Serious SharePoint vulnerability: 100 organizations already compromised over the weekend
Work to close the SharePoint security vulnerability is underway, and analysis of who exploited it has begun. The number of victims is increasing.
Even before Microsoft had released the first patches for the serious "ToolShell" vulnerability in self-hosted versions of SharePoint, the installations of around 100 organizations had been compromised. This was reported by the news agency Reuters, citing the security company Eye Security, which made the vulnerability public and analyzed the attacks on it. Meanwhile, the Washington Post, citing Google's security department Mandiant, adds that at least one of the actors responsible for the first wave of attacks has been traced back to China. According to one of these initial analyses, most of the compromised installations were located in the USA and Germany.
Microsoft made the existence of the critical vulnerability in the on-premises versions of SharePoint public at the weekend. Even then, the US company stated that it was aware of attacks on the vulnerable servers, but there was initially no patch. Microsoft merely stated that users should protect themselves with "Microsoft Defender Antivirus". The first updates were later made available for two SharePoint versions, but installing them is not enough on its own to provide protection. Microsoft expressly points out that the ASP.NET "machine keys" must always be rotated after the update, which involves an IIS restart.
While Microsoft, those responsible for SharePoint installations and the IT security industry continue to work on closing the vulnerability, the search is on for those who have exploited it. TechCrunch quotes an IT security expert who has observed that the first attacks were directed against a comparatively small number of targets. Now that the vulnerability has become known, many more actors are likely to be attempting attacks. There was repeated talk of around 9000 to 10,000 vulnerable SharePoint instances before the patches became available. According to findings from Eye Security quoted by the Washington Post, the first victims included a large energy company and several government institutions in Europe.
(mho)