Nation-state hackers breached the networks of two US municipalities last year, the FBI said in a security alert sent to private sector partners last week.
The intrusions took place after attackers exploited the vulnerability CVE-2019-0604 in Microsoft SharePoint servers to break into the networks of the two municipalities.
The FBI says that once attackers gained a foothold on these networks, "malicious activities included exfiltration of user information, escalation of administrative privileges, and the dropping of webshells for persistent remote access/back door."
"Due to the sophistication of the compromise and the tactics, techniques, and procedures (TTPs) used, the FBI believes unidentified nation-state actors are involved in the compromise," the agency said in its security alert.
The FBI could not say whether both intrusions were carried out by the same group. The agency also did not name the two hacked municipalities; it did, however, describe the two intrusions in more detail, with an overview of the attackers' steps in each incident.
Municipality #1:
An unpatched SharePoint server was used to gain access to a US municipality's network, steal the Active Directory (AD) database, compromise administrative credentials, and drop webshells for external/backdoor access to the compromised servers.
Four aspx webshells, all of which appeared to be variants of commonly available or open-source webshells, were uploaded to the compromised SharePoint server and used to facilitate additional access. The cyber actors uploaded various publicly available and open-source credential-harvesting tools, such as Mimikatz, the PowerSploit framework, and PSEXEC, to the C:\ProgramData folder. The actors renamed most utilities to one-letter file names (for example, k.exe and h.bat) before deploying them on other systems on the network.
The SharePoint server was used as a pivot point in the network, allowing unauthorized access via compromised local administrator credentials. At least five machines on the municipality's network showed evidence of similarly named executables being run from the C:\ProgramData folder. More than 50 hosts on the network showed indications of Mimikatz being executed. There are also indications that the actors used the Kerberoasting technique to target Kerberos service tickets. The actors were able to gain access to several domain administrator accounts.
The intrusion appears to have been detected while the actors were still in the reconnaissance phase, so their actual objectives could not be determined.
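A defender-side triage script, added here as an example (it is not from the FBI alert or from ZDNet), that flags the behaviours described above in process-creation events: a shell spawned by the IIS worker process (w3wp.exe, assumed to be where SharePoint aspx pages and webshells execute), single-letter tools run from C:\ProgramData, and known tool file names. The event format, the sample lines, and the tool file names are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample process-creation events (not real logs), one per line, in a
# simplified "host|parent_image|image|command_line" format assumed for this example.
SAMPLE_EVENTS = """\
SP01|C:\\Windows\\System32\\inetsrv\\w3wp.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami
SP01|C:\\Windows\\System32\\cmd.exe|C:\\ProgramData\\k.exe|k.exe "sekurlsa::logonpasswords"
FS02|C:\\Windows\\System32\\cmd.exe|C:\\ProgramData\\h.bat|h.bat
WS17|C:\\Windows\\explorer.exe|C:\\Program Files\\Git\\git.exe|git pull
WS17|C:\\Windows\\System32\\cmd.exe|C:\\ProgramData\\k.exe|k.exe
DC01|C:\\Windows\\System32\\cmd.exe|C:\\ProgramData\\PsExec.exe|PsExec.exe \\\\DC01 -s cmd
"""

IIS_WORKER = "w3wp.exe"                       # SharePoint pages (and aspx webshells) run here
SHELLS = {"cmd.exe", "powershell.exe"}
PROGRAMDATA = re.compile(r"^c:\\programdata\\([^\\]+)$", re.IGNORECASE)
SINGLE_LETTER = re.compile(r"^[a-z]\.(exe|bat|ps1)$", re.IGNORECASE)
KNOWN_TOOLS = {"mimikatz.exe", "psexec.exe"}  # assumed default file names of tools named in the report

def basename(path):
    return path.rsplit("\\", 1)[-1]

def classify(parent, image, cmdline):
    """Return the alert labels that apply to one event (empty list if it looks benign)."""
    alerts = []
    if basename(parent).lower() == IIS_WORKER and basename(image).lower() in SHELLS:
        alerts.append("IIS worker spawned a shell (webshell-like)")
    m = PROGRAMDATA.match(image)
    if m:
        name = m.group(1)
        if SINGLE_LETTER.match(name):
            alerts.append(f"single-letter tool in ProgramData: {name}")
        if name.lower() in KNOWN_TOOLS:
            alerts.append(f"known tool in ProgramData: {name}")
    if "sekurlsa::" in cmdline.lower():     # Mimikatz credential-dump module (assumed indicator)
        alerts.append("Mimikatz credential-dump command line")
    return alerts

def scan(events_text):
    """Parse the events; return (findings, per_host_count) so spread across hosts is visible."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        host, parent, image, cmdline = line.split("|", 3)
        for alert in classify(parent, image, cmdline):
            findings.append((host, basename(image), alert))
    return findings, Counter(host for host, _, _ in findings)
```

Running `scan(SAMPLE_EVENTS)` on the constructed input yields six findings across four hosts; the per-host count is what shows the kind of spread the FBI described (similar binaries on five machines, Mimikatz traces on more than 50).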
Municipality #2:
In October 2019, the network of a second US municipality was accessed by unauthorized users. The intrusion activity was detected when Command and Control (C2) communication was discovered coming from the DMZ network segment.
The website was unpatched, which led to the compromise. The cyber actors used the existing network monitoring infrastructure, as well as third-party services, to move laterally within the DMZ. The activity was detected when the malicious actors gained access to two other hosts in the DMZ segment: a SQL server and a Microsoft Exchange server that acted as an SMTP forwarder. These servers were part of the AD domain, and activity indicative of targeting of AD services was detected.
Chinese nation-state hackers have previously exploited this bug
The attacks on US municipalities are not isolated, nor are they the first attacks to use the CVE-2019-0604 SharePoint vulnerability.
During 2019, this particular SharePoint vulnerability was one of the most exploited security flaws, both by financially motivated cyber criminals and by state-sponsored cyber espionage groups.
The first in-the-wild attacks were spotted by the Canadian Centre for Cyber Security at the end of April, when the agency issued a security alert about them. The Saudi National Cyber Security Center (NCSC) confirmed a similar wave of attacks a week later, in early May.
Both cyber security agencies reported that attackers took over SharePoint servers to install a version of the China Chopper webshell, a type of malware planted on servers that lets hackers control the compromised (SharePoint) server.
Neither agency named the perpetrators of these attacks, but the US cyber security firm Palo Alto Networks linked the two reports to APT27 (Emissary Panda), a hacking group with links to the Chinese government.
It is unclear whether the same Chinese hacking group was also behind the attacks on the two US municipalities. ZDNet was unable to confirm links between the FBI report and previous APT27 activity and indicators of compromise.
The SharePoint bug got lost in a busy 2019
Throughout the year, attacks using this bug only increased, as various hacking groups came to realize that the vulnerability was easy to exploit, that many companies had not patched, and that attacks usually provided access to many high-value corporate targets.
In the security alert it sent last week, the FBI reported spikes in scanning activity targeting the CVE-2019-0604 SharePoint vulnerability in May, June, and October 2019, which only confirms what ZDNet learned from sources about an increase in the number of SharePoint attacks as 2019 progressed.
Scans and attacks using this vulnerability were aided by the availability of a large number of technical write-ups analyzing the bug (1, 2, 3), along with an abundance of proof-of-concept exploit code made freely available by security researchers, from which attackers could pick and adapt to their needs (1, 2, 3, 4, 5).
But in 2019, a year that brought vulnerabilities such as BlueKeep, DejaBlue, and many VPN security flaws, the SharePoint bug went under the radar, despite quite intense scanning activity and even confirmed attacks carried out by nation-state hacking groups.
Prior to last week's FBI security alert, no similar security notice had been issued by other major cyber security authorities, such as DHS CISA or the British NCSC.
Going forward, attacks are expected to continue, as a large number of unpatched SharePoint servers are still online, despite the patch approaching its one-year anniversary next month.
One of the reasons so many servers remain unpatched is that Microsoft made the patching process confusing. It took the company three patches to fully resolve this issue, with fixes delivered in February, March, and April.
Some companies may have installed the February patch, thinking they were safe, unaware that a more complete patch was released in April.
As several cyber security experts have noted on Twitter, this vulnerability is quite serious, and organizations need to check that they have installed all three patches.
I would urge all organizations with SharePoint to urgently patch CVE-2019-0604 from February 2019. It is still widely online, and the vulnerability is a 100% reliable remote code execution.
– Kevin Beaumont (@GossiTheDog) January 5, 2020
The urgency of addressing this should be easy to understand.
The bug is a so-called pre-auth RCE (pre-authentication remote code execution). Pre-auth RCEs are very attractive to attackers because they are easy to automate and exploit.
Second, SharePoint is a very popular product, with Microsoft citing more than 200,000 installations around the world, which makes it a huge attack surface, much of it made up of high-value government organizations and large companies.