Since June of 2019, unidentified cyber actors have leveraged a known SharePoint vulnerability, CVE-2019-0604, to exploit notable US entities. Following widespread scanning for CVE-2019-0604 in May, June, and October 2019, respectively, cyber actors compromised the network of two identified US municipalities using CVE-2019-0604. Malicious activities included exfiltration of user information, escalation of administrative privileges, and the dropping of webshells for remote/backdoor persistent access. Due to the sophistication of the compromise and Tactics, Techniques, and Procedures (TTPs) utilized, it is believed that unidentified nation-state actors are involved in the compromise; however, it remains unknown whether these are isolated incidents or if they were conducted by the same cyber actors.
Threat: SharePoint Server Vulnerability (CVE-2019-0604)
An unpatched SharePoint server was recently utilized to gain access to a US municipality’s network, steal the Active Directory (AD) database compromise administrative credentials, and drop webshells for remote/backdoor access to the compromised servers.
Four aspx webshells, all of which appeared to be variants of commonly available or open-source webshells, were uploaded to the compromised SharePoint server and used to facilitate additional access. The cyber actors uploaded a variety of publicly-available and open-source credential harvesting tools, such as Mimikatz, PowerSploit framework and PSEXEC to the C:\ProgramData\ directory. The actors named most of the tools with single-letter filenames (e.g., k.exe and h.bat) before deploying them to other systems on the network.
The compromised SharePoint server was then used as a pivot point on the network, allowing unauthorized access via compromised local administrator credentials. At least five machines on the municipality’s network contained evidence of similarly named executables staged in the C:\ProgramData\ directory. Over 50 hosts on the network showed evidence of Mimikatz execution. There is also evidence that the actors used the kerberoasting technique to target Kerberos service tickets. The actors were able to successfully gain access to several domain administrator accounts.
The general recommendation to mitigate this exploit is applying applicable security patches to Sharepoint. The critical remote code execution vulnerabilities in SharePoint (CVE-2019-0594 and CVE-2019-0604) and Windows DHCP Servers (CVE-2019-0626) are troubling, as the successful exploitation of any of these flaws could allow attackers to run arbitrary code and take control of the server. Patches for these vulnerabilities were released, and departments using these systems should refer to the following information:
- https://support.microsoft.com/en-us/help/4462155/description-of-the-security-update-for-sharepoint-enterprise-server
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604
- https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0626