Microsoft server hack has hit about 100 victims, researcher says



A sweeping cyberespionage operation targeting Microsoft server software compromised about 100 different organizations as of the weekend, one of the researchers who helped uncover the campaign said Monday.

Microsoft on Saturday issued an alert about “active attacks” on self-managed SharePoint servers, which are widely used by government agencies and businesses to share documents within organizations. Dubbed a “zero day” because it leverages a previously undisclosed digital weakness, the hacks allow spies to penetrate vulnerable servers and potentially drop a back door to secure continuous access to victim organizations.

Vaisha Bernard, the chief hacker at Eye Security, a Netherlands-based cybersecurity firm which discovered the hacking campaign targeting one of its clients on Friday, said that an internet scan carried out with the ShadowServer Foundation had uncovered nearly 100 victims altogether – and that was before the technique behind the hack was widely known.

“It’s unambiguous,” Bernard said. “Who knows what other adversaries have done since to place other back doors.”

He declined to identify the affected organizations, saying that the relevant national authorities had been notified. The ShadowServer Foundation didn’t immediately return a message seeking comment.

Another researcher said that, so far, the spying appeared to be the work of a single hacker or set of hackers.

“It’s possible that this will quickly change,” said Rafe Pilling, Director of Threat Intelligence at Sophos, a British cybersecurity firm.

Microsoft has “provided security updates and encourages customers to install them,” a company spokesperson said in an emailed statement. It was not clear who was behind the ongoing hack. The FBI said on Sunday it was aware of the attacks and was working closely with its federal and private-sector partners, but offered no other details. Britain’s National Cyber Security Center said in a statement that it was aware of “a limited number” of targets in the United Kingdom.

According to data from Shodan, a search engine that helps to identify internet-linked equipment, over 8,000 servers online could theoretically have already been compromised by hackers.

Those servers include major industrial firms, banks, auditors, healthcare companies, and several U.S. state-level and international government entities.

“The SharePoint incident appears to have created a broad level of compromise across a range of servers globally,” said Daniel Card of British cybersecurity consultancy PwnDefend.

“Taking an assumed breach approach is wise, and it’s also important to understand that just applying the patch isn’t all that is required here.”


