The ongoing issues following recent software updates highlight a critical aspect of cybersecurity: infections can enable attackers to steal authentication credentials, granting extensive access to sensitive resources within a compromised network. While installing necessary updates is an initial step in recovery, further actions are imperative for complete remediation.
On July 18 and 19, researchers from Eye Security reported significant findings regarding ongoing cyberattacks that engaged multiple systems worldwide. These incidents, identified during two distinct waves of activity, drew on an exploited vulnerability that allowed hackers to introduce a webshell-based backdoor known as ToolShell. This backdoor facilitated unauthorized access to some of the most sensitive sections of SharePoint Servers, enabling the extraction of tokens that permitted attackers to execute further code and broaden their infiltration within affected networks.
Eye Security’s analysis underscores the atypical nature of the exploited backdoor, highlighting its lack of interactive commands and conventional command-and-control frameworks. Instead, the backdoor utilized internal .NET methods to read crucial MachineKey configurations of the SharePoint server, including validation keys. Such keys play an essential role in generating valid __VIEWSTATE payloads, which, when compromised, transform authenticated SharePoint requests into vectors for remote code execution.
The ability for remote code execution largely arises from how SharePoint handles the serialization of data structures and object states. A previously patched SharePoint vulnerability, disclosed by Microsoft in 2021, allowed for misuse of parsing logic resulting in object injection. This exploitation was made possible due to SharePoint utilizing ASP.NET ViewState objects with the signing key stored in the machine’s configuration. Attackers could leverage this to force SharePoint to deserialize arbitrary objects and execute embedded commands, albeit previously constrained by the necessity of a valid signature linked to the server’s sensitive ValidationKey.
The targets of these attacks appear to span across various regions, reflecting the global nature of modern cyber threats. The use of sophisticated tactics aligns with several techniques categorized within the MITRE ATT&CK framework. These likely include initial access, focused on exploiting known vulnerabilities, and persistence, enabled through the deployment of malicious backdoors. The attack also reveals potential avenues for privilege escalation, as attackers gained elevated access to critical systems post-infection.
In conclusion, as organizations enhance their cybersecurity measures, it remains crucial to recognize the depth of potential vulnerabilities. Regular updates and thorough security practices are not merely preventative but essential in minimizing the ramifications of targeted cyberattacks. Business leaders must remain vigilant, understanding the sophisticated tactics employed by adversaries and the ongoing evolution of threats in today’s digital landscape.
