Two of the organizations that assisted in the discovery of the campaign announced early this week that approximately 100 organizations had been compromised by a comprehensive cyber espionage operation targeting Microsoft (MSFT.O) server software.
Microsoft previously released an alert regarding “active attacks” on self-hosted SharePoint servers, which are extensively employed by organizations to facilitate document sharing and collaboration.
SharePoint instances that were hosted on Microsoft servers were not affected.
The breaches, which are referred to as “zero-day” attacks because they exploit a digital vulnerability that was previously unknown, enable attackers to infiltrate vulnerable servers and potentially install a backdoor that grants them continuous access to the victim organizations.
Vaisha Bernard, the chief hacker at Eye Security, a cybersecurity firm based in the Netherlands, which discovered the hacking campaign, revealed that an internet scan conducted with the Shadowserver Foundation had identified nearly 100 victims in total.
This was prior to the public disclosure of the hacking technique. One of Eye Security’s own clients was among those targeted.
Bernard stated, “It is unambiguous. Who knows what additional adversaries have done since then to establish additional backdoors?”
He declined to disclose the organizations that were impacted, asserting that the appropriate national authorities had been informed.
The Shadowserver Foundation verified the figure of 100. It stated that the majority of those affected were in the United States and Germany, and the victims included government organizations.
According to another researcher, the espionage campaign has so far been attributed to a single hacker or group of hackers.
Rafe Pilling, director of Threat Intelligence at Sophos, a British cybersecurity firm, stated, “It is feasible that this will evolve rapidly.”
In an emailed statement, a spokesperson for Microsoft stated that the company had “provided security updates and encourages customers to install them.”
It was unclear who was responsible for the ongoing breach. However, Alphabet’s (GOOGL.O) Google, which has visibility into a vast amount of internet traffic, has identified at least some of the attacks as being linked to a “China-nexus threat actor.”
The Chinese Embassy in Washington did not immediately respond to a message requesting comment; Beijing consistently denies conducting cyber operations.
The FBI acknowledged the assaults on Sunday and stated that it was in direct collaboration with its federal and private-sector partners.
However, it did not provide any additional information. In a statement, the National Cyber Security Center of the United Kingdom disclosed that it was cognizant of “a restricted number” of targets in the country.
The campaign appeared to be initially targeted at a limited number of government-related organizations, according to a researcher who is monitoring the campaign.
The pool of potential targets continues to be extensive. Over 8,000 servers online may have already been compromised by hackers, according to data from Shodan, a search engine that assists in the identification of internet-linked equipment.
Shadowserver put the figure at slightly more than 9,000, while noting that this was a minimum.
These servers include numerous U.S. state-level and international government entities, as well as significant industrial firms, banks, auditors, and healthcare corporations.
“The SharePoint incident appears to have resulted in a widespread level of compromise across a variety of servers on a global scale,” stated Daniel Card of the British cybersecurity consultancy PwnDefend. “It is prudent to adopt an assumed breach approach, and it is crucial to recognize that the patch alone is insufficient in this situation.”