Hackers have exploited vulnerabilities in Microsoft’s SharePoint software, placing tens of thousands of on-premises servers used by global businesses and agencies at risk. Microsoft issued an alert on Saturday disclosing that it was aware of “active attacks,” and that it was working to patch the zero-day exploit.
Researchers at Eye Security first identified the vulnerability on July 18th, which allows hackers to access certain on-premises versions of SharePoint and steal keys that can let them impersonate users or services even after the server is rebooted or patched. That means servers that have already been compromised may still be a risk for businesses, but cloud versions of SharePoint aren’t vulnerable to the exploit and are unaffected.
Hackers can use the zero-day exploit to steal sensitive data, harvest passwords, and move across the breached network through services that are often connected to SharePoint, including Outlook, Teams, and OneDrive. The exploit appears to have originated from a combination of two bugs that were presented at the Pwn2Own hacking contest in May, allowing unauthenticated access to SharePoint servers.
Microsoft has released patches to “fully protect” SharePoint 2019 and SharePoint Subscription Edition servers, and the company is actively working on a patch for SharePoint 2016.
The US Cybersecurity and Infrastructure Security Agency (CISA) says that the scope and impact of the attacks are still being assessed, and that any servers that have been impacted by the exploit should be disconnected from the internet until an official resolution is available. The exploit has been used to attack US federal and state agencies, universities, energy companies, and an Asian telecommunications company, the Washington Post reported, citing state officials and private researchers.
