Victims Mounting In Microsoft SharePoint Attacks: Researchers

More than 400 systems have been compromised so far, according to researchers at Eye Security, and reports indicate that federal education and energy agencies are among the victims.

More than 400 systems have been compromised so far in the widespread cyberattacks exploiting vulnerabilities in Microsoft SharePoint servers, according to researchers at Eye Security.

Bloomberg reported Wednesday that the U.S. National Nuclear Security Administration, which is part of the Department of Energy, is among the victims of the hack. In a statement Wednesday, the Energy Department said that “on Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy.”

[Related: This Is ‘Just The Beginning’ Of Threats From Microsoft SharePoint Flaw: Researchers]

The statement, which did not mention the National Nuclear Security Administration, indicated that the Energy Department was “minimally impacted” with a “very small number of systems” affected.

Bloomberg had reported earlier this week that the U.S. Department of Education had been compromised in the SharePoint attacks. CRN has reached out to the department for comment.

Cybersecurity vendor Eye Security, which is credited with first disclosing the SharePoint Server attacks late last week, said in an update to a post Wednesday that it has now “discovered more than 400 systems actively compromised during four confirmed waves of attack.”

The discoveries are based on scans of more than 23,000 SharePoint servers globally, the company’s researchers said.

Microsoft has now released patches for all supported on-premises SharePoint Server versions to protect against the wave of compromises, but attackers will be looking to exploit the vulnerabilities on unpatched servers for months to come, researchers have told CRN.

In part, that’s because patching alone is not sufficient to evict an attacker who got in before the fix was applied. A server compromised during the attack waves may have had its ASP.NET machine keys stolen, and those keys let the attacker keep forging authenticated requests to the patched server. Rotating the machine keys, and then restarting IIS so the old keys are no longer in use, is the other essential step to ensure attackers no longer have access, the experts said.

“This is not a situation where you patch and you’re done,” said Nick Hyatt, senior threat intelligence analyst at Herndon, Va.-based GuidePoint Security, in a previous interview with CRN.
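The two-step remediation the researchers describe, patch first and then rotate the machine keys, looks like the following in practice. This is an added example written for this page, not a script from CRN, Eye Security or Microsoft. It assumes a SharePoint farm where the `Update-SPMachineKey` cmdlet is available (the article does not say which builds ship it; check Microsoft’s guidance for your version) and that it is run in the SharePoint Management Shell by a farm administrator.

```powershell
# Added example, not from the original article: rotate the ASP.NET machine keys
# for every web application in a SharePoint farm after patching, then restart IIS
# so the old (possibly stolen) keys are no longer accepted.
# Assumption: Update-SPMachineKey exists on this build; verify for your version.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Rotating keys on an unpatched server only helps until the next exploitation,
# so record the farm build first and compare it with the fixed build for your
# SharePoint version before continuing.
$farm = Get-SPFarm
Write-Host "Farm build version: $($farm.BuildVersion)"

# Generate new ValidationKey/DecryptionKey pairs for each content web application.
# Add -IncludeCentralAdministration to Get-SPWebApplication if the Central
# Administration web application should be rotated as well.
foreach ($webApp in Get-SPWebApplication) {
    Write-Host "Rotating machine keys for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# The new keys take effect only after IIS restarts. This restarts the local
# server; run the same command on every SharePoint server in the farm.
iisreset.exe
```

Run this on each front-end server, not just one, and treat the build-version check as a gate: if the farm is still on a pre-fix build, apply the update first and rotate the keys afterwards, otherwise the freshly generated keys can be stolen again the same way.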

Meanwhile, researchers at Google Cloud-owned Mandiant and Microsoft have pointed to at least some of the attacks originating from China-based threat actors.

Microsoft researchers said Tuesday that they have observed exploitation activity from a pair of Chinese nation-state threat groups, tracked as Linen Typhoon and Violet Typhoon, as well as from a China-linked threat actor that is tracked as Storm-2603.

“With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems,” Microsoft researchers wrote in the post.