Hackers exploiting SharePoint zero-day seen targeting government agencies

The hackers behind the initial wave of attacks exploiting a zero-day in Microsoft SharePoint servers have primarily targeted government organizations, according to researchers as well as news reports.
Over the weekend, CISA published an alert warning that hackers were exploiting a previously unknown bug, known as a “zero-day”, in Microsoft's enterprise management product SharePoint. Although it is still too early to draw final conclusions, it appears that the hackers who started to abuse this flaw were targeting government organizations, according to Silas Cutler, the principal researcher at Censys, a cybersecurity company that monitors hacking activities on the internet.
“It seems that the initial exploitation was against a narrow set of targets,” Cutler told TechCrunch. “The government is likely to be relevant.”
“This is a fairly developed issue. The initial exploitation of this weakness was somewhat limited in terms of targeting, but as more attackers learn to repeat the exploitation, we will likely see breaches as a result of this incident,” Cutler said.
Now that the vulnerability is public, and is still not fully patched by Microsoft, it is possible that other hackers who are not necessarily working for a government will join in and start abusing it, Cutler said.
Cutler added that he and his colleagues are seeing between 9,000 and 10,000 vulnerable SharePoint instances that can be accessed from the internet, but that this may change. Eye Security, which first published the existence of the bug, reported a similar number, saying that its researchers scanned more than 8,000 SharePoint servers worldwide and found evidence of dozens of compromised servers.
Cutler explained that the limited number of targets at the beginning of the campaign makes it likely that the hackers are part of a government group, known as an advanced persistent threat.
The Washington Post reported on Sunday that the attacks targeted U.S. federal and state agencies, as well as universities and energy companies, among other commercial targets.
Microsoft said in a blog post that the vulnerability only affects versions of SharePoint that are installed on local networks, not the cloud versions, which means that every organization that deploys a SharePoint server needs to apply the patch or disconnect the server from the internet.
2025-07-21 19:42:00