
An already patched vulnerability in Microsoft’s SharePoint system has reportedly been used to compromise over 400 organizations, including several in South Africa and Mauritius.
Among those affected is South Africa’s National Treasury.
The Treasury confirmed a few days ago that malware had been discovered on its Infrastructure Reporting Model website, an online platform used to monitor government spending on infrastructure projects.
Although no disruption to Treasury services was reported, its ICT department isolated the affected servers and requested Microsoft’s assistance in addressing the breach.
Microsoft attributed the attacks to three Chinese state-linked hacking groups: Linen Typhoon, Violet Typhoon, and Storm-2603. These groups exploited known vulnerabilities in on-premises SharePoint servers to steal sensitive data, deploy persistent backdoors, and, in some cases, launch ransomware attacks.
Microsoft noted that the flaws primarily affect organizations hosting SharePoint servers on their own networks, rather than via Microsoft’s cloud services.
In response to the global exploitation, the company released emergency security patches and urged all customers to apply the updates, restart systems, and review security protocols immediately.
How South Africa Was Identified Among the Victims
Dutch cybersecurity firm Eye Security was the first to identify South African organisations, including the National Treasury, among those affected by the SharePoint vulnerabilities.
“We never name individual victims, but can share that in South Africa we’ve seen an organization in the car-manufacturing industry, a university, several local-government entities and a federal government entity,” Eye Security co-owner Vaisha Bernard said in a text message to Bloomberg.
Eye Security conducted a scan of more than 23,000 public-facing SharePoint environments using internal telemetry tools to identify exposed or compromised systems.
The firm also discovered two additional unnamed South African organisations compromised in the attack.
Following the identification, Eye Security notified South Africa’s Computer Security Incident Response Team (CSIRT) and provided relevant technical details to assist in mitigation efforts.
Aside from Eye Security, Kaspersky’s Managed Detection and Response (MDR) team also detected a targeted cyber espionage attack against an African government IT system involving the SharePoint vulnerability in question.
Mauritius is Also Affected
According to Eye Security, “hackers breached over 400 government agencies, corporations and other groups around the world, with most of the victims in the US, followed by Mauritius, Jordan, South Africa and the Netherlands”.
This means the impact may be more severe on the island than in South Africa.
Whatever the case is, the situation seems under control as the Computer Emergency Response Team of Mauritius has issued an alert to warn organisations and provided guidance on how to mitigate the damage if their systems are compromised.