
Chinese Hackers Exploit Old SharePoint Flaw to Deploy “ToolShell” Malware
Microsoft SharePoint is a powerful collaboration tool used by countless organizations worldwide, but its popularity also makes it a prime target for cyberattacks. A sophisticated, China-based threat actor has been identified actively exploiting a well-known SharePoint vulnerability to deploy a custom web shell, dubbed “ToolShell,” to compromise servers and steal sensitive data.
This campaign highlights a critical security lesson: failing to patch known vulnerabilities leaves your organization dangerously exposed. The primary entry point for these attacks is CVE-2019-0604, a remote code execution vulnerability in Microsoft SharePoint that was patched years ago. Despite a patch being available, many servers remain unpatched, providing an open door for attackers.
What is the “ToolShell” Web Shell?
Once attackers exploit the CVE-2019-0604 vulnerability, they gain the ability to run commands on the target server. Their weapon of choice is ToolShell, a custom-written piece of malware designed specifically for post-exploitation activities.
Unlike generic web shells, ToolShell is a more refined and discreet implant. It acts as a malicious backdoor, allowing the attackers to maintain persistent access to the compromised SharePoint server. Written in C# and compiled on the fly, it is designed to be stealthy and evade basic detection methods.
Key capabilities of the ToolShell malware include:
- File Management: Attackers can upload, download, delete, and modify files on the server.
- Command Execution: The malware can execute arbitrary system commands, giving attackers full control.
- Data Exfiltration: Its primary purpose is to locate and steal valuable documents, credentials, and other sensitive information.
How the SharePoint Attack Unfolds
The attack chain is methodical and effective, following a clear pattern from initial access to data theft.
- Initial Compromise: The threat actor scans the internet for public-facing SharePoint servers that are vulnerable to CVE-2019-0604. Once a target is found, they exploit the flaw to gain an initial foothold.
- Web Shell Deployment: After gaining access, the attacker uploads the ToolShell implant. The malware is often disguised with a common name to blend in with legitimate system files, making it harder to spot during a manual review.
- Command and Control (C2): The ToolShell malware communicates with an attacker-controlled server. This allows the threat actor to issue commands remotely and receive stolen data from the compromised SharePoint environment.
- Post-Exploitation Activity: With full control, the attackers begin their true mission. They use the server as a launchpad to move laterally across the network, escalate privileges, and, most importantly, exfiltrate sensitive corporate data.
How to Protect Your SharePoint Environment
Protecting your SharePoint servers from this and similar attacks requires a proactive and multi-layered security strategy. Relying on a single line of defense is not enough.
Here are critical security measures every organization using SharePoint should implement immediately:
- Patch Your Systems Immediately: The single most important step is to ensure your SharePoint servers are fully patched, especially for vulnerability CVE-2019-0604. If you have not applied security updates from April 2019 or later, you are likely vulnerable.
- Conduct Regular Security Audits: Actively hunt for indicators of compromise (IOCs). Look for suspicious files in web-accessible directories, unexpected processes spawned by the SharePoint application pool (w3wp.exe), and unusual outbound network traffic.
- Implement Network Segmentation: Isolate your SharePoint server from other critical parts of your network. This can prevent an attacker from moving laterally if the server is compromised. Public-facing servers should not have direct, unfettered access to internal databases or domain controllers.
- Use a Web Application Firewall (WAF): A properly configured WAF can help detect and block the initial exploitation attempts, preventing attackers from ever gaining access to your server.
- Enforce the Principle of Least Privilege: Ensure the service accounts used by SharePoint have only the absolute minimum permissions required to function. Overly permissive accounts make it easier for attackers to escalate privileges and access sensitive data.
- Deploy Endpoint Detection and Response (EDR): EDR solutions provide deep visibility into server activity and can detect malicious behavior, such as abnormal process execution or file modification, that might otherwise go unnoticed.
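The hunting advice above (suspicious script files in web-accessible directories, unexpected children of the w3wp.exe application-pool worker, unusual outbound traffic) can be turned into simple detection logic run over endpoint telemetry. The script below is an added example, not code from the article or from any vendor: it applies those three checks to Sysmon-style process-creation, file-creation and network-connection events. The web directory fragments, internal address ranges, sample paths and sample events are all assumptions constructed for the example, not indicators from the page.

```python
"""Hunt for ToolShell-style post-exploitation traces in endpoint events.

Added example, not code from the original article. Three checks:
(1) unexpected child processes of the SharePoint worker w3wp.exe,
(2) server-side script files dropped into web-accessible directories,
(3) w3wp.exe opening connections outside the organisation's networks.
Field names follow Sysmon events 1 (process), 3 (network) and 11 (file);
every event, path and address below is constructed sample data.
"""
from __future__ import annotations

import ipaddress
import ntpath
from dataclasses import dataclass

# Children a SharePoint worker process should not normally spawn.
# csc.exe / cvtres.exe are deliberately excluded: ASP.NET compiles pages
# on the fly, so those children are routine and would flood the queue.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "certutil.exe", "rundll32.exe", "regsvr32.exe",
}
# Web-accessible directory fragments (assumed; adjust to the farm layout).
WEB_DIRS = ("\\template\\layouts\\", "\\inetpub\\wwwroot\\")
# Extensions IIS executes server-side.
WEB_SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".soap")
# Networks treated as internal (assumed; replace with the real address plan).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def check_process_event(ev: dict) -> Finding | None:
    """Sysmon event 1: flag shells/LOLBins whose parent is w3wp.exe."""
    if _basename(ev.get("ParentImage", "")) != "w3wp.exe":
        return None
    child = _basename(ev.get("Image", ""))
    if child in SUSPICIOUS_CHILDREN:
        return Finding("w3wp_spawned_shell",
                       f"{child} from w3wp.exe: {ev.get('CommandLine', '')}")
    return None


def check_file_event(ev: dict) -> Finding | None:
    """Sysmon event 11: flag new server-side script files in web directories."""
    target = ev.get("TargetFilename", "")
    low = target.lower()
    if any(frag in low for frag in WEB_DIRS) and low.endswith(WEB_SCRIPT_EXT):
        return Finding("webshell_dropped", f"new script in web dir: {target}")
    return None


def check_network_event(ev: dict) -> Finding | None:
    """Sysmon event 3: flag w3wp.exe initiating connections outside INTERNAL_NETS."""
    if _basename(ev.get("Image", "")) != "w3wp.exe" or not ev.get("Initiated", True):
        return None
    try:
        dst = ipaddress.ip_address(ev.get("DestinationIp", ""))
    except ValueError:          # malformed or missing address: nothing to judge
        return None
    if not any(dst in net for net in INTERNAL_NETS):
        return Finding("w3wp_outbound_external",
                       f"w3wp.exe -> {dst}:{ev.get('DestinationPort', '?')}")
    return None


CHECKS = {1: check_process_event, 3: check_network_event, 11: check_file_event}


def hunt(events: list[dict]) -> list[Finding]:
    """Route each event to the check for its EventID and collect findings."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        finding = check(ev) if check else None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample data (not real telemetry or known indicators).
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
LAYOUTS = r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": W3WP, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir C:\\"},
    {"EventID": 1, "ParentImage": W3WP,  # routine ASP.NET compile, stays quiet
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig /out:App_Web_x.dll"},
    {"EventID": 11, "Image": W3WP, "TargetFilename": LAYOUTS + r"\update.aspx"},
    {"EventID": 3, "Image": W3WP, "Initiated": True,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": W3WP, "Initiated": True,  # internal SQL, stays quiet
     "DestinationIp": "10.20.30.40", "DestinationPort": 1433},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Running it against the constructed events yields one finding per rule while the routine csc.exe compile and the internal database connection stay silent. The allowlists are the part to tune: csc.exe is excluded because ASP.NET legitimately compiles pages under w3wp.exe, and the internal network list must match the real address plan or every outbound connection will be flagged.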
The continued exploitation of a years-old vulnerability is a stark reminder that cybercriminals thrive on unpatched systems. By prioritizing patch management and adopting a robust, defense-in-depth security posture, organizations can effectively shut the door on these persistent threats and safeguard their critical data.
Source: https://www.bleepingcomputer.com/news/security/microsoft-sharepoint-toolshell-attacks-linked-to-chinese-hackers/