Hackers are actively exploiting a severe vulnerability affecting Microsoft’s SharePoint software, putting thousands of businesses and organizations at risk across the globe. The security flaw lets attackers access sensitive files and encryption keys that could be used to regain entry even after the vulnerability is fixed.
In a press release on Saturday, July 19, the U.S. Cybersecurity and Infrastructure Security Agency said the bug affects SharePoint servers housed within an organization and not in the cloud. Such servers are commonly used for document storage and collaboration.
The security flaw is being referred to as a “zero-day,” a term used to describe a vulnerability that was being exploited before the software’s developers were aware of it.
‘Significant’ security vulnerability
The European cybersecurity firm Eye Security, which first revealed the flaw, warned that the vulnerability could permit even greater access into a target’s system, given that SharePoint servers often connect with other Microsoft services, such as Outlook, OneDrive and Teams.
Eye Security said it already found “dozens” of SharePoint servers being exploited. Known victims include federal and state government agencies, universities, energy companies and an Asian telecommunications company, according to The Washington Post.
Adam Meyers, senior vice president with the cybersecurity firm CrowdStrike, described the vulnerability as “significant,” telling The Post that “anybody who’s got a hosted SharePoint server has got a problem.”
Security patches may not be enough
Microsoft has issued patches for two versions of SharePoint so far. One version remains vulnerable, however.
Experts warn that even with security updates, SharePoint servers could still be exploited in the future if attackers gained access to encryption keys.
“Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys,” Michael Sikorski, the head of threat intelligence for Palo Alto’s Unit 42, told The Hacker News. “The attackers have leveraged this vulnerability to get into systems and are already establishing their foothold.”
Charles Carmakal, the chief technology officer at Google Cloud’s Mandiant, also warned of the bug’s severity in a statement on LinkedIn.
“This isn’t an ‘apply the patch and you’re done’ situation,” Carmakal said. “Organizations need to implement mitigations right away (and the patch when available), assume compromise, investigate whether the system was compromised prior to the patch/mitigation, and take remediation actions.”
Aside from security patches, those using on-premises SharePoint servers are also urged to rotate their encryption keys.
It is not yet publicly known who is actively exploiting the SharePoint flaw. The FBI has said it is “working closely with our federal government and private sector partners” on the matter.