Microsoft SharePoint Servers For The First Time Targeted By Ransomware Gang

Microsoft SharePoint Servers For The First Time Targeted By Ransomware Gang

SharePoint is now among products targeted by ransomware gangs that include Microsoft Exchange email servers, Citrix gateways, F5 BIG-IP load balancers, and VPNs by Pulse Secure, Fortinet, and Palo Alto Network.

SharePoint servers are fending off attacks by Hello (WickrMe), a new ransomware operation that was first detected at the end of 2020. It is unknown if it is Hello/WickrMe ransomware hacking SharePoint servers, or its operators are just renting access to systems already hacked by so-called “initial access brokers.” 

Security teams track it under different codenames. For example, some called it WickrMe because its operators use Wickr encrypted instant messaging accounts to reach out and negotiate the ransom fee with victims.

Most of the attacks involve using a publicly known exploit for the CVE-2019-0604 bug in Microsoft’s SharePoint team collaboration servers. By exploiting the bug, attackers can take control over the SharePoint server to drop a series of payloads that eventually download and install the Hello/Wickr ransomware.

It was the security firm Pondurance that first detected Hello/WickrMe attacks targeting SharePoint as an entry vector into a company’s network in January. But in a report published this week, Trend Micro said the attacks were still ongoing. The researchers note that this is the first time that a ransomware gang targeted SharePoint servers. 

But this was predicted back in April 2020, when Microsoft urged administrators to patch a number of vulnerabilities, among them CVE-2019-0604, saying they might be targeted by ransomware groups in the future.

Now that Microsoft’s prediction came true, SharePoint server owners who haven’t patched their servers already shouldn’t wait any longer.

However, Troy Mursch, chief research officer and co-founder of Bad Packets, a threat intelligence firm, said to The Record that there hasn’t been any significant increase in SharePoint internet scans from hackers. But it may simply mean that the Hello/WickrMe gang is using web shells that already had been planted on SharePoint servers.


About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.