Your SharePoint System Under Direct Attack

  • JULY 22ND, 2025

Introduction

If your organisation uses on-premise Microsoft SharePoint servers, your systems are currently under direct and active threat. Security researchers have observed cybercriminals actively exploiting new vulnerabilities to compromise SharePoint deployments worldwide. This isn’t a future risk; it’s happening now.

These critical flaws (tracked as CVE-2025-53770 and CVE-2025-53771) stem from incomplete fixes for earlier vulnerabilities. This means even if you applied previous patches, your SharePoint might still be exposed. Microsoft confirmed these issues on July 19th, 2025, releasing urgent security bulletins and patches (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770). Don’t delay. Your organisation could be next.

The Critical Threat Explained

Attackers are exploiting these SharePoint vulnerabilities to:

  • Upload Malicious Files: They can remotely upload harmful files onto your SharePoint server.
  • Steal Sensitive Data: These files allow them to extract critical “secrets” (like cryptographic keys) from your SharePoint instance.
  • Gain Full Control: Using the stolen information, attackers can then achieve unauthenticated remote control over your SharePoint server. This means they can compromise your data, disrupt operations, or use your server as a launchpad for further attacks, all without needing your login credentials.

These attacks have already been observed across diverse sectors, including finance, education, energy, and healthcare.

Urgent Actions Required: Protect Your SharePoint Now

Organisations with on-premise SharePoint deployments (SharePoint Subscription Edition, Server 2019, Server 2016) must act immediately:

  • Apply Latest Security Updates: This is critical. Immediately apply all available Microsoft security updates for your SharePoint Server versions. (Note: A patch for Server 2016 is pending, so rigorous monitoring is even more vital for these versions.)
  • Rotate Machine Keys: After patching, immediately rotate your SharePoint Server ASP.NET machine keys. This crucial step prevents attackers who may have already stolen these keys from maintaining access even after your systems are patched.
  • Monitor for Unauthorised Files: Actively check your SharePoint’s /layouts/ directory for any unexpected or malicious .aspx files (like spinstall0.aspx). Remove any found immediately.
  • Audit Configuration Changes: Regularly inspect your SharePoint configuration files for any suspicious or unauthorised modifications.
  • Review Server Logs: Look for unusual access patterns, especially those involving the ToolPane.aspx endpoint or suspicious __VIEWSTATE activity in your server logs. This could indicate an ongoing attack attempt.
  • Disconnect (If Necessary): If immediate patching and key rotation are not possible, consider temporarily disconnecting public-facing SharePoint servers from the internet to prevent compromise.
  • Implement Layered Security: Ensure you have robust firewalls, intrusion prevention systems, and endpoint detection and response tools for additional layers of defence.
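
The log review and file monitoring steps above can be scripted. The following is an added example, not code from CIL or Microsoft: it parses IIS W3C logs and flags requests for ToolPane.aspx, requests for spinstall0.aspx, and __VIEWSTATE appearing in a query string. The sample log, the rule names and the query-string heuristic are assumptions made for illustration.

```python
# Added example: triage IIS W3C logs for the indicators this advisory names.
# The rule names and the sample log below are constructed for illustration.

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-07-20 08:01:12 GET /_layouts/15/start.aspx - 198.51.100.7 Mozilla/5.0 200
2025-07-20 08:03:40 POST /_layouts/15/ToolPane.aspx - 203.0.113.9 curl/8.0 200
2025-07-20 08:03:44 GET /_layouts/15/spinstall0.aspx - 203.0.113.9 curl/8.0 200
2025-07-20 08:05:02 GET /_layouts/15/spinstall0.aspx - 192.0.2.33 Mozilla/5.0 404
2025-07-20 08:06:10 GET /sites/hr/default.aspx __VIEWSTATE=AAAA 203.0.113.9 curl/8.0 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the log's own #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def triage(text):
    """Return (rule, client_ip, uri_stem, status) for each suspicious request."""
    hits = []
    for rec in parse_w3c(text):
        name = rec.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower()
        rules = []
        if name == "toolpane.aspx":
            rules.append("toolpane-request")
        if name == "spinstall0.aspx":
            # A 200 means the file exists on the server and was served.
            rules.append("spinstall0-served" if rec.get("sc-status") == "200"
                         else "spinstall0-probe")
        if "__viewstate" in rec.get("cs-uri-query", "").lower():
            rules.append("viewstate-in-query")  # assumed heuristic
        hits += [(r, rec.get("c-ip"), rec.get("cs-uri-stem"),
                  rec.get("sc-status")) for r in rules]
    return hits

def by_client(hits):
    """Group rule names per client IP so repeat sources stand out."""
    grouped = {}
    for rule, ip, _stem, _status in hits:
        grouped.setdefault(ip, set()).add(rule)
    return grouped
```

A "spinstall0-served" hit means the file was present when requested, so the server should be treated as compromised: remove the file, patch, and rotate the machine keys as described above.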

Conclusion: Act Fast to Secure Your Data

The active exploitation of these SharePoint vulnerabilities highlights the speed and persistence of modern cyber threats. Your organisation’s data, operations, and reputation are at risk. Proactive patching, immediate key rotation, and vigilant monitoring are not optional; they are immediate necessities. Don’t let your SharePoint become an easy target.
