Microsoft said it has released a security patch for customers to apply to SharePoint servers amidst ongoing attacks that researchers said have already affected at least 100 organisations.
The company said it was working to roll out more patches for the zero-day attacks, which make use of a previously undisclosed flaw.
The flaw allows hackers to access filesystems and internal configurations and to execute code on networks, the US Cybersecurity and Infrastructure Security Agency said.
Espionage attacks
The attacks affect self-hosted SharePoint servers, used to share documents and collaborate within organisations. They do not affect instances hosted on Microsoft servers.
Eye Security and the Shadowserver Foundation said a scan carried out over the weekend found that at least 100 organisations had already been targeted, with most being in the US and Germany.
The FBI said it was aware of the attacks but offered no further details, while the UK’s National Cyber Security Centre said it was aware of a “limited number” of affected organisations within the UK.
A researcher tracking the campaign said it appeared to be initially aimed at a narrow set of government-related organisations, Reuters reported.
Shodan, a search engine that identifies internet-linked equipment, said more than 8,000 servers were vulnerable to the attacks and could already have been affected.
The servers belong to major industrial companies, banks, auditors, healthcare firms and several US state and international government bodies, Shodan said.
Security researcher Censys estimated that more than 10,000 companies with SharePoint servers could be vulnerable.
The US had the largest proportion of those companies, followed by the Netherlands, the UK and Canada, Censys said.
‘Inadequate’ security
The company warned the bug could leave organisations vulnerable to ransomware attacks, such as the one that significantly disrupted operations at Marks & Spencer and the Co-op earlier this year.
Google Threat Intelligence Group said it had observed hackers exploiting the vulnerability and that it allows persistent, unauthenticated access, presenting a “significant risk” to organisations.
Microsoft warned in March that Chinese hackers were targeting remote management tools and cloud applications to conduct espionage attacks on companies and organisations in the US and elsewhere.
The White House Cyber Safety Review Board said last year that Microsoft’s security culture was “inadequate” following a 2023 hack that targeted Exchange Online mailboxes, resulting in the breach of hundreds of individuals’ data, including that of then-US Commerce Secretary Gina Raimondo.