Hackers exploiting SharePoint zero-day seen targeting government agencies

Recent investigations reveal that hackers have been actively exploiting a critical zero-day vulnerability in Microsoft SharePoint servers, primarily targeting government entities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning after identifying the exploitation of this unknown flaw, which poses significant risks to organizations that rely on SharePoint for enterprise data management. According to Silas Cutler, the principal researcher at cybersecurity firm Censys, early indications suggest that the initial wave of attacks was directed at a select group of targets, predominantly linked to government operations. "It appears that the first exploitation was focused on a narrow set of entities, likely related to government activities," Cutler explained during a discussion with TechCrunch. Cutler emphasized the evolving nature of this situation, noting, "While the initial targeting was limited, as more attackers become aware of this vulnerability, we can expect an increase in breaches stemming from this incident." With the flaw now publicly known and Microsoft yet to fully patch it, there is a growing concern that additional hackers—possibly independent of governmental affiliations—might also begin exploiting this vulnerability. Censys has detected between 9,000 and 10,000 SharePoint instances exposed to the internet, a number that may fluctuate as the situation develops. Eye Security, which initially reported the existence of the bug, corroborated these findings, having surveyed over 8,000 SharePoint servers globally and uncovered numerous compromised systems. Given the specific targeting observed at the onset of these attacks, Cutler speculated that the hackers may belong to an advanced persistent threat group typically associated with government operations. The Washington Post subsequently reported that the attacks have extended their reach to U.S. federal and state agencies, universities, and energy companies, alongside various other commercial entities. In a blog post, Microsoft clarified that the vulnerability applies only to local installations of SharePoint, not cloud-based versions. This means that organizations utilizing SharePoint servers must either implement the necessary security patch or isolate their servers from internet access to mitigate risks.