Skip to content
Share Point servers are being probed with high-risk, real looking, branded phish messages, & swooped on by a ransomware gang utilising an old bug.
This phishing campaign, discovered by researchers at Cofense, is using a Microsoft Office Share Point theme & successfully bypassing security email gateways (SEGs). In a post on Tues., the firm outlined that this is an example of why it is not always responsible to share documents via Microsoft’s hugely popular, widely used Share Point collaboration platform.
Legitimate Looking
The phish is targeting Office 365 users with a legitimate-looking Share Point document that claims to urgently need an email signature. The campaign cropped up in a spot that is supposed to be protected by Microsoft’s own SEG.
This isn’t the 1st time that the SEG sanctuary got polluted:: In Dec. spearphishers spoofed Microsoft.com itself to target 200m Office 365 users, successfully slipping past SEG controls due to Microsoft’s reported failure to enforce domain-based message authentication, reporting & conformance (DMARC): an email authentication protocol built specifically to stop exact domain spoofing (SPF/DKIM).
‘Response Urgently…?’
The spelling & grammar used in the ‘booby-trapped’ message are not the most badly spelled, syntactically weird giveaways you can find in these kinds of phishing campaigns. It may be assumed that any Share Point message that asks you to “response urgently” is not coming from a native English speaker.
The mere fact that the message presses urgency on its recipients should be a tip-off, of course: “Rush-rush” is a typical phishing ploy. Cofense notes that other red flags include the fact that the user’s name is not apparent in the opening message: an indication that it is a mass-distribution campaign intended to reach many targets.
Pending File
When recipients ‘hover’ over the hyperlink, they will see hide no reference to Microsoft. Those who click on the link will instead be moved over to the landing page, which display’s Microsoft’s Share Point logo & the “Pending file” notification in front of a blurry background & a request for the intended victim to log in to view the document.
That “could suffice for threat actors to extract & harvest users’ personal data,” Cofense states. If & when credentials are handed over, the campaign redirects the user to a spoofed, unrelated document, “which might be enough to trick the user into thinking this is a legitimate transaction,” Cofense observes.
Threat Activity Report
In its X-Force Threat Activity Report, IBM called the phish a ‘high-risk threat’ & gave these recommendations:
- Ensure anti-virus software & associated files are up to date.
- Search for existing signs of the indicated incidents of compromise (IoCs) in your environment.
- Consider blocking and/or setting up detection for all URL & IP based IoCs.
- Keep applications & operating systems running at the current released patch level.
- Exercise caution with attachments & links in emails.
Bogus Material
Though it is high risk, this phishing campaign is basically just another story of a malicious actor putting up bogus material that looks legitimate in order to lure users into clicking, in the hopes of obtaining credentials.
It’s yet another attack against Share Point servers, which have now joined the range of network devices – including much-troubled Microsoft Exchange email servers, SonicWall gateways & Pulse Secure gateways – that are being used by ransomware gangs to force open enterprise networks.
Ransomware Gang
Ransomware: the 2nd part of the double-Share Point attack:
It is a fairly new variant, 1st seen in Jan. by Pondurance. Analysts are calling it 2 names: Hello, because some examples use .hello as an extension; or WickrMe, since the group are using the Wickr encrypted instant messaging service to try to hostage victims for ransom.
The attackers are using a Microsoft Share Point 2019 vulnerability (CVE-2019-0604) to prise their way into victims’ networks. Then, they are using Cobalt Strike to pivot to the domain controller & launch ransomware attacks.
Unpatched Servers
CVE-2019-0604 is a high-severity CVE that can lead to remote code-execution. Microsoft patched the flaw in Mar. 2019, but nevertheless, there seems to be no end to attacks that have used it to penetrate unpatched servers afterwards.
An example: Microsoft warned in Oct. 2020 that Iranian nation-state players were using CVE-2019-0604 to exploit remotely unpatched servers & to then implant a web shell to gain persistent access & code execution.
Cobalt Strike
Following the web shell installation, an attacker deploys Cobalt Strike – a commercially available penetration-testing tool that they later use to install a ‘backdoor’ that lets them run automated Power Shell script, which eventually download & install the final payload: the Hello/Wickr ransomware.
Jeff Costlow, CISO of Extra Hop, revealed on Wed. that the ransomware attacks against the 2019 vulnerability affecting Share Point servers are the more insidious threat in the double attack, in that they install remote control software & thus allow direct access to the infrastructure where attackers can freely frolic.
Share Point Server
“The common thread is the Share Point server,” Costlow commented. “Anyone using Share Point needs to ensure that they are patching any instances of Share Point to avoid the malware/ransomware installations. Long term, no amount of patching will solve the phishing problem.
It is too easy for attackers to build sites that imitate legitimate sites. A rethink is needed as to how sharing is done. Security teams need to take a positive stance to help their users conduct daily business safely.
There are various tactics to help alert users to possible attacks, such as setting up each Share Point server to use a familiar background or image for users to ensure that they only input credentials on legitimate sites.”
2 Separate Share Point Jabs
Cofense explained on Wed. morning that there is no apparent connection between the Share Point phishing campaign that its analysts uncovered & the Wickr/Hello ransomware gang’s ongoing exploitation of Share Point server vulnerabilities.
However, 1 expert noted that there is a certain regularity in the pattern that these attacks follow: 1st the news about a vulnerability, then it gets seized on by attackers looking for the targets of unpatched servers.
Nation-State Actor
On Wed., Avihai Ben-Yossef, CTO & Co-Founder of Cymulate, commented that we have seen this happen over & over. “In the last year, we see a repetitious pattern in such attacks.
A zero-day is taken advantage of by a nation-state actor,” he observed. “The affected company – in this case, Microsoft – announces the vulnerability & subsequently patches it.
Then other nation-state actors learning about the vulnerability, subsequently launch attacks on those who have not patched. Finally, the criminal ransomware attackers come in, socialise the exploit on Dark Net sites and use it … to launch their own attacks.
Known Vulnerability
The double Share Point attack is because the nation state players used it 1st as a zero day (& then as a known vulnerability). Then ransomware players came & used it as well.
“The idea is to know what kind of problems you have & where,” he explained. “If you do not know, you can’t protect yourself. Organisations must develop a better response capability to track these announcements & threat intelligence & patch quicker.”
https://www.cybernewsgroup.co.uk/virtual-conference-may-2021/
