
Microsoft SharePoint flaw triggers global cyber attack spree

21 July 2025

Hackers breach government agencies, universities and energy firms while waiting for a fix

A CrowdStrike senior vice-president of cybersecurity has warned that anyone running a hosted SharePoint server is staring down the barrel of a major security nightmare.

Adam Meyers said that it was a “significant vulnerability.”

That hole in Microsoft’s software has kicked off what researchers are calling a “global attack on government agencies and businesses” in just a matter of days. US federal and state agencies, universities, energy companies and even an Asian telecom outfit have already been breached, according to both state officials and private sector researchers.

Tens of thousands of SharePoint servers are now dangling in the wind, with Microsoft offering no patch for the flaw yet. Victims are scrambling, hoping Redmond can eventually push out fixes for supported versions of SharePoint 2019 and SharePoint 2016. In the meantime, the company has issued vague mitigation tips, while the US Cybersecurity and Infrastructure Security Agency (CISA) has been forced to publish its own recommendations.

Vole is advising tweaking your SharePoint server or just yanking it off the internet completely to stop the bleeding. That’s hardly comforting. The software giant fired off an alert to customers but declined to elaborate.

Palo Alto Networks’ Unit 42 senior manager Pete Renals said: “We are seeing attempts to exploit thousands of SharePoint servers globally before a patch is available. We have identified dozens of compromised organizations spanning both commercial and government sectors.”

SharePoint servers often link up with Outlook email, Teams and other core Microsoft services.

Once compromised, attackers can pinch sensitive data, harvest passwords and even plant access keys to sneak back in later.

Netherlands-based Eye Security warned that even applying a future patch won’t undo the damage already done.

“So pushing out a patch on Monday or Tuesday doesn’t help anybody who’s been compromised in the past 72 hours,” one anonymous researcher said.

The breaches started after Microsoft fixed a different security flaw this month. Attackers spotted a similar vulnerability and pounced, according to the US Department of Homeland Security’s CISA.

Agency spokeswoman Marci McCarthy said the flaw was flagged on Friday by a cyber research firm, prompting an urgent call to Microsoft.

The nonprofit Center for Internet Security, which handles an information-sharing network for state and local governments, has already warned around 100 vulnerable organisations. Those included public schools, universities, a government agency in Spain, a local agency in Albuquerque and a university in Brazil, researchers said.

Eye Security has logged more than 50 breaches, including an energy company in a large US state and several European government agencies. At least two US federal agencies have also been compromised, according to researchers.

One state official in the eastern US said the attackers even hijacked a public-facing repository of government documents designed to help residents navigate their local bureaucracy. The agency itself can no longer access the material.

Nobody is sure who’s behind the campaign or what their ultimate goal might be. One private research group even spotted the hackers targeting servers in China.

Last modified on 21 July 2025