Microsoft issued an alert about “active attacks” targeting its server software and urged customers to install new security updates that have been released.
Microsoft’s Security Response Center said in a blog post over the weekend that the attacks target on-premises SharePoint Server customers and exploit vulnerabilities that were only partially addressed by a July security update.
Cloud-based SharePoint Online in Microsoft 365 isn’t affected, it said.
Organizations typically use Microsoft SharePoint to create intranet websites, store and organize information, and facilitate file-sharing among workers.
The U.S. Cybersecurity and Infrastructure Security Agency on Sunday said it is aware of active exploitation of the vulnerability, which it said allowed hackers to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.
“These exploits are real, in-the-wild, and pose a serious threat,” cybersecurity company Palo Alto Networks said. “We are observing active global exploitation of critical Microsoft SharePoint [vulnerabilities],” it wrote in a post on X.
Microsoft has since released security updates that “fully protect customers” using SharePoint Subscription Edition and SharePoint 2019 against the risks, it said on X, adding that it is working on updates for SharePoint 2016.
“We’ve been coordinating closely with CISA, DOD Cyber Defense Command and key cybersecurity partners globally throughout our response,” a Microsoft spokesperson said.
Microsoft also said that if customers can’t enable the recommended protection against malware, they should disconnect their servers from the internet until a security update is available.
Charles Carmakal, chief technology officer of Mandiant, a cybersecurity company acquired by Google Cloud in 2022, described the issue as a zero-day vulnerability and said Microsoft’s guidance is “uniquely urgent and drastic.”
“This threat campaign is active and evolving…. This isn’t an ‘apply the patch and you’re done’ situation,” he said in a LinkedIn post. Companies need to assume that they have been compromised and investigate accordingly, he said.
