberg that the National Nuclear Security Administration was “minimally impacted” by the SharePoint attack, while a Department of Homeland Security spokesperson told Nextgov it could find “no evidence of data exfiltration.”

What is Microsoft’s security advice about on-prem SharePoint Servers?

Microsoft recommends that all operators of an on-premises SharePoint Server, either version 2016 or 2019, deploy the appropriate out-of-band security updates as soon as possible.

This isn’t the first time remote IT workers have posed a security risk. North Korean hackers have reportedly impersonated contractors to secure jobs and infiltrate companies in the UK.
