Threat intel firms on alert for government systems impacted by Microsoft SharePoint vulnerability
A vulnerability in Microsoft’s SharePoint Server is under active review by threat intelligence researchers as some have found evidence that U.S. government systems have been exposed and potentially compromised.
The issue is limited to versions of SharePoint managed on customer infrastructure and does not impact Microsoft 365 environments, the company said in a blog post. The flaw affects SharePoint Enterprise Server 2016 and 2019, as well as the Subscription Edition. It was first disclosed late Saturday and, as of Sunday night, Microsoft had issued patches for 2019 and the subscription version.
“Unit 42 is tracking a high-impact, ongoing threat campaign targeting on-premises Microsoft SharePoint servers,” said Michael Sikorski, CTO and head of Threat Intelligence for Unit 42 at Palo Alto Networks. “While cloud environments remain unaffected, on-prem SharePoint deployments — particularly within government, schools, healthcare including hospitals, and large enterprise companies — are at immediate risk.”
He called the matter a “high-severity, high-urgency” threat for exposed networks.
“We are urging organizations who are running on-prem SharePoint to take action immediately and apply all relevant patches now and as they become available, rotate all cryptographic material and engage professional incident response,” Sikorski said. “A false sense of security could result in prolonged exposure and widespread compromise.”
“Unit 42’s telemetry confirms that government entities globally have been impacted,” he added. “Underscoring this threat, [the Cybersecurity and Infrastructure Security Agency] has added the vulnerability to its [Known Exploited Vulnerabilities] catalog, a designation that compels action from U.S. federal agencies. CISA’s confirmation of active exploitation in the wild aligns with our own intelligence.”
The federal government, as well as thousands of state and local governments, rely heavily on Microsoft products. For the federal enterprise, Microsoft is predominantly used across civilian and defense agencies for routine tasks like file sharing, internal messaging, records management and remote collaboration.
The bug is a “zero-day,” so called because the vendor had not discovered it before attackers did and so had zero days to fix it, and it is being actively exploited. Attackers can exploit it by sending specially crafted data to a SharePoint server; the server improperly processes that input and lets them execute malicious code remotely without needing a password.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said in a Sunday alert.
Netherlands cybersecurity provider Eye Security said it scanned some 8,000 SharePoint servers around the world and began alerting relevant global government computer emergency response teams over the last few days.
The firm detected some 50 breaches, The Washington Post reported Sunday, adding that at least two U.S. federal agencies were breached and that a state official in the eastern U.S. said attackers gained control of a SharePoint site used to publish public-facing documents about the state’s government.
The Multi-State Information Sharing and Analysis Center, which provides cybersecurity resources for U.S. state, local, territorial and tribal governments, was first alerted to the bug on July 8 and sent an advisory to its members. It then became aware of hackers exploiting the bug on July 19.
An initial round of direct notifications to 50 entities was sent out after CISA alerted the group, according to Randy Rose, the VP of Security Operations and Intelligence at the Center for Internet Security, which collaborates with the MS-ISAC.
“We identified more than 100 additional entities likely impacted by the vulnerabilities and sent more direct notifications,” Rose said in an email. “In all, we detected more than 1,100 servers belonging to state and local governments, including public higher education and K-12 schools, that are at risk of being impacted by these attacks due to their vulnerable posture.”
MS-ISAC was recently subjected to vast federal funding cuts. Rose said the reduction “severely impacts our ability to offer proactive defense and incident response” for active cyber campaigns, and puts state and local systems and Americans’ data at greater risk of compromise.
A CrowdStrike spokesperson said that the company has been able to detect and protect against exploitation of the SharePoint vulnerability and that its teams “are actively monitoring threat activity and continuously enhancing coverage as new details emerge.” The spokesperson declined to name specific customers affected.
Google’s threat intelligence arm “has observed threat actors exploiting this vulnerability to install webshells and exfiltrate cryptographic secrets from victim servers,” a Google spokesperson told Nextgov/FCW Sunday when asked if it was aware of any federal government customers affected. “This allows for persistent, unauthenticated access and presents a significant risk to affected organizations.”
“This isn’t an ‘apply the patch and you’re done’ situation,” Charles Carmakal, CTO of Mandiant, the security consulting unit of Google Cloud, said in a Saturday LinkedIn post. “Organizations need to implement mitigations right away (and the patch when available), assume compromise, investigate whether the system was compromised prior to the patch/mitigation and take remediation actions.”
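The "assume compromise and investigate" advice above, together with the reports of webshells being dropped on servers by unauthenticated requests, suggests two first-pass triage checks an on-prem SharePoint operator can run. The script below is an added example written for this article, not code from Microsoft, Unit 42, Mandiant or any other party named here. It assumes only generic facts: SharePoint serves ASP.NET pages from directories under its web root, and IIS writes W3C-format logs with a `#Fields:` header. The directory layout, log lines, IP addresses, page name and dates are all constructed for the demo; the `/_layouts/` prefix is a standard SharePoint system path, not an indicator from the article.

```python
"""Triage helpers for an on-premises SharePoint server after an unauthenticated RCE exposure.

Added example, not vendor code. Two broad checks:
  1. Server-side script files created or modified after the exposure window opened
     (a dropped webshell is almost always an .aspx/.ashx/.asmx file).
  2. IIS W3C log entries for unauthenticated POSTs to /_layouts/ pages that succeeded.
Both produce leads for an incident responder, not proof of compromise.
"""
from __future__ import annotations

import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Extensions IIS/ASP.NET will execute server-side.
SCRIPT_SUFFIXES = {".aspx", ".ashx", ".asmx", ".asax", ".svc", ".soap"}

# Constructed: start of the window during which the server was exposed unpatched.
SAMPLE_SINCE = datetime(2025, 7, 18, tzinfo=timezone.utc)


def find_recent_script_files(root: Path, since: datetime) -> list[Path]:
    """Return server-side script files under root whose mtime is at/after `since`."""
    hits: list[Path] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in SCRIPT_SUFFIXES:
                continue
            mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
            if mtime >= since:
                hits.append(p)
    return sorted(hits)


def parse_iis_w3c(lines):
    """Yield one dict per request line, mapping columns from the #Fields: header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line seen before #Fields: header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip a truncated line rather than misalign columns
        yield dict(zip(fields, values))


def flag_unauthenticated_layouts_posts(lines) -> list[dict]:
    """Successful POSTs to /_layouts/ pages with no authenticated user (cs-username '-')."""
    return [
        rec
        for rec in parse_iis_w3c(lines)
        if rec["cs-method"] == "POST"
        and rec["cs-username"] == "-"
        and rec["cs-uri-stem"].lower().startswith("/_layouts/")
        and rec["sc-status"] == "200"
    ]


# Constructed IIS log: one legitimate GET, one unauthenticated POST that succeeded,
# one that was rejected (401), and one POST by a real service account.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 02:14:07 10.0.0.5 GET /sites/hr/default.aspx - 443 CONTOSO\\jdoe 10.0.0.20 Mozilla/5.0 - 200 0 0 31
2025-07-19 02:15:41 10.0.0.5 POST /_layouts/15/example.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 512
2025-07-19 02:15:42 10.0.0.5 POST /_layouts/15/example.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 401 2 5 4
2025-07-19 02:16:03 10.0.0.5 POST /_layouts/15/example.aspx - 443 CONTOSO\\svc_sp 10.0.0.21 Mozilla/5.0 - 200 0 0 88
"""


def demo_file_hunt(since: datetime) -> list[str]:
    """Build a constructed web-root tree with controlled mtimes and return flagged file names."""
    with tempfile.TemporaryDirectory() as tmp:
        layouts = Path(tmp) / "TEMPLATE" / "LAYOUTS"
        layouts.mkdir(parents=True)
        legit, dropped, note = layouts / "legit.aspx", layouts / "dropped.aspx", layouts / "notes.txt"
        for p in (legit, dropped, note):
            p.write_text("<%@ Page %>")
        before, after = since.timestamp() - 86400, since.timestamp() + 3600
        os.utime(legit, (before, before))    # pre-dates the exposure window
        os.utime(dropped, (after, after))    # script file written during the window
        os.utime(note, (after, after))       # recent, but not executable by IIS
        return [p.name for p in find_recent_script_files(Path(tmp), since)]


if __name__ == "__main__":
    print("recent script files:", demo_file_hunt(SAMPLE_SINCE))
    for rec in flag_unauthenticated_layouts_posts(SAMPLE_LOG.splitlines()):
        print("suspicious:", rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"])
```

On a real server, point `find_recent_script_files` at the SharePoint layouts and web-application roots and set `since` to the earliest date the server could have been reached unpatched; an attacker can reset file timestamps, so an empty result is a weak negative, and any flagged file should be compared against a known-good install rather than deleted on sight. The log check is deliberately broad (many SharePoint pages legitimately accept anonymous POSTs), so treat it as a way to pick out source IPs and times for deeper review, alongside the key rotation and professional incident response the article's sources recommend.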
Microsoft systems have been the target of past U.S. government hacking attempts, including one linked to China where the hackers pilfered thousands of emails in 2023 from State Department and Commerce Department email inboxes.
The tech giant said Friday it will end the use of China-based engineers to support its cloud services for the Defense Department after a ProPublica investigation found that the company was using Chinese personnel monitored by U.S.-based “digital escorts” to help maintain sensitive military systems.
Just over a year ago, millions of computers running Microsoft’s flagship Windows operating system were paralyzed after CrowdStrike released a faulty patch that crippled the computers’ functionality at the root level, impacting multiple U.S. government agencies and other worldwide systems.