Latest news with #ChrisButera
Yahoo
21 hours ago
- Yahoo
Microsoft, CISA warn of cyberattacks targeting on-premises SharePoint servers
This story was originally published on Cybersecurity Dive.

Microsoft on Saturday warned that hackers are exploiting a critical vulnerability in SharePoint, dubbed ToolShell, to launch attacks against on-premises customers. The vulnerability, tracked as CVE-2025-53770, involves deserialization of untrusted data and is a variant of CVE-2025-49706.

The Cybersecurity and Infrastructure Security Agency (CISA) on Sunday said the vulnerability can allow a malicious adversary to gain full access to SharePoint content, including file systems and internal configurations.

'CISA was made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action,' Chris Butera, acting executive assistant director for cybersecurity, said in a statement. 'Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations.'

The agency urged all organizations with on-premise Microsoft SharePoint servers to rapidly implement mitigations. Microsoft on Sunday released security updates for CVE-2025-53770 and a related flaw, CVE-2025-53771, and urged customers to immediately apply the patches.

Hackers have already breached dozens of vulnerable systems in at least two attack waves, according to researchers at Eye Security, which first disclosed the flaw on Saturday and said they had scanned more than 8,000 SharePoint servers worldwide. Researchers from watchTowr said exploitation may have begun as early as July 16.

The attacks have compromised at least two federal agencies in the U.S., as well as multiple European government agencies and a U.S. energy company, The Washington Post reported. The Multi-State Information Sharing and Analysis Center has already notified more than 150 actively targeted state and local government agencies, a spokesperson told Cybersecurity Dive. It said it had detected more than 1,100 vulnerable servers, including some belonging to K-12 school districts and universities.

Google's Threat Intelligence Group has observed hackers installing Web shells and stealing cryptographic secrets from targeted servers, an executive said on LinkedIn. Shadowserver on Sunday said it was tracking 9,300 exposed IPs and was working with watchTowr and Eye Security to notify affected customers. Earlier this month, researchers at Code White GmbH demonstrated ToolShell using a combination of CVE-2025-49706 and CVE-2025-49704.


Time of India
a day ago
- Business
- Time of India
Explained: 10000-plus companies at risk and …, what makes the Microsoft SharePoint attack very dangerous right now
Microsoft is scrambling to contain a widespread cyberattack targeting SharePoint servers worldwide, with cybersecurity experts warning that over 10,000 companies could be at risk. The software giant confirmed that hackers are actively exploiting previously unknown security flaws in on-premises SharePoint servers used by government agencies, universities, and major corporations to share internal documents.

The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerability catalog on Saturday, giving federal agencies just one day to apply patches once they become available. "These exploits are real, in-the-wild, and pose a serious threat," warned Palo Alto Networks, while Google's Threat Intelligence Group confirmed observing active exploitation attempts.

Dutch cybersecurity firm Eye Security first detected the attacks on July 18th and reports that at least 85 SharePoint servers across 54 organizations have already been compromised. Among the victims are a California university, energy companies, federal health organizations, and government entities in Florida and New York.

Microsoft SharePoint's zero-day exploits leave tens of thousands of organisations vulnerable

The attack leverages what's known as a "zero-day" vulnerability – a security flaw unknown to software makers until it's actively exploited by hackers. Cybersecurity researchers estimate that over 10,000 companies with SharePoint servers are potentially at risk, with the United States, Netherlands, United Kingdom, and Canada having the highest concentrations of vulnerable systems.

"It's a dream for ransomware operators, and a lot of attackers are going to be working this weekend as well," said Silas Cutler, a researcher at Michigan-based Censys.

The vulnerability allows hackers to access file systems, steal sensitive configurations, and execute malicious code across networks without authentication. The attackers are using a technique called "ToolShell" that was originally demonstrated at the Pwn2Own security conference. They upload malicious files to steal critical server keys, then use these stolen credentials to create valid access tokens that bypass security measures entirely.

Government agencies among primary targets in Microsoft SharePoint attack

Federal and state agencies appear to be prime targets in this campaign, with the FBI confirming it's "aware of the matter" and working with government and private sector partners to assess the threat. The Washington Post reported that the breach has affected multiple U.S. agencies, though specific details remain classified for security reasons.

CISA's Acting Executive Assistant Director for Cybersecurity Chris Butera emphasized the urgency: "Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations. CISA encourages all organizations with on-premise Microsoft SharePoint servers to take immediate recommended action."

Organizations can detect if they've been compromised by checking for suspicious files named " on their servers or unusual network activity from specific IP addresses that security firms have identified as attack sources.

Microsoft releases emergency updates

Microsoft has released emergency security updates for SharePoint 2019 and Subscription Edition servers, with a patch for SharePoint 2016 expected soon. The company recommends that organizations unable to immediately apply updates should disconnect their SharePoint servers from the internet until patches can be installed.

For additional protection, Microsoft advises enabling its Antimalware Scan Interface (AMSI) feature and deploying Windows Defender Antivirus on all SharePoint servers. Organizations should also rotate their server security keys after applying patches to prevent further unauthorized access.

This incident adds to Microsoft's recent cybersecurity challenges, including Chinese hacker attacks earlier this year and criticism from the White House's Cyber Safety Review Board, which called the company's security culture "inadequate" following previous breaches.
Yahoo
a day ago
- Business
- Yahoo
Microsoft SharePoint under 'active exploitation,' Homeland Security's CISA says
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has posted an alert saying it is aware of "active exploitation" of a new vulnerability to Microsoft SharePoint "enabling unauthorized access to on-premise SharePoint servers."

The exploitation activity "provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network," the post stated.

"The FBI is aware of the matter, and we are working closely with our federal government and private sector partners," the bureau said in a statement.

According to a Microsoft customer guidance blog post issued Saturday, "Microsoft is aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update." "These vulnerabilities apply to on-premises SharePoint Servers only," the post added and "SharePoint Online in Microsoft 365 is not impacted."

A company spokesperson said the company has been "coordinating closely with CISA, DOD Cyber Defense Command, and key cybersecurity partners around the world throughout our response."

"While the scope and impact continue to be assessed," CISA Acting Executive Assistant Director for Cybersecurity Chris Butera said in a statement, "the new common vulnerabilities and exposure (CVE), CVE-2025-53770, is a variant of the existing vulnerability CVE-2025-49706 and poses a risk to organizations with on-premise SharePoint servers." CISA was "made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action," the statement said. "Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations."

Eye Security, a cybersecurity firm, says it "identified active large-scale exploitation" of the new vulnerability "being used in the wild" on SharePoint servers across the world and discovered "dozens of systems actively compromised," according to a blog post on the firm's website. The breaches "probably" began on the evening of July 18.

According to a post by Palo Alto Networks Unit 42, a threat research and security consulting firm, "These flaws allow unauthenticated attackers to access restricted functionality."
