A Failed Microsoft Security Patch Is the Latest Win for Chinese Hackers

‘Secure Future’, 400 hacked servers, ‘A working exploit’, A back door

In response to a U.S. government report last year, Microsoft pledged to rededicate itself to protecting itself and its customers from bad actors.

Last year, Satya Nadella pledged to make security priority number one at Microsoft. A new hack involving China is showing just how difficult that can be.

The attack involves several versions of Microsoft’s SharePoint software that serve as a document storage platform for customers who don’t want to use the cloud. Microsoft released patches for a pair of SharePoint bugs earlier this month, but the fixes were quickly bypassed, allowing China-linked hackers to break into hundreds of organizations, according to security researchers.

Instead of protecting customers, the faulty patches may have served as a road map for hackers to hone their attacks, the researchers said.

It’s the latest in a string of lapses by the technology giant that have benefited China’s vast and global cyber-espionage operations, a top U.S. national security threat.

Last year, the Department of Homeland Security released a scathing report detailing Microsoft’s mistakes during a 2023 hack in which China stole thousands of emails from top government officials. Two years before that, China-linked cyberattackers compromised more than 250,000 Microsoft Exchange servers.

“They are too big to keep failing like this,” said Jeff Greene, a former top U.S. cybersecurity official who helped write last year’s withering report on Microsoft’s missteps. “While I credit them for leaning into security after our report, they need to do better—and show publicly how they’re doing better.”

In response to last year’s report, Nadella promised to rededicate Microsoft to protecting its products and its customers from bad actors, something he called the Secure Future Initiative.

Microsoft CEO Satya Nadella onstage at a company conference in Seattle this year.

‘Secure Future’

“As part of our Secure Future Initiative we are committed to continual improvement in security response and remediation,” said Ann Johnson, Microsoft’s deputy chief information security officer. She noted that the company released its new fixes for the bugs within 72 hours of learning of the attack, directly reached out to customers, and published two blog posts on the issue.

“The feedback we have received from customers has been largely positive,” she said.

Microsoft has faced serious security challenges for years, many of which revolve around its software and products for customers who run their own servers. Shortly after Nadella took the reins, Microsoft eliminated the group that had companywide responsibility for Microsoft’s security work, pushing security decisions to the individual business units.

Around the same time, Microsoft changed the way it developed software, laying off many of the test engineers charged with uncovering bugs before products ship to customers.

The moves made Microsoft more nimble and better able to compete in the cloud-computing and artificial-intelligence realms, but they have come at a price, especially for noncloud users of products like SharePoint, former employees and security researchers say.

400 hacked servers

As of Wednesday, researchers said more than 400 SharePoint servers had been hacked—many of them belonging to government entities—and Microsoft had linked some of the attacks to the Chinese government. A China foreign ministry spokesman characterized the allegations as smears.

The SharePoint incident has spurred renewed criticism of Microsoft, which has attempted to quell U.S. concerns that it has failed to give priority to cybersecurity and instead focused on expanding its artificial intelligence business and maximizing profits.

“Government agencies have become dependent on a company that not only doesn’t care about security, but is making billions of dollars selling premium cybersecurity services to address the flaws in its products,” said Sen. Ron Wyden (D., Ore.), a leading cybersecurity advocate in Congress. “The government will never escape this cycle unless it stops rewarding Microsoft for its negligence with bigger and bigger contracts.”

Dinh Khoa at Pwn2Own in Berlin.

In previous episodes, such as the massive 2021 hack of the Microsoft Exchange email system, China pulled off impressive technical feats before being caught. In the SharePoint attack, however, the issue began in May, at a hacking contest in Berlin where the Vietnamese researcher Dinh Khoa won $100,000 and a laptop.

“This is a very hard target so we spent a lot of time digging into it,” Khoa said in an interview posted online after the contest.

To the applause of audience members, he showed how to break into a SharePoint system and was soon escorted into a private room where he explained the bugs to a representative from Microsoft and Dustin Childs, head of threat awareness with cybersecurity company Trend Micro’s Zero Day Initiative. Two months later, on July 8, Microsoft shipped patches for the bugs. They were two of the 130 bugs that Microsoft patched that month.

Although the two bugs had been chained together to hack a SharePoint server in front of an audience of about 50 people just two months earlier, Microsoft said the likelihood of one of the bugs being used in a real-world attack was “unproven.”

‘A working exploit’

Childs said he found that curious. “We handed them a working exploit,” he said.

Both Microsoft and Trend Micro later said that hackers had actually begun exploiting the bugs on July 7, a day before the patches. It is unclear how these hackers learned of these flaws, Childs said. Trend Micro said a technology company—which it declined to identify—was compromised in the attack that it observed.

In the days after Microsoft’s patches went out, security researchers examined them to learn more about how Dinh Khoa’s hack had worked. On July 9, Microsoft learned it was possible to bypass its patches and began readying new fixes, the company said. Within a week, researchers were publicly claiming to have found the bypass, too. Last Friday, a security researcher publicly showed how this was possible. He said he discovered his technique with the help of Google’s Gemini artificial intelligence technology.

“That post enabled a larger audience to do it as well,” said Piet Kerkhofs, chief technology officer with cybersecurity company Eye Security.

That same Friday, Eye researchers discovered an unauthorized script on a SharePoint server belonging to one of their customers. As the Eye team dug in, they started finding the same script on about 150 other SharePoint servers all over the internet.

A back door

The script opened a back door to the SharePoint servers: it exposed the server’s own ASP.NET cryptographic keys, and anyone holding those keys could come back later and run commands on the machine, whether or not the original bugs had since been patched. “It was just like a door key left on the street,” said Kerkhofs. “It was accessible for everybody. We just started scanning and we grabbed all the keys.”

Now it was clear: Hackers were breaking into SharePoint all over the world.

Microsoft, learning that hackers were exploiting the bugs, called in its security team. They would work through the weekend, rushing out a new set of patches.

By that evening Kerkhofs’s team had discovered 80 infected organizations. European government agencies were compromised, as were U.S. federal agencies, municipalities and universities.

On Saturday, Microsoft took the unusual step of issuing two emergency patches, which contain “more robust protections” against the bugs that Khoa had found, the company said. Because the patches do nothing about keys an attacker has already copied, SharePoint customers should also rotate the cryptographic keys used by their servers; that step, combined with the new patches, effectively closes the back door created by the attack, Microsoft said.
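The two remediation steps the article describes, looking for a dropped script and then rotating the server’s keys so that copies already taken stop working, are shown below as an added example for an on-premises SharePoint administrator. This is not code from the article, from Microsoft or from Eye Security. It assumes SharePoint Server 2019 or Subscription Edition (whose Update-SPMachineKey cmdlet it relies on), assumes the standard LAYOUTS install paths, and uses a seven-day look-back window chosen for illustration; the article names no update numbers, so confirming the patch level is left to the administrator.

```powershell
# Added example: post-incident checks for an on-premises SharePoint server.
# Not the article's or Microsoft's code. Run in an elevated SharePoint
# Management Shell on each server in the farm. Assumes SharePoint Server
# 2019 / Subscription Edition, where Update-SPMachineKey is available.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Hunt for recently written .aspx files in the web-reachable LAYOUTS
#    folders, the place an unauthorized script must live to be reachable
#    over HTTP. Paths and the 7-day window are assumptions; adjust the
#    window to the earliest date you suspect compromise.
$layoutsDirs = @(
    "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
    "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS"
) | Where-Object { Test-Path $_ }

$since = (Get-Date).AddDays(-7)
$suspect = @()
if ($layoutsDirs) {
    $suspect = Get-ChildItem -Path $layoutsDirs -Recurse -File -Include *.aspx -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since } |
        Select-Object FullName, CreationTime, LastWriteTime, Length
}

if ($suspect) {
    Write-Warning "Recently written .aspx files found in LAYOUTS; treat this server as compromised until each file is reviewed:"
    $suspect | Format-Table -AutoSize
} else {
    Write-Host "No .aspx files created or modified in LAYOUTS since $since."
}

# 2. Rotate the ASP.NET machine keys for every web application. Patching the
#    bugs does not invalidate keys an attacker already copied; only new keys
#    do. Update-SPMachineKey generates and deploys fresh keys to the farm.
foreach ($wa in Get-SPWebApplication) {
    Write-Host "Rotating machine keys for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa
}

# 3. Recycle IIS on this server so the new keys take effect immediately.
#    Repeat on every SharePoint server in the farm.
iisreset.exe

# 4. Record the farm build so it can be compared against the patch level
#    Microsoft publishes for the emergency updates.
"Farm build: $((Get-SPFarm).BuildVersion)"
```

Run the key rotation only after the emergency patches are installed: rotating first merely hands the attacker a chance to fetch the new keys through the same unpatched hole. Any file the hunt surfaces should be preserved for forensics before it is removed, since its timestamps and contents establish when the server was first reached.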

Some of the attacks have been on unpatched machines, Microsoft said. Johnson, the company’s deputy chief information security officer, said she doesn’t consider the July 8 patches a failure because they blocked the attack that was demonstrated at Pwn2Own, the Berlin hacking contest.

On Wednesday, the Energy Department confirmed that it was a victim, but said that it had since restored its systems and it wasn’t aware of any compromises of classified or sensitive information. News of the compromise was reported earlier by Bloomberg, which said that the National Nuclear Security Administration was specifically victimized.