
Critical Microsoft SharePoint Zero-Day Under Active Exploitation: Google Threat Experts Warn Immediate Action Required
Unlike typical vulnerabilities addressed via a routine patch, this zero-day poses a more complex challenge. Organisations running on-premises SharePoint instances exposed to the internet are at immediate risk, according to Charles Carmakal, CTO of Mandiant Consulting (Google Cloud). In guidance shared via LinkedIn, Carmakal stressed that applying mitigations immediately is critical, and organizations should assume potential compromise has already occurred.
"This isn't an 'apply the patch and you're done' situation," Carmakal advised. He emphasised a multi-step response: implement available mitigations now, patch as soon as Microsoft releases an update, investigate for signs of compromise, and remediate accordingly.
Microsoft has yet to release an official patch but is expected to issue an emergency out-of-cycle update in response to the active exploitation. Notably, Microsoft 365's SharePoint Online is not impacted.
The Google Threat Intelligence team has identified ongoing attacks where cybercriminals gain persistent, unauthenticated access, enabling long-term intrusion capabilities on victim networks. Organizations are urged to move quickly to mitigate potential damage.
The situation highlights the increasing importance of real-time intelligence sharing between cloud providers and software vendors, as attackers increasingly target widely deployed enterprise platforms with zero-day exploits.
Related Articles


NZ Herald, 8 hours ago
Trump targets ‘woke AI' with new federal contract rules
Experts on the technology say the answer to both questions is murky. Some lawyers say the prospect of the Trump Administration shaping what AI chatbots can and can't say raises First Amendment issues.

[Photo caption: Experts warn the order raises First Amendment issues and question the feasibility of bias-free AI. Photo / Getty Images]

'These are words that seem great – "free of ideological bias",' said Rumman Chowdhury, executive director of the non-profit Humane Intelligence and former head of machine learning ethics at Twitter. 'But it's impossible to do in practice.'

The concern that popular AI tools exhibit a liberal skew took hold on the right in 2023, when examples circulated on social media of OpenAI's ChatGPT endorsing affirmative action and transgender rights or refusing to compose a poem praising Trump. It gained steam last year when Google's Gemini image generator was found to be injecting ethnic diversity into inappropriate contexts – such as portraying black, Asian and Native American people in response to requests for images of Vikings, Nazis or America's 'Founding Fathers'. Google apologised and reprogrammed the tool, saying the outputs were an inadvertent by-product of its effort to ensure that the product appealed to a range of users around the world.

ChatGPT and other AI tools can indeed exhibit a liberal bias in certain situations, said Fabio Motoki, a lecturer at the University of East Anglia. In a study published last month, he and his co-authors found that OpenAI's GPT-4 responded to political questionnaires by evincing views that aligned closely with those of the average Democrat. But assessing a chatbot's political leanings 'is not straightforward', he added. On certain topics, such as the need for US military supremacy, OpenAI's tools tend to produce writing and images that align more closely with Republican views. And other research, including an analysis by the Washington Post, has found that AI image generators often reinforce ethnic, religious and gender stereotypes.

AI models exhibit all kinds of biases, experts say. It's part of how they work. Chatbots and image generators draw on vast quantities of data ingested from across the internet to predict the most likely or appropriate response to a user's query. So they might respond to one prompt by spouting misogynist tropes gleaned from an unsavoury anonymous forum – then respond to a different prompt by regurgitating DEI policies scraped from corporate hiring policies.

[Photo caption: Trump's AI plan: Federal contracts for bias-free models only. Photo / 123RF]

Training an AI model to avoid such biases is notoriously tricky, Motoki said. You could try to do it by limiting the training data, paying humans to rate its answers for neutrality, or writing explicit instructions into its code. All three approaches come with limitations and have been known to backfire by making the model's responses less useful or accurate. 'It's very, very difficult to steer these models to do what we want,' he said. Google's Gemini blooper was one example. Another came this year, when Elon Musk's xAI instructed its Grok chatbot to prioritise 'truth-seeking' over political correctness – leading it to spout racist and anti-Semitic conspiracy theories and at one point even refer to itself as 'mecha-Hitler'.

