At the end of 2020, a ransomware gang known as Hello/WickrMe began exploiting a now two-year-old bug affecting Microsoft SharePoint. Several exploits for the vulnerability CVE-2019-0604 are publicly available and can be used to gain a foothold on SharePoint servers. In this case, the ransomware gang could potentially gain access through already implanted webshells or drop one of their own. Regardless, the webshell will only be a mechanism to execute a CobaltStrike Beacon to move laterally and then deploy the ransomware across the environment. What is unknown at this moment is how the ransomware gang is finding devices. In his article, Cimpanu notes that with the rise of initial access brokerage, the need for scanning the IPv4 range may be unnecessary.
SharePoint is now one of many in a long list of easily exploited on-premise services used in the enterprise. If one’s organization utilizes an on-prem instance of SharePoint, understanding the risks of that decision should be considered and a reliable patching process should be implemented. It is always prudent and cost-effective to prepare rather than react to a crisis, especially when downtime for non-critical devices like SharePoint is considered. Developing a continuous monitoring program or hiring a third-party security service provider is another wise precaution that can prevent a domain takeover. Centralized logging is the most critical asset to have because when an attack comes, it’s imperative to be able to tell the story of what happened – without that information, incident responders won’t know how many other computers in the enterprise have been compromised and won’t be able to completely evict the threat actors.