
Zscaler’s Role in Securing On-Premise Solutions Against Zero-Day Exploits Like the Recent SharePoint Exploit
Jul 31, 2025
Zscaler’s Zero Trust solutions protect on-premise systems like SharePoint from zero-day exploits with early detection, decoys, and isolation, ensuring resilience against advanced threats.
By Deepen Desai, Chief Security Officer, Zscaler, & Andrew Brown, CEO, Sand Hill East, and Zscaler Board Director
Zscaler has been widely deployed for its cloud security capabilities, but it is equally important to deploy Zscaler’s Zero Trust solutions to protect on-premise capabilities and solutions (such as SharePoint). Zscaler can raise the alarm well before the attack, use decoys to deceive attackers, and ensure business-critical legacy solutions are protected. Remember that attackers like to go after older infrastructure, where more vulnerabilities and exploits are often documented, so protecting these assets that your business depends on is essential and minimizes downtime…
Vulnerabilities like the recently disclosed flaw in Microsoft SharePoint serve as stark reminders of the critical importance of proactive cybersecurity measures. This zero-day exploit, currently targeting on-premises SharePoint servers, highlights the risks associated with legacy on-premise systems.
Zscaler saw evidence of compromise attempts on its clients several days ahead of Microsoft’s disclosure, and is well positioned to secure clients using vulnerable versions of the software.
Background
As detailed in the Zscaler blog, this vulnerability is a zero-day exploit affecting on-premise versions of Microsoft SharePoint Server 2016, 2019, and Subscription Edition. It enables attackers to gain unauthorized access, compromise file systems, and bypass future patching measures, posing a significant risk. According to Microsoft, this bug is being actively exploited by three discrete state-sponsored threat actors, with over 400 organizations being affected to date, in sectors including government agencies, healthcare providers, and financial services.
The nature of the vulnerability allows attackers to infiltrate systems undetected, move laterally within environments to other systems, and compromise critical assets such as Teams, OneDrive, and associated files. Applying the security patch does not guarantee removal of threat actors that have already established network access.
Zscaler’s Role in Protecting On-Premise Systems
Through solutions like Zscaler Deception and Zscaler Private Access (ZPA), we secure organizations’ on-premises applications, including legacy deployments of SharePoint. Our approach combines robust early-warning capabilities, proactive threat interception, and mechanisms to thwart lateral movement within compromised environments.
As the first signs of exploitation surfaced on July 17th, days before CISA issued an advisory, Zscaler Deception was already intercepting malicious activity targeting SharePoint servers. By deploying perimeter-facing decoys that mimic SharePoint environments, we identified exploitation attempts and provided early threat signals to affected organizations. This capability allows us to protect enterprises before damage escalates, intervening with precision at the earliest stages of an attack.
These attacks, and many other attacks such as ransomware, rely on lateral movement within a network after the initial compromise. Attackers access additional systems, escalate privileges, and eventually compromise high-value assets. Zscaler Private Access stops this activity by isolating compromised users, blocking unauthorized access to internal SharePoint environments, and preventing attackers from pivoting within the network.
The Zscaler Zero Trust Exchange prevents unauthorized access to private applications, whether they’re deployed in the cloud or on-premises. By moving vulnerable servers behind a Zero Trust architecture, organizations significantly reduce exposure to all manner of internet threats seeking to identify and exploit entry points.
Recommendations for Risk Mitigation
Organizations must act swiftly to protect their environments from active exploitation. Immediate measures include applying Microsoft’s patches, isolating vulnerable on-premise servers, and using endpoint detection tools to monitor for malicious activity. These, however, are reactive steps and will not position your organization to get ahead of the next critical vulnerability. Proactive defense demands a security strategy that incorporates Zero Trust principles and advanced technologies like deception and segmentation.
For longer term protection, we recommend the following measures:
- Patch Immediately: Apply Microsoft’s emergency fixes to affected SharePoint server versions without delay. Be aware this is not a panacea.
- Adopt a Zero Trust architecture: Move vulnerable servers, including legacy systems, behind Zscaler’s Zero Trust Exchange to minimize exposure and reduce the risk of compromise.
- Implement ZPA: Prevent lateral movement within the network by isolating compromised accounts or insiders attempting to maneuver across environments.
- Deploy Zscaler Deception: Use decoys to detect exploitation attempts, gather critical threat intelligence, and benefit from the collective intelligence of Zscaler’s community. These decoys provide visibility into exploitation in real time.
- Enhance Monitoring: Continuously audit logs, monitor endpoints, and look for malicious indicators such as deserialization attempts and unusual file system activity.
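As an added example of the file-system monitoring recommended above (this script is not from the post and is not Zscaler's code), the following PowerShell takes a SHA-256 baseline of web-servable files under a SharePoint server's content directories and, on later runs, reports files that are new or modified relative to that baseline, which is how a dropped web shell or a tampered assembly surfaces as "unusual file system activity". The watched directory is a placeholder that the administrator must point at the directories IIS actually serves for SharePoint.

```powershell
# Added example, not Zscaler's code. ASSUMPTION: $WatchPaths must be set to the
# directories IIS serves for the SharePoint web applications; the default is a
# placeholder. Run once on a server believed clean to write the baseline, then
# on a schedule to report new or modified web-servable files.
param(
    [string[]]$WatchPaths = @('C:\PLACEHOLDER\SharePointWebRoot'),
    [string]$BaselinePath = "$env:ProgramData\SharePointFileBaseline.json",
    # Extensions IIS will execute or load; a dropped web shell is typically .aspx/.ashx.
    [string[]]$Extensions = @('.aspx', '.ashx', '.asmx', '.dll', '.config')
)

function Get-FileSnapshot {
    param([string[]]$Paths, [string[]]$Exts)
    $snap = @{}   # full path -> SHA-256 hex digest
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Path not found: $p"; continue }
        Get-ChildItem -LiteralPath $p -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $Exts -contains $_.Extension.ToLowerInvariant() } |
            ForEach-Object {
                $snap[$_.FullName] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
    }
    return $snap
}

$current = Get-FileSnapshot -Paths $WatchPaths -Exts $Extensions

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run: persist the snapshot as the known-good baseline.
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
    Write-Output "Baseline written ($($current.Count) files): $BaselinePath"
    exit 0
}

# Load the stored baseline back into a hashtable for comparison.
$baseline = @{}
(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = $_.Value }

$findings = @(
    foreach ($path in $current.Keys) {
        if (-not $baseline.ContainsKey($path)) {
            [pscustomobject]@{ Status = 'NEW';      Path = $path; Sha256 = $current[$path] }
        } elseif ($baseline[$path] -ne $current[$path]) {
            [pscustomobject]@{ Status = 'MODIFIED'; Path = $path; Sha256 = $current[$path] }
        }
    }
)

if ($findings.Count -eq 0) { Write-Output 'No changes relative to baseline.'; exit 0 }
$findings | Sort-Object Status, Path | Format-Table -AutoSize
exit 2   # non-zero exit so a scheduler or log collector can alert on drift
```

Run it under an account that can read the watched directories, and treat any NEW or MODIFIED entry you did not deploy yourself as something to triage rather than re-baseline.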
A Time for Action
As this issue once again reminds us, cybersecurity is not solely about securing cloud-based environments; it’s about safeguarding every system, interaction, and interface an organization depends on. At Zscaler, our commitment to securing both cloud and on-premises systems ensures comprehensive protection against zero-day exploits and emerging threats.
Protecting on-premises private applications is essential. Let’s work together to ensure your SharePoint servers, sensitive assets, and operational environments remain resilient against the risks posed by zero-day and known vulnerabilities.
Attackers, aided by artificial intelligence, are moving faster than ever before, and their capabilities are accelerating. Traditional defenses simply do not cut it; proactive measures must become the cornerstone of enterprise security. The stakes are high, and the time to act is now.