More than 400 systems around the world have been actively compromised by the recently uncovered security vulnerability affecting Microsoft SharePoint installations, with more than 90 state and local government bodies targeted by attackers, security experts have said.
Netherlands-based computer security firm Eye Security said it was aware of more than 400 hacks in total, with several US federal government agencies acknowledging attacks.
The Departments of Energy, Homeland Security and Health and Human Services said they had been compromised by the attacks, which Microsoft earlier said was being actively exploited by Chinese state-backed groups.
Government targets
Hackers have attempted to break into more than 90 state and local government organisations’ systems using the SharePoint flaw, said Randy Rose, the vice president of security operations and intelligence at the Center for Internet Security.
The non-profit group runs the Multi-State Information Sharing and Analysis Centre that helps local authorities collaborate to ward off cyber-threats.
Rose said it did not have evidence that the attacks had succeeded, and none of the attempts it recorded had resulted in confirmed security incidents so far.
On Wednesday the US Department of Energy confirmed that the Fermi National Accelerator Laboratory, one of the department’s 17 national labs, had been affected by what it described as a “minimal” incident, confirming an earlier Bloomberg report.
“Attackers did attempt to access Fermilab’s SharePoint servers,” said a spokesperson for the department.
“The attackers were quickly identified, and the impact was minimal, with no sensitive or classified data accessed.”
The department previously said attacks using the SharePoint vulnerability had affected “a very small number” of its systems.
Security experts have said hackers are using the flaw to target organisations in the government, finance, manufacturing, healthcare, education, technology and consumer goods sectors and are stealing keys that could allow them to establish persistent access.
Incomplete patch
The vulnerability was provided to Microsoft by a Vietnamese researcher on 29 May, and Microsoft provided a patch with its monthly security updates on 8 July.
But the patch only partially resolved the issue, and Microsoft said on 19 July that it was aware of ongoing attacks using the flaw.
It has since issued further patches that it says fully protect users’ systems.
Microsoft warned in March that Chinese hackers were targeting remote management tools and cloud applications to conduct espionage attacks on companies and organisations in the US and elsewhere.
The White House Cyber Safety Review Board said last year that Microsoft’s security culture was “inadequate” following a 2023 hack that targeted Exchange Online mailboxes, resulting in the breach of hundreds of individuals’ data including then-US Commerce Secretary Gina Raimondo.