Active exploitation of a dangerous flaw in Microsoft SharePoint instances continues, with researchers now observing an unknown hacking group taking advantage of the vulnerability.
Microsoft’s very bad, no good SharePoint troubles continue, with security researchers at Palo Alto Networks’ Unit 42 now observing an unattributed ransomware actor deploying its malware against victims via vulnerable SharePoint instances.
The vulnerabilities, known collectively as ToolShell, date back to May, and hackers linked to the People’s Republic of China had already been observed engaging in espionage and ransomware activity against SharePoint targets.
Microsoft had observed two Chinese nation-state hacking groups, which it tracks as Linen Typhoon and Violet Typhoon, taking advantage of the ToolShell vulnerabilities, but now it looks like purely profit-minded criminals are getting in on the action.
“Unit 42 is tracking high-impact, ongoing threat activity targeting self-hosted Microsoft SharePoint servers,” Unit 42 said in a 29 July update to its ToolShell activity analysis.
“While SaaS environments remain unaffected, self-hosted SharePoint deployments – particularly within government, schools, healthcare (including hospitals) and large enterprise companies – are at immediate risk.”
A couple of days later, Unit 42 provided more detailed information regarding the ransomware activity.
“An investigation into ToolShell exploitation revealed the deployment of 4L4MD4R ransomware, a variant of the open-source Mauri870 ransomware,” Unit 42 said on 31 July.
Unit 42 observed this new activity on 27 July, when the unidentified threat actor attempted to use a PowerShell command to disable security monitoring.
“Analysis of the 4L4MD4R payload revealed that it is UPX-packed and written in GoLang,” Unit 42 said.
“Upon execution, the sample decrypts an AES-encrypted payload in memory, allocates memory to load the decrypted PE file, and creates a new thread to execute it.”
The ransomware encrypts files and drops two files onto the desktop. One, titled DECRYPTION_INSTRUCTIONS.html, is the ransom note, while the second, ENCRYPTED_LIST.html, is a list of all the files encrypted during the attack. The ransom note lays out the steps the victim needs to take to decrypt their data.
“Your files have been encrypted by 4L4MD4R. This includes documents, photos, videos, databases, etc,” the note said.
“Do not try to decrypt or repair the files. You will not be able to recover them. Any attempt to decrypt the files will result in permanent data loss.”
The hackers demand a ransom of 0.005 bitcoin, or roughly US$500, but the note adds that “there are other ways to pay” if the victim can’t afford the ransom.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.