In July 2019, hackers gained access to dozens of computer servers in Vienna and Geneva belonging to the United Nations. In one of the largest-ever breaches of U.N. information, the hackers had what was estimated as tens of thousands of staff records, contracts, databases, and passwords at their fingertips. After technicians discovered the attack, they had to work through at least two weekends to isolate more than 40 compromised computers. Twenty computers had to be completely rebuilt.
The hackers accessed the U.N.’s servers by exploiting a vulnerability in Microsoft SharePoint, a collaborative file-sharing software that acts as an internal network for hundreds of thousands of clients, many of them multinational corporations, banks, insurance companies, and government agencies. Microsoft had issued a fix for the SharePoint vulnerability earlier in 2019, but it’s unlikely those updates had been installed on the U.N.’s servers.
Rest of World spoke to four experts who said that hundreds of thousands of SharePoint users around the world could still be exposed to similar hacks if they’ve failed to install the software updates. Earlier this year, Iranian state-backed actors likely used the same vulnerability to target Albanian government servers over a period of several months. After the hack’s discovery, Albania broke off diplomatic ties with Iran.
“It’s fascinating that here we are, three and a half years after the patches have been available, and it’s still being used in the wild actively by threat actors,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, told Rest of World about the SharePoint vulnerability. Zero Day Initiative pays researchers to detect weaknesses in widely used software, including CVE-2019-0604, the flaw that hackers have been using for more than three years to gain access to critical systems around the world.
Launched in 2001, Microsoft SharePoint is used by all types of organizations to store and share documents and make them accessible to anyone inside the organization. By 2017, Microsoft reported that more than 250,000 organizations installed SharePoint. Childs says that the number of servers running the software is in the millions.
Childs, who previously worked at Microsoft, said hackers can use CVE-2019-0604 to remotely access any information an organization stores in SharePoint. Because it gives them “pretty much everything,” said Childs, “it’s the type of bug people really like to use when they’re threat actors.” CVE-2019-0604 has become a known access point abused by hacker groups and state-based threat actors to enter internal systems in order to collect sensitive information or plant ransomware.
Microsoft declined to answer specific questions from Rest of World about the number of SharePoint users who remain vulnerable to CVE-2019-0604. A company spokesperson simply replied, “To be fully protected from this vulnerability, Microsoft recommends that customers install all updates listed for their system.”
SharePoint’s widespread use by financial institutions, multinational companies, and government agencies has made it an appealing target for hackers all over the world. In 2019, the Canadian Center for Cyber Security and the Saudi National Cybersecurity Authority both reported attacks like the one against the U.N. The same year, notorious hacking group Emissary Panda, or APT27 — allegedly backed by the Chinese government — attacked SharePoint servers belonging to two governments in the Middle East by exploiting CVE-2019-0604, according to cybersecurity firm Palo Alto Networks. Also in 2019, Iranian state-backed actors used it to attack an unnamed Middle Eastern energy company. In 2020, unknown hackers struck two municipalities in the U.S., and the Australian government disclosed the SharePoint systems were used against multiple targets in the country. The Australian Cyber Security Centre described the attacks as “the most significant, coordinated cybertargeting against Australian institutions the Australian Government has ever observed.” In 2021, hacker gang Hello/WickrMe used it to launch several ransomware attacks.
Claire Tills, a senior research engineer at cybersecurity firm Tenable, told Rest of World, “Attackers favor flaws like this because they exist in products ubiquitous to enterprise environments and give them a foothold from which to launch post-exploitation activities.”
The SharePoint vulnerability has been so popular among hackers that the U.S. government’s Cybersecurity and Infrastructure Security Agency, or CISA, which is part of the Department of Homeland Security, included the SharePoint vulnerability in its list of the Top 10 Most Exploited Vulnerabilities between 2016 and 2019.
All of these attacks took place after Microsoft had already released patches for CVE-2019-0604 earlier in 2019. But in order to protect a system, all three patches — released in February, March, and April of 2019 — need to be installed. Cybersecurity experts speaking to Rest of World said that SharePoint users who installed the first and even the second update remain exposed if they haven’t realized they need to do the third. Ideally, a flaw like this would have been patched in one go, making life easier for users, who could simply apply one fix and move on. Instead, Microsoft fumbled the patching process, requiring three separate updates in as many months. And the patches themselves were flawed — within an hour after Microsoft released the first patch, the same researcher who discovered CVE-2019-0604 had already bypassed the patch. “We’ve got bad patches and unclear communication around them that are causing the industry to be slow adopting what are in a lot of ways really critical updates,” said Childs.
Kevin Beaumont, a cybersecurity expert who used to work at Microsoft, has been following the SharePoint vulnerability since 2019. At the time, Beaumont said this flaw had the potential to have a long-lasting impact. “I think this will be one of the biggest [vulnerabilities] in years. It would own a lot of enterprises. Like, a LOT,” he wrote on Twitter.
Beaumont’s prediction has come to be true. Even if organizations haven’t been hacked, those that have been using SharePoint since 2019 or before could be vulnerable if they haven’t installed all of the updates that have been released since then. For example, in 2020, Dhiraj Mishra, at the time a consultant at cybersecurity firm Cognosec, found that the Income Tax Department in India and the MIT Sloan School of Management were both exposed by the SharePoint vulnerability. After he reported his findings to the Indian Computer Emergency Response Team and MIT, the organizations patched it, Mishra wrote.
Beaumont told Rest of World that the problem is that organizations that use SharePoint have not patched it yet, in part because the patching process is not straightforward. “SharePoint patching is also notoriously complicated — it would be quicker to watch the extended versions of The Hobbit trilogy and The Lord of the Rings trilogy back to back than try to update the average large SharePoint farm,” Beaumont said in a chat.
That’s what makes SharePoint such an appealing target — and so difficult to patch: with so many companies and governments relying on the software as an internal network, it is often configured to run alongside other essential systems, making it complex and time-consuming to update. Nobody wants their laptop to stay in blue screen while waiting for an update — let alone the server network for an entire municipality or billion-dollar corporation.
Another complication, said Beaumont, is that Microsoft has since launched a cloud version of SharePoint, called SharePoint Online, which makes patching much easier — but not all users have migrated to the cloud. “If SharePoint Online didn’t exist, all customers would be screaming about patching by now, in my opinion. Instead, that research and development has gone to cloud,” Beaumont said.
Companies that rely on sales tend to focus on developing new products rather than fixes for systems they’ve already sold, according to Childs at Zero Day Initiative, which means developing patches is rarely at the top of the list. “The state of patching really has not progressed much in the last 15 years,” said Childs, adding that as many as 20% of vulnerabilities his organization pays researchers for are from failed patches. “It’s kind of astonishing.”