{"id":2081,"date":"2025-08-03T21:54:01","date_gmt":"2025-08-03T21:54:01","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/08\/03\/us-tops-hit-list-as-396-sharepoint-systems-compromised-globally\/"},"modified":"2025-08-03T21:54:01","modified_gmt":"2025-08-03T21:54:01","slug":"us-tops-hit-list-as-396-sharepoint-systems-compromised-globally","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/08\/03\/us-tops-hit-list-as-396-sharepoint-systems-compromised-globally\/","title":{"rendered":"US Tops Hit List as 396 SharePoint Systems Compromised Globally"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-f14e8892-da9a-4ca4-ae64-cdc6e1343c03\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A total of 396 compromised systems have been identified following the widespread exploitation of the Microsoft SharePoint zero-day vulnerability ToolShell (CVE-2025-53770\/53771).<\/p>\n<p>Eye Security, the Dutch company that discovered the global zero-day, analyzed 27,000 SharePoint servers between July 18 and 23 and confirmed the compromise affected at least 145 unique organizations across 41 countries.<\/p>\n<p>Many commentators have noted that long-term, the number of affected organizations is likely to grow.<\/p>\n<p>The US was the country with the most successfully attacked organizations, making up 31% of the total. Mauritius (8%), Germany (7%) and France (5%) were also among those affected.<\/p>\n<p>Eye Security told <em>Infosecurity <\/em>that\u00a0while it couldn\u2019t be certain, Mauritius could have been among the most targeted due to the strong presence of US government entities in the region.<\/p>\n<p>The firm also identified two organizations in Jordan that were affected. 
Eye Security noted these both experienced an \u201cunusually high volume of attacks.\u201d<\/p>\n<h2><strong>Government Organizations Most Targeted <\/strong><\/h2>\n<p>The government sector accounted for 30% of all confirmed infections. Reports have suggested that the US Nuclear Weapons Agency, Department of Homeland Security and\u00a0Department of Health and Human Services were among the victims, but no official confirmation has come from these agencies at the time of writing.<\/p>\n<p>Large organizations, especially government agencies, typically use on-premises Microsoft SharePoint in their technology stack. Using SharePoint on-premises allows organizations to have greater control over the information they store on these systems.<\/p>\n<p>\u201cFrom the data, it\u2019s clear this wasn\u2019t a random or opportunistic campaign. The attackers knew exactly what they were looking for,\u201d said Lodi Hensen, VP of Security Operations at Eye Security.<\/p>\n<p>The cybersecurity firm told <em>Infosecurity <\/em>it was clear the attackers didn\u2019t go after every vulnerable organization.<\/p>\n<p>\u201cInstead, they appeared to focus on those that were likely to be of particular strategic or intelligence value, suggesting a targeted and deliberate approach,\u201d the security firm said.<\/p>\n<p>The firm also said there was a strong suggestion that these organizations were targeted as part of intelligence-led operations.<\/p>\n<p>The education sector accounted for 13% of the attacks worldwide, followed by SaaS providers (9%), telecommunications firms (4%) and power grids (4%).<\/p>\n<h2><strong>Attacks Expected to Continue<\/strong><\/h2>\n<p>Eye Security expects continued abuse of the SharePoint flaw in the coming weeks, with ransomware and supply chain threats likely to follow.<\/p>\n<p>Microsoft attributed the initial attacks to China-linked actors including Linen Typhoon, Violet Typhoon and Storm-2603.<\/p>\n<p>However, more recent activity suggests that 
exploitation is not limited to state-backed groups.<\/p>\n<p>\u201cOnce a zero-day becomes public and technical details begin to circulate, other state and non-state actors tend to follow. That includes cybercriminal groups with very different motives, especially those focused on financial gain,\u201d said Hensen.<\/p>\n<p>Low-skilled actors may now be able to take advantage of the vulnerability. Eye Security explained that the exploit has now been incorporated into open-source tools like Metasploit, making it trivial for even low-skilled attackers to exploit unpatched systems.<\/p>\n<p>Outside of the three threat actors identified by Microsoft, Eye Security has not attributed the attacks to other groups.<\/p>\n<p>However, the firm told <em>Infosecurity<\/em> that given the public availability of the exploit, it\u2019s very likely that additional threat actors are also taking advantage of this vulnerability.<\/p>\n<p>Eye Security directly notified its customers and partners about the threat on July 21 and is now urging all organizations using on-premises SharePoint to assume breach, verify patching and conduct thorough threat hunting.<\/p>\n<\/div>\n<figure id=\"layout-6ef25bc1-9a8c-495a-aae9-ab11cf104732\" data-layout-id=\"8\" data-edit-folder-name=\"embed\" data-index=\"1\"><\/figure>\n<p><em>Image credit:\u00a0jackpress \/ Shutterstock.com<\/em><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A total of 396 compromised systems have been identified following the widespread exploitation of the Microsoft SharePoint zero-day vulnerability ToolShell (CVE-2025-53770\/53771). Eye Security, the Dutch company that discovered the global zero-day, analyzed 27,000 SharePoint servers between July 18 and 23 and confirmed the compromise affected at least 145 unique organizations across 41 countries. 
Many commentators<\/p>\n","protected":false},"author":2,"featured_media":2082,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2081","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2081-cb3c39bd-71f4-40b8-86b4-b0ca80f66a43.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2081-cb3c39bd-71f4-40b8-86b4-b0ca80f66a43-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2081-cb3c39bd-71f4-40b8-86b4-b0ca80f66a43.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2081-cb3c39bd-71f4-40b8-86b4-b0ca80f66a43.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2081-cb3c39bd-71f4-40b8-86b4-b0ca80f66a43.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2081-cb3c39bd-71f4-40b8-86b4-b0ca80f66a43.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2081-cb3c39bd-71f4-40b8-86b4-b0ca80f66a43.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2081-cb3c39bd-71f4-40b8-86b4-b0ca80f66a43.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2081-cb3c39bd-71f4-40b8-86b4-b0ca80f66a43.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2081-cb3c39bd-71f4-40b8-86b4-b0ca80f66a43.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2081-cb3c39bd-71f4-40b8-86b4-b0ca80f66a43-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a 
href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2081","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=2081"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2081\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/2082"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=2081"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=2081"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=2081"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}