
Stay one step ahead of cyber criminals with our regular news and tips
Are on-premises systems sufficiently secure compared to cloud environment set-ups?
Hundreds of organisations affected by the ongoing Microsoft on-premises SharePoint server breach will be asking that question.
In the meantime, they are scrambling to shore up their security in the wake of recently discovered flaws and subsequent exploitation by nation-state actors. This month, we look at this attack and give our view on the on-premises / cloud-hosted debate.
Also, we examine new proposals to crack down on ransomware, provide advice for keeping tabs on your third-party tools and report on new attacks on enterprise virtualisation infrastructure.
Chinese hackers target on-premises SharePoint servers
Microsoft has warned that hostile state actors from China are actively exploiting zero-day vulnerabilities recently discovered in its on-premises SharePoint servers.
These security flaws affect three on-premises SharePoint Server versions: Subscription Edition, 2019 and 2016. SharePoint Online in Microsoft 365 is not affected.
Security researchers at Check Point have observed hackers targeting a range of organisations in sectors such as telecom, government and technology across North America and Western Europe since early July. The National Cyber Security Centre (NCSC) has said a ‘limited number’ of on-premises SharePoint server customers in the UK have been affected and has urged any affected organisation to report it to the NCSC immediately.
Microsoft has issued comprehensive security updates for all supported versions of the impacted SharePoint servers and is urging customers to apply these at once.
The tech giant has accused the Chinese nation-state actors Linen Typhoon, Violet Typhoon and Storm-2603 of exploiting these vulnerabilities to access victims’ systems and data.
Says Intersys’ MD Matthew Geyman, “The challenge with software like SharePoint is that it’s designed to enable collaboration and be internet connected, so hosting it on-prem (for security) almost shoehorns it into a role that it’s less well-equipped for. It’s therefore very difficult to protect against zero-day vulnerabilities without reducing functionality.”
Why criminals love your third-party tools
Intersys’ Head of Security Jake Ives has highlighted the importance of conducting due diligence on third-party suppliers and tools.
“Recently, I’ve received multiple phishing emails sent to my work address via legitimate SendGrid (a popular email marketing tool) accounts that had been compromised. In response, I’ve contacted four organisations directly to report the incidents and offer guidance.
“In nearly all cases, the affected businesses had either outsourced their email marketing to third parties who failed to implement adequate security controls on their SendGrid account, or to another team in the organisation who were not keeping the IT / compliance department updated on the changes they were making. As a result, large volumes of malicious emails were sent from trusted infrastructure and successfully delivered. SPF, DKIM and DMARC tests were all passed because the messages originated from legitimate, authenticated systems.”
Jake advises organisations to close security gaps with third-party vendors by keeping an up-to-date inventory of all systems and services and conducting thorough due diligence on every supplier’s security. The inventory should record who, inside or outside the organisation, looks after each system and what security controls they have put in place.
Please, don’t wait until it’s too late: take action before your organisation becomes the next victim.
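The scenario above, as an added example that is not part of the original newsletter or Intersys’ own tooling: a small triage helper that reads the Authentication-Results header of a reported message and, where SPF, DKIM and DMARC all pass, looks the signing domain and selector up in the organisation’s own sending-service inventory to find which service and owner to contact. The inventory, DKIM selectors, domains and sample message are constructed placeholders.

```python
import re
from email import message_from_string

# Constructed inventory of the organisation's own mail-sending services, keyed by
# the DKIM signing domain and selector each service is authorised to use.
# Service names, selectors and owners here are hypothetical placeholders.
SENDING_INVENTORY = {
    ("example.org", "sg1"): {"service": "SendGrid", "owner": "marketing agency (contract MKT-0001)"},
    ("example.org", "m365"): {"service": "Microsoft 365", "owner": "internal IT"},
}

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
DKIM_RE = re.compile(r"header\.d=([\w.-]+)(?:.*?header\.s=([\w.-]+))?", re.I | re.S)


def parse_auth_results(header):
    """Return ({'spf': .., 'dkim': .., 'dmarc': ..}, (signing_domain, selector))."""
    verdicts = {k.lower(): v.lower() for k, v in RESULT_RE.findall(header)}
    m = DKIM_RE.search(header)
    signer = (m.group(1).lower(), (m.group(2) or "").lower()) if m else (None, None)
    return verdicts, signer


def triage(raw_message, inventory=SENDING_INVENTORY):
    """Attribute a reported message to the sending service and its owner.

    Passing SPF, DKIM and DMARC means the message is authenticated, not trustworthy:
    the inventory tells you which authorised system produced it and who to call.
    """
    msg = message_from_string(raw_message)
    verdicts, signer = parse_auth_results(msg.get("Authentication-Results", ""))
    fully_authenticated = all(verdicts.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    entry = inventory.get(signer)
    if not fully_authenticated:
        status = "unauthenticated"                 # ordinary spoof; the gateway can reject it
    elif entry:
        status = "authenticated-known-service"     # one of our real accounts may be compromised
    else:
        status = "authenticated-unknown-service"   # nobody registered this sender: shadow IT
    return {"status": status, "signer": signer,
            "service": entry["service"] if entry else None,
            "owner": entry["owner"] if entry else None}


# Constructed sample of a phishing message reported by a recipient
SAMPLE = """From: "Accounts" <billing@example.org>
Subject: Invoice overdue
Authentication-Results: mx.recipient.invalid; spf=pass smtp.mailfrom=bounces.example.org;
 dkim=pass header.d=example.org header.s=sg1; dmarc=pass header.from=example.org

Please open the attached invoice.
"""
```

Running `triage(SAMPLE)` attributes the message to the SendGrid account owned by the marketing agency, which is exactly the party that needs to be told its account is sending phishing.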
Stop! Paying a ransomware demand will break the law, say new proposals
Public sector bodies including schools, hospitals and guardians of critical national infrastructure could all be banned from making ransomware payments under new government proposals.
The plans were unveiled following a recent public consultation, where nearly three-quarters of respondents favoured the proposed ban. Private sector organisations not covered by the ban would be required to notify the government of any intention to pay a ransom. There are also plans to enforce mandatory reporting of ransomware incidents to help authorities track down cyber criminals and support victims.
Mark Kirby, Professional Services Director at Intersys, welcomed the move. “It is never a good idea to relent and pay a ransom – you are dealing with criminals and there really is no guarantee that they will unencrypt your data. Furthermore, the decryption program may not work properly and, after the ransom has been paid, there is no incentive for threat actors to provide assistance. Of course, making a payment also encourages this egregious industry – something we must collectively avoid.”
Recent high-profile ransomware incidents include attacks on M&S, Co-op, NHS Trusts, TfL and The British Library. The latter famously refused to pay the ransom and has openly shared its experience with other organisations to help prevent future attacks.
The big hacker target for 2025: your virtualisation infrastructure
It’s becoming increasingly clear as the year rolls on: hackers are ramping up their campaigns against enterprise virtualisation infrastructure such as VMware ESXi.
Virtualisation infrastructure such as VMware hypervisors allows organisations to run multiple virtual machines from a single physical server. Unfortunately, what is convenient for organisations also whets the appetite of hacker groups: controlling several virtual machines at once allows them to escalate their activities for espionage and extortion.
Cyber crime group Scattered Spider (believed to be behind the M&S, Co-op and MGM Resorts hacks) is understood to have targeted ESXi environments in the retail, insurance and aviation sectors, using social engineering tactics such as vishing and fake voice calls to company IT help desks.
Virtualisation infrastructure has also been targeted by adversarial nation-state actors such as China-backed Fire Ant, for espionage purposes. The group has exploited vulnerabilities to infiltrate ESXi environments even in highly segmented networks.
The issue has gathered more urgency as VMware vSphere 7 nears end-of-life in October 2025. Organisations that are still running older versions risk becoming vulnerable.
All organisations employing virtualised infrastructure must adopt key security measures such as:
- Hardening helpdesk protocols to resist social engineering
- Patching hypervisors (and, if applicable, vCenter)
- Adopting backup strategies that remain intact if the virtualisation layer itself is compromised
- Testing offline backups regularly
Other vulnerabilities
- Microsoft SharePoint Improper Authentication Vulnerability
- Cisco Identity Services Engine Injection Vulnerability
- PaperCut NG/MF Cross-Site Request Forgery (CSRF) Vulnerability