A cyberattack exploiting a zero-day vulnerability in Microsoft SharePoint Server compromised the National Treasury of South Africa. The campaign targeted on-premises SharePoint installations, allowing the threat actors to gain a foothold in critical infrastructure and exfiltrate sensitive data. Detected by the Dutch cybersecurity firm Eye Security, it leveraged unauthorized code execution on the SharePoint servers to establish persistent access. At the Treasury, the breach affected the Infrastructure Reporting Model website, posing significant risks to financial and governmental operations. The campaign's multi-stage payload delivery and its ability to operate undetected for a period mark it as advanced; it hit multiple sectors, including government entities.
Source: https://cybersecuritynews.com/microsoft-sharepoint-server-0-day-hack/
TPRM report: https://www.rankiteo.com/company/national-treasury-of-south-africa
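The root cause recorded below is a flaw in SharePoint's authentication mechanism that gave attackers unauthorized code execution on on-premises servers. One defensive consequence a practitioner can act on is that such a bypass leaves a trace in the IIS W3C logs of the SharePoint web front ends: server-side application pages (everything under /_layouts/) that SharePoint would normally serve only to an authenticated user are answered with a 2xx status to an anonymous client. The following Python script is an added, generic hunting heuristic written for this page, not code from the original article, Eye Security or Microsoft, and not a signature for any specific CVE; the sample log lines, the page names under /_layouts/ and the allow-list of pages that legitimately accept anonymous POSTs are all constructed for illustration and must be tuned to the farm being investigated.

```python
"""Hunt for anonymous 2xx write requests to SharePoint application pages in IIS W3C logs.

Heuristic: an unauthenticated POST/PUT to a page under /_layouts/ that the server
answered with 2xx is inconsistent with SharePoint's normal authentication
behaviour and is worth triage. Generic heuristic, not a CVE signature.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not real telemetry). IIS W3C format: the '#Fields:'
# header defines the column order, '-' marks an empty value, spaces in values
# (e.g. the User-Agent) are encoded as '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2025-07-19 10:01:09 10.0.0.5 GET /sites/finance/default.aspx - 443 - 10.0.1.21 Mozilla/5.0+(Windows+NT+10.0) - 401 2 5 8
2025-07-19 10:02:31 10.0.0.5 POST /_layouts/15/settings.aspx - 443 - 203.0.113.77 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 655
2025-07-19 10:02:34 10.0.0.5 POST /_layouts/15/upload.aspx - 443 - 203.0.113.77 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 41
2025-07-19 10:03:00 10.0.0.5 POST /_layouts/15/Authenticate.aspx Source=%2F 443 - 10.0.1.22 Mozilla/5.0+(Windows+NT+10.0) - 302 0 0 30
2025-07-19 10:03:15 10.0.0.5 POST /_layouts/15/settings.aspx - 443 CORP\\bob 10.0.1.23 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 210
2025-07-19 10:03:40 10.0.0.5 POST /_layouts/15/settings.aspx - 443 - 10.0.1.24 Mozilla/5.0+(Windows+NT+10.0) - 401 2 5 9
"""

# ASSUMPTION: pages that legitimately accept anonymous POSTs (e.g. forms-based
# login). Illustrative only; populate from the farm's own configuration.
ANON_POST_ALLOWLIST = {"/_layouts/15/authenticate.aspx"}


@dataclass
class Finding:
    client_ip: str
    method: str
    uri: str
    status: int
    timestamp: str


def parse_w3c(text):
    """Yield one dict per record, keyed by the names from the '#Fields:' directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("log record appears before a #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than mis-align columns
        yield dict(zip(fields, parts))


def suspicious_anonymous_writes(records):
    """Return Findings for anonymous POST/PUT requests to /_layouts/ pages answered 2xx."""
    findings = []
    for r in records:
        uri = r["cs-uri-stem"].lower()
        if not uri.startswith("/_layouts/"):
            continue  # only server-side application pages
        if r["cs-method"].upper() not in {"POST", "PUT"}:
            continue  # reads are noisy; writes are the interesting class
        if r["cs-username"] != "-":
            continue  # an authenticated principal is the expected case
        if uri in ANON_POST_ALLOWLIST:
            continue
        status = int(r["sc-status"])
        if 200 <= status < 300:  # a 401/403 here is SharePoint behaving correctly
            findings.append(Finding(r["c-ip"], r["cs-method"].upper(), uri, status,
                                    f"{r['date']} {r['time']}"))
    return findings


def group_by_client(findings):
    """Group findings per client IP so repeated hits from one source stand out."""
    by_ip = defaultdict(list)
    for f in findings:
        by_ip[f.client_ip].append(f)
    return dict(by_ip)


def hunt(log_text):
    return group_by_client(suspicious_anonymous_writes(parse_w3c(log_text)))


if __name__ == "__main__":
    for ip, hits in hunt(SAMPLE_LOG).items():
        print(f"{ip}: {len(hits)} anonymous 2xx write(s) to application pages")
        for h in hits:
            print(f"  {h.timestamp} {h.method} {h.uri} -> {h.status}")
```

On the constructed sample only the two requests from 203.0.113.77 are flagged: the authenticated POST, the denied anonymous POST (401) and the allow-listed login POST are all consistent with normal SharePoint behaviour. Treat a hit as a lead for triage (correlate with w3wp.exe child processes, new files under the web root and outbound connections from the front end), not as proof of compromise, and expect to add farm-specific pages to the allow-list before running this at scale.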
{
  "id": "nat212080925",
  "linkid": "national-treasury-of-south-africa",
  "type": "Cyber Attack",
  "date": "7/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Automotive',
                        'location': 'South Africa',
                        'name': 'Major automotive manufacturer',
                        'type': 'Private Corporation'},
                       {'industry': 'Education',
                        'location': 'South Africa',
                        'name': 'Several universities',
                        'type': 'Educational Institution'},
                       {'industry': 'Government',
                        'location': 'South Africa',
                        'name': 'Local government entities',
                        'type': 'Government Agency'},
                       {'industry': 'Government',
                        'location': 'South Africa',
                        'name': 'National Treasury',
                        'type': 'Government Agency'}],
 'attack_vector': 'Exploitation of zero-day vulnerability in Microsoft SharePoint servers',
 'data_breach': {'data_exfiltration': 'Yes',
                 'type_of_data_compromised': 'Sensitive data'},
 'description': 'A sophisticated cyberattack exploiting a zero-day vulnerability in Microsoft SharePoint servers has compromised over 400 entities globally, with significant impact across African nations including South Africa and Mauritius. The attack specifically targets on-premises SharePoint installations, exploiting previously unknown security flaws that allowed threat actors to infiltrate critical infrastructure systems belonging to government agencies, educational institutions, and private corporations.',
 'impact': {'data_compromised': 'Sensitive data',
            'systems_affected': 'On-premises SharePoint servers'},
 'initial_access_broker': {'entry_point': 'Unauthorized code execution capabilities within SharePoint’s document collaboration framework'},
 'post_incident_analysis': {'root_causes': 'Exploitation of zero-day vulnerability in SharePoint’s authentication mechanism'},
 'references': [{'source': 'Business Insider Africa'},
                {'source': 'Eye Security'}],
 'response': {'third_party_assistance': 'Dutch cybersecurity firm Eye Security'},
 'title': 'Sophisticated Cyberattack Exploiting Zero-Day Vulnerability in Microsoft SharePoint Servers',
 'type': 'Cyberattack',
 'vulnerability_exploited': 'Remote code execution vulnerability in SharePoint’s authentication mechanism'}