“This exploitation activity, publicly reported as ‘ToolShell,’ provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network,” CISA said, adding that the scope and impact of the new remote code execution (RCE) attack is being assessed.
Customers are advised to apply the security updates immediately. Updates for SharePoint Server 2016 have not yet been released.
Microsoft posted a list of ways that customers can mitigate the attacks. They include installing the latest security updates, running only supported versions of on-premises SharePoint Server, making sure the Antimalware Scan Interface (AMSI) is turned on and correctly configured together with an antivirus solution, deploying Microsoft Defender for Endpoint or equivalent endpoint protection, and rotating the SharePoint Server ASP.NET machine keys.
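As an added example, not code from this article or from Microsoft's guidance, the machine-key rotation step above carried out farm-wide from PowerShell with a before/after check that the key actually changed. It assumes the SharePoint Management Shell on SharePoint Server 2019 or Subscription Edition, where the Set-SPMachineKey and Update-SPMachineKey cmdlets are available, a farm administrator account, and that the validationKey attribute stored in each web application's web.config is the value to compare; the helper Get-MachineKeyValidationKey and the $results object are this example's own.

```powershell
# Added example (assumed cmdlets: Get-SPWebApplication, Set-SPMachineKey,
# Update-SPMachineKey from the SharePoint Management Shell; run as a farm admin
# after the security update or AMSI has been applied).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-MachineKeyValidationKey {
    # Read <machineKey validationKey="..."> from a web.config on this server.
    param([string]$WebConfigPath)
    [xml]$cfg = Get-Content -Path $WebConfigPath -Raw
    return $cfg.configuration.'system.web'.machineKey.validationKey
}

$results = foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    # web.config of the Default zone IIS site for this web application (local server)
    $iisSettings = $wa.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default]
    $webConfig   = Join-Path $iisSettings.Path.FullName 'web.config'

    $before = Get-MachineKeyValidationKey -WebConfigPath $webConfig

    # Generate new validation/decryption keys for the web application ...
    Set-SPMachineKey -WebApplication $wa
    # ... and propagate them to the web.config of every server in the farm.
    Update-SPMachineKey -WebApplication $wa

    $after = Get-MachineKeyValidationKey -WebConfigPath $webConfig

    [pscustomobject]@{
        WebApplication = $wa.DisplayName
        WebConfig      = $webConfig
        KeyRotated     = (-not [string]::IsNullOrEmpty($after)) -and ($before -ne $after)
    }
}

$results | Format-Table -AutoSize

if ($results.KeyRotated -contains $false) {
    Write-Warning 'At least one web application kept its old (or has no) machineKey; do not assume the rotation succeeded.'
}

# New keys are only used once the worker processes restart; run this on every SharePoint server.
iisreset.exe
```

Rotate only after patching or enabling AMSI: an attacker who still has code execution on the server can simply read the new keys out of web.config, so rotation closes the window for forged ViewState payloads but does not evict an active intruder. The before/after comparison is there because a rotation that silently fails on one server leaves that server accepting payloads signed with the compromised key.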
CISA Recommendations
To reduce the risk from this RCE exploitation activity, CISA has several recommendations for organizations. It reiterated Microsoft's guidance on enabling the Antimalware Scan Interface (AMSI) and Microsoft Defender on all servers.
If AMSI cannot be deployed immediately, the agency suggested companies disconnect all affected products from the internet and reconnect only after the threat is mitigated.
Companies should update intrusion prevention systems and web-application firewall rules to block exploit patterns and anomalous behavior, and implement comprehensive logging to identify exploitation activity.
Lastly, CISA advised organizations to audit and minimize layout and administrator privileges.
If a malicious actor has gained access or the company detects anomalous activity in its servers, such incidents should be reported to CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870.
Recently, with the increased proliferation of cloud platforms and related technologies, there has been a corresponding uptick in sophisticated threat activity targeting identity and authentication systems built on cloud infrastructure.
To counter these threats, CISA has called for an increase in private-public partnerships to safeguard cloud infrastructure.