[Photo caption: The Google Gemini app, an AI-based, multimodal chatbot developed by Google. Photo / Getty Images]

Political neutrality, for an AI model, is simply 'not a thing', Chowdhury said. 'It's not real.' For example, she said, if you ask a chatbot for its views on gun control, it could equivocate by echoing both Republican and Democratic talking points, or it might try to find the middle ground between the two. But the average AI user in Texas might see that answer as exhibiting a liberal bias, while a New Yorker might find it overly conservative. And to a user in Malaysia or France, where strict gun control laws are taken for granted, the same answer would seem radical.

How the Trump Administration will decide which AI tools qualify as neutral is a key question, said Samir Jain, vice-president of policy at the non-profit Centre for Democracy and Technology. The executive order itself is not neutral, he said, because it rules out certain left-leaning viewpoints but not right-leaning viewpoints. The order lists 'critical race theory, transgenderism, unconscious bias, intersectionality, and systemic racism' as concepts that should not be incorporated into AI models. 'I suspect they would say anything providing information about transgender care would be "woke",' Jain said. 'But that's inherently a point of view.'

Imposing that point of view on AI tools produced by private companies could run the risk of a First Amendment challenge, he said, depending on how it's implemented. 'The Government can't force particular types of speech or try to censor particular viewpoints, as a general matter,' Jain said. However, the Administration does have some latitude to set standards for the products it purchases, provided its speech restrictions are related to the purposes for which it's using them.

Some analysts and advocates said they believe Trump's executive order is less heavy-handed than they had feared. Neil Chilson, head of AI policy at the right-leaning non-profit Abundance Institute, said the prospect of an overly prescriptive order on 'woke AI' was the one element that had worried him in advance of Trump's AI plan, which he generally supported. After reading the order, he said that those concerns were 'overblown' and he believes the order 'will be straightforward to comply with'.

Mackenzie Arnold, director of US policy at the Institute for Law and AI, a nonpartisan think-tank, said he was glad to see the order makes allowances for the technical difficulty of programming AI tools to be neutral and offers a path for companies to comply by disclosing their AI models' instructions. 'While I don't like the styling of the EO on "preventing woke AI" in government, the actual text is pretty reasonable,' he said, adding that the big question is how the Administration will enforce it. 'If it focuses its efforts on these sensible disclosures, it'll turn out okay,' he said. 'If it veers into ideological pressure, that would be a big misstep and bad precedent.'


Techday NZ, 14 hours ago
Microsoft SharePoint zero-day flaw prompts urgent global response
Organisations around the world are racing to mitigate the impact of a critical zero-day vulnerability in Microsoft's SharePoint server software, which has already been implicated in a series of significant security breaches and is being actively exploited by threat actors, including alleged Chinese nation-state groups.

The flaw, catalogued as CVE-2025-53770, was revealed last week after several cyber security researchers, including Microsoft and Google's Threat Intelligence Group, published emergency advisories. Microsoft has clarified that the vulnerability affects only on-premises versions of SharePoint. SharePoint Online, the cloud-based variant included in Microsoft 365, is not impacted by this zero-day flaw.

The urgency of the threat became clear after Eye Security researchers published findings that highlighted "active, large-scale exploitation" of the flaw, which they related to a set of vulnerabilities coined "ToolShell." Attackers who successfully exploit CVE-2025-53770 can access sensitive MachineKey configuration details on vulnerable servers, including the validationKey and decryptionKey. These critical parameters can then be used to craft specially designed requests that enable unauthenticated remote code execution, effectively giving attackers full control over the targeted servers.

Late-breaking fixes for SharePoint Server 2019 and SharePoint Subscription Edition have been made available, with a patch for SharePoint Server 2016 expected to follow. Organisations are being urged to conduct incident response investigations, apply available patches, and closely review Microsoft's temporary mitigation instructions to limit exposure.

In recent reports, the scope and impact of the exploit have become clearer. More than 100 servers across at least 60 global organisations, including critical infrastructure such as the US National Nuclear Security Administration, have reportedly been breached via the vulnerability. Cyber security analysts have attributed the campaign to Chinese state-linked groups, among them Linen Typhoon, Violet Typhoon, and Storm-2603. These groups are said to have used stolen credentials to establish persistent access, potentially enabling ongoing espionage even after patches are applied.

