* Hack exploits previously unknown flaw in SharePoint software
* Thousands of entities potentially now vulnerable to attack
* Hack likely work of one threat actor or group, researcher says
* Unclear who is behind attacks

LONDON, July 21 (Reuters) - A global attack on Microsoft
server software used by thousands of government
agencies and businesses to share documents within organisations
is likely the work of a single actor, a cybersecurity researcher
said on Monday.
Microsoft on Saturday issued an alert about "active attacks" on
SharePoint servers used within organisations. It said that
SharePoint Online in Microsoft 365, which is in the cloud, was
not hit by the exploit, also known as a "zero day" because it
was previously unknown to cybersecurity researchers.
"Based on the consistency of the tradecraft seen across
observed attacks, the campaign launched on Friday appears to be
a single actor. However, it's possible that this will quickly
change," said Rafe Pilling, Director of Threat Intelligence at
Sophos, a British cybersecurity firm.
That tradecraft included the sending of the same digital
payload to multiple targets, Pilling added.
Microsoft said it had "provided security updates and
encourages customers to install them," a company spokesperson
said in an emailed statement.
It was not clear who was behind the ongoing hack. The FBI
said on Sunday it was aware of the attacks and was working
closely with its federal and private-sector partners, but
offered no other details. Britain's National Cyber Security
Centre did not immediately respond to a request for comment.
The Washington Post said unidentified actors in the past few
days had exploited a flaw to launch an attack that targeted U.S.
and international agencies and businesses.
According to data from Shodan, a search engine that helps to
identify internet-linked equipment, over 8,000 servers online
could theoretically have already been compromised by hackers.
Those servers include major industrial firms, banks,
auditors, healthcare companies, and several U.S. state-level and
international government entities.
"The SharePoint incident appears to have created a broad
level of compromise across a range of servers globally," said
Daniel Card of British cybersecurity consultancy, PwnDefend.
"Taking an assumed breach approach is wise, and it's also
important to understand that just applying the patch isn't all
that is required here."