Hackers Exploit Microsoft SharePoint as Firm Works to Patch

By Mark Anderson and | July 21, 2025

Microsoft Corp. warned that hackers are actively targeting customers of its document management software SharePoint, with security researchers flagging the risk of potentially widespread breaches around the world.

Vulnerabilities in the software have allowed hackers to access file systems and execute code, the US Cybersecurity and Infrastructure Security Agency warned on Sunday. While Microsoft said over the weekend that it had released a new patch for customers to apply to their SharePoint servers “to mitigate active attacks targeting on-premises servers,” the company was still working to roll out others to address ongoing security flaws.

Cybersecurity firms cautioned that a broad section of organizations may be affected by the breach. Tens of thousands — if not hundreds of thousands — of businesses and institutions worldwide use SharePoint in some fashion to store and collaborate on documents. Microsoft said hackers are specifically targeting clients running SharePoint servers on their own on-premises networks, as opposed to servers hosted and managed by the tech firm. That could limit the impact to a subsection of customers.

Silas Cutler, a researcher at Michigan-based cybersecurity firm Censys, estimated that more than 10,000 companies with SharePoint servers were at risk. The US had the largest number of those companies, followed by the Netherlands, the UK and Canada, he said.

“It’s a dream for ransomware operators,” he said.

Microsoft has been trying to shore up its cybersecurity after a series of high-profile failures, hiring new executives from places like the US government and holding weekly meetings with senior executives to make its software more resilient. The company’s tech has been subject to several widespread and damaging hacks in recent years, and a 2024 US government report described the company’s security culture as in need of urgent reforms.

Palo Alto Networks Inc. warned that the SharePoint exploits are “real, in-the-wild, and pose a serious threat.” Google Threat Intelligence Group said in an e-mailed statement it had observed hackers exploiting the vulnerability, adding it allows “persistent, unauthenticated access and presents a significant risk to affected organizations.”

“When they’re able to compromise the fortress that is SharePoint, everybody is kind of at their whim because that is one of the highest security protocols out there,” said Gene Yu, CEO of Singapore-based cyber incident response firm Blackpanda.

The Washington Post reported that the breach had affected US federal and state agencies, universities, energy companies and an Asian telecommunications company, citing state officials and private researchers.

Researchers at Eye Security were first to identify the vulnerability, the company said.

Eye Security said the vulnerability allows hackers to access SharePoint servers and steal keys that can let them impersonate users or services even after the server is patched. It said hackers can maintain access through backdoors or modified components that can survive updates and reboots of systems.

Vaisha Bernard, chief hacker and co-owner of Eye Security, said his team identified a wave of attacks on Friday evening and a second wave on Saturday morning.

The attacks, he said, were not targeted and instead were aimed at compromising as many victims as possible. After scanning about 8,000 SharePoint servers, Bernard said he has so far identified at least 50 that were successfully compromised.

He declined to name the organizations that had been targeted, but said they included government agencies and private companies, including “bigger multinationals.” The victims were located in countries in North and South America, the European Union, South Africa, and Australia, he added.

It was not clear who was behind the attacks, Bernard said, but “my gut feeling says it’s one group” behind them, due to similarities in the methods he observed during the attacks.

A Microsoft spokesperson declined to comment beyond the company’s statement.

Microsoft has faced a series of recent cyberattacks, warning in March that Chinese hackers were targeting remote management tools and cloud applications to spy on a range of companies and organizations in the US and abroad.

The Cyber Safety Review Board, a White House-mandated group designed to examine major cyberattacks, said last year that Microsoft’s security culture was “inadequate” following the 2023 hack of the company’s Exchange Online mailboxes. In that incident, hackers were able to breach 22 organizations and hundreds of individuals, including former US Commerce Secretary Gina Raimondo.

Photo: Microsoft signage in New York. Photographer: Jeenah Moon/Bloomberg
