At the end of 2020, a ransomware gang known as Hello/WickrMe began exploiting a now two-year-old bug affecting Microsoft SharePoint. Several exploits for the vulnerability, CVE-2019-0604, are publicly available and can be used to gain a foothold on SharePoint servers. In this case, the ransomware gang could potentially gain access through webshells that are already implanted, or drop one of its own. Either way, the webshell serves only as a mechanism to execute a Cobalt Strike Beacon, which is used to move laterally and then deploy the ransomware across the environment. What is unknown at this moment is how the ransomware gang is finding devices. In his article, Cimpanu notes that with the rise of initial access brokerage, scanning the IPv4 range may be unnecessary.