Active Exploitation of Microsoft SharePoint Vulnerabilities: Threat Brief
Summary
Unit 42 has identified several vulnerabilities in Microsoft’s SharePoint product.
These vulnerabilities are being actively exploited to gain initial access.
Using this access, threat actors are stealing cryptographic material and have installed malicious web shells for persistence.
We have seen the same threat actors then use this access to pivot to other parts of the network.
If you have on-premises SharePoint, especially versions 2016 and 2019, you should assume you have been compromised and take immediate action to patch.
CID-42812472, CID-42812471, CID-42812470, CID-42812473, and CID-42812474.
Apply all relevant patches now and as they become available.
Rotate all cryptographic material and reset associated credentials.
Engage a professional incident response company to conduct a thorough compromise assessment, hunt for established backdoors and ensure the threat is fully eradicated from your environment.
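The three steps above (patch, rotate cryptographic material, hunt for backdoors) are only stated in outline. The following script is an added example of how a defender might start on the last two from an on-premises SharePoint server; it is not code from the Unit 42 brief or from Microsoft. The hive path, the baseline-file format and the use of the SharePoint cmdlets Update-SPMachineKey and Get-SPWebApplication are assumptions to verify against your own environment and the vendor documentation before use.

```powershell
# Added example (not from the brief). Run from an elevated SharePoint Management Shell.
# Part 1 lists server-side script files written recently under the SharePoint hive and
# compares them with a known-good baseline, which is where planted web shells show up.
# Part 2 (opt-in) rotates the ASP.NET machine keys SharePoint uses to sign and encrypt
# state, which is the "cryptographic material" the brief says was stolen.
param(
    # Assumed default hive location for SharePoint 2016/2019 ("16" hive).
    [string]$HiveRoot = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16',
    # Look-back window for recently created or modified files.
    [int]$Days = 30,
    # Optional baseline, assumed format: one "SHA256HEX  full\path" entry per line.
    [string]$BaselineFile,
    # Only rotate keys when explicitly asked; this invalidates existing sessions.
    [switch]$RotateKeys
)

# --- Part 1: hunt for recently written web-facing script files ---------------------
$since = (Get-Date).AddDays(-$Days)
# Extensions that IIS will execute server-side and that a web shell would use.
$extensions = @('*.aspx', '*.ashx', '*.asmx', '*.soap')

$recent = Get-ChildItem -Path $HiveRoot -Recurse -Include $extensions -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since -or $_.CreationTime -ge $since }

# Load the baseline (path -> expected hash) if one was supplied.
$baseline = @{}
if ($BaselineFile -and (Test-Path $BaselineFile)) {
    Get-Content $BaselineFile | ForEach-Object {
        $parts = $_.Trim() -split '\s+', 2
        if ($parts.Count -eq 2) { $baseline[$parts[1].ToLower()] = $parts[0].ToUpper() }
    }
}

$findings = foreach ($f in $recent) {
    $hash  = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    $known = $baseline[$f.FullName.ToLower()]
    if (-not $known)          { $status = 'NOT IN BASELINE' }
    elseif ($known -ne $hash) { $status = 'HASH MISMATCH' }
    else                      { $status = 'matches baseline' }
    [pscustomobject]@{
        Path    = $f.FullName
        Written = $f.LastWriteTime
        SHA256  = $hash
        Status  = $status
    }
}

# Newest files first; anything not matching the baseline needs manual review and
# preservation (copy, do not delete) before cleanup, so forensic evidence survives.
$findings | Sort-Object Written -Descending | Format-Table -AutoSize

# --- Part 2: rotate machine keys on every web application (opt-in) ------------------
if ($RotateKeys) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
    # Update-SPMachineKey is assumed to exist on patched 2016/2019 farms; the
    # Get-Command guard avoids a hard failure on builds that lack it.
    if (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue) {
        Get-SPWebApplication -IncludeCentralAdministration |
            ForEach-Object { Update-SPMachineKey -WebApplication $_ }
        # Recycle IIS so worker processes pick up the new keys.
        iisreset
    } else {
        Write-Warning 'Update-SPMachineKey not available; rotate keys via Central Administration instead.'
    }
}
```

Usage: run it once without switches to get the file listing, review every line marked NOT IN BASELINE or HASH MISMATCH, and only then run it again with -RotateKeys. Rotating the keys without first removing a shell, or removing the shell without rotating the keys, each leaves the attacker a way back in, which is why the brief treats the two steps as inseparable.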
Palo Alto Networks customers are protected in the following ways:
Cortex XDR agents 8.7 with content version 1870-19884 (or 1880-19902) prevent the exploitation.