Urgent Security Alert: Patch Your SharePoint Servers Now to Block Active “ToolShell” Attacks
If your organization uses Microsoft SharePoint Server, this is a critical security announcement you cannot afford to ignore. Sophisticated threat actors are actively exploiting a pair of severe vulnerabilities to achieve full remote code execution (RCE) on unpatched servers. This attack chain allows an unauthenticated attacker to gain complete control over your SharePoint environment.
The urgency of this threat prompted the release of emergency, out-of-band security patches. Applying these updates immediately is the single most important action you can take to protect your data and infrastructure.
This isn’t a theoretical risk; these vulnerabilities are being actively used in the wild in targeted attacks. Let’s break down what’s happening and what you need to do right now.
How the SharePoint Attack Works: A Devastating Two-Part Chain
The current attacks rely on chaining two distinct vulnerabilities together. When combined, they provide a seamless path for an attacker to go from having zero access to gaining full administrator control and executing malicious code.
The Unlocked Door (CVE-2023-29357): This is a critical privilege escalation vulnerability. It allows a remote attacker to bypass authentication checks and gain administrator privileges on the SharePoint server without needing any credentials. Essentially, an attacker can simply impersonate an authenticated user, including an administrator, giving them the keys to the kingdom.
The Malicious Payload (CVE-2023-24955): Once the attacker has gained admin rights using the first vulnerability, they leverage this second flaw—a code injection vulnerability. This allows them to execute arbitrary code on the compromised server. This is the step where they deploy malware, establish persistent access, and begin their malicious activities.
The combination of these two flaws creates a worst-case scenario: an unauthenticated remote code execution exploit. Attackers can fully compromise a server without needing to trick a user or steal a password.
What is the “ToolShell” Webshell?
Security researchers have observed that once a server is compromised using this attack chain, the attackers often deploy a specific piece of malware known as “ToolShell.”
A webshell is a malicious script uploaded to a server that gives an attacker a persistent backdoor. The “ToolShell” implant allows threat actors to:
- Execute system commands on the server.
- Upload and download files.
- Steal sensitive data stored on SharePoint.
- Move laterally across your network to compromise other systems.
The use of such a tool indicates that these attacks are not random acts of vandalism. They are often associated with Advanced Persistent Threat (APT) groups, which are typically state-sponsored actors focused on espionage and long-term data theft.
Which SharePoint Versions Are at Risk?
This vulnerability affects on-premise installations of Microsoft SharePoint Server. If you are using any of the following versions, your servers are vulnerable and require immediate patching:
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Server 2016
- Microsoft SharePoint Server Subscription Edition
It is important to note that SharePoint Online is not affected by this vulnerability, as Microsoft manages the infrastructure and has already applied the necessary mitigations.
Your Immediate Action Plan: How to Secure Your Servers
Time is of the essence. Assume that your public-facing SharePoint servers are being actively scanned for these vulnerabilities. Follow these steps immediately to secure your environment.
Apply the Emergency Patches Now: This is your top priority. Microsoft released these updates outside of the normal “Patch Tuesday” cycle due to the extreme severity and active exploitation of these flaws. Do not wait for your next scheduled maintenance window.
Verify Successful Installation: After deploying the patches, verify that the update was installed correctly and that your SharePoint farm health is normal. A failed patch installation can leave you exposed.
Hunt for Signs of Compromise: Because this vulnerability has been exploited in the wild, you must check your servers for any Indicators of Compromise (IOCs). Look for:
- Suspicious Files: Scrutinize your server’s web directories for any unfamiliar
.aspxor other script files. The “ToolShell” webshell would likely be placed in a location accessible from the internet. - Unusual Network Traffic: Monitor for unexpected outbound connections from your SharePoint servers to unknown IP addresses.
- Anomalous Processes: Check for strange processes or services running on the server that you do not recognize.
- Review Logs: Examine SharePoint ULS logs, Windows Event Logs, and web server logs for any unusual activity, especially around the time the vulnerabilities were disclosed.
- Suspicious Files: Scrutinize your server’s web directories for any unfamiliar
Strengthen Your Security Posture: Use this incident as an opportunity to review and harden your server security. Ensure you are following best practices like the principle of least privilege, network segmentation, and robust monitoring to detect and respond to threats more effectively in the future.
In today’s threat landscape, proactive defense and rapid response are non-negotiable. The “ToolShell” attacks are a stark reminder that even trusted platforms like SharePoint can become targets. Taking decisive action now will prevent a minor incident from becoming a major security breach.
Source: https://securityaffairs.com/180197/hacking/microsoft-issues-emergency-patches-for-sharepoint-zero-days-exploited-in-toolshell-attacks.html
