On January 13, 2021, our security analysts discovered a brand new ransomware variant — .hello ransomware or WickrMe Ransomware. The actor uses a Microsoft SharePoint 2019 vulnerability (CVE-2019-0604) to enter the victims’ network. From there, the threat actor leverages Cobalt Strike to pivot to the domain controller and launch ransomware attacks.
As we know, Cobalt Strike is a legitimate threat emulation tool popular among penetration testers and red teams. However, the framework has leaked and been distributed more broadly often being abused by bad actors.
This cyber attack seems to be the same vulnerability used against the United Nations back in July 2019. As reported by Dark Reading, the same Microsoft SharePoint vulnerability CVE-2019-0604 was used to gain access to the victim’s environment. The cyber attack resulted in 400GB of data being downloaded by the threat actor.
“A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.
Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.
The security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages.”
As we all know, protecting your domain controller is a critical component to foundational security hygiene. Brush up on the best ways to protect your organization in our whitepaper: The Domain Controller…An Achilles Heel