Hackers are currently exploiting new zero-day vulnerabilities found in Microsoft’s SharePoint server software, which is notably used by various US government agencies, including those related to national security.
This vulnerability impacts on-premises versions of SharePoint, enabling attackers to breach systems, extract data, and potentially manipulate associated services. While the cloud version remains unaffected, the on-premises variant is prevalent among numerous US institutions, universities, and private firms, highlighting broader risks beyond just internal systems.
SharePoint Zero-Day: Key Exploit Insights
The exploit was first detected on July 18 by Eye Security, a cybersecurity firm. Researchers traced it to a previously unknown vulnerability chain that gives attackers complete access to susceptible SharePoint servers without requiring any credentials. The flaw allows the theft of the machine keys used to sign authentication tokens, which means attackers can impersonate legitimate users or services even after the server has been patched or rebooted.
Eye Security notes that the exploits appear to be rooted in two vulnerabilities demonstrated at the Pwn2Own security conference earlier this year. These were initially shared as proof-of-concept research but have now been weaponized against real organizations, forming an exploit chain dubbed “ToolShell.”
SharePoint Vulnerability and Microsoft Services
Access to a compromised SharePoint server gives hackers a path into connected Microsoft services such as Outlook, Teams, and OneDrive, putting a vast array of corporate data at risk. Moreover, this access can enable prolonged intrusion, because attackers can steal the cryptographic material used to sign authentication tokens. The US Cybersecurity and Infrastructure Security Agency (CISA) is urging businesses to take action, recommending that they check for any signs of breach and isolate vulnerable servers from internet access.
Early reports indicated around 100 incidents, but researchers now believe that over 400 SharePoint servers have been compromised globally. It’s worth noting that this figure refers to servers rather than organizations specifically. The number of impacted groups is climbing, with notable targets including the National Nuclear Security Administration (NNSA). Microsoft has acknowledged that it is under attack but has not confirmed any successful breaches.
Other targeted entities involve the Department of Education, the Florida Department of Revenue, and the Rhode Island General Assembly.
Microsoft’s Response and Patches
Microsoft has acknowledged the situation and confirmed its awareness of “active attacks” exploiting this vulnerability. The company published patches for SharePoint Server 2016, SharePoint Server 2019, and SharePoint Subscription Edition; patches for all supported on-premises versions were available as of July 21.
Addressing SharePoint Security Risks
For organizations using an on-premises SharePoint server, swift action is necessary to mitigate risks and reduce potential harm:
- Disconnect vulnerable servers: To avoid further exploitation, take any unpatched SharePoint servers offline immediately.
- Install updates promptly: Apply Microsoft’s emergency patches to all affected SharePoint Server versions without delay.
- Rotate authentication keys: Change all machine keys tied to authentication tokens, as these may be compromised.
- Check for unauthorized access: Investigate any unusual login patterns or token misuse within your network.
- Enable security logging: Activate detailed logging and monitoring to help detect suspicious activities in the future.
- Review connected services: Audit access to Outlook, Teams, and OneDrive for signs of suspicious behavior tied to the SharePoint breach.
- Subscribe to threat alerts: Register for advisories from CISA and Microsoft to stay informed about patches and future exploit warnings.
- Consider cloud migration: If feasible, transition to SharePoint Online, which has enhanced security and automatic updates.
- Strengthen password protocols: Encourage the use of strong, unique passwords, and enable two-factor authentication to add a further layer of protection.
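The patch-and-rotate steps above, as an added PowerShell runbook that is not part of the article or of Microsoft's own guidance. It assumes the SharePoint Management Shell on a farm server, a farm-administrator account, that the emergency update is already installed, that the Update-SPMachineKey cmdlet is available on your SharePoint version, and that WinRM is enabled for the IIS restart on remote farm members.

```powershell
# Added example runbook (not the article's code): apply after the emergency patch.
# Run in the SharePoint Management Shell as a farm administrator on one farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Record the farm build so the installed patch level can be compared against
#    the build number listed in Microsoft's advisory for your SharePoint version.
$farm = Get-SPFarm
Write-Host "Farm build version: $($farm.BuildVersion)"

# 2. Rotate the ASP.NET machine keys for every web application, including
#    Central Administration. Stolen validation/decryption keys let an attacker
#    forge authentication tokens even on a patched server, so patching alone is
#    not enough; the keys themselves must change.
#    (Assumption: Update-SPMachineKey exists on this SharePoint version.)
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($webApp in $webApps) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# 3. Restart IIS on every SharePoint server in the farm so the new keys take
#    effect everywhere. Role "Invalid" denotes non-SharePoint servers (e.g. SQL),
#    which are skipped. (Assumption: WinRM/PowerShell remoting is enabled.)
$servers = Get-SPServer | Where-Object { $_.Role -ne "Invalid" }
foreach ($server in $servers) {
    Write-Host "Restarting IIS on $($server.Address)"
    Invoke-Command -ComputerName $server.Address -ScriptBlock { iisreset.exe /noforce }
}

# 4. Raise diagnostic logging so that follow-up investigation of token misuse
#    and unusual access has data to work with; revert to defaults once done.
Set-SPLogLevel -TraceSeverity Verbose -EventSeverity Verbose
Write-Host "Machine keys rotated and IIS restarted; review ULS and IIS logs next."
```

Run it once per farm, not once per server; the IIS restart loop already covers every farm member.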
This SharePoint zero-day incident highlights how swiftly security research can be turned into real-world attacks. What began as a theoretical proof of concept has now reached hundreds of live systems, affecting significant government organizations. The alarming aspect isn’t just the access gained: it’s that attackers can retain access even after patches are applied.
Should there be stricter regulations for safe software usage in government? Share your thoughts.