JAKARTA - The global attack on Microsoft's SharePoint server software, which is used by thousands of government agencies and companies to share documents, was likely carried out by one perpetrator or group, a cybersecurity researcher said on Monday, July 21.
Microsoft on Saturday, July 19, issued a warning about an "active attack" on SharePoint servers used within organizations. The company stated that SharePoint Online in Microsoft 365, which is cloud-based, was not affected by the exploit, which is known as a "zero day" because it was previously unknown to cybersecurity researchers.
"Based on the consistency of the techniques seen in various attacks, the campaign, which began on Friday, appears to have been carried out by one perpetrator. However, this could change rapidly," said Pilling, Director of Threat Intelligence at Sophos, a cybersecurity company from England. The technique includes sending the same digital payload to several targets, Pilling added.
"Microsoft has provided security updates and prompted customers to install them," a company spokesman said in an emailed statement.
It is not clear who is behind this ongoing attack. The FBI stated on Sunday, July 20, that it was aware of the attack and was working with federal partners and the private sector, but did not provide further details.
According to data from Shodan, a search engine that helps identify devices connected to the internet, more than 8,000 online servers may have been compromised by hackers. The servers belong to large industrial companies, banks, audit firms, and healthcare companies, as well as several government entities at the US state and international levels.
"The SharePoint incident appears to have created a broad level of compromise on various servers globally," said Daniel Card of UK cybersecurity consultancy PwnDefend. "Taking an approach of assuming abuse is a wise move, and it is important to understand that only implementing patching is not enough."
SharePoint Attacks Become A Big Problem
The attack was first detected by Eye Security on July 18, when remote code execution was detected on a SharePoint server. The attack took advantage of two bugs found at the Pwn2Own hacking contest in May. The bugs allow attackers to access a SharePoint server without authentication and have been given a CVE number under the name ToolShell.
Microsoft has addressed some of these issues with a patch for SharePoint 2019 and SharePoint Subscription Edition, and is working on further security updates for SharePoint 2019 and 2016.
How Mac Users Can Protect Themselves
Because these attacks target corporate servers rather than individual systems, users of Macs and other computers will not find their personal systems directly affected. However, indirect problems involving the servers they use can still pose a threat.
The attackers can steal credentials from a SharePoint server, which allows them to regain access to the server even after it has been patched and secured. Server administrators therefore need to be very vigilant and careful in locking down the system and managing user access.
End users must also be very vigilant, especially if they have access to an internal SharePoint server managed by a large company. Attackers who have obtained user credentials can send messages that appear legitimate over corporate networks, such as emails containing links to malicious websites. Unsuspecting users may trust such a message because it comes from a legitimate corporate account.
For more information on security updates, visit Microsoft's official website. Authorities in the US, Canada, and Australia are investigating the attack, according to a Washington Post report.