
Active Exploitation of Microsoft SharePoint Zero-Day Vulnerabilities: Guidance for Enterprise Response


A coordinated wave of targeted cyber intrusions has been identified exploiting newly discovered zero-day vulnerabilities affecting on-premises Microsoft SharePoint servers. The vulnerabilities allow unauthenticated remote code execution and can lead to full compromise of the affected environment if not promptly addressed.
These issues are currently being exploited in the wild and affect multiple supported versions of SharePoint Server. While cloud-hosted SharePoint Online instances remain unaffected, on-premises deployments are exposed and require urgent administrative attention.

Nature of the Vulnerability
The exploit chain enables remote attackers to deploy malicious payloads through unpatched SharePoint web services. Once inside, the attackers can harvest cryptographic keys and establish persistence. This permits ongoing access even after routine patching, unless key material is properly rotated.

Microsoft's Response
Microsoft has issued out-of-band security updates to mitigate the vulnerabilities. These patches are available for the SharePoint Server Subscription Edition and SharePoint Server 2019. Updates for SharePoint Server 2016 are pending. Microsoft has also released technical guidance for defenders to identify indicators of compromise and secure exposed systems.

Recommendations for Enterprise IT and Security Teams
Organisations using on-premises SharePoint must treat this situation as active and high-risk.

The following steps are strongly advised:

  • Apply the latest security patches
    Install Microsoft's out-of-band updates as a matter of urgency. Do not assume previous patch levels offer protection.
  • Rotate cryptographic machine keys
    If exploitation is suspected, rotate the ASP.NET machine keys used by SharePoint and restart all relevant services. This prevents re-use of stolen keys for authentication bypass.
  • Conduct forensic review and threat hunting
    Review server logs for signs of unauthorised file uploads or suspicious requests. Monitor for known malicious payloads and reverse shells.
  • Limit external exposure
    Where possible, restrict SharePoint access to internal networks or VPN, and consider removing affected servers from public-facing roles until fully secured.
  • Enable advanced endpoint protection
    Use endpoint security products capable of scanning within SharePoint processes. Enabling Antimalware Scan Interface (AMSI) integration is particularly effective.
  • Validate configurations post-patch
    After remediation, ensure web.config files and key material have not been tampered with, and confirm no unauthorised service accounts or privileges have been created.
  • Communicate with executive leadership
    Provide board-level or senior leadership updates regarding exposure, mitigations in progress, and business impact. Transparency and rapid response are key to maintaining trust.
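As an added example (not part of this press release, and not code from Microsoft or IntroSecurity), the PowerShell below implements the offline parts of two of the steps above: triaging IIS request logs for state-changing requests to SharePoint layout and service endpoints, and checking web.config files and their machineKey element against a recorded baseline. It assumes the default IIS W3C log field set, the default SharePoint virtual-directory path, and uses constructed sample log lines and a placeholder baseline hash; the watch-path heuristics are a defender's starting point to be tuned to the farm, not indicators from the advisory.

```powershell
# Added example, not from the original advisory. Paths, baseline values and
# sample log lines are constructed for illustration.

# --- 1. Triage IIS W3C logs for successful write requests to SharePoint endpoints ---
# IIS logs (default %SystemDrive%\inetpub\logs\LogFiles\W3SVC<id>\u_ex*.log) are
# space-separated, with a '#Fields:' header naming each column.
function Get-SuspiciousSharePointRequests {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        # Heuristic chosen for this example: POST/PUT to page-rendering or web-service
        # paths that returned 200. Tune the list to what is normal for your farm.
        [string[]] $WatchPaths = @('/_layouts/', '/_vti_bin/', '/_controltemplates/')
    )
    $fields = $null
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $cols = $line -split ' '
        if ($cols.Count -ne $fields.Count) { continue }   # skip malformed lines
        $r = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $r[$fields[$i]] = $cols[$i] }

        $isWrite  = $r['cs-method'] -in @('POST', 'PUT')
        $hitsPath = ($WatchPaths | Where-Object { $r['cs-uri-stem'] -like "*$_*" }).Count -gt 0
        $isAspx   = $r['cs-uri-stem'] -match '\.aspx$'
        $ok       = $r['sc-status'] -eq '200'
        if ($isWrite -and $hitsPath -and $isAspx -and $ok) {
            [pscustomobject]@{
                Time   = "$($r['date']) $($r['time'])"
                Client = $r['c-ip']
                Method = $r['cs-method']
                Path   = $r['cs-uri-stem']
                Query  = $r['cs-uri-query']
                Agent  = $r['cs(User-Agent)']
            }
        }
    }
}

# --- 2. Verify web.config and its machineKey element against a known-good baseline ---
# $Baseline maps each web.config path to the SHA-256 recorded before the incident.
function Test-SharePointConfigIntegrity {
    param([Parameter(Mandatory)] [hashtable] $Baseline)
    foreach ($path in $Baseline.Keys) {
        $result = [ordered]@{ Path = $path; Exists = $false; HashMatches = $false; MachineKeyPresent = $null }
        if (Test-Path $path) {
            $result.Exists = $true
            $actual = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            $result.HashMatches = ($actual -eq $Baseline[$path])
            # A <machineKey> element means keys are statically configured in this file;
            # after rotation its validationKey/decryptionKey values must have changed.
            [xml]$cfg = Get-Content -Path $path -Raw
            $result.MachineKeyPresent = [bool]$cfg.SelectSingleNode('//system.web/machineKey')
        }
        [pscustomobject]$result
    }
}

# Constructed sample lines in IIS W3C format (not real traffic; endpoint name is a placeholder)
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-20 03:14:07 10.0.0.5 GET /sites/finance/default.aspx - 443 CONTOSO\alice 10.0.1.20 Mozilla/5.0 - 200 0 0 130
2025-07-20 03:14:09 10.0.0.5 POST /_layouts/15/example-placeholder.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 210
'@ -split "`r?`n"

# Only the second request matches the heuristic.
Get-SuspiciousSharePointRequests -LogLines $sample | Format-Table -AutoSize

# Default SharePoint web-application directory (assumed); the hash is a placeholder.
$baseline = @{ 'C:\inetpub\wwwroot\wss\VirtualDirectories\80\web.config' = '<SHA256 recorded at baseline>' }
Test-SharePointConfigIntegrity -Baseline $baseline | Format-List
```

Run the log triage against a copy of the logs taken before any remediation so the evidence is preserved, and record the baseline hashes immediately after a verified clean install or patch so that post-patch validation has something trustworthy to compare against.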

Final Note
This incident highlights the ongoing risks of managing legacy or on-premises infrastructure. Where possible, organisations are encouraged to evaluate migration paths to cloud platforms with modern security controls and managed update cycles.

Security teams should assume active exploitation is ongoing and respond with full incident management procedures, including potential engagement with external incident response partners.

Press Release by IntroSecurity ASEAN

Media Contact

Karl Dimascio

