SharePoint security gap: How companies can reduce the risk in future

Written By SecureCloud
Jul 23, 2025

Who is affected and what are the risks?

The important thing is: Only self-operated SharePoint servers are affected. The cloud version SharePoint Online in Microsoft 365 has been spared. However, the impact is serious:

  • Hackers have already exploited the vulnerability and penetrated the servers of "dozens" of companies and government agencies.
  • According to the Washington Post, two US federal agencies have also been attacked.
  • Experts from Eye Security warn that attackers can steal data and passwords. Even more worrying is the possibility of tapping into digital keys that allow them to regain access to the systems even after the gap has been closed.
  • The IT security company Crowdstrike describes the gap as a "significant vulnerability".
  • Even before the first patches were released, around 100 organizations had already been compromised. Most of these compromised installations were located in the USA and Germany. Early victims included a major energy company and several government organizations in Europe.
  • It was estimated that 9,000 to 10,000 vulnerable SharePoint instances existed before the patches became available.

SharePoint attack: Microsoft's advice

Microsoft has urgently recommended installing the security updates immediately to close the gap. If this is not possible, the company advises disconnecting the affected servers from the internet. Note that the ASP.NET "machine keys" must be rotated after the update, which requires restarting IIS (Internet Information Services).

The US Federal Bureau of Investigation (FBI) has begun an investigation and is working closely with various agencies and companies. The Department of Defense's Cyber Command is also involved in the coordination with Microsoft. The American IT security authority CISA has called on affected government agencies and companies to act quickly.

Reduce risk: experts advise diversification

Initial analyses, including those by Google's Mandiant, indicate that at least one of the attackers could originate from China. Canadian and Australian authorities have also launched investigations.

These incidents are not new: as early as 2023, suspected Chinese hackers gained access to emails from US authorities via a Microsoft vulnerability. IT security experts have therefore been warning for years that authorities should reduce their dependence on individual providers and diversify their software, as Microsoft's market penetration makes it a popular target for attackers.

Being completely tied to hyperscalers such as Google, Microsoft or Amazon can be convenient, but it also harbors risks.

In Europe in particular, however, there are secure alternatives in certain areas such as encrypted communication (e.g. Threema) or data exchange (e.g. SecureCloud). Superior solutions for enterprise file sync & share impress with their convenience and user-friendliness when exchanging data as well as the highest data protection standards.

SecureCloud underpins its claim to maximum possible data protection with data centers and company headquarters in Germany, ISO 27001 certification and BSI C5 testing.
