Microsoft Attributes SharePoint Attacks to Chinese Actors

Urgent Security Alert: Chinese Hackers Exploiting Critical SharePoint Flaw

Microsoft has issued a stark warning about a China-based state-sponsored threat actor actively exploiting a critical vulnerability in Microsoft SharePoint Server. This campaign allows attackers to gain full administrative control over unpatched systems, posing a significant threat to organizations globally.

The attacks leverage a privilege escalation vulnerability, tracked as CVE-2023-29357, which has a CVSS score of 9.8 out of 10, marking it as critical. The flaw allows a remote, unauthenticated attacker to gain administrator privileges on a vulnerable SharePoint server. Crucially, these attacks require no user interaction and can be executed without any stolen credentials, making them exceptionally dangerous and difficult to detect before a compromise occurs.

How the Attack Unfolds

Security researchers have observed a specific attack chain being used by this threat actor. The process typically involves two key steps:

  1. Gaining Initial Admin Access: The attackers first exploit CVE-2023-29357. This vulnerability allows them to spoof their identity and trick the SharePoint server into granting them administrator-level access.
  2. Executing Malicious Code: Once they have admin privileges, the attackers chain this access with a separate code injection vulnerability (CVE-2023-24955) to achieve remote code execution (RCE). This allows them to run arbitrary commands on the server.

After successfully compromising a server, the primary goal of the attackers appears to be espionage and data theft. They typically deploy a custom webshell—a malicious script that provides them with persistent remote access to the server. This webshell allows them to exfiltrate sensitive documents, execute further commands, and move laterally across the victim’s network.

Who is at Risk?

While any organization using an unpatched version of SharePoint Server is at risk, this campaign appears to specifically target government agencies and organizations in the telecommunications and technology sectors across North America, Europe, and the Middle East. The focus on these targets is consistent with the strategic objectives of state-sponsored espionage groups.

Actionable Steps to Protect Your Organization

Given the severity of this threat, immediate action is required to secure your SharePoint environment. Waiting to be targeted is not a viable strategy. Follow these critical security recommendations now.

1. Patch Immediately
This is the single most important step. Microsoft released patches for CVE-2023-29357 in its May 2023 Patch Tuesday updates. If you have not applied these security updates, your SharePoint servers are highly vulnerable. Prioritize the deployment of these patches across all on-premises SharePoint Server 2019, 2016, and Subscription Edition environments.

2. Hunt for Indicators of Compromise (IoCs)
Even if you have patched, it is crucial to investigate whether your systems were compromised before the update was applied. Security teams should proactively hunt for signs of a breach:

  • Check for Webshells: Scrutinize SharePoint server directories for unusual or recently modified ASPX, ASHX, or ASMX files, particularly in publicly accessible web directories. Attackers often use common names like error.aspx or service.aspx to blend in.
  • Review Server Logs: Analyze IIS logs for suspicious GET or POST requests to unexpected pages. Look for requests from unfamiliar IP addresses attempting to access administrative endpoints.
  • Monitor Network Traffic: Watch for unusual outbound connections from your SharePoint servers, especially to IP addresses located in regions where your organization does not operate. Data exfiltration often involves large, unexpected data transfers.
  • Examine Running Processes: Look for unfamiliar processes or command-line executions spawned by the IIS worker process (w3wp.exe) that hosts SharePoint, as a webshell runs its commands as children of that process.
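The file and log checks in the list above can be scripted. The following is an added example written for this page, not code from the article or from Microsoft: it walks a web root for recently modified .aspx/.ashx/.asmx files, parses a W3C-format IIS log, and flags POSTs to script pages outside the usual SharePoint paths and Central Administration (/_admin/) requests from addresses outside a trusted range. The trusted range, the expected path prefixes, the sample log lines and the demo directory tree are all constructed assumptions to be replaced with your own environment's values.

```python
"""Hunting helpers for the IoC checks above (added example, not from the article).

Paths, IP ranges and the IIS log lines below are constructed for illustration;
tune TRUSTED_NETS and EXPECTED_POST_PREFIXES to your own environment.
"""
import ipaddress
import os
import tempfile
import time

# Extensions the article singles out as typical webshell carriers.
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx"}

# Assumed address ranges from which administrative access is expected.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumed path components under which POSTs to script pages are routine for
# SharePoint; a POST to a script page anywhere else gets an analyst's eyes.
EXPECTED_POST_PREFIXES = ("/_layouts/", "/_api/", "/_vti_bin/")

# SharePoint Central Administration is served under /_admin/.
ADMIN_PREFIX = "/_admin/"


def find_recent_script_files(root, since_epoch):
    """Return .aspx/.ashx/.asmx files under root modified after since_epoch."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                path = os.path.join(dirpath, name)
                if os.path.getmtime(path) > since_epoch:
                    hits.append(path)
    return sorted(hits)


def parse_iis_log(text):
    """Parse W3C extended IIS log text into one dict per request, keyed by #Fields."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def suspicious_requests(rows):
    """Return (reason, row) pairs matching the log-review checks in the article."""
    findings = []
    for r in rows:
        stem = r.get("cs-uri-stem", "").lower()
        ext = os.path.splitext(stem)[1]
        client = ipaddress.ip_address(r.get("c-ip", "0.0.0.0"))
        trusted = any(client in net for net in TRUSTED_NETS)
        if (r.get("cs-method") == "POST" and ext in SCRIPT_EXTS
                and not any(p in stem for p in EXPECTED_POST_PREFIXES)):
            findings.append(("POST to script page outside expected SharePoint paths", r))
        if stem.startswith(ADMIN_PREFIX) and not trusted:
            findings.append(("admin endpoint reached from untrusted address", r))
    return findings


# Constructed IIS log excerpt: one POST to a script page in a content library and
# one Central Administration request from outside the trusted range.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2023-06-01 10:00:00 10.0.0.5 GET /sites/hr/default.aspx - 443 10.0.1.20 Mozilla/5.0 200
2023-06-01 10:00:05 10.0.0.5 POST /sites/hr/_layouts/15/upload.aspx - 443 10.0.1.20 Mozilla/5.0 200
2023-06-01 10:01:10 10.0.0.5 POST /sites/hr/SiteAssets/service.aspx - 443 198.51.100.7 python-requests/2.31 200
2023-06-01 10:02:30 10.0.0.5 GET /_admin/operations.aspx - 443 198.51.100.7 Mozilla/5.0 200
2023-06-01 10:03:00 10.0.0.5 GET /_admin/operations.aspx - 443 10.0.1.20 Mozilla/5.0 200
"""


def build_demo_tree():
    """Create a constructed web root: one month-old page and one freshly dropped one.

    Returns (root, cutoff) where cutoff is 'one day ago', the hunt window."""
    root = tempfile.mkdtemp(prefix="sp_demo_")
    now = time.time()
    for rel, age in (("_layouts/15/upload.aspx", 30 * 86400),
                     ("SiteAssets/service.aspx", 0),
                     ("web.config", 30 * 86400)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<!-- constructed placeholder -->")
        os.utime(path, (now - age, now - age))
    return root, now - 86400


if __name__ == "__main__":
    root, cutoff = build_demo_tree()
    for path in find_recent_script_files(root, cutoff):
        print("recent script file:", path)
    for reason, row in suspicious_requests(parse_iis_log(SAMPLE_LOG)):
        print(f"{reason}: {row['c-ip']} {row['cs-method']} {row['cs-uri-stem']}")
```

Run against a real server, point find_recent_script_files at the IIS web root (and the SharePoint 15/16 hive's LAYOUTS folders) with a cutoff before your patch date, and feed parse_iis_log the contents of the W3C logs under the site's log directory; the path prefixes are matched as substrings because SharePoint serves /_layouts/ and /_api/ under every site collection path, not only at the root.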

3. Harden Your SharePoint Security Posture
Beyond patching, implement layered security controls to make a compromise more difficult for attackers:

  • Limit External Access: If possible, do not expose your SharePoint server’s administrative interface directly to the internet. Place it behind a VPN or a firewall with strict access control lists (ACLs).
  • Enforce Least Privilege: Regularly review user accounts and permissions. Ensure that only a minimum number of users have administrative rights.
  • Implement Network Segmentation: Isolate your SharePoint servers from other critical parts of your network. This can prevent attackers from moving laterally if a server is compromised.

The ongoing exploitation of this SharePoint vulnerability serves as a critical reminder that proactive security is non-negotiable. State-sponsored actors are methodical and persistent, and unpatched systems are an open invitation for a major security incident. Organizations must act decisively to patch their systems and verify their integrity to defend against these advanced threats.

Source: https://securityaffairs.com/180267/apt/microsoft-linked-attacks-on-sharepoint-flaws-to-china-nexus-actors.html
