
CISA releases malware analysis report for SharePoint vulnerabilities


The Cybersecurity and Infrastructure Security Agency published a malware analysis report on files related to Microsoft SharePoint vulnerabilities and encouraged organizations to use the indicators of compromise and detection signatures to identify malware.

August 07, 2025 / By ICBA

Background: On July 19, Microsoft published a blog post addressing active attacks against on-premises SharePoint servers that exploit a spoofing vulnerability. The chain, publicly reported as “ToolShell,” enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.

More: CISA last week updated its alert on vulnerabilities with Microsoft SharePoint servers to reflect newly released information as threat actor tactics, techniques, and procedures continue to evolve.

Microsoft Recommendations: Microsoft recommends customers use supported versions of on-premises SharePoint servers with the latest security updates and enable Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus (or equivalent solutions) for all on-premises SharePoint deployments.

ICBA Resources: Additional cybersecurity resources for community bankers are available on ICBA’s Cyber and Data Security Center.
