Cloud-based SharePoint Online in Microsoft 365 is a different system and is not impacted, the U.S. Cyber Security and Infrastructure Defense Agency said.
Hackers are exploiting vulnerabilities in on-premises Microsoft SharePoint servers, the U.S. Cyber Security and Infrastructure Defense Agency (CISA) announced in a July 20 report.
SharePoint Servers are used by organizations to create a private intranet service that builds websites, manages document sharing, and supports other collaborative efforts within the company.
"This exploitation activity, publicly reported as 'ToolShell,' provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network," CISA said, adding that the scope and impact of the new remote code execution (RCE) attack are being assessed.
Microsoft acknowledged the issue a day earlier. In a July 19 guidance report, the company said the exploitation attempt applied to SharePoint servers only. Cloud-based SharePoint Online in Microsoft 365 is a different system and is not impacted.
The whole SharePoint suite is used by more than 200,000 organizations and 190 million people worldwide, according to the company.
The July security update only partially addresses existing vulnerabilities, Microsoft said. New security updates that fully protect customers using SharePoint Subscription Edition and SharePoint 2019 have been released.
Customers are advised to apply system updates immediately to ensure protection. Security updates for SharePoint 2016 users have not yet been released.
Microsoft posted a list of ways that customers can mitigate the attacks. They include installing the latest security updates, using supported versions of on-premises SharePoint Server, making sure the Antimalware Scan Interface is turned on and configured correctly in combination with an antivirus solution, deploying services like Microsoft Defender for Endpoint protection, and rotating SharePoint Server ASP.NET machine keys.
More technical details for advanced hunting techniques and other mitigation efforts are on the Microsoft website.
CISA Recommendations
To reduce risks associated with the RCE exploitation attempt, CISA has several recommendations for organizations. It reiterated Microsoft's guidance on activating Antimalware Scan Interface (AMSI) and MS Defender on all servers.