Batten Down the Hatches on Your SharePoint Servers


It’s been a busy weekend for Microsoft. Some of the company’s customers spent the last couple of days fending off zero-day attacks that reportedly targeted businesses and government organizations. Microsoft has begun releasing fixes for the vulnerability, which affects on-premises SharePoint Server. Microsoft 365, which was the target of a massive cyberattack a few months ago, doesn’t appear to be affected.

Microsoft announced the attacks on Saturday, saying it was aware of “active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update.” A zero-day attack exploits a vulnerability for which no patch is yet available. Microsoft addressed a related vulnerability in its July 8 Patch Tuesday update, but the attackers are using a variant that the fix did not fully cover.

The good news is that SharePoint Online in Microsoft 365 isn’t affected by this vulnerability. Unfortunately, many companies are finding that their on-premises SharePoint servers have already been compromised. Security writer and former Washington Post reporter Brian Krebs noted that successful attacks leave a backdoor, known as ToolShell, on the system.


According to the Cybersecurity and Infrastructure Security Agency (CISA), the attackers are exploiting a variant of a previously known vulnerability. Once ToolShell is in place, an attacker can execute code on the SharePoint server over the network and gain access to sensitive data, including the server’s file system and internal configuration.

Microsoft has already released fixes for SharePoint Server Subscription Edition and SharePoint Server 2019, but it hasn’t published a fix for SharePoint Server 2016 as of Monday afternoon.

The software giant also has instructions for hardening SharePoint Server: confirm that the Antimalware Scan Interface (AMSI) integration is enabled, deploy Microsoft Defender on the SharePoint servers, and rotate the servers’ ASP.NET machine keys. Key rotation matters because a server that was already compromised may have had its keys stolen, and installing the patch alone does not change them. AMSI is probably already on, since it has been enabled by default since a 2023 update, but it is a critical setting to verify. According to Microsoft, if you can’t enable AMSI, you should disconnect the server from the internet until you can apply the appropriate update.
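For administrators who want to walk through those three steps at the console, here is an added example of what that looks like in the SharePoint Management Shell on a farm server. It is not code from the article or from Microsoft: the web application URL is a placeholder, the per-web-application AMSI property name is an assumption to confirm against Microsoft’s AMSI-for-SharePoint documentation, and while Set-SPMachineKey and Update-SPMachineKey are the cmdlets SharePoint ships for key rotation, check their parameters for your server version before running this on production.

```powershell
# Added example, not from the article or from Microsoft. Run in an elevated
# SharePoint Management Shell on a farm server, after installing the security update.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$WebAppUrl = "https://sharepoint.corp.example"   # placeholder; replace with your web app URL

# 1. Record the installed build so you can compare it with the fixed build for your
#    edition (Subscription Edition, 2019 or 2016) in Microsoft's advisory.
$farm = Get-SPFarm
Write-Host "Farm build: $($farm.BuildVersion)"
Get-SPProduct -Local | Format-List ProductName, PatchableUnitDisplayNames

# 2. AMSI hands request content to whichever antimalware engine is registered on the
#    box. If Defender's engine and real-time protection are off, AMSI has nothing to
#    scan with, so check that first.
$mp = Get-MpComputerStatus
if (-not ($mp.AMServiceEnabled -and $mp.RealTimeProtectionEnabled)) {
    Write-Warning "Defender engine or real-time protection is disabled; AMSI cannot scan requests."
}

# 3. SharePoint's own AMSI switch is per web application. "AmsiEnabled" is my ASSUMED
#    property name; confirm it in Microsoft's documentation before relying on this check.
$wa = Get-SPWebApplication -Identity $WebAppUrl
$amsi = $wa.Properties["AmsiEnabled"]
if ($amsi -ne $true) {
    Write-Warning "AMSI integration for $WebAppUrl is not confirmed enabled (value: '$amsi'). Microsoft's guidance: enable it or take the server offline."
}

# 4. Capture the current validationKey from web.config so we can prove rotation happened.
$zone    = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
$cfgPath = Join-Path $wa.IisSettings[$zone].Path.FullName "web.config"
$before  = ([xml](Get-Content $cfgPath)).configuration.'system.web'.machineKey.validationKey

# 5. Rotate the ASP.NET machine keys for every web application, including Central
#    Administration. Set-SPMachineKey generates new keys in the configuration database;
#    Update-SPMachineKey writes them into web.config on this server.
foreach ($app in Get-SPWebApplication -IncludeCentralAdministration) {
    Set-SPMachineKey    -WebApplication $app
    Update-SPMachineKey -WebApplication $app
}

# 6. Restart IIS so the new keys take effect, then verify the key really changed.
iisreset.exe | Out-Null
$after = ([xml](Get-Content $cfgPath)).configuration.'system.web'.machineKey.validationKey
if ($after -eq $before) {
    Write-Warning "validationKey in $cfgPath did not change; rotation did not reach this server."
} else {
    Write-Host "Machine keys rotated for $WebAppUrl; repeat Update-SPMachineKey and iisreset on every other farm server."
}
```

Run the update and restart on every server in the farm, not just the one where you generated the keys, or the servers will disagree about which keys are valid and users will start seeing ViewState errors.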

Reporting by Reuters indicates that more than 100 organizations in the US, Britain, and Germany have fallen victim to the attack. The attackers may be sponsored by a foreign government; according to early reports, many of the victims are government agencies. As damaging as the attack already is, other groups could pile on now that the technique is known, which makes it imperative that organizations download and install the security updates Microsoft has provided. As Reuters notes, thousands of servers could be at risk.
