*

Weekend attacks compromised about 100 organisations

*

May hacker contest uncovered SharePoint weak spot

*

Initial Microsoft ( MSFT ) patch did not fully fix flaw

By James Pearson

LONDON, July 22 (Reuters) - A security patch Microsoft ( MSFT )

released this month failed to fully fix a critical flaw

in the U.S. tech giant's SharePoint server software, opening the

door to a sweeping global cyber espionage effort, a timeline

reviewed by Reuters shows.

On Tuesday, a Microsoft ( MSFT ) spokesperson confirmed that its

initial solution to the flaw, identified at a hacker competition

in May, did not work, but added that it released further patches

that resolved the issue.

It remains unclear who is behind the spy effort, which

targeted about 100 organisations over the weekend, and is

expected to spread as other hackers join the fray.

In a blog post Microsoft ( MSFT ) said two allegedly Chinese hacking

groups, dubbed "Linen Typhoon" and "Violet Typhoon," were

exploiting the weaknesses, along with a third, also based in

China.

Microsoft ( MSFT ) and Alphabet's Google have said

China-linked hackers were probably behind the first wave of

hacks.

Chinese government-linked operatives are regularly

implicated in cyberattacks, but Beijing routinely denies such

hacking operations.

In an emailed statement, its embassy in Washington said

China opposed all forms of cyberattacks, and "smearing others

without solid evidence."

The vulnerability opening the way for the attack was first

identified in May at a Berlin hacking competition organised by

cybersecurity firm Trend Micro ( TMICF ) that offered cash

bounties for finding computer bugs in popular software.

It offered a $100,000 prize for so-called "zero-day"

exploits that leverage previously undisclosed digital weaknesses

that could be used against SharePoint, Microsoft's ( MSFT ) flagship

document management and collaboration platform.

The U.S. National Nuclear Security Administration, charged

with maintaining and designing the nation's cache of nuclear

weapons, was among the agencies breached, Bloomberg News said on

Tuesday, citing a person with knowledge of the matter.

No sensitive or classified information is known to have been

compromised, it added.

The U.S. Energy Department, the U.S. Cybersecurity and

Infrastructure Security Agency, and Microsoft ( MSFT ) did not

immediately respond to Reuters' requests for comment on the

report.

A researcher for the cybersecurity arm of Viettel, a

telecoms firm run by Vietnam's military, identified a SharePoint

bug at the May event, dubbed it "ToolShell" and demonstrated a

way to exploit it.

The discovery won the researcher an award of $100,000, an X

posting by Trend Micro's ( TMICF ) "Zero Day Initiative" showed.

Participating vendors were responsible for patching and

disclosing security flaws in "an effective and timely manner,"

Trend Micro ( TMICF ) said in a statement.

"Patches will occasionally fail," it added. "This has

happened with SharePoint in the past."

In a July 8 security update Microsoft ( MSFT ) said it had identified

the bug, listed it as a critical vulnerability, and released

patches to fix it.

About 10 days later, however, cybersecurity firms started to

notice an influx of malicious online activity targeting the same

software the bug sought to exploit: SharePoint servers.

"Threat actors subsequently developed exploits that appear

to bypass these patches," British cybersecurity firm Sophos said

in a blog post on Monday.

The pool of potential ToolShell targets remains vast.

Hackers could theoretically have already compromised more

than 8,000 servers online, data from search engine Shodan, which

helps identify internet-linked equipment, shows.

Such servers were in networks ranging from auditors, banks,

healthcare companies and major industrial firms to U.S.

state-level and international government bodies.

The Shadowserver Foundation, which scans the internet for

potential digital vulnerabilities, put the number at a little

more than 9,000, cautioning that the figure is a minimum.

It said most of those affected were in the United States and

Germany.

Germany's federal office for information security, BSI, said

on Tuesday it had found no compromised SharePoint servers in

government networks, despite some being vulnerable to the

ToolShell attack.