Experts warn of single actor behind widespread Microsoft SharePoint hack

A significant cyber assault on Microsoft SharePoint server software has emerged, prompting urgent warnings from security experts and organizations across the globe. Analysts believe a singular threat actor may be orchestrating this widespread attack. Over the weekend, Microsoft issued an urgent security advisory about ongoing attacks targeting on-premise SharePoint servers, which are commonly utilized by various organizations and government entities for document management and sharing. It is important to note that SharePoint Online, part of the Microsoft 365 cloud suite, is not impacted by this vulnerability, which has been identified as a 'zero-day'—a flaw that was previously unknown to cybersecurity experts. Rafe Pilling, the Director of Threat Intelligence at British cybersecurity firm Sophos, suggested that the evidence points to a single entity behind the coordinated campaign. "The uniformity in the tactics observed during the attacks indicates that a single actor is likely responsible for the campaign initiated last Friday," Pilling remarked. He emphasized that the use of identical digital payloads across various targets supports this theory. In response to the vulnerability, Microsoft confirmed that it has rolled out security updates and strongly advised users to implement these patches immediately. However, cybersecurity professionals warn that merely applying patches may not be sufficient. Daniel Card from the UK-based consultancy PwnDefend highlighted that the scale of the attack signifies a comprehensive breach. "The SharePoint incident seems to have compromised a wide array of servers globally. It’s prudent to adopt an assumed breach strategy, as simply applying the patch won’t resolve the issue entirely," Card stated. Data from Shodan, a search engine for internet-connected devices, reveals that over 8,000 SharePoint servers currently exposed online may have already fallen victim to this exploit. These servers belong to various sectors, including major industrial firms, financial institutions, healthcare providers, auditors, and numerous U.S. state and international government organizations. Although the perpetrator's identity remains unclear, the FBI confirmed on Sunday that it is collaborating with federal partners and the private sector to investigate the situation. The UK’s National Cyber Security Centre has yet to publicly address the issue. Reports indicate that unidentified cyber actors have exploited the SharePoint vulnerability to target both U.S. and international agencies, raising concerns about potential geopolitical implications.