Microsoft SharePoint vulnerability allows hackers to sift through servers, Saudi authorities warn

The attacks are an example of how a file-sharing service can be abused to gather valuable information on a target.
Riyadh, Saudi Arabia
Riyadh, Saudi Arabia at night. The country's National Cybersecurity Authority has warned of a new destructive malware variant (CC0 Creative Commons).

Hackers are exploiting a remote code execution vulnerability in Microsoft SharePoint to conduct reconnaissance on the networks of target organizations, a Saudi government cybersecurity agency said Thursday.

In activity that private-sector researchers are also tracking, the unnamed hackers are gathering information on Microsoft Exchange and SQL servers in a sign “the attack is still in its first stages,” Saudi Arabia’s National Cybersecurity Authority (NCA) said in an advisory. The alert did not offer further information on the victims.

The attacks are an example of how a file-sharing service can be abused to gather valuable information on a target. The vulnerability applies to older versions of SharePoint, an application organizations use to share and store documents. With a foothold on a network, the attackers have deployed a web shell script that can be used to manipulate data on a server, according to the NCA.

The Saudi agency “observed a spike in scanning activities on this specific vulnerability,” indicating “quick adoption from multiple threat actors” keen on exploiting the remote network access, said the advisory, which details a new custom backdoor used by attackers.


“The attackers in the Saudi case are reasonably capable,” said Chris Doman, a security researcher at AT&T Alien Labs who has tracked the intrusions. “The malware waits for encrypted commands from an attacker — rather than noisily reaching out to an attacker’s command and control server.”

The advisory follows an alert last month from the Canadian government’s Centre for Cyber Security saying the SharePoint vulnerability likely had been used to breach organizations in the academic, manufacturing, utility, “heavy industry,” and tech sectors. The advisory did not say where the victim organizations were located.

Microsoft has issued a patch for the flaw, but that is only as good as its application by vulnerable organizations. The NCA said multiple organizations had been infected by the exploit in the last two weeks.

Despite the reports of infections in multiple sectors, the SharePoint vulnerability isn’t being as widely exploited as other server-side flaws like the one in Oracle WebLogic, Doman told CyberScoop. AT&T Alien Labs has analyzed an earlier version of the malware used in breaching Saudi organizations.

“The naming of the domains in the Saudi intrusions seem to indicate some particular targeting,” Doman said. He pointed to the fact that the attackers had impersonated a Saudi government website promoting the Kingdom’s strategic policies.


The hackers “haven’t left any obvious indicators of their location in the malware or servers,” Doman said.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts