Critical SharePoint zero-day flaw exploited, urgent actions urged


Techday NZ, 11 hours ago
A critical zero-day vulnerability in Microsoft SharePoint Server, identified as CVE-2025-53770, has been actively exploited by threat actors and now poses a significant security risk to organisations operating on-premises SharePoint environments.
Security researchers and technology companies have raised urgent concerns about the sophistication and reach of the campaign, which uses the exploit chain dubbed "ToolShell" and yields remote code execution (RCE), full system compromise and persistent backdoor access. Because the exploit requires no authentication, controls such as multi-factor authentication (MFA) do not stop it.
According to Adrian Culley, Senior Sales Engineer at SafeBreach, the situation is particularly serious because the attacks exploiting this vulnerability commenced before any security patches were made available, placing it in the most dangerous category of threats to enterprise infrastructure. "This CVE represents a critical security incident: it was exploited as a zero-day vulnerability in active attacks against production systems before any patches were available - the most severe type of threat organisations face," Culley stated.
Further complicating the response, at the time of writing no patch yet covers every affected version of SharePoint Server (see the note on SharePoint Server 2016 below). Microsoft has taken the unusual and cautionary step of advising organisations to assume their systems may already be compromised, and to immediately conduct comprehensive investigations to verify the integrity of their environments. Language of this kind is rarely used in public advisories, and it reinforces the gravity of the incident.
SharePoint Server 2016 installations face unique challenges due to the absence of technical fixes at present. Organisations running these environments are being told to lean on breach and attack simulation, alongside current security controls, to gauge their exposure. Culley recommended, "Proactive defence requires targeted hardening measures and resilience improvements to prevent falling victim to this sophisticated attack vector."
Analysis from Mandiant Consulting, part of Google Cloud, indicates that this exploit is being used by multiple threat actors, including groups linked to China.
Charles Carmakal, CTO at Mandiant Consulting, stressed the breadth of the threat landscape: "We assess that at least one of the actors responsible for this early exploitation is a China-nexus threat actor. It's critical to understand that multiple actors are now actively exploiting this vulnerability."
Carmakal warned that further threat actors are expected to join as awareness and knowledge of the exploit spreads, increasing the urgency for defensive actions.
Google's Threat Intelligence Group has observed attackers leveraging CVE-2025-53770 to install webshells and exfiltrate the servers' ASP.NET MachineKey values (the validationKey and decryptionKey that protect authentication tokens and encrypted data). With those keys an attacker can keep crafting requests the server accepts as valid, giving unauthenticated, long-term access even after a webshell is removed, until the keys themselves are replaced. This puts confidential data and business operations at risk.
In its emergency guidance, Microsoft clarified that this vulnerability currently affects only on-premises versions of SharePoint Server. Organisations using SharePoint Online as part of Microsoft 365 are not impacted. For those running on-premises servers exposed to the internet, immediate action is advised. Experts recommend implementing Microsoft's mitigation advice, closely monitoring systems for signs of compromise, and preparing to deploy an emergency patch as soon as it becomes available.
Carmakal summed up the reality facing organisations: "This isn't an 'apply the patch and you're done' situation. Organisations need to implement mitigations right away (and the patch when available), assume compromise, investigate whether the system was compromised prior to the patch/mitigation, and take remediation actions."
Given the current lack of a comprehensive patch, vigilance in monitoring, rapid application of mitigations, and thorough investigative processes will be mandatory in defending against the expanding wave of exploitation. Security professionals emphasise that building resilience and continually reviewing security postures are critical as the situation evolves and more actors target the vulnerability.

Related Articles

Microsoft launches Sentinel data lake to cut storage costs
Techday NZ, 9 hours ago

Microsoft has unveiled an expansion of its security information and event management solution, Microsoft Sentinel, introducing a new security data lake designed to address both the cost and capability challenges faced by cybersecurity teams. The newly launched Sentinel data lake aims to reduce costs associated with security data retention, claiming storage fees at less than 10% of those for traditional analytics log storage options. According to Microsoft, this move is intended to help security teams retain all relevant data affordably, making incident detection and response faster and more accurate.

Data challenges

Security operations teams have long contended with the challenge of managing increasing volumes of data while controlling costs. Microsoft stated, "You can't protect what you can't see. Security operations teams have long been faced with the challenge of managing massive, fast-growing datasets, and the cost of scaling traditional data management tools to handle these data volumes has become unsustainable. We're evolving our industry-leading Security Incidents and Event Management solution (SIEM), Microsoft Sentinel, to include a modern, cost-effective data lake. By unifying all your security data, Microsoft Sentinel data lake, now in public preview, accelerates agentic AI adoption and drives unparalleled visibility, empowering teams to detect and respond faster. With Sentinel data lake, you're no longer forced to choose between retaining critical data and staying within budget."

The new architecture is said to bring together security data from both Microsoft and third-party sources using over 350 native connectors. It is positioned as a foundation for artificial intelligence-powered detection, allowing security teams to hunt for threats over extended time frames and perform detailed forensic analysis without compromising on data retention due to cost constraints. Microsoft further said, "Breaking down data silos for better security... Siloed data means missed cyberthreats, delayed investigations, and underutilized tools." The aim is to unify data and enable better threat visibility and collaboration within security teams.

Threat intelligence integration

In addition to the data lake, Microsoft has also announced the integration of Microsoft Defender Threat Intelligence (MDTI) into both Sentinel and Defender XDR at no additional cost. This integration is pitched as an effort to provide security teams with access to a substantial repository of frontline threat intelligence, which processes signals from what Microsoft says are 84 trillion daily data points, and is supported by over 10,000 security specialists. The company stated, "To further help defenders get the most out of their data, we're democratizing threat intelligence by converging Microsoft Defender Threat Intelligence (MDTI) capabilities into Defender XDR and Sentinel at no additional cost; this means that security teams will no longer need to buy a separate SKU to access these powerful features."

These changes will be rolled out over time, with all Microsoft first-party threat reports, including intelligence profiles and indicators of compromise (IoCs), expected to become available through Defender XDR. The plan is also to incorporate IoCs into Sentinel's case management, allowing customers to share threat intelligence across teams inside their organisations, with further features scheduled to follow.

Industry support

"Microsoft's vision for Sentinel data lake reflects what matters most in cybersecurity: clarity, scale, and real-world impact. With more than 1,200 Sentinel deployments worldwide, BlueVoyant has seen the need firsthand. Large scale data challenges are now the norm. Sentinel data lake marks a natural evolution of the SIEM and SOAR model, one that critically supports modern analytics, data science, and flexible ingestion strategy. It is a critical step forward for customers looking to modernize their security operations." - Milan Patel, Chief Revenue Officer at BlueVoyant

Industry partners have responded to Microsoft's expanded offering and its intent to simplify data management while providing a robust foundation for AI-driven security operations. "For cyber teams, the massive proliferation of data can misdirect focus or delay responses to genuine [cyber]threats. Microsoft Sentinel data lake can be a valuable tool for data centralization and visibility and for historical analysis across large volumes of datasets. Together with Microsoft, Accenture can help our clients leverage the data lake to extend the power of Microsoft Sentinel to supercharge attack detection and proactive remediation." - Rex Thexton, Chief Technology Officer, Accenture Security

Microsoft's approach aims to aid organisations in moving between real-time analytics and historical analysis from a single portal. The solution is designed to support custom machine learning workflows, analytics, and integration with tools familiar to security teams, all based on open data formats.

"The [cyber]attack surface is expanding with every application and AI application deployed across hybrid cloud environments, and AI-powered attacks are evolving just as fast. What many organizations still lack isn't just better tools - it's real-time visibility of their IT estate, their configurations and business context. To understand their full exposure, organizations need the right asset intelligence and a shared industry effort. The new Microsoft Sentinel data lake represents a valuable step in that direction; IBM is committed to working across the ecosystem to help solve that challenge." - Srini Tummalapenta, IBM Distinguished Engineer, Chief Technology Officer for IBM Consulting Cybersecurity Services

AI readiness measures

Microsoft stated that centralising data enriches its AI models, such as Security Copilot, giving them full context to detect sophisticated patterns of cyberattack, correlate signals over extended time spans, and produce high-fidelity alerts. The company explained, "Centralizing your data in a threat intel-enriched data lake eliminates silos and ensures AI models like Security Copilot have the full context they need to detect subtle cyberattack patterns, correlate signals across time and space, and surface high-fidelity alerts. This creates the foundation for the future of agentic defense where AI doesn't just assist, it acts."

Microsoft Sentinel data lake is now in public preview and available for customer onboarding as part of the company's continuing development of an integrated security operations platform.

Kiwi children face cyberbullying as more turn to AI support
Techday NZ, 11 hours ago

New research has highlighted the prevalence of cyberbullying and the increasing reliance of children in New Zealand on artificial intelligence for emotional support. The 2025 Norton Cyber Safety Insights Report: Connected Kids provides a detailed view of the challenges facing parents of school-aged children as they manage risks associated with digital engagement. The report is based on an online study of 1,001 adults across New Zealand and has found that 13% of parents say their children have been victims of cyberbullying, while 23% disclose that their children are turning to AI companions for support.

Generational shift

The study identified a notable shift in the age at which children are receiving their first mobile phones. Adults reported, on average, being 24 when they first owned a mobile. However, this figure drops to an average age of 12 for the current generation of children. The data reveals that Generation Z acquired their first phone at 14, Millennials at 16, Generation X at 26 and Baby Boomers at 41. The decreasing age at which children become digitally connected reflects the growing role of technology in everyday life and highlights challenges for parents, many of whom had a different experience growing up.

"Childhood today is radically different, and online activities blend into real life shockingly fast. Parents now play a frontline role in keeping their families safe as digital life starts earlier and earlier," said Mark Gorrie, Norton Managing Director APAC and father of two. Gorrie continued, "Our study reveals that on average, Kiwi adults today were 24 years old when they got their first mobile phone. But the generational gap is striking. Gen Z got theirs at just 14, Millennials at 16, Gen X at 26, and Boomers at 41. Children of parents in this study are getting their first mobile even earlier, with an average age of 12. With devices landing in kids' hands younger than ever, parents need both more support and a greater commitment to navigating the realities of raising digitally connected kids."

Cyberbullying patterns

The study outlines how cyberbullying is perpetrated and experienced. Of the parents surveyed who reported cases of cyberbullying, 41% indicated the perpetrator was a classmate or peer. Visual-led social media platforms are frequently cited in these incidents, with Snapchat and Instagram at the forefront (both at 33%), followed by Facebook (30%) and TikTok (28%). Bullying is not confined to social media alone, with 26% of parents indicating that their children were bullied via text messages. Almost half of parents (46%) stated they were aware that their child was experiencing cyberbullying before the child disclosed it, though 28% admitted they have not discussed online safety with their children. This gap between awareness and action leaves children potentially vulnerable when risks escalate.

Screen time and digital boundaries

Parents continue to face difficulties enforcing screen time limits. Although 72% attempt to set boundaries, children can often circumvent parental controls. The study found 21% of parents said their child admitted to bypassing restrictions, whilst another 31% found out later their child had done so secretly. Online risks encountered by children extend beyond excessive usage. Parents reported incidents including staying up late on devices (31%), accessing restricted sites (10%), sharing personal information with strangers (10%), viewing explicit material (9%), and cyberbullying others (4%).

AI as a companion

The emergence of AI as a digital companion is identified as a new trend, with 23% of parents reporting their children use AI for emotional support. Some parents express concern about the impact of AI, with 34% stating it is not beneficial for their child's learning or creativity. Despite these concerns, only 41% of parents have discussed AI-related risks, such as deepfakes and misinformation, with their children.

"As AI-powered tools and AI companions become more common, parents face a bigger task than they may realise. Our study shows that around one in three Kiwi parents (30%) already take the right approach by regularly checking their child's devices – reviewing app usage, settings, and installed apps. It's a habit more Kiwi families should adopt to help guide children safely in the digital world," says Gorrie.

Parental guidance and recommendations

The report points to the importance of proactive engagement by parents in their children's digital lives. It recommends that parents begin conversations about online safety early, use parental control tools thoughtfully, teach children to recognise warning signs, model responsible technology use, and remain involved by regularly discussing online activity and trends. The findings underscore a need for ongoing education, support, and awareness for parents to help children navigate the complexities of the digital world safely as access to technology and AI becomes increasingly prevalent at younger ages.

SharePoint zero-day flaw exploited as over 9,000 servers at risk
Techday NZ, 11 hours ago

Cybersecurity experts have raised fresh alarms following reports of active exploitation targeting Microsoft SharePoint servers worldwide. The scale and sophistication of the attacks, which began to surface in detailed research at the end of last week, are causing concern among organisations that rely on the popular collaboration platform for critical information infrastructure.

The vulnerability at the centre of the incident, now assigned CVE-2025-53770, affects a wide cross-section of SharePoint Server deployments. Research from Eye Security first drew attention to what it described as "active, large-scale exploitation", driven by a zero-day variant of the exploit chain known as ToolShell, which chains a pair of vulnerabilities. Successful exploitation allows attackers to extract the MachineKey configuration details from vulnerable servers, exposing both the validationKey and decryptionKey that secure authentication tokens and encrypted data. Once in criminal hands, this information can be weaponised: because these keys are what the server uses to validate and decrypt request data, an attacker holding them can craft requests the server accepts as legitimate, so the compromise outlives the initial exploit.

As Satnam Narang, Senior Staff Research Engineer at Tenable, explained, "Attackers were able to exploit the flaw, now identified as CVE-2025-53770, to steal MachineKey configuration details from vulnerable SharePoint Servers. These details can be used by attackers to create specially crafted requests that could be used to gain unauthenticated remote code execution." Narang noted that the consequences for affected organisations may be severe, with broad implications for data integrity and security across industry sectors.

Indicators of compromise are already being circulated among security teams. Organisations are being urged to check for evidence of unauthorised access, with one telltale sign being the sudden creation of files named " on vulnerable servers, possibly under other extensions.

The scope of exposure is significant, with estimates suggesting over 9,000 externally accessible SharePoint servers are potentially at risk. These systems are deployed globally by enterprises, government entities, and a range of other organisations relying on SharePoint for document management and collaboration.

Patching efforts have commenced in earnest. Microsoft began distributing fixes late on 20 July, prioritising SharePoint Server 2019 and SharePoint Subscription Edition. A remedy for SharePoint Server 2016 remains pending but is expected imminently. Narang advised, "We strongly advise organisations to begin conducting incident response investigations to identify potential compromise; otherwise, apply the available patches and review the mitigation instructions provided by Microsoft."

Andrew Obadiaru, Chief Information Security Officer at offensive security firm Cobalt, warned that the speed and depth of zero-day exploitation leaves little margin for delay or complacency. "Zero-day vulnerabilities in widely deployed platforms like SharePoint are a goldmine for attackers because they provide immediate, scalable access to high-value environments. The challenge isn't just patching - it's that attackers typically implant persistence mechanisms within hours, ensuring long-term footholds. Defence strategies need to assume breach and validate controls through proactive testing, including red teaming and continuous pentesting, to uncover weaknesses before adversaries do. In today's threat landscape, reactive security alone is a losing game."

Obadiaru's remarks echo a growing industry consensus that traditional perimeter defences are proving insufficient in the face of increasingly sophisticated and rapid cyber threats. Security teams are being encouraged to revisit their incident response and detection protocols, embracing a proactive security posture and preparing for the possibility that attackers may already be inside their networks.

For now, the advice from the security community is clear: immediate action is essential. Organisations are urged to initiate incident response processes, apply available patches without delay, and review configuration settings for any signs of compromise. Vigilance and proactive testing will be the defining factors in limiting the fallout from yet another high-profile zero-day targeting widely used enterprise software.
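Both SharePoint articles on this page end with the same two instructions: investigate the server for files the attackers dropped, then make sure the patch actually closes the door. Because the exploit steals the ASP.NET validationKey and decryptionKey, a patched server is still exposed to forged requests until those keys are regenerated; Microsoft's post-patch guidance for this incident therefore includes rotating the machine keys and restarting IIS. The PowerShell below is an added example written for this page, not code from Techday NZ, Microsoft, Eye Security or Tenable. It assumes the default SharePoint hive and IIS web-root paths, a 72-hour look-back window, and that the Update-SPMachineKey cmdlet is available on the target version (cmdlet support varies by SharePoint version; check Microsoft's current guidance before relying on it). None of those details come from the article, and the script generalises the article's single indicator to any recently written server-side script file.

```powershell
<#
  Added example for this page (editor's code, not from Techday NZ, Microsoft,
  Eye Security or Tenable). Run in an elevated SharePoint Management Shell on
  each on-premises SharePoint server.
  1. Hunt: list server-side script files recently created or modified under the
     directories SharePoint serves, where dropped web shells land.
  2. Rotate (-RotateKeys, only after the security update is installed and the
     investigation is done): regenerate the ASP.NET machine keys so a stolen
     validationKey/decryptionKey no longer lets an attacker forge requests.
  Assumptions not taken from the article: the default hive/IIS paths, the
  72-hour window, and that Update-SPMachineKey exists on your version.
#>
param(
    [int]$LookbackHours = 72,
    [switch]$RotateKeys
)

# Windows PowerShell needs the snap-in; the Subscription Edition shell autoloads it.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$since = (Get-Date).AddHours(-$LookbackHours)

# Default locations SharePoint serves script files from (hives 15 and 16 cover
# 2016, 2019 and Subscription Edition) plus the IIS web roots of every web app.
$hive  = Join-Path $env:CommonProgramFiles 'microsoft shared\Web Server Extensions'
$paths = @(
    (Join-Path $hive '15\TEMPLATE\LAYOUTS')
    (Join-Path $hive '16\TEMPLATE\LAYOUTS')
    "$env:SystemDrive\inetpub\wwwroot\wss\VirtualDirectories"
) | Where-Object { Test-Path $_ }

# Extensions IIS hands to ASP.NET; kept broad because the article notes the
# dropped files may appear "under other extensions".
$scriptExt = '.aspx', '.ashx', '.asmx', '.asax', '.svc'

$suspect = Get-ChildItem -Path $paths -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object {
        $scriptExt -contains $_.Extension.ToLowerInvariant() -and
        ($_.CreationTime -gt $since -or $_.LastWriteTime -gt $since)
    } |
    Select-Object FullName, CreationTime, LastWriteTime, Length,
        @{ n = 'Owner';  e = { (Get-Acl -LiteralPath $_.FullName).Owner } },
        @{ n = 'SHA256'; e = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } }

if ($suspect) {
    Write-Warning "Script files written since $since under SharePoint web roots; treat this server as compromised until each one is explained:"
    $suspect | Format-Table -AutoSize -Wrap
} else {
    # A clean result is not proof of a clean server: timestamps can be altered
    # and persistence may live elsewhere, so keep the investigation going.
    Write-Host "No script files written since $since under: $($paths -join '; ')"
}

if ($RotateKeys) {
    # Rotate the keys for every web application, including Central Administration,
    # then restart IIS so the new values are loaded. Until this runs, the keys the
    # attacker exfiltrated are still the ones the server trusts.
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        Write-Host "Rotating ASP.NET machine key for $($wa.Url)"
        Update-SPMachineKey -WebApplication $wa
    }
    iisreset.exe
}
```

Run it first without -RotateKeys on every SharePoint server in the farm and review each file it lists (hash, owner and timestamps give the incident responder something to pivot on). Run it again with -RotateKeys only once the security update for that version is installed and the investigation has concluded, because rotating keys on a server the attacker still controls buys nothing. An empty hunt result does not clear the server; the article's advice to assume compromise still stands.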
