How to Protect Yourself From the Global Microsoft Hack

Dozens of organizations appear to have been affected over the past few days by hackers targeting Microsoft server software.
Microsoft said in a post on its website on Saturday that it was “aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities.” SharePoint is a Microsoft platform that allows customers to manage and share documents within their organizations.
Here’s what to know about the attack, and how to protect yourself.
Hackers targeted a “vulnerability” in Microsoft SharePoint
Eye Security, a cybersecurity firm based in the Netherlands, said in a post that it identified the “large-scale exploitation” of a “vulnerability” in the Microsoft software on Friday. The vulnerability was not “widely known” before then, according to the firm.
Microsoft said that only servers housed within an organization were compromised in the hack; SharePoint Online in Microsoft 365 was not impacted.
Eye Security warned that once hackers breached SharePoint systems, they could access all content within them and “move laterally across the Windows Domain.”
“Because SharePoint often connects to core services like Outlook, Teams, and OneDrive, a breach can quickly lead to data theft, password harvesting, and lateral movement across the network,” the firm said. “This is a rapidly evolving, targeted exploit. Organizations with unpatched SharePoint servers should not wait for a fix. They should assess for compromise immediately and respond accordingly.”
Researchers determined that nearly 100 organizations were affected in the attack over the weekend, Eye Security’s chief hacker Vaisha Bernard told Reuters. It is not yet clear who was responsible for the hack or what the motive was, according to The Washington Post.
How to protect yourself from the attack
Microsoft advised customers using SharePoint to apply the latest security updates, and to make sure that the Antimalware Scan Interface is on and configured properly. The U.S. Cybersecurity & Infrastructure Security Agency recommended that customers take several technical steps to reduce risks associated with the attack, including configuring the Antimalware Scan Interface.
Eye Security also suggested that customers who have confirmed that they’ve been impacted by the attack “isolate or shut down affected SharePoint servers,” “renew all credentials and system secrets that could have been exposed,” and “engage your incident response team or a trusted cybersecurity firm.”