The FBI has issued a flash alert to private industry partners, warning that nation-state hackers have breached two unnamed US municipalities within the last year, using a Microsoft SharePoint vulnerability, CVE-2019-0604.
“Malicious activities included exfiltration of user information, escalation of administrative privileges, and the dropping of webshells for remote/backdoor persistent access,” an FBI alert said, adding that the compromised servers were used to steal the Active Directory database, compromise administrative credentials, and drop webshells for remote/backdoor access to the compromised servers.
“Four aspx webshells, all of which appeared to be variants of commonly available or open-source webshells, were uploaded to the compromised SharePoint server and used to facilitate additional access. The cyber actors uploaded a variety of publicly-available and open-source credential harvesting tools, such as Mimikatz, PowerSploit framework and PSEXEC to the C:\ProgramData\ directory,” it said.
“The actors named most of the tools with single-letter filenames (e.g., k.exe and h.bat) before deploying them to other systems on the network.”
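As a defender-side illustration, added here and not taken from the FBI alert or any vendor product, the script below scans host telemetry for the post-exploitation indicators the alert describes: .aspx files written into SharePoint's web-serving directories, single-letter executables and scripts staged under C:\ProgramData\, known credential-harvesting tool names, and processes spawned by the IIS worker that hosts the SharePoint application pool (w3wp.exe, an assumption about a standard on-premises deployment). The events are constructed for the example, and the simplified key=value log layout is invented for it rather than being any product's schema.

```python
"""Detection sketch for the TTPs described in the FBI flash alert on CVE-2019-0604.

Constructed sample events (not real telemetry) in an assumed simplified
'<timestamp> key=value key=value ...' layout; adapt parse_event() to the
real source (Sysmon, EDR, IIS logs) in practice.
"""
import re

# Constructed sample events: one SharePoint server (SP01) and one workstation (WS22).
SAMPLE_EVENTS = [
    "2019-12-03T10:14:02Z host=SP01 event=file_create user=sp_farm "
    "path=C:\\Program Files\\Common Files\\microsoft shared\\Web Server Extensions\\15\\TEMPLATE\\LAYOUTS\\cmd.aspx",
    "2019-12-03T10:15:40Z host=SP01 event=file_create user=sp_farm path=C:\\ProgramData\\k.exe",
    "2019-12-03T10:15:41Z host=SP01 event=process_create user=sp_farm image=C:\\ProgramData\\k.exe parent=w3wp.exe",
    "2019-12-03T10:16:05Z host=SP01 event=file_create user=sp_farm path=C:\\ProgramData\\h.bat",
    "2019-12-03T10:20:00Z host=SP01 event=process_create user=svc_backup image=C:\\Windows\\System32\\cmd.exe parent=backupagent.exe",
    "2019-12-03T11:02:13Z host=WS22 event=process_create user=jdoe image=C:\\Users\\jdoe\\Downloads\\mimikatz.exe parent=explorer.exe",
    "2019-12-03T11:30:00Z host=SP01 event=file_create user=sp_farm path=C:\\inetpub\\wwwroot\\wss\\VirtualDirectories\\80\\report.txt",
]

# key=value pairs; values may contain spaces, so a value runs until the next " key=" or end of line.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Directories from which SharePoint serves server-side pages (assumed standard layout).
SHAREPOINT_WEB_DIRS = ("\\web server extensions\\", "\\inetpub\\wwwroot\\wss\\")
# Single-letter tool names as in the alert (k.exe, h.bat); extensions are an assumption.
SINGLE_LETTER_TOOL = re.compile(r"^[a-z]\.(exe|bat|cmd|ps1|dll)$", re.IGNORECASE)
# Tool families named in the alert.
KNOWN_TOOLS = ("mimikatz", "powersploit", "psexec")
# IIS worker process hosting the SharePoint application pool (assumed).
SHAREPOINT_WORKER = "w3wp.exe"


def parse_event(line: str) -> dict:
    """Split '<ts> k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def check_event(ev: dict) -> list:
    """Return the names of every rule the event matches (empty list if benign)."""
    findings = []
    path = (ev.get("path") or ev.get("image") or "").lower()
    name = path.rsplit("\\", 1)[-1]

    # Rule 1: server-side page dropped into a SharePoint web-serving directory.
    if ev.get("event") == "file_create" and name.endswith(".aspx") \
            and any(d in path for d in SHAREPOINT_WEB_DIRS):
        findings.append("webshell_drop")
    # Rule 2: single-letter executable/script staged under C:\ProgramData\.
    if path.startswith("c:\\programdata\\") and SINGLE_LETTER_TOOL.match(name):
        findings.append("single_letter_tool_in_programdata")
    # Rule 3: well-known credential tooling by file name (weak on its own, useful in combination).
    if any(tool in name for tool in KNOWN_TOOLS):
        findings.append("known_credential_tool")
    # Rule 4: the IIS worker spawning a child process is unusual for a SharePoint server.
    if ev.get("event") == "process_create" and ev.get("parent", "").lower() == SHAREPOINT_WORKER:
        findings.append("process_spawned_by_sharepoint_worker")
    return findings


def scan(lines) -> list:
    """Run every rule over every line; return one record per (event, rule) match."""
    results = []
    for line in lines:
        ev = parse_event(line)
        for rule in check_event(ev):
            results.append({"ts": ev["ts"], "host": ev.get("host"), "rule": rule,
                            "path": ev.get("path") or ev.get("image")})
    return results


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['ts']} {hit['host']} {hit['rule']}: {hit['path']}")
```

Each rule is low-fidelity alone (a legitimate administrator can create an .aspx file), so the useful signal is several rules firing on the same host within minutes, as they do for SP01 here; in a real deployment the same checks would feed a correlation rule keyed on host and time window rather than alerting per event.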
The warning follows nearly 1,000 ransomware attacks in 2019 on public sector US bodies, including federal and state entities.
In a threat report published this week, security firm Radware found that attacks attributed to state-actors rose 42 percent last year.
Anna Convery-Pelletier, Radware’s CMO noted: “Nation-state intrusions are among the most difficult to thwart… as they have significant resources, knowledge of potential zero-day exploits, and the patience to plan and execute operations.”
FBI Nation State Cyber Warning
Both attacks outlined by the FBI used a vulnerability in Microsoft SharePoint Server. CVE-2019-0604 is a remote code execution vulnerability in Microsoft SharePoint that arises when the software fails to check the source markup of an application package.
In its security advisory, Microsoft noted that “an attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.”
The vulnerability has since been patched.
Hackers used this SharePoint vulnerability to breach the two municipalities and were able to exfiltrate user information and escalate privileges. The attack also included the dropping of webshells for remote/backdoor persistent access.
In its alert sent out to firms and institutions, such as UCLA, the FBI states that: “Due to the sophistication of the compromise and Tactics, Techniques, and Procedures (TTPs) utilized, it is believed that unidentified nation-state actors are involved in the compromise; however, it remains unknown whether these are isolated incidents or if they were conducted by the same cyber actors.”
The work of cybersecurity professionals is getting harder as firms adopt new methods and infrastructure practices built on technology they have not used before, such as multi-cloud environments and microservices.
Radware’s Convery-Pelletier notes that: “Security professionals feel as though the battlefield is shifting under their feet. Companies are increasingly adding and relying upon new paradigms, like microservices, public and hybrid clouds, and IoT, which means the infrastructure is harder to monitor for attacks.”
In a recent survey commissioned by Radware, 22 percent of respondents didn’t know whether they had been attacked and 38 percent were unable to tell whether a botnet had hit their network.
The World Economic Forum’s fifteenth Global Risks Report, out this week, meanwhile found that 76.1 percent of the people it surveyed said they expected the risk of attack against critical national infrastructure to rise in 2020.
Unfortunately, the rate of detection and prosecution appears to be practically non-existent in the US, as the report notes: “Organized cybercrime entities are joining forces, and their likelihood of detection and prosecution is estimated to be as low as 0.05 percent in the United States.”