A sweeping cyber espionage operation targeting Microsoft (MSFT.O), opens new tab server software compromised about 100 organizations as of the weekend, two of the organizations that helped uncover the campaign said on Monday.
Microsoft on Saturday issued an alert about “active attacks” on self-hosted SharePoint servers, which are widely used by organizations to share documents and collaborate within organizations. SharePoint instances run off of Microsoft servers were unaffected.
Dubbed a “zero-day” because it leverages a previously undisclosed digital weakness, the hacks allow spies to penetrate vulnerable servers and potentially drop a backdoor to secure continuous access to victim organizations.
Vaisha Bernard, the chief hacker at Eye Security, a Netherlands-based cybersecurity firm, which discovered the hacking campaign, opens new tab targeting one of its clients on Friday, said that an internet scan carried out with the Shadowserver Foundation had uncovered nearly 100 victims altogether – and that was before the technique behind the hack was widely known.
“It’s unambiguous,” Bernard said. “Who knows what other adversaries have done since to place other backdoors.”
He declined to identify the affected organizations, saying that the relevant national authorities had been notified.
The Shadowserver Foundation confirmed the 100 figure. It said most of those affected were in the United States and Germany, and the victims included government organizations.
Another researcher said that, so far, the spying appeared to be the work of a single hacker or set of hackers.
“It’s possible that this will quickly change,” said Rafe Pilling, director of Threat Intelligence at Sophos, a British cybersecurity firm.
Microsoft said it had “provided security updates and encourages customers to install them,” a company spokesperson said in an emailed statement.
It was not clear who was behind the ongoing hack, but Alphabet’s (GOOGL.O), opens new tab Google, which has visibility into wide swaths of internet traffic, said it tied at least some of the hacks to a “China-nexus threat actor.”