Global cyberattack targets Microsoft SharePoint servers across government and business

Hackers have exploited a major security flaw in Microsoft’s widely used SharePoint server software to launch a global cyberattack affecting government agencies and businesses worldwide, according to cybersecurity researchers and state officials.

The zero-day attack, which targets a previously unknown vulnerability, has compromised tens of thousands of SharePoint servers used by organisations to share and manage documents. United States federal and state agencies, universities, energy companies and an Asian telecommunications company are among those breached, researchers said.

Microsoft has released a security patch for one version of the software but two other versions remain vulnerable. The company said it is continuing to work on developing additional patches. The attack affects only on-premises servers housed within organisations, not cloud-based services such as Microsoft 365.

“Anybody who’s got a hosted SharePoint server has got a problem,” said Adam Meyers, senior vice president with CrowdStrike, a cybersecurity firm. “It’s a significant vulnerability.”

The FBI confirmed it was aware of the matter, stating: “We are working closely with our federal government and private sector partners.”

Pete Renals, a senior manager with Palo Alto Networks’ Unit 42, said: “We are seeing attempts to exploit thousands of SharePoint servers globally before a patch is available. We have identified dozens of compromised organisations spanning both commercial and government sectors.”

The breach can lead to theft of sensitive data and password harvesting, as these servers often connect to Outlook email, Teams and other core services. Particularly concerning is that hackers have gained access to cryptographic keys that may allow them to regain entry even after systems are patched.

Eye Security, a Netherlands-based research company, has tracked more than 50 breaches, including at an energy company and several European government agencies. At least two US federal agencies have been compromised, according to researchers.

One state official in the eastern US reported that attackers had “hijacked” a repository of public documents, preventing the agency from accessing the material. Some attacks appear to be “wiper” attacks that delete data rather than simply stealing it.

The Cybersecurity and Infrastructure Security Agency was alerted to the issue on Friday by a cyber research firm and immediately contacted Microsoft. The breaches occurred after Microsoft fixed a similar security flaw earlier this month, with attackers realising they could exploit a related vulnerability.

This latest incident adds to Microsoft’s recent cybersecurity challenges. Last year, the company was criticised by government and industry experts for lapses that enabled a Chinese hack of US government emails, including those of former commerce secretary Gina Raimondo.