A sweeping cyber-espionage campaign exploiting a critical vulnerability in Microsoft’s server software has compromised at least 100 organisations worldwide, according to cybersecurity researchers who exposed the operation.
Over the weekend, Microsoft issued an urgent alert warning of “active attacks” targeting self-hosted SharePoint servers, software commonly used by firms for internal document sharing and collaboration. Microsoft-hosted SharePoint services remain unaffected.
The cyber assault, dubbed a “zero-day” attack because it relied on a software flaw that was unknown to the vendor, and therefore unpatched, when exploitation began, allows hackers to infiltrate servers and potentially implant backdoors for ongoing access to compromised networks.
Vaisha Bernard, chief hacker at Netherlands-based cybersecurity firm Eye Security, revealed that nearly 100 victims had been identified through a global scan using Shadowserver Foundation tools. These findings came before the method of exploitation became widely known, suggesting more breaches may now exist.
“It’s unambiguous,” Bernard said. “Who knows what other adversaries have done since to place other backdoors.” He refrained from naming affected organisations, citing official security protocols and notification of national authorities.
The Shadowserver Foundation corroborated Bernard’s count, noting that most compromised servers were located in the United States and Germany, with victims including government agencies.
Rafe Pilling, Director of Threat Intelligence at UK-based Sophos, added that the attack, for now, appears to be the work of a single entity or coordinated group, but warned this could change rapidly as awareness of the flaw spreads.
Microsoft confirmed that security updates had been released and urged all users to apply them promptly.
The identity of the hackers remains uncertain. However, Alphabet-owned Google, leveraging its expansive visibility across internet traffic, attributed some of the breaches to a China-linked threat actor. As expected, China’s government has denied involvement.
The FBI acknowledged awareness of the attacks and stated it was working alongside both public and private partners, without divulging further details. Britain’s National Cyber Security Centre also noted a “limited number” of targets in the UK.
Analysts warn that the scale of potential exposure is massive. Shodan, a search engine that maps internet-connected devices, estimates that over 8,000 servers globally could be vulnerable. Shadowserver places the figure slightly higher, above 9,000.
High-profile potential targets include major industrial firms, financial institutions, auditors, healthcare providers, and government bodies across both U.S. state and international jurisdictions.
Daniel Card of British cybersecurity consultancy PwnDefend cautioned, “The SharePoint incident appears to have created a broad level of compromise across a range of servers globally. Assuming breach is wise—and applying the patch alone isn’t enough.”
Cybersecurity experts advise organisations to investigate server logs for signs of compromise and to undertake comprehensive incident response beyond mere patching, since a patch closes the flaw but does not remove any backdoor already implanted through it.
With inputs from Reuters