A sophisticated cyberattack has exploited a zero-day vulnerability in Microsoft SharePoint servers, affecting over 400 organizations worldwide, with a notable impact in African countries such as South Africa and Mauritius. The attack targets on-premise SharePoint installations, using previously unknown security flaws to infiltrate critical systems in government, education, and private sectors.
The breach was first identified by Eye Security, a Dutch cybersecurity firm, last week. Unlike typical vulnerabilities that affect cloud-hosted SharePoint, this zero-day specifically compromises servers managed on-site, which many institutions use for greater control and security.
The attack uses unauthorized code execution within SharePoint’s document collaboration features, allowing persistent network access. Business Insider Africa analysts observed the malware’s advanced behavior, noting its ability to operate undetected while extracting sensitive data.
In South Africa, affected sectors include a major car manufacturer, several universities, local government bodies, and the National Treasury, where malware was found on the Infrastructure Reporting Model site.
The zero-day exploits a remote code execution flaw in the server’s authentication process, bypassing standard security measures. The malware uses a multi-stage payload delivery system, beginning with reconnaissance scans on vulnerable SharePoint versions, followed by exploiting the authentication bypass to deploy malicious web shells.
Microsoft has confirmed the vulnerability impacts only on-premise installations, with cloud-hosted SharePoint Online services remaining protected by Microsoft’s security infrastructure.
