Massive Cyberattack Targets Microsoft SharePoint Servers Worldwide

Hackers are actively exploiting a critical zero-day vulnerability in Microsoft’s SharePoint software, putting thousands of organizations at serious risk. According to Microsoft’s alert issued on Saturday, these “active attacks” are targeting on-premises SharePoint servers used worldwide. Although the company is working to patch the flaw, significant damage may already have been done.

Eye Security researchers discovered the vulnerability on July 18th. It enables attackers to extract authentication keys from certain SharePoint installations. These stolen keys allow hackers to impersonate users and services even after a system has been rebooted or patched. Unfortunately, this means that systems already breached could remain compromised. Thankfully, Microsoft’s cloud-based SharePoint services are not affected by this exploit.

In the meantime, Microsoft has rolled out updates that “fully protect” both SharePoint 2019 and the SharePoint Subscription Edition. However, a patch for SharePoint 2016 is still in progress. Because of the nature of the threat, the US Cybersecurity and Infrastructure Security Agency (CISA) has recommended that any affected servers be disconnected from the internet until further notice.

Exploit Impacts Extend Beyond SharePoint

The vulnerability stems from a combination of two bugs showcased during the Pwn2Own hacking competition in May. As a result, attackers can gain unauthenticated access to SharePoint servers. After gaining a foothold, they can move laterally across the network. Services like Outlook, Teams, and OneDrive, which are commonly linked to SharePoint, may also be leveraged to expand the attack surface.

As a result, hackers can steal sensitive files, harvest credentials, and infiltrate various departments within an organization. Even though the full extent of the breach is still being evaluated, the range of potentially affected targets is wide. It includes US federal and state agencies, universities, energy firms, and a telecommunications company in Asia.

Agencies Urged to Act Swiftly

CISA has emphasized the urgency of responding to this breach. While it continues to assess the scale and scope, organizations are advised to isolate vulnerable servers immediately. Notably, the Washington Post cited officials and researchers who confirmed that government and private institutions have already been impacted.

As Microsoft races to close the gap for SharePoint 2016 users, vigilance remains essential. Enterprises relying on on-premises infrastructure must act decisively. Waiting for a full patch without mitigating risk could lead to further exposure.


© 2024 The Technology Express. All Rights Reserved.