AL2021_14 Microsoft Office SharePoint Targeted with High Risk Phishing, Ransomware Attack (3rd May 2021)

Description

Cofense Phishing Defense Center (PDC) discovered a phishing campaign on 28th April 2021 that targets Office 365 users. Microsoft Office SharePoint-themed emails are successfully bypassing secure email gateways (SEGs), and attackers are also using an old Microsoft SharePoint 2019 vulnerability (CVE-2019-0604) to force their way into victims' networks.

Summary

The attack begins with a targeted Office 365 email containing a legitimate-looking SharePoint document that claims to urgently require a signature, with a link included for the recipient to click. Once the recipient clicks the link, a landing page appears that displays the Microsoft SharePoint logo and a "pending file" notification in front of a blurred background, together with a request for the victim to log in to view the document. If the credentials are handed over, the campaign redirects the user to a spoofed, unrelated document, which may be enough to convince the user that the transaction was legitimate.

Another attack against SharePoint servers, which also involves other network devices such as Microsoft Exchange email servers, SonicWALL gateways and Pulse Secure gateways, is being used by ransomware gangs to force open enterprise networks. It is a fairly new ransomware variant, first seen in January by Pondurance, that goes by two names, "Hello" and "WickrMe", because the Wickr encrypted instant messaging service is used in the attempt to hold victims to ransom. The attackers use the Microsoft SharePoint 2019 vulnerability (CVE-2019-0604) to force their way into victims' networks; Cobalt Strike is then used to pivot to the domain controllers and launch the ransomware attack.

Product Affected:

  • Microsoft Office 365 SharePoint software

SOLUTIONS:

  • Ensure anti-virus software and associated signature files are up to date.
  • Search for existing signs of the indicated indicators of compromise (IoCs) in your environment.
  • Consider blocking and/or setting up detection for all URL- and IP-based IoCs.
  • Keep applications and operating systems running at the current released patch level.
  • Exercise caution with attachments and links in emails.
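As an added illustration of the detection advice above (example code written for this alert, not code from Cofense, Pondurance or the CIRT), the following Python flags emails that use SharePoint lure wording but whose links land outside Microsoft-owned domains, which is the pattern of the credential-phishing campaign described. The sample messages, the lure terms and the domain allow-list are constructed assumptions to be tuned per environment.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample lure (not a real message): SharePoint wording, off-domain link.
SAMPLE_LURE = """From: notifications@example.org
Subject: SharePoint document pending your signature
Content-Type: text/html; charset="utf-8"

<html><body><p>A SharePoint file is pending. Sign in to view the document.</p>
<a href="https://files-review.example.net/view?doc=42">Review document</a></body></html>
"""

# Constructed sample of a message whose link stays on a Microsoft-owned host.
SAMPLE_LEGIT = """Subject: SharePoint document shared with you

<a href="https://contoso.sharepoint.com/sites/hr/Shared%20Documents/policy.pdf">Open</a>
"""

# Lure wording taken from the campaign description (assumed list; extend as needed).
LURE_TERMS = ("sharepoint", "pending file", "signature")
# Assumed allow-list of domains where a genuine SharePoint link should land.
MICROSOFT_HOSTS = ("sharepoint.com", "microsoft.com", "office.com")

def body_text(msg) -> str:
    """Concatenate decoded text/* parts (works for single-part and multipart)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def on_microsoft_host(url: str) -> bool:
    """True only for allow-listed domains or their subdomains; lookalikes fail."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in MICROSOFT_HOSTS)

def assess(raw_message: str) -> dict:
    """Flag SharePoint-themed mail whose links leave Microsoft-owned domains."""
    msg = message_from_string(raw_message)
    body = body_text(msg)
    text = f"{msg.get('Subject', '')} {body}".lower()
    terms = [t for t in LURE_TERMS if t in text]
    links = re.findall(r"""href=["']([^"']+)""", body, re.IGNORECASE)
    offsite = [u for u in links if not on_microsoft_host(u)]
    verdict = "review" if terms and offsite else "pass"
    return {"terms": terms, "offsite_links": offsite, "verdict": verdict}
```

A "review" verdict is a triage signal for the mail team, not a block decision; legitimate third-party document services will also trip it and belong on a local allow-list.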

For further information on this vulnerability, kindly follow the URL below:

https://cofense.com/blog/sharing-documents-sharepoint/

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

References

  • Microsoft Office SharePoint Targeted With High-Risk Phish, Ransomware Attacks (28th April 2021). Retrieved from Threatpost:

         https://threatpost.com/sharepoint-phish-ransomware-attacks/165671/

  • Microsoft Office SharePoint Target – High-Risk Phish & Ransomware Attacks! (28th April 2021). Retrieved from PSBE Cyber News Group:

         https://www.cybernewsgroup.co.uk/microsoft-office-sharepoint-target-high-risk-phish-ransomware-attacks/