Microsoft SharePoint Server 0-Day Exploit Targets African Treasury, Companies, and University
A zero-day exploit campaign targeting unpatched Microsoft SharePoint Server installations has compromised approximately 400 organizations worldwide, and the true victim count is likely higher because of underreporting and delayed detection.
The attacks, first identified last week by Dutch cybersecurity firm Eye Security, leverage critical flaws in on-premises SharePoint installations, allowing threat actors to deploy malware, exfiltrate sensitive data, and establish persistent access without triggering immediate alerts.
Global Wave of Zero-Day Attacks
Unlike SharePoint Online, which Microsoft hosts and patches itself, self-hosted servers often lack automated patching, leaving them exposed to remote code execution (RCE) and privilege escalation exploits for as long as an update goes unapplied.
The campaign’s scope spans multiple sectors, including government agencies, multinational corporations, and educational institutions, highlighting the risks associated with legacy on-premise deployments in an era of increasingly sophisticated advanced persistent threats (APTs).
In technical terms, the exploits appear to chain multiple vulnerabilities, some of which may not yet have publicly assigned CVE identifiers, enabling attackers to bypass authentication controls and deploy custom payloads.
Eye Security's analysis indicates that the initial intrusion vector is unauthenticated access to SharePoint's web interfaces, followed by lateral movement within the victim's internal network.
This has resulted in widespread infections, with the United States reporting the highest concentration of breaches, followed by notable incidents in Mauritius, Jordan, South Africa, and the Netherlands.
The malware variants detected are largely fileless, residing in memory to evade signature-based antivirus, and use anti-forensic techniques to obscure their command-and-control (C2) communications with external servers.
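Because the intrusion vector described above is unauthenticated access to the SharePoint web front end, one of the first places to hunt is the IIS request log of the server itself. The following is an added example, not code from the article or from Eye Security: it parses IIS W3C extended logs and flags anonymous POST requests to pages under /_layouts/ that the server answered with a 2xx status, on the assumption (stated here, not an indicator published for this campaign) that such pages on an intranet farm normally require an authenticated user. The log lines, hostnames and IP addresses are constructed for the example.

```python
"""Hunt IIS W3C logs for anonymous POST requests that SharePoint answered
with a 2xx status. The /_layouts/ path heuristic is an assumption made for
this example, not a published indicator; the log sample is constructed."""
import re
from collections import Counter

# Constructed sample in IIS W3C extended format with SharePoint's default fields.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 09:12:01 10.0.0.5 GET /sites/finance/Shared%20Documents/Forms/AllItems.aspx - 443 CORP\\alice 10.0.4.17 Mozilla/5.0 - 200 0 0 312
2025-07-18 09:12:44 10.0.0.5 POST /_layouts/15/page.aspx DisplayMode=Edit 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 87
2025-07-18 09:13:02 10.0.0.5 POST /_layouts/15/page.aspx DisplayMode=Edit 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 91
2025-07-18 09:13:30 10.0.0.5 POST /_layouts/15/start.aspx - 443 - 198.51.100.4 python-requests/2.31 - 401 2 5 3
2025-07-18 09:15:10 10.0.0.5 GET /_layouts/15/settings.aspx - 443 CORP\\bob 10.0.4.22 Mozilla/5.0 - 200 0 0 140
"""


def parse_w3c(text):
    """Turn a W3C log into a list of dicts keyed by the names in the #Fields line."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field list can change mid-file; re-read it
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip malformed lines rather than mis-align columns
        records.append(dict(zip(fields, parts)))
    return records


def is_private(ip):
    """RFC 1918 check so the analyst can prioritise requests from outside the LAN."""
    return ip.startswith(("10.", "192.168.")) or re.match(r"172\.(1[6-9]|2\d|3[01])\.", ip) is not None


def hunt_anonymous_posts(records):
    """Anonymous (cs-username '-') POSTs under /_layouts/ that succeeded (2xx)."""
    hits = []
    for r in records:
        if (r["cs-method"] == "POST"
                and r["cs-username"] == "-"
                and r["sc-status"].startswith("2")
                and r["cs-uri-stem"].lower().startswith("/_layouts/")):
            hits.append({
                "time": f"{r['date']} {r['time']}",
                "src": r["c-ip"],
                "uri": r["cs-uri-stem"],
                "query": r["cs-uri-query"],
                "external": not is_private(r["c-ip"]),
            })
    return hits


def sources_by_count(hits):
    """Count hits per client IP so repeated probing stands out."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    found = hunt_anonymous_posts(parse_w3c(SAMPLE_LOG))
    for h in found:
        print(h)
    print(sources_by_count(found))
```

The 401 from 198.51.100.4 is deliberately not flagged: a rejected anonymous POST is normal noise, whereas a 200 to an anonymous POST on an administrative page is the thing that needs explaining. On a real farm, run this across every web front end and correlate the hit timestamps with the process-creation telemetry from those hosts.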
Broader Exploitation
South Africa’s National Treasury has confirmed a malware infection within its Infrastructure Reporting Model (IRM) website, a SharePoint-based platform used for financial data collaboration and reporting.
The intrusion was detected through routine endpoint detection and response (EDR) monitoring, revealing anomalous behaviors indicative of a successful exploit chain.
Despite the compromise, Treasury officials stated that no operational disruptions occurred, attributing this to rapid isolation of the affected system and collaboration with Microsoft for forensic analysis and remediation.
The incident underscores the exposure inherent in on-premises SharePoint deployments: organizations choose them for data sovereignty and custom security layers, but often fall behind on patching and lack the compensating controls needed while an exploit circulates before a fix is available.
Eye Security, withholding specific victim identities for privacy reasons, disclosed that South African targets include a prominent automotive manufacturing entity, a major university, several local government bodies, and a national government agency, alongside two additional unnamed organizations.
According to the report, these breaches were shared with South Africa’s Computer Security Incident Response Team (CSIRT) to facilitate coordinated threat hunting and mitigation efforts.
Once inside, attackers can abuse SharePoint's collaborative features, such as document libraries and workflow automation, to spread laterally, potentially leading to breaches of sensitive intellectual property, financial records, and personal information.
In the automotive sector, for instance, compromised systems could expose supply chain data, while educational institutions risk leaks of student records and research databases.
The broader implications of this campaign extend to Africa’s digital infrastructure, where reliance on Microsoft ecosystems for enterprise content management amplifies exposure.
Microsoft has clarified that only on-premises SharePoint servers are affected, advising immediate application of the security updates and network segmentation to limit what a compromised server can reach.
As investigations continue, cybersecurity experts warn of evolving tactics, including obfuscated PowerShell scripts and living-off-the-land binaries (LOLBins) used to maintain persistence.
Organizations are urged to adopt zero-trust architectures and continuous vulnerability scanning so that an unpatched, internet-facing server is found before an attacker finds it.