Microsoft hit with SharePoint attack — one version still vulnerable

Microsoft has warned of “active attacks” targeting its SharePoint collaboration software, with security researchers noting that organizations worldwide stand to be affected by the breach.

The Cybersecurity and Infrastructure Security Agency said Sunday in a release that the vulnerability provides unauthenticated access to systems and full access to SharePoint content, enabling bad actors to execute code over the network.

CISA said that while the scope and impact of the attack continue to be assessed, the agency warned that it “poses a risk to organizations.”

Microsoft late Sunday issued fixes for customers to apply to two versions of the SharePoint software.

On Monday evening, Microsoft released a patch for SharePoint Server 2016, an older option for on-premises data centers.

Researchers at Palo Alto Networks said the hack likely reached thousands of organizations globally.

“The exploits are real, in-the-wild and pose a serious threat,” they added.

A Microsoft spokesperson declined to comment on the incident beyond what was shared in a company blog post.

In an alert Saturday, Microsoft said the attack applies only to on-premises SharePoint servers, not those in the cloud like Microsoft 365. SharePoint software is commonly used by global businesses and organizations to store and collaborate on documents.

The vulnerability is especially concerning because it allows hackers to impersonate users or services even after the SharePoint server is patched, according to researchers at European cybersecurity firm Eye Security, which said it first identified the flaw.

SharePoint servers often connect to other Microsoft services such as Outlook and Teams, meaning such a breach can “quickly” lead to data theft and password harvesting, Eye Security researchers said.

“Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys,” Michael Sikorski, CTO and head of threat intelligence for Palo Alto’s Unit 42, said in a statement. “The attackers have leveraged this vulnerability to get into systems and are already establishing their foothold.”

Separately, Alaska Airlines briefly halted its ground operations for about three hours on Sunday due to an IT outage. It lifted the ground stop at roughly 2 a.m. EST, the carrier said in a statement.

It was unclear whether the outage was related to the SharePoint attack.