
Urgent Security Alert: Ransomware Gangs Targeting Unpatched SharePoint Servers
A critical vulnerability in Microsoft SharePoint Server, patched by Microsoft in 2023, is being actively exploited by multiple ransomware groups, creating a significant and immediate threat to organizations that have not yet applied the security updates. This is not a theoretical risk; the attacks are happening now and are leading to full network compromise and ransomware deployment.
Understanding the threat is the first step toward effective defense. Attackers are using a known authentication-bypass and privilege-escalation flaw to gain initial access to vulnerable servers without valid credentials. Once inside, they chain it with a second bug to execute code on the server, take control of it, and move laterally across the network.
How the Attack Unfolds
The attack chain combines two vulnerabilities to achieve its goal. It is not novel: the same pair was demonstrated publicly at Pwn2Own Vancouver 2023, and a technical write-up with proof-of-concept code followed later that year, so the exploitation seen in the wild is largely a matter of reusing public tooling against servers that were never patched. Here is a breakdown of how cybercriminals are turning a SharePoint flaw into a full-blown ransomware incident:
- Exploiting the Vulnerability: The primary entry point is CVE-2023-29357, a critical (CVSS 9.8) privilege escalation vulnerability. An attacker who crafts spoofed JWT authentication tokens can use them to bypass authentication entirely and obtain the privileges of an administrative user on the SharePoint server, with no credentials and no user interaction.
- Remote Code Execution: On its own, CVE-2023-29357 only yields privileged access to the SharePoint application. Attackers therefore chain it with CVE-2023-24955, a code-injection vulnerability that allows a user who already holds Site Owner privileges to execute arbitrary code on the server. Combined, the two bugs give an unauthenticated attacker remote code execution as the SharePoint service account.
- Deploying a Backdoor: After gaining code execution, the attackers plant a "web shell": a malicious server-side script (typically an ASP.NET page) written into a web-accessible directory. It acts as a persistent backdoor and keeps working even after the original vulnerabilities are patched, because patching fixes the bugs but does not remove files the attacker has already dropped.
- Network Compromise and Ransomware: With persistent access, the threat actors perform network reconnaissance, steal sensitive data, and ultimately deploy their ransomware payload. This final step encrypts your critical files, disrupts operations, and is followed by a ransom demand.
It is crucial to understand that simply having an unpatched SharePoint server reachable from the internet makes you a target. Attackers are systematically scanning for vulnerable builds and launching automated attacks against them; no targeting of your organization in particular is required.
Who Is at Risk?
This threat specifically impacts organizations running on-premises versions of Microsoft SharePoint Server. If your company runs SharePoint Server 2019 or SharePoint Enterprise Server 2016, you must take immediate action; check Microsoft's advisories for the two CVEs for the full list of affected builds, which also covers SharePoint Server Subscription Edition for CVE-2023-24955.
Organizations using SharePoint Online (as part of the Microsoft 365 suite) are not directly affected by this on-premises vulnerability, as Microsoft manages the security and patching for its cloud services.
Immediate Steps to Secure Your SharePoint Servers
Protecting your organization from this campaign requires swift and decisive action. Waiting to be targeted is not a viable strategy. Follow these essential security measures immediately:
- Patch Your Servers Now: The single most important step is to apply the Microsoft security updates that address these vulnerabilities. They have been available since mid-2023 (CVE-2023-24955 was fixed in May 2023 and CVE-2023-29357 in June 2023), and CISA has added both to its Known Exploited Vulnerabilities catalog. Prioritize this above all else. If you have not patched yet, assume the server may already be compromised and investigate before trusting it again, because patching does not evict an attacker who is already present.
- Hunt for Signs of Compromise: Your security team must proactively search for indicators of compromise (IOCs). This includes reviewing the IIS request logs and SharePoint ULS logs for suspicious activity such as requests to unfamiliar .aspx pages, scanning SharePoint and IIS directories for unknown or recently modified web-accessible files (web shells), and monitoring for unusual network traffic originating from the servers.
- Implement Strong Access Controls: Enforce the principle of least privilege. Ensure that user and service accounts, including the SharePoint application pool and farm accounts, have only the permissions absolutely necessary to perform their functions, so that code execution as the service account does not hand over the whole domain. Multi-factor authentication (MFA) should be mandatory for all user accounts, especially those with administrative access; note that MFA does not block this particular exploit, which bypasses authentication rather than guessing credentials, but it limits what an attacker can do with credentials harvested after the break-in.
- Enhance Network Monitoring: Increase your vigilance over network traffic. Look for unusual outbound connections from your SharePoint servers, as this could indicate data exfiltration or communication with a command-and-control server.
- Review and Test Your Backup Plan: A robust and tested backup and recovery plan is your last line of defense against ransomware. Ensure you have recent, immutable backups that are stored offline and are segregated from the main network. Regularly test your ability to restore from these backups to ensure they are viable in an emergency.
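The hunting step above can be turned into a repeatable check. The script below is an added example written for this page, not code from Microsoft or from the source article: it lists recently created or modified ASP.NET files under the SharePoint hive and the IIS virtual directories, flags those containing generic web-shell markers (process spawning, request-driven eval, Base64 decoding), optionally compares file hashes against a baseline taken from a known-good server, and then pulls any IIS log lines that show requests to the flagged files. The default paths are the product defaults for SharePoint 2016/2019 and IIS; the 90-day lookback, the marker list and the baseline CSV format are assumptions of this example, not published indicators for this campaign.

```powershell
# hunt-sharepoint-webshells.ps1 (added example; not part of the original article)
# Run in an elevated PowerShell session on the SharePoint server.
param(
    [int]$LookbackDays = 90,                                   # assumption: adjust to your patch gap
    [string[]]$Roots = @(
        'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
        'C:\inetpub\wwwroot\wss\VirtualDirectories'
    ),
    [string]$IisLogRoot = 'C:\inetpub\logs\LogFiles',          # IIS default log location
    [string]$BaselineCsv = '',                                 # optional: this script's CSV from a clean server
    [string]$OutCsv = "$env:TEMP\sharepoint-webshell-hunt.csv"
)

$since = (Get-Date).AddDays(-$LookbackDays)
$ext   = '*.aspx', '*.ashx', '*.asmx', '*.svc', '*.config'

# Generic markers of server-side code that runs commands or evaluates request input.
# Legitimate SharePoint pages rarely contain these; expect a few false positives and review by hand.
$markers = @(
    'Process\.Start', 'ProcessStartInfo', 'cmd\.exe', 'powershell',
    'FromBase64String', 'eval\(', 'Request\["', 'Request\.Form\[', 'Request\.Item\['
)

# Hashes from a known-good server let us ignore files that are part of the product.
$baseline = @{}
if ($BaselineCsv -and (Test-Path $BaselineCsv)) {
    Import-Csv $BaselineCsv | ForEach-Object { $baseline[$_.SHA256] = $true }
}

# 1. Recently created or modified web-accessible files under the SharePoint/IIS roots.
#    Attackers can timestomp, so treat this as a first pass, not a proof of absence.
$recent = foreach ($root in $Roots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -File -Include $ext -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $since -or $_.CreationTime -ge $since }
    }
}

# 2. Hash each candidate and look for web-shell markers in its content.
$findings = foreach ($f in $recent) {
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    $hits = Select-String -Path $f.FullName -Pattern $markers -AllMatches -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Matches.Value } | Sort-Object -Unique
    [pscustomobject]@{
        Path       = $f.FullName
        Created    = $f.CreationTime
        Modified   = $f.LastWriteTime
        SHA256     = $hash
        Markers    = ($hits -join ';')
        InBaseline = $baseline.ContainsKey($hash)
    }
}

$findings | Export-Csv -Path $OutCsv -NoTypeInformation
Write-Host "Candidates written to $OutCsv ($(@($findings).Count) files newer than $since)"

# 3. For suspicious, non-baseline files, show whether anyone has actually requested them.
#    IIS W3C logs record the cs-uri-stem, so the file name is enough to correlate.
$logFiles = Get-ChildItem -Path $IisLogRoot -Recurse -Filter 'u_ex*.log' -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $since }

foreach ($hit in ($findings | Where-Object { $_.Markers -and -not $_.InBaseline })) {
    $leaf = Split-Path -Path $hit.Path -Leaf
    $requests = @()
    if ($logFiles) {
        $requests = @(Select-String -Path $logFiles.FullName -Pattern ([regex]::Escape($leaf)) -ErrorAction SilentlyContinue)
    }
    Write-Host "`n[!] $($hit.Path)"
    Write-Host "    modified: $($hit.Modified)  markers: $($hit.Markers)  IIS requests: $($requests.Count)"
    $requests | Select-Object -First 5 | ForEach-Object { Write-Host "    $($_.Line)" }
}
```

Run it once on a freshly built, fully patched server to produce the baseline CSV, then run it with -BaselineCsv on production servers so that only files Microsoft did not ship are reported. A web-accessible file with shell markers that also appears in the IIS logs with POST requests from unexpected source addresses is a strong signal that the server is already compromised, and at that point the response should shift from patching to containment and forensic imaging rather than deleting the file in place.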
The threat of ransomware continues to evolve, and this targeted campaign against SharePoint servers is a stark reminder that foundational security hygiene, like timely patching, is non-negotiable. By taking these proactive steps, you can significantly reduce your risk and fortify your defenses against a costly and disruptive attack.
Source: https://www.bleepingcomputer.com/news/security/ransomware-gangs-join-attacks-targeting-microsoft-sharepoint-servers/