A widespread cyberattack targeting Microsoft SharePoint server software has raised alarms among security agencies and businesses worldwide, with experts suggesting that a single threat actor may be behind the coordinated assault.
Over the weekend, Microsoft issued a critical security alert warning of “active attacks” on on-premise SharePoint servers, widely used by organisations and government bodies to manage and share internal documents. Notably, the tech giant clarified that SharePoint Online, part of its Microsoft 365 cloud suite, was not affected by the exploit, which is being classified as a “zero-day” vulnerability, meaning it was previously unknown to cybersecurity professionals.
Rafe Pilling, Director of Threat Intelligence at British cybersecurity firm Sophos, indicated that evidence pointed towards a single entity executing the campaign. “Based on the consistency of the tradecraft seen across observed attacks, the campaign launched on Friday appears to be a single actor. However, it is possible that this will quickly change,” Pilling noted. He highlighted the use of identical digital payloads across various targets as a significant indicator of a singular source.
While Microsoft confirmed that it had released security updates to address the flaw, the company urged users to install the patches without delay. However, cybersecurity experts caution that remediation may require more than just patch deployment.
Daniel Card, of the UK-based consultancy PwnDefend, warned that the scope of the attack suggested a broad level of compromise. “The SharePoint incident appears to have created a broad level of compromise across a range of servers globally. Taking an assumed breach approach is wise, and it is also important to understand that just applying the patch is not all that is required here,” he said.
According to Shodan, a search engine that indexes internet-connected devices, over 8,000 SharePoint servers currently accessible online may have already been exposed to the exploit. These include systems belonging to prominent industrial companies, financial institutions, healthcare providers, auditors, and multiple U.S. state and international government organisations.
The identity of the attacker remains unknown. Moreover, the US Federal Bureau of Investigation (FBI) acknowledged the incident on Sunday, stating that it was working alongside both federal partners and private sector entities to assess the situation.
Meanwhile, the UK’s National Cyber Security Centre has yet to respond publicly.
The Washington Post reported that unidentified cyber actors had recently leveraged the SharePoint vulnerability to target both American and international agencies, suggesting the campaign could have extensive geopolitical ramifications.
(With inputs from Reuters)
