If you’ve opted for Microsoft SharePoint web development, then you need to prepare yourself to prevent high-risk phish and ransomware attacks. SharePoint servers are being targeted by high-risk, legitimate-appearing, brand-name phishing messages and attacked by a notorious ransomware group exploiting an old bug.
Researchers at Cofense discovered a phishing campaign that disguises itself with a SharePoint theme and bypasses secure email gateways (SEGs). On Tuesday 27th April 2021, the firm described this as an example of why it’s not always practical to share documents using the very popular and widely used collaboration tool, Microsoft SharePoint.
Phishing Through Legitimate-looking SharePoint Document
Office 365 users are being targeted by the phish with a legitimate-looking SharePoint document that asks them to sign it urgently. The phishing campaign emerged in a spot that should be secured by Microsoft’s own secure email gateways. However, this is not the first time the SEG has been bypassed. In December, spear phishers impersonated the tech giant’s own Microsoft.com domain to target 200 million Microsoft Office 365 users. They slipped past SEG controls because Microsoft had failed to enforce Domain-based Message Authentication, Reporting, and Conformance (DMARC), an email authentication policy built on SPF and DKIM that prevents exact-domain spoofing.
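As an added illustration (not code from Cofense or any vendor quoted on this page), the check below parses DMARC TXT records and reports whether the published policy would actually stop exact-domain spoofing, which is the gap described above; the domain names and records are constructed sample data.

```python
from typing import Optional

# Constructed DMARC TXT records (sample data, not from any real domain) that
# show the difference between merely publishing DMARC and enforcing it.
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=reject; pct=50; sp=none",
    "enforcing.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example",
    "quarantine.example": "v=DMARC1;p=quarantine;sp=quarantine;pct=100",
}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (tags are case-insensitive)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_enforcement(record: Optional[str]) -> dict:
    """Judge whether a record enforces: p and sp must be reject or quarantine
    (sp defaults to p) and pct must be 100 (the RFC 7489 default)."""
    if not record:
        return {"present": False, "enforcing": False, "reason": "no DMARC record"}
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"present": False, "enforcing": False, "reason": "not a DMARC1 record"}
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0  # malformed pct: treat as not enforcing
    problems = []
    if policy not in ("reject", "quarantine"):
        problems.append(f"p={policy} only monitors")
    if sub_policy not in ("reject", "quarantine"):
        problems.append(f"sp={sub_policy} leaves subdomains open")
    if pct < 100:
        problems.append(f"pct={pct} applies the policy to only a fraction of mail")
    return {"present": True, "enforcing": not problems,
            "reason": "; ".join(problems) or "enforced"}

if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(domain, dmarc_enforcement(rec))
```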
Is There a Need to ‘Response Urgently…’?
The spelling and grammar in the phishing message are not as poor as in campaigns where unusual syntax is the giveaway. Still, it may be presumed that any SharePoint message asking users to “response urgently” was not written by a native English speaker.
The message also creates urgency for users to take action. Cofense noticed another red flag: the opening of the message does not address the user by name. This indicates a mass phishing campaign targeting many users of SharePoint services.
Emails Ask Users to Enter Credentials to View ‘Pending File’
When recipients of the phishing email hover over the external link, they find that it contains no reference to Microsoft. When they click on the hyperlink, they are redirected to a landing page that shows the SharePoint logo and a ‘Pending file’ notification against a blurred background, with a request that the recipient log in to see the document.
According to Cofense, that “could suffice for threat actors to extract & harvest users’ personal data.” Once the login credentials are entered, the phishing campaign takes the victim to a decoy, unrelated document, “which might be enough to trick the user into thinking this is a legitimate transaction,” Cofense notes.
Threat Activity Report
IBM, in its X-Force Threat Activity Report, classed the phish as a “high-risk threat” and recommended that users of SharePoint services:
- Keep antivirus software and related files up to date.
- Look for the indicated indicators of compromise (IoCs) in your environment.
- Block and/or set up detection for all URL- and IP-based IoCs.
- Make sure that applications and operating systems are running at the latest released patch level.
- Be cautious about emails with attachments and links.
The Phishing Campaign Sends Fake Material to Lure Users
The phishing campaign basically circulates legitimate-looking fake material to tempt users to click on the link so that the attackers can harvest their credentials. This mirrors another attack against Microsoft SharePoint servers, which have joined a variety of network devices such as Microsoft Exchange email servers, Pulse Secure gateways, and SonicWall gateways that are being exploited by ransomware gangs to gain access to enterprise networks.
Ransomware Gangs Exploit Vulnerability CVE-2019-0604
Ransomware is the second part of the double SharePoint attack. This new variant was first seen in January by Pondurance. Analysts are giving it two names: Hello, because some samples use the .hello extension, or WickrMe, because the group uses the Wickr encrypted instant messaging service to extort ransom from victims.
The ransomware attackers are exploiting a Microsoft SharePoint 2019 vulnerability (CVE-2019-0604) to make their way into their targets’ networks. Then, using Cobalt Strike, they target domain controllers and launch ransomware attacks.
Unpatched Servers Are More Vulnerable
The high-severity CVE-2019-0604 leads to remote code execution. Microsoft patched the issue in March 2019. However, attacks against servers that remain unpatched continue.
So, if you’re involved in SharePoint web development, you must ensure that your server is kept patched.
The Use of Cobalt Strike to Create a Backdoor
After the web shell is installed, the attacker uses Cobalt Strike, a commercially available penetration-testing tool, to create a ‘backdoor’ that lets them run an automated PowerShell script which downloads and installs the final payload: the Hello or WickrMe ransomware.
It was revealed on Wednesday by Jeff Costlow, CISO of ExtraHop, that the ransomware attacks against the Microsoft SharePoint 2019 vulnerability are the most dangerous part of the double attack: the attackers deploy remote-control software, which gives them direct access to the infrastructure and lets them move around freely.
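As an added example, not code from any of the vendors quoted here, the following detection logic looks for the two behaviours the attack chain above relies on: the IIS worker process that hosts SharePoint spawning a command interpreter (web shell activity), and PowerShell launched with encoded or download-cradle arguments. The process events are constructed sample data; their field names loosely follow Sysmon Event ID 1.

```python
import re

# Constructed process-creation events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "User": r"CONTOSO\sp_apppool"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc AAAA", "User": r"CONTOSO\sp_apppool"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Users", "User": r"CONTOSO\alice"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe 0xffffffff", "User": r"CONTOSO\sp_apppool"},
]

# Interpreters a web shell typically hands off to; conhost.exe is normal noise.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Encoded-command switches and common download cradles on a PowerShell command line.
SUSPICIOUS_PS = re.compile(r"(?:^|\s)-e(?:nc(?:odedcommand)?)?\s|downloadstring|invoke-webrequest|net\.webclient", re.I)

def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev: dict) -> list:
    """Return the detection names that fire for one process-creation event."""
    findings = []
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    if parent == "w3wp.exe" and child in SHELLS:
        findings.append("IIS worker process spawned a command interpreter (web shell behaviour)")
    if child in ("powershell.exe", "pwsh.exe") and SUSPICIOUS_PS.search(ev["CommandLine"]):
        findings.append("PowerShell launched with encoded or download-cradle arguments")
    return findings

def triage(events: list) -> list:
    """Pair each event index with every finding raised for it."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]

if __name__ == "__main__":
    for idx, finding in triage(SAMPLE_EVENTS):
        print(f"event {idx} [{SAMPLE_EVENTS[idx]['User']}]: {finding}")
```

Pairing the parent-child rule with the SharePoint application-pool account in the User field keeps the alert focused on the server the page discusses rather than every PowerShell launch on the network.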
SharePoint Server is the Common Thread
Costlow commented that “The common thread is the SharePoint server.” Therefore, those using SharePoint services need to make sure that they are patching every SharePoint instance to prevent the installation of malware or ransomware. This will fix the phishing problem.
Attackers can easily create legitimate-looking sites, so a rethink of how sharing is done is necessary. Security teams need to take a proactive stance to help SharePoint users run their daily business safely.
There are several ways to warn users against potential attacks. For instance, each SharePoint server can be set up to show users a familiar image or background so that they only enter login credentials on legitimate sites.
2 Different SharePoint Jabs
On Wednesday morning, Cofense said that there is no apparent connection between the Microsoft SharePoint phishing campaign exposed by its analysts and the Hello/WickrMe ransomware gang’s continued exploitation of SharePoint server vulnerabilities.
Nevertheless, one expert noticed a consistent pattern that these cyber-attacks follow: first there is news about a vulnerability, then it is eventually picked up by attackers hunting for victims with unpatched servers.
Nation-State Players Target Users Who Have Not Patched
Avihai Ben-Yossef, CTO and Co-Founder of Cymulate, commented on Wednesday that they have witnessed this many times. He observed, “In the last year, we see a repetitious pattern in such attacks. A zero-day is taken advantage of by a nation-state actor.” In this case, the affected vendor, Microsoft, declares the vulnerability and eventually patches it.
Later on, other nation-state actors learn about the vulnerability and seize on it, attacking users who have not yet patched. Then come the notorious ransomware attackers, who share and exploit it on Dark Net sites and use it to launch their attacks.
Attackers Exploit the Identified Vulnerability
The double Microsoft SharePoint attack came about because nation-state actors exploited the bug first as a zero-day and later as an identified vulnerability. Then it was exploited by ransomware players.
He further explained, “The idea is to know what kind of problems you have and where. If you do not know, you can’t protect yourself. Organizations must develop a better response capability to track these announcements and threat intelligence and patch quicker.”
Considering the severity of phish and ransomware attacks, enterprises should be backed by a professional SharePoint web development company, as SharePoint experts can keep their applications safe and secure by keeping everything up to date. They will also follow security best practices and keep these attacks at bay.