Image: ZDNet

Nation-state hackers breached the networks of two US municipalities last year, the FBI said in a security alert sent to private industry partners last week.

The hacks took place after attackers used the CVE-2019-0604 vulnerability in Microsoft SharePoint servers to breach the two municipalities' networks.

The FBI says that once attackers got a foothold on these networks, "malicious activities included exfiltration of user information, escalation of administrative privileges, and the dropping of webshells for remote/backdoor persistent access."

"Due to the sophistication of the compromise and Tactics, Techniques, and Procedures (TTPs) utilized, the FBI believes unidentified nation-state actors are involved in the compromise," the agency said in its security alert.

The FBI could not say if both intrusions were carried out by the same group. The agency also did not name the two hacked municipalities; however, it reported the two breaches in greater detail, listing the attackers' steps in each incident.

Municipality #1:

An unpatched SharePoint server was utilized to gain access to a US municipality's network, steal the Active Directory (AD) database, compromise administrative credentials, and drop webshells for remote/backdoor access to the compromised servers.

Four aspxwebshells, all of which appeared to be variants of commonly available or open-source webshells, were uploaded to the compromised SharePoint server and used to facilitate additional access. The cyber actors uploaded a variety of publicly-available and open-source credential harvesting tools, such as Mimikatz, PowerSploit framework and PSEXEC to the C:\ProgramData\directory. The actors named most of the tools with single-letter filenames (e.g., k.exe and h.bat) before deploying them to other systems on the network.

The SharePoint server was used as a pivot point on the network, allowing unauthorized access via compromised local administrator credentials. At least five machines on the municipality's network contained evidence of similarly named executables staged in the C:\ProgramData\directory. Over 50 hosts on the network showed evidence of Mimikatz execution. There is also evidence that the actors used the kerberoasting technique to target Kerberos service tickets. The actors were able to successfully gain access to several domain administrator accounts.

The intrusion appears to have been detected while the actors were still in the reconnaissance phase of the intrusion, so their actual objectives on target could not be determined.

Municipality #2:

In October 2019, a second US municipality's network was targeted by unauthorized users. Intrusion activity was detected when Command and Control (C2) communications were discovered from the DMZ network segment.

The website was missing patches, leading to the compromise. The cyber actors utilized existing network monitoring infrastructure, as well as third-party services, to move laterally within the DMZ. The activity was detected when the malicious actors gained access to two other hosts in the DMZ segment -a SQL server and a Microsoft Exchange server acting as an SMPT forwarder. These servers are part of the AD domain, and activities indicative of the AD service targeting were detected.

Chinese nation-state hackers have previously exploited this bug

The attacks on US municipalities are not isolated cases, nor are they the first attacks where the CVE-2019-0604 SharePoint vulnerability has been used.

Throughout 2019, this particular SharePoint vulnerability was one of the most exploited security flaws, by both financially-motivated cybercriminals, but also nation-state-sponsored cyber-espionage groups.

The first attacks detected in the wild were discovered by Canadian Centre for Cyber Security in late April, when the agency sent out a security alert on the matter. The Saudi National Cyber Security Center (NCSC) confirmed a similar wave of attacks a week later, in early May.

Both cybersecurity agencies reported seeing attackers take over SharePoint servers to plant a version of the China Chopper web shell, a type of malware installed on servers that allows hackers to control hacked (SharePoint) servers.

Neither agency named the perpetrators of these attacks, but US cyber-security firm Palo Alto Networks linked the two reports to APT27 (Emissary Panda), a hacking group with ties to the Chinese government.

It is unclear if the same Chinese hacking group was also behind the attacks on the two US municipalities. ZDNet could not confirm any links between the FBI report and past APT27 activity and indicators of compromise.

The SharePoint bug got lost in a busy 2019

Throughout the year, attacks using this bug only intensified, as various hacking groups began realizing this a vulnerability that was both easy to exploit, there were plenty of companies that had failed to patch, and attacks usually yielded access to lots of high-value corporate targets.

In the security alert it sent out last week, the FBI reported seeing spikes in scanning activity targeting the CVE-2019-0604 SharePoint vulnerability in May, June, and October 2019, which only confirms what ZDNet learned from sources about an increase in the number of SharePoint attacks as 2019 progressed.

Scans and attacks using this vulnerability were aided by the presence of a large number of technical write-ups explaning the bug [1, 2, 3], along with an excess of demo exploit code made freely available by security researchers that attackers could choose from and customize to their needs [1, 2, 3, 4, 5].

But in 2019, a year when we had vulnerabilities like BlueKeep, DejaBlue, and the numerous VPN security flaws, the SharePoint bug went under the radar, despite some pretty intense scanning activity, and even confirmed attacks carried out by nation-state hacking groups.

Prior to last week's FBI security alert, there was no any other similar security notification sent out by other major cyber-security agencies -- such as DHS CISA or the UK NCSC.

In hindsight, attacks are expected to continue, as there are still a large number of unpatched SharePoints servers online, despite the patch nearing its one-year anniversary next month.

One of the reason so many servers remain unpatched is because Microsoft fumbled the patching process. It took the company three patches to completely fix this issue, with fixes delivered in February, March, and April.

Some companies might have installed the February patch, thinking they are safe, but not knowing there was a more complete patch made available in April.

As several cyber-security experts have pointed out on Twitter, this vulnerability is pretty bad, and organizations should look into verifying they installed al three patches.

Patching SharePoint vulnerability CVE-2019-0604 is really important people. Get to it pronto! https://t.co/gDFt7vff3h — Rob Joyce (@RGB_Lights) December 10, 2019

I would urge all organisations with SharePoint to urgently patch CVE-2019-0604, from February 2019. It’s still widely exposed online, and the vulnerable is a 100% reliable pre-auth remote code execution. — Kevin Beaumont (@GossiTheDog) January 5, 2020

The sense of urgency in addressing this should be easy to understand.

The bug is a so-called pre-auth RCE (pre-authentication remote code execution). Pre-auth RCEs are extremely attractive to attackers as they are easy to automate and exploit.

Second of all, SharePoint is a very popular product, with Microsoft boasting with more than 200,000 installs across the globe, making this a huge attack surface, most of which are high-value government organizations and big corporations.