September 22, 2023

Microsoft SharePoint servers have now joined the list of network devices being abused as an entry vector into corporate networks by ransomware gangs.SharePoint now joins a list that also includes Citrix gateways, F5 BIG-IP load balancers, Microsoft Exchange email servers, and Pulse Secure, Fortinet, and Palo Alto Network VPNs.

The group is tracked by security vendors under the codenames of Hello or the WickrMe ransomware because of its use of Wickr encrypted instant messaging accounts as a way for victims to reach out and negotiate the ransom fee.

Typical Hello/WickrMe attacks usually involve the use of a publicly known exploit for CVE-2019-0604, a well-known vulnerability in Microsoft’s SharePoint team collaboration servers.

The bug allows attackers to take control over the SharePoint server to drop a web shell, which they later use to install a Cobalt Strike beacon as a way to run automated PowerShell scripts that eventually download and install the final payload the Hello ransomware.

The inclusion of the SharePoint bug in Microsoft’s blog came after both cybercrime operators and state-sponsored espionage groups targeted SharePoint systems with exploits for the CVE-2019-0604 bug since at least May 2019, when exploits for the bug were posted online. SharePoint server owners don’t have any more excuses to avoid patching their systems, if they haven’t done so already.

Tags:

Leave a Reply

You may have missed

SandMan APT Group in action against Telcos

September 22, 2023

Gold Melody IAB Unsunging for Several Years

September 22, 2023

Apple fixes trio of Zeroday Exploits

September 22, 2023

T-Mobile and Data Breach tightly coupled

September 21, 2023

Cisco Acquires Splunk in a blockbuster deal

September 21, 2023

Atlassian BitBucket and Confluence Vulnerabilities

September 21, 2023
%d bloggers like this: