* Ongoing attacks compromised around 100 organisations over weekend
* SharePoint vulnerability identified during hacker competition
* Microsoft subsequently released patch that did not fix flaw
By James Pearson
LONDON, July 22 (Reuters) - A security patch released by
Microsoft last month failed to fully fix a critical
flaw in the U.S. tech giant's SharePoint server software that had
been identified in May, opening the door to a sweeping global
cyber espionage operation.
It remains unclear who is behind the ongoing operation,
which targeted around 100 organisations over the weekend. But
Alphabet's Google, which has visibility into wide
swathes of internet traffic, said it tied at least some of the
hacks to a "China-nexus threat actor".
The Chinese Embassy in Washington did not respond to a
Reuters request for comment. Chinese government-linked
operatives are regularly implicated in cyberattacks, but Beijing
routinely denies carrying out hacking operations.
Contacted on Tuesday, Microsoft was not immediately able to
provide comment on the patch and its effectiveness.
The vulnerability that facilitated the attack was first
identified in May at a hacking competition in Berlin organised
by cybersecurity firm Trend Micro, which offered cash
bounties for the discovery of computer bugs in popular
software.
It offered a $100,000 prize for "zero day" exploits - so
called because they leverage previously undisclosed digital
weaknesses - that could be used against SharePoint, Microsoft's
flagship document management and collaboration platform.
A researcher working for the cybersecurity arm of Viettel, a
telecommunications firm operated by Vietnam's military,
identified a SharePoint bug at the event, dubbed it 'ToolShell'
and demonstrated a method of exploiting it.
The researcher was awarded $100,000 for the discovery,
according to a post on X by Trend Micro's "Zero Day
Initiative". A spokesperson for Trend Micro did not immediately
respond to Reuters' requests for comment regarding the
competition on Tuesday.
Microsoft subsequently said in a July 8 security update that
it had identified the bug, listed it as a critical
vulnerability, and released patches to fix it.
Around 10 days later, however, cybersecurity firms started
to notice an influx of malicious online activity targeting the
same software the bug sought to exploit: SharePoint servers.
"Threat actors subsequently developed exploits that appear
to bypass these patches," British cybersecurity firm Sophos said
in a blog post on Monday.
The pool of potential ToolShell targets remains vast.
According to data from Shodan, a search engine that helps to
identify internet-linked equipment, over 8,000 servers online
could theoretically have already been compromised by hackers.
The Shadowserver Foundation, which scans the internet for
potential digital vulnerabilities, put the number at a little
more than 9,000, while cautioning that the figure was a minimum.
Those servers include major industrial firms, banks,
auditors, healthcare companies, and several U.S. state-level and
international government entities.