According to Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, attackers are using the vulnerability to install webshells - malicious scripts that provide ongoing unauthorised access - and to exfiltrate cryptographic secrets from compromised servers. This presents a substantial risk to organisations, as it allows persistent, unauthenticated access by malicious actors. "If your organisation has on-premises Microsoft SharePoint exposed to the internet, you have an immediate action to take," Carmakal said. He stressed that mitigation steps must be implemented without delay, as well as the application of patches as they become available. "This isn't an 'apply the patch and you're done' situation. Organisations need to assume compromise, investigate for any evidence of prior intrusion, and take appropriate remediation actions."

Satnam Narang, Senior Staff Research Engineer at Tenable, warned of the widespread consequences, stating: "The active exploitation of the SharePoint zero-day vulnerability over the weekend will have far-reaching consequences for those organisations that were affected. Attackers were able to exploit the flaw to steal MachineKey configuration details, which could be used to gain unauthenticated remote code execution." Narang added that early signs of compromise could include the presence of a file named although it might carry a different extension in some cases.

Bob Huber, Chief Security Officer and President of Public Sector at Tenable, commented: "The recent breach of multiple governments' systems […] is yet another urgent reminder of the stakes we're facing. This isn't just about a single flaw, but how sophisticated actors exploit these openings for long-term gain." Huber noted that because Microsoft's identity stack is so deeply embedded in government and corporate environments, a breach in SharePoint can create "a massive single point of failure." He argued for a more proactive, preventative approach to cyber security, emphasising the need for exposure management platforms that provide unified oversight across complex infrastructures.

For now, the coordinated response by vendors, security firms, and government agencies continues, as organisations track for signs of compromise and await further guidance on long-term remediation. The incident serves as a stark reminder of the intricate cyber threats faced by modern institutions, and the pressing need for rigorous, ongoing defence strategies against ever-evolving adversaries.


NZ Herald, 2 days ago
Google's AI investments drive $28.2b profit amid legal battles
Ad revenue at YouTube continues to grow, along with the video platform's subscription services, Alphabet reported.

[Photo caption: YouTube's ad revenue and premium subscriptions are rising. Photo / Getty Images]

Alphabet's cloud computing business is on pace to bring in US$50b over the course of the year, according to the company. 'With this strong and growing demand for our cloud products and services, we are increasing our investment in capital expenditures in 2025 to approximately [US]$85 billion and are excited by the opportunity ahead,' Pichai said.

Alphabet shares were essentially flat in after-market trades that followed the release of the earnings figures. Investors have been watching closely to see whether the tech giant may be pouring too much money into artificial intelligence and whether AI-generated summaries of search results will translate into fewer opportunities to serve up money-making ads.

The internet giant is dabbling with ads in its new AI Mode for online search, a strategic move to fend off competition from ChatGPT while adapting its advertising business for an AI age. The integration of advertising has been a key question accompanying the rise of generative AI chatbots, which have largely avoided interrupting the user experience with marketing messages. However, advertising remains Google's financial bedrock.

Google and its rivals are spending billions of dollars on data centres and more for AI, while the rise of DeepSeek, the lower-cost model from China, raises questions about how much needs to be spent.

[Photo caption: DeepSeek, one of Google's competitors, raises concerns over data centre spending. Photo / Getty Images]

Anti-trust battles

Meanwhile, the online ad business that generates the cash Google invests in its future could be neutered due to a defeat in a US anti-trust case. During the US summer of 2024, Google was found guilty by a federal judge in Washington of illegal practices it used in order to establish and maintain its monopoly in online search. The Justice Department is now demanding remedies that could transform the digital landscape: Google's divestiture from its Chrome browser and a ban on entering exclusivity agreements with smartphone manufacturers to install the search engine by default. District Judge Amit Mehta is considering 'remedies' in a decision expected in the coming days or weeks.

In another legal battle, a different US judge ruled this year that Google wielded monopoly power in the online ad technology market, another legal blow that could rattle the tech giant's revenue engine. District Court Judge Leonie Brinkema ruled that Google built an illegal monopoly over ad software and tools used by publishers. Combined, the courtroom defeats have the potential to split Google up and curb its influence. Google said it is appealing both rulings.

– Agence France-Presse