
Microsoft server hack likely single actor, thousands of firms now vulnerable, researchers say
Microsoft on Saturday issued an alert about "active attacks" on SharePoint servers used within organisations. It said that SharePoint Online in Microsoft 365, which is in the cloud, was not hit by the exploit, also known as a "zero day" because it was previously unknown to cybersecurity researchers.
"Based on the consistency of the tradecraft seen across observed attacks, the campaign launched on Friday appears to be a single actor. However, it's possible that this will quickly change," said Rafe Pilling, Director of Threat Intelligence at Sophos, a British cybersecurity firm.
That tradecraft included the sending of the same digital payload to multiple targets, Pilling added.
Microsoft had "provided security updates and encourages customers to install them," a company spokesperson said in an emailed statement.
It was not clear who was behind the ongoing hack. The FBI said on Sunday it was aware of the attacks and was working closely with its federal and private-sector partners, but offered no other details. Britain's National Cyber Security Centre did not immediately respond to a request for comment.
The Washington Post said unidentified actors in the past few days had exploited a flaw to launch an attack that targeted U.S. and international agencies and businesses.
According to data from Shodan, a search engine that helps to identify internet-linked equipment, over 8,000 servers online could theoretically have already been compromised by hackers.
Those servers include major industrial firms, banks, auditors, healthcare companies, and several U.S. state-level and international government entities.
"The SharePoint incident appears to have created a broad level of compromise across a range of servers globally," said Daniel Card of British cybersecurity consultancy PwnDefend.
"Taking an assumed breach approach is wise, and it's also important to understand that just applying the patch isn't all that is required here."

Related Articles

Straits Times
Microsoft says some SharePoint server hackers now use ransomware
WASHINGTON - A cyber-espionage campaign centered on vulnerable versions of Microsoft's server software now involves the deployment of ransomware, Microsoft said in a blog post on July 23.
In the post, citing 'expanded analysis and threat intelligence,' Microsoft said a group it dubs Storm-2603 is using the vulnerability to seed the ransomware, which typically works by paralysing victims' networks until a digital currency payment is made.
The disclosure marks a potential escalation in the campaign, which has already hit at least 400 victims, according to Netherlands-based cybersecurity firm Eye Security. Unlike typical state-backed hacker campaigns, which are aimed at stealing data, ransomware can cause widespread disruption depending on where it lands.
The figure of 400 victims represents a sharp rise from the 100 organisations cataloged over the weekend. Eye Security says the figure is likely an undercount.
'There are many more, because not all attack vectors have left artifacts that we could scan for,' said Mr Vaisha Bernard, the chief hacker for Eye Security, which was among the first organisations to flag the breaches.
The details of most of the victim organisations have not yet been fully disclosed, but a representative for the National Institutes of Health confirmed on July 23 that one of the organisation's servers had been compromised. 'Additional servers were isolated as a precaution,' he said. The news of the compromise was first reported by the Washington Post.
The spy campaign kicked off after Microsoft failed to fully patch a security hole in its SharePoint server software, setting off a scramble to fix the vulnerability when it was discovered. Microsoft and its tech rival, Google owner Alphabet, have both said Chinese hackers are among those taking advantage of the flaw. Beijing has denied the claim. REUTERS


CNA
Microsoft says some SharePoint hackers now using ransomware
WASHINGTON: Microsoft said some of the hackers involved in the cyberespionage sweep aimed at the U.S. tech giant's SharePoint servers are now using ransomware, a potential escalation in the wide-ranging spy campaign. Microsoft made the claim in a blog post issued late Wednesday.

