SharePoint Servers Under Active Attack: Ransomware and Backdoor Threats

Threat actors are actively exploiting unpatched Microsoft SharePoint servers to deploy ransomware and custom backdoors across enterprise networks. Multiple attack campaigns targeting known SharePoint vulnerabilities have been observed in the wild, with attackers leveraging these entry points to establish persistent access, exfiltrate sensitive data, and deploy file-encrypting malware. Organizations running SharePoint on-premises installations face immediate risk and must prioritize patching and security hardening measures.

Introduction

Microsoft SharePoint servers have become prime targets for sophisticated cybercriminals seeking high-value enterprise access. Recent threat intelligence indicates multiple active campaigns exploiting unpatched SharePoint installations to compromise corporate networks at scale.

These attacks represent a convergence of opportunistic vulnerability exploitation and targeted ransomware operations. Attackers are chaining together known SharePoint vulnerabilities to achieve remote code execution, then deploying custom backdoors that provide persistent access for subsequent ransomware deployment.

The attacks underscore a critical security gap: many organizations fail to apply security patches to their SharePoint infrastructure in a timely manner, leaving a significant attack surface exposed to determined adversaries.

Background & Context

SharePoint has long been a cornerstone of enterprise collaboration, with millions of organizations worldwide relying on it for document management, intranet portals, and workflow automation. However, its ubiquity and deep integration with Active Directory and other critical systems make it an attractive target for attackers.

Over the past 24 months, Microsoft has disclosed multiple critical vulnerabilities affecting SharePoint Server, including remote code execution flaws that allow unauthenticated attackers to execute arbitrary code on vulnerable systems. CVE-2023-29357 and CVE-2023-24955 have been particularly targeted in recent campaigns.

The current wave of attacks appears to be coordinated by multiple threat actor groups, some with suspected ties to ransomware-as-a-service (RaaS) operations. These groups scan the internet for exposed SharePoint servers, probe for vulnerabilities, and exploit unpatched systems within hours of discovery.

What distinguishes these campaigns from previous opportunistic attacks is the sophistication of the post-exploitation tradecraft. Rather than immediately deploying ransomware, attackers establish multiple persistence mechanisms, conduct extensive reconnaissance, and exfiltrate data before initiating encryption operations.

Technical Breakdown

The attack chain typically follows a multi-stage progression that maximizes adversary control while minimizing detection risk.

Initial Access:

Attackers exploit publicly disclosed SharePoint vulnerabilities, most commonly authentication bypass and remote code execution flaws. Chained together, these let an unauthenticated attacker bypass SharePoint's authentication and execute arbitrary code in the context of the SharePoint application pool (the IIS worker process, w3wp.exe).

# Example detection of suspicious PowerShell activity referencing the SharePoint worker process.
# Requires script block logging; event 4104 carries the script text in its Message field
# (Properties[0] is the numeric MessageNumber, so matching on it never fires).
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} |
Where-Object { $_.Message -match 'w3wp\.exe|SharePoint' }

Persistence Establishment:

Following initial compromise, attackers deploy custom web shells disguised as legitimate ASPX files within SharePoint directories. These web shells provide covert command-and-control channels that blend with normal SharePoint traffic.

# Common web shell locations in SharePoint
C:\Program Files\Common Files\microsoft shared\Web Server Extensions\
/_layouts/
/_catalogs/
/_vti_bin/

Privilege Escalation:

Attackers leverage SharePoint’s inherent permissions to execute commands as the SharePoint service account, which typically has elevated privileges. They enumerate domain credentials stored in SharePoint configuration databases and connection strings.

Lateral Movement:

Using harvested credentials and SharePoint’s trusted position within the domain, attackers move laterally to domain controllers, file servers, and backup systems. Custom backdoors facilitate this movement while maintaining multiple access vectors.

Ransomware Deployment:

Once attackers have mapped the network, exfiltrated sensitive data, and established multiple footholds, they deploy ransomware payloads through scheduled tasks, Group Policy Objects, or remote PowerShell sessions.

Impact & Risk Assessment

The impact of successful SharePoint exploitation extends far beyond a single compromised server:

Business Disruption:

SharePoint downtime cripples collaboration capabilities, halting business processes that depend on document management and workflow automation. Recovery timelines frequently exceed two weeks for encrypted environments.

Data Breach Exposure:

SharePoint servers commonly store sensitive business documents, financial records, intellectual property, and personally identifiable information. Exfiltration of this data creates significant regulatory compliance and reputational risks.

Ransomware Encryption:

Organizations face average ransom demands ranging from $500,000 to $5 million, with no guarantee of successful decryption. Many victims pay ransoms only to discover their data remains corrupted.

Regulatory Consequences:

Data breaches involving SharePoint systems containing regulated data trigger mandatory reporting requirements under GDPR, HIPAA, and other frameworks. Penalties can reach millions of dollars.

Supply Chain Risk:

Compromised SharePoint portals used for vendor collaboration can become pivot points for supply chain attacks, extending the threat beyond the initial victim organization.

Organizations in healthcare, finance, legal services, and government sectors face particularly acute risks due to the sensitivity of data typically stored in their SharePoint environments.

Vendor Response

Microsoft has released security patches addressing the vulnerabilities most commonly exploited in these attack campaigns. The company has issued multiple security advisories urging organizations to apply updates immediately.

Microsoft Threat Intelligence teams have published indicators of compromise (IOCs) and detection signatures for the custom backdoors observed in these attacks. These signatures are available through Microsoft Defender and Azure Sentinel.

The company recommends that organizations running SharePoint Server 2016, 2019, and SharePoint Server Subscription Edition prioritize the following security updates:

  • June 2023 Cumulative Updates (addressing CVE-2023-29357)
  • May 2023 Security Updates (addressing CVE-2023-24955)
  • All subsequent monthly security rollups

Microsoft has also enhanced telemetry in recent SharePoint updates to detect anomalous authentication patterns and suspicious file operations that may indicate compromise.

However, applying these patches requires careful planning as SharePoint updates can affect custom solutions and require testing before production deployment—a reality that contributes to many organizations’ patch management delays.

Mitigations & Workarounds

Organizations should implement the following mitigations in priority order:

Immediate Actions:

  • Apply all available SharePoint security updates, prioritizing patches for actively exploited vulnerabilities
  • Audit all SharePoint farm accounts for suspicious activity
  • Review and remove unnecessary SharePoint internet exposure
  • Enable multi-factor authentication for all SharePoint administrative accounts

Network Segmentation:

Isolate SharePoint servers from direct internet access where possible. Implement reverse proxy solutions with web application firewall (WAF) capabilities to filter malicious requests.

# Allow HTTPS to SharePoint only from the internal 10.0.0.0/8 range.
# This only restricts access if the profile's default inbound action is Block and no
# broader rule already allows TCP/443 (check existing rules with Get-NetFirewallRule).
New-NetFirewallRule -DisplayName "SharePoint_Restricted" `
  -Direction Inbound -LocalPort 443 -Protocol TCP `
  -Action Allow -RemoteAddress 10.0.0.0/8

File Integrity Monitoring:

Implement continuous monitoring of SharePoint directories for unauthorized ASPX, ASHX, and ASMX files that could represent web shells.
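One way to implement that check, as an added example that is not part of the original article: a baseline-and-diff script that records SHA-256 hashes of every ASPX, ASHX and ASMX handler under the SharePoint hive on a known-good server and, on later runs, reports files that are new or whose hash changed. The hive number (16) and the baseline file location are assumptions; adjust them for your farm.

```powershell
# Added example: baseline-and-diff check for new or modified web handlers under the SharePoint hive.
# Assumptions: the "16" hive (SharePoint 2016/2019/SE) and the baseline CSV path below.
$Hive         = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE'
$BaselinePath = 'C:\SecOps\sp-handler-baseline.csv'
$HandlerExt   = '.aspx', '.ashx', '.asmx'

function Get-HandlerInventory {
    param([string]$Root)
    # One record per handler file: full path, SHA-256 and creation time (UTC).
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $HandlerExt -contains $_.Extension.ToLower() } |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Hash    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Created = $_.CreationTimeUtc.ToString('o')
            }
        }
}

if (-not (Test-Path $BaselinePath)) {
    # First run on a known-good (ideally freshly patched) server: record the baseline and stop.
    Get-HandlerInventory -Root $Hive | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Host "Baseline written to $BaselinePath"
    return
}

$baseline = Import-Csv -Path $BaselinePath
$current  = Get-HandlerInventory -Root $Hive

# Compare on path + hash: entries present now but absent from the baseline are new or modified files.
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Path, Hash |
    Where-Object { $_.SideIndicator -eq '=>' }

foreach ($entry in $diff) {
    $file  = $current  | Where-Object { $_.Path -eq $entry.Path }
    $state = if ($baseline.Path -contains $entry.Path) { 'MODIFIED' } else { 'NEW' }
    Write-Warning ("{0} handler: {1} (sha256 {2}, created {3})" -f $state, $file.Path, $file.Hash, $file.Created)
}
if (-not $diff) { Write-Host 'No new or modified handler files since baseline.' }
```

Re-record the baseline after every legitimate SharePoint update, since cumulative updates replace many files under the hive.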

Authentication Hardening:

Disable legacy authentication protocols and enforce modern authentication with conditional access policies. Implement privileged access workstations for SharePoint administration.

Detection & Monitoring

Detecting SharePoint compromise requires monitoring multiple data sources:

Log Analysis:

# Monitor SharePoint ULS logs for authentication anomalies (run from the SharePoint Management Shell;
# bounding with -StartTime keeps the query from reading the entire ULS log set)
Get-SPLogEvent -StartTime (Get-Date).AddHours(-24) |
Where-Object {$_.Category -eq "Authentication" -and $_.Level -eq "Unexpected"}

Key Detection Indicators:

  • Unusual authentication patterns outside business hours
  • New ASPX files in system directories
  • Unexpected PowerShell execution from w3wp.exe
  • Abnormal network traffic volumes from SharePoint servers
  • Changes to SharePoint service account group memberships
  • Suspicious scheduled tasks created by SharePoint processes
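The third indicator above (process execution spawned by w3wp.exe) can be hunted directly in the Security log. This is an added example, not code from the article: it reads process-creation events (4688) whose parent image is the IIS worker process and flags children that a SharePoint worker process should essentially never launch. It assumes process-creation auditing is enabled; the CommandLine field is only populated if command-line logging is also turned on.

```powershell
# Added example: hunt Security 4688 events for child processes of the IIS worker process (w3wp.exe).
# Assumes "Audit Process Creation" is enabled; CommandLine is empty unless command-line logging is on.
$Lookback = (Get-Date).AddHours(-24)

# Child images that w3wp.exe should rarely, if ever, spawn on a SharePoint server (assumed watch list).
$Suspicious = 'powershell.exe','pwsh.exe','cmd.exe','certutil.exe','rundll32.exe',
              'mshta.exe','schtasks.exe','net.exe','net1.exe','whoami.exe','bitsadmin.exe'

function Get-W3wpChildProcess {
    param([datetime]$Since)
    # 4688 property order on Server 2016+: 5 = NewProcessName, 8 = CommandLine, 13 = ParentProcessName.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[13].Value -like '*\w3wp.exe' } |
        ForEach-Object {
            $child = [string]$_.Properties[5].Value
            $leaf  = (Split-Path -Leaf $child).ToLower()
            $flag  = if ($Suspicious -contains $leaf) { 'SUSPICIOUS' } else { 'review' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Flag        = $flag
                Child       = $child
                CommandLine = [string]$_.Properties[8].Value
            }
        }
}

# Any hit deserves a look; 'SUSPICIOUS' rows are the ones to triage first.
Get-W3wpChildProcess -Since $Lookback |
    Sort-Object Flag, Time |
    Format-Table -AutoSize -Wrap
```

Even the 'review' rows are worth a baseline: on a healthy farm the set of w3wp.exe children is small and stable, so anything new is a useful alert candidate for the SIEM rules described below.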

SIEM Integration:

Forward SharePoint ULS logs, Windows Security logs, and IIS logs to a centralized SIEM platform. Configure alerting rules for:

  • Failed authentication spikes
  • Successful authentications from anomalous geolocations
  • Process execution chains inconsistent with normal SharePoint operations
  • Lateral movement patterns originating from SharePoint servers

EDR Deployment:

Ensure endpoint detection and response solutions are deployed and actively monitoring SharePoint servers. Configure behavioral detection rules specific to SharePoint exploitation techniques.

Best Practices

Patch Management:

Establish a regular SharePoint patching cadence with testing in non-production environments. Subscribe to Microsoft security advisories for advance notice of critical updates.

Principle of Least Privilege:

SharePoint service accounts should have only the minimum permissions required for operation. Avoid running SharePoint services under highly privileged domain accounts.

Backup Strategy:

Maintain offline, immutable backups of SharePoint databases and content. Test restoration procedures quarterly to ensure backup integrity.

Security Hardening:

Remove unused SharePoint features and services. Disable unnecessary protocols and authentication methods. Regularly audit SharePoint permissions and remove excessive access grants.

Incident Response Planning:

Develop and regularly test incident response procedures specific to SharePoint compromise scenarios. Maintain documented procedures for isolating compromised SharePoint farms.

Threat Intelligence Integration:

Subscribe to threat intelligence feeds providing IOCs related to SharePoint exploitation. Integrate these feeds into security monitoring platforms.

Key Takeaways

  • Multiple threat actor groups are actively exploiting unpatched SharePoint servers to deploy ransomware and backdoors
  • The attack chain progresses from initial exploitation through persistence establishment, lateral movement, and ransomware deployment
  • Organizations face significant business disruption, data breach exposure, and regulatory consequences from successful attacks
  • Immediate patching of all SharePoint security vulnerabilities is critical to reduce attack surface
  • Comprehensive detection and monitoring capabilities are essential for identifying compromise indicators
  • Defense-in-depth strategies combining patching, hardening, segmentation, and monitoring provide the strongest protection


Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.