Microsoft SharePoint servers have joined the list of network devices that ransomware gangs abuse as an entry vector into corporate networks, a list that already includes Citrix gateways, F5 BIG-IP load balancers, Microsoft Exchange email servers, and Pulse Secure, Fortinet, and Palo Alto Networks VPNs.
The group is tracked by security vendors under the codenames Hello or WickrMe ransomware, the latter name coming from its use of Wickr encrypted instant-messaging accounts as the channel through which victims reach out and negotiate the ransom fee.
Typical Hello/WickrMe attacks involve a publicly known exploit for CVE-2019-0604, a well-known vulnerability in Microsoft’s SharePoint team collaboration servers.
The bug allows attackers to take control of the SharePoint server and drop a web shell, which they later use to install a Cobalt Strike beacon; the beacon runs automated PowerShell scripts that eventually download and install the final payload, the Hello ransomware.
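The chain described above (web shell on the SharePoint server, then a beacon that launches PowerShell) leaves a recognisable trace in process-creation telemetry: the web server's worker process becomes the parent of a command interpreter. The following detection sketch is an added example written for this article, not code from the article, the vendors it cites, or the ransomware crew. It assumes Sysmon-style process-creation events serialised as JSON lines, that SharePoint's web shell would execute under the IIS worker process `w3wp.exe`, and that the command-line markers listed are typical of download cradles; the sample events are constructed.

```python
"""Flag the web-shell -> interpreter hop on a SharePoint front end.

Added example (assumptions: Sysmon-like JSON-lines events, w3wp.exe as the
web worker parent, the command-line markers below). Sample events are
constructed, not captured from a real incident.
"""
import json
from dataclasses import dataclass, field

# Parents that should rarely spawn an interpreter on a web front end (assumption).
WEB_WORKER_PARENTS = {"w3wp.exe"}
# Children matching the PowerShell/command hop the article describes.
INTERPRETER_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Markers commonly seen in download cradles (assumption, not from the article).
# Chosen so that no marker is a substring of another, so each counts once.
SUSPICIOUS_CMDLINE_MARKERS = ("-enc", "downloadstring", "invoke-expression", "iex ", "-w hidden", "bypass")


@dataclass
class Finding:
    pid: int
    parent: str
    image: str
    score: int            # 0..100, higher is more suspicious
    reasons: list = field(default_factory=list)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: dict):
    """Return a Finding when a web worker spawns an interpreter, else None."""
    parent = _basename(ev.get("ParentImage", ""))
    image = _basename(ev.get("Image", ""))
    if parent not in WEB_WORKER_PARENTS or image not in INTERPRETER_CHILDREN:
        return None
    reasons = [f"{parent} spawned {image}"]
    score = 50  # the parent/child pair alone is worth a look
    cmd = ev.get("CommandLine", "").lower()
    for marker in SUSPICIOUS_CMDLINE_MARKERS:
        if marker in cmd:
            reasons.append(f"command line contains '{marker.strip()}'")
            score += 15
    return Finding(int(ev["ProcessId"]), parent, image, min(score, 100), reasons)


def scan(lines):
    """Parse JSON-lines events and return findings, most suspicious first."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = score_event(json.loads(line))
        if finding:
            findings.append(finding)
    return sorted(findings, key=lambda f: -f.score)


# Constructed sample telemetry: one benign interpreter launch, one benign
# w3wp child, and two events matching the hop described in the article.
SAMPLE_EVENTS = [
    '{"ProcessId": 4120, "ParentImage": "C:\\\\Windows\\\\explorer.exe", "Image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "CommandLine": "powershell.exe"}',
    '{"ProcessId": 5210, "ParentImage": "C:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe", "Image": "C:\\\\Windows\\\\System32\\\\conhost.exe", "CommandLine": "conhost.exe 0x4"}',
    '{"ProcessId": 5308, "ParentImage": "C:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe", "Image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgA"}',
    '{"ProcessId": 5412, "ParentImage": "C:\\\\Windows\\\\System32\\\\inetsrv\\\\w3wp.exe", "Image": "C:\\\\Windows\\\\System32\\\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid={f.pid} score={f.score} {'; '.join(f.reasons)}")
```

The parent/child pair is the durable signal; the command-line markers only raise the score, because an operator can trivially change them while the web server still has to spawn something to run the next stage. On a real deployment the parent set would be extended to whatever process hosts the application pool, and the alert would be joined with file-creation events under the SharePoint web root to catch the web shell drop itself.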
The inclusion of the SharePoint bug in Microsoft’s blog came after both cybercrime operators and state-sponsored espionage groups had targeted SharePoint systems with exploits for CVE-2019-0604 since at least May 2019, when exploits for the bug were posted online. SharePoint server owners who have not yet patched their systems have run out of excuses.