
Corporation-wide vulnerability detected in SharePoint, potentially jeopardizing entire systems.

Unidentified threat actor remained hidden in a corporate network for two weeks after exploiting a critical SharePoint flaw to get in

Alert raised concerning a vulnerability in SharePoint that potentially endangers entire corporate networks.

In a recent incident, threat actors exploited vulnerabilities in Microsoft SharePoint Server to gain unauthorised access to a corporate network. Once inside, they compromised a Microsoft Exchange service account that held domain administrator privileges, which let them move through the network undetected for two weeks.

The initial point of entry was a crafted POST request to the ToolPane.aspx endpoint (under SharePoint's /_layouts/ path). The request bypassed authentication and caused the server to run PowerShell embedded in the request body, which wrote a malicious web shell, spinstall0.aspx, to the server.

Once deployed, the web shell was used to read the server's ASP.NET machine keys, the ValidationKey and DecryptionKey that SharePoint uses to sign and encrypt ViewState and other authentication and session data. With these keys an attacker can sign their own serialized ViewState payloads, which the server accepts as legitimate and deserializes, giving remote code execution without re-exploiting the original flaw. This is why patching alone is not enough after such an intrusion: until the machine keys are rotated, the stolen keys remain a persistent, stealthy path back in and a route to further privilege escalation.
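The two server-side indicators described above, the exploit POST to ToolPane.aspx and any request for the spinstall0.aspx web shell, both leave traces in IIS W3C logs. The script below is an added example (not Rapid7's or Microsoft's code) that parses such logs, flags both indicators, and pivots to every other request from a flagged client IP so the analyst can see what else the attacker touched. The log lines are constructed for this example; the `DisplayMode=Edit` query string and the `/_layouts/SignOut.aspx` Referer used to rate confidence come from public Microsoft guidance on this exploit chain rather than from this article, and the regex also tolerates the `spinstall<digit>.aspx` variant names reported publicly, which goes slightly beyond the single file name mentioned here.

```python
"""Hunt IIS W3C extended logs for the SharePoint ToolPane/spinstall0 chain.

Added example for this article, not vendor code. Log lines are constructed.
"""
import re

# Indicator patterns. ToolPane.aspx lives under /_layouts/15/ (SharePoint 2013+)
# or /_layouts/16/; the web shell name may carry a digit suffix in variants.
TOOLPANE_RE = re.compile(r"/_layouts/1[56]/toolpane\.aspx$", re.IGNORECASE)
WEBSHELL_RE = re.compile(r"spinstall\d*\.aspx$", re.IGNORECASE)
# Referer seen on the exploit POST per public Microsoft guidance (assumption here).
SIGNOUT_REFERER_RE = re.compile(r"/_layouts/(1[56]/)?signout\.aspx$", re.IGNORECASE)

# Constructed sample: one benign hit, the exploit POST, the web shell fetch, one benign hit.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 23:11:02 10.0.0.5 GET /sites/finance/Shared%20Documents/Forms/AllItems.aspx - 443 CORP\\alice 10.0.4.22 Mozilla/5.0 - 200 0 0 120
2025-07-18 23:14:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.77 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 3310
2025-07-18 23:14:55 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.77 Mozilla/5.0 - 200 0 0 44
2025-07-18 23:20:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\bob 10.0.4.31 Mozilla/5.0 - 200 0 0 89
"""


def parse_w3c(text):
    """Return one dict per request, keyed by the names in the '#Fields:' directive.

    IIS writes '+' for spaces inside a field value, so whitespace splitting is safe.
    Lines whose column count does not match the header are skipped, not guessed at.
    """
    fields, records = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software, #Date and other directives
        values = line.split()
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def hunt(records):
    """Flag exploit POSTs to ToolPane.aspx and any access to the spinstall web shell."""
    findings = []
    for r in records:
        stem = r.get("cs-uri-stem", "")
        query = r.get("cs-uri-query", "").lower()
        referer = r.get("cs(Referer)", "")
        base = {"time": f"{r.get('date', '')} {r.get('time', '')}",
                "client": r.get("c-ip", "?"), "uri": stem,
                "status": r.get("sc-status", "?")}
        if r.get("cs-method", "").upper() == "POST" and TOOLPANE_RE.search(stem):
            # Both the edit-mode query string and the SignOut referer present:
            # this matches the exploit request shape, so rate it high.
            strong = "displaymode=edit" in query and SIGNOUT_REFERER_RE.search(referer)
            findings.append({**base, "rule": "toolpane_post",
                             "confidence": "high" if strong else "medium"})
        if WEBSHELL_RE.search(stem):
            # Any request for this file name is a web shell drop or use; no benign reason.
            findings.append({**base, "rule": "webshell_access", "confidence": "high"})
    return findings


def pivot(records, findings):
    """Return every request made by a flagged client IP, for scoping the intrusion."""
    clients = {f["client"] for f in findings}
    return [r for r in records if r.get("c-ip") in clients]


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    hits = hunt(recs)
    for h in hits:
        print(f"{h['time']}  {h['rule']:<16} {h['confidence']:<6} {h['client']}  {h['uri']}")
    print(f"{len(pivot(recs, hits))} request(s) from flagged client(s) to review")
```

Run it against a real W3C log by replacing `SAMPLE_LOG` with the file contents; a single `toolpane_post` hit followed within seconds by `webshell_access` from the same client is the sequence this article describes, and the `pivot` output is where to start looking for the key theft and follow-on activity.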

The attackers also worked to disrupt the security tools already in the environment before moving laterally. Rapid7 observed that they installed Horoung antivirus, a legitimate product that is popular in China and available through the Microsoft Store. The vendor is not implicated: the attackers simply abused a widely available product, and there is no publicly confirmed link between the SharePoint exploit chain and the antivirus itself.

Installing a second antivirus product on hosts that already had endpoint protection interfered with the existing tooling and weakened the environment's overall security posture. The attackers then added an exclusion for their own malicious binary, msvrp.exe, which they used for command and control, so that the antivirus they had installed would not flag it.

Additionally, the attackers used Mimikatz, a credential-dumping tool common in ransomware intrusions, to harvest credentials; they also cleared event logs and disabled system logging to cover their tracks. For lateral movement they used Impacket, an open-source Python collection for working with Windows network protocols such as SMB and WMI.

The attackers tried several methods to destroy third-party backups but were unsuccessful. Rapid7's incident response team, which investigated the intrusion, observed no attempt to encrypt data in the environment, the usual hallmark of ransomware, so the ultimate objective of the attack remains undetermined.

In summary, the threat actors chained a SharePoint exploit, web shell deployment and theft of the server's cryptographic keys to gain persistent access, then moved laterally with stolen credentials. Disabling or degrading existing security tools is a common step in advanced intrusions; here it was done by installing a second antivirus product and adding an exclusion for the attackers' malware, and the product's vendor is not implicated in the attack.

  1. The cybersecurity industry is increasingly focused on defending against attacks like this one, because threat actors routinely exploit vulnerabilities in widely deployed business applications such as Microsoft SharePoint.
  2. With the rise of remote work and digital transformation, the finance sector, including wealth management and personal finance, must prioritise cybersecurity investment to safeguard critical data and assets.
  3. Sophisticated attacks on business networks mean organisations need to revisit business continuity and disaster recovery planning, including data protection in cloud, banking and insurance environments, and in this case the attackers' attempts to destroy backups show why offline or immutable copies matter.
  4. As technology advances, cybersecurity remains a significant concern for businesses of all sizes, with data breaches potentially leading to substantial financial losses and reputational damage.
  5. A stronger emphasis on cybersecurity education and awareness is needed to equip people, both personally and professionally, to recognise and respond to threats, since even the most sophisticated technology can be compromised through human error.