
SharePoint exploit reveals weakness in on-prem software, Microsoft issues guidance

“My gut feeling says it’s one group,” one executive says.


An exploit affecting SharePoint servers was utilized by hackers across the world in mid-July, prompting Microsoft to issue guidance on how to avoid the danger.

The exploit is a remote-code execution attack that uses internal flaws in the system that are “typically specific to a product’s authentication logic rather than memory corruption, so failed attempts rarely cause crashes or instability,” Ben McCarthy, Immersive lead cybersecurity engineer, told IT Brew in an email.

“In the case of SharePoint, if compromised, the rest of the domain can quickly fall,” McCarthy added. “This is not only because of high privileges and user traffic, but also because IT teams still store passwords, keys, and secrets on them, trusting the permission model for security.”

Detective work. MDR (managed detection and response) firm Eye Security uncovered the exploit, writing in a July 19 post that it “discovered dozens of systems actively compromised during two waves of attack, on 18th of July around 18:00 UTC and 19th of July around 07:30 UTC.”

The attacks targeted US government servers, as well as energy companies and universities. Attacks were seen in North America, the EU, South Africa, and Australia, Eye Security Co-Founder Vaisha Bernard told Bloomberg. The Washington Post found that China was also a target.

“My gut feeling says it’s one group,” Bernard said.


SharePoint operates both on the cloud and on-prem; it’s the latter version of the software that’s under attack. CISA Acting Executive Assistant Director for Cybersecurity Chris Butera, in an emailed comment via spokesperson Jared Auchey, told IT Brew that the vulnerability opens the door to malicious usage by threat actors inside the system.

“Publicly reported as ‘ToolShell,’ the exploitation provides unauthorized access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network,” Butera said.

To the source. In a comment provided to IT Brew, Microsoft spokesperson Brian Gluckman of WE Communications said that the company’s blog post should answer most questions about the exploit.

“Microsoft has provided security updates and encourages customers to install them,” Gluckman said. “We’ve been coordinating closely with CISA, DOD Cyber Defense Command, and key cybersecurity partners around the world throughout our response.”

Microsoft’s guidance for addressing the problem includes applying security updates (linked by software product in the post) as well as configuring integration of Antimalware Scan Interface (AMSI) into SharePoint systems. If that’s not possible, the company added, then “consider disconnecting your server from the internet until a security update is available.”
