Hackers are exploiting a remote code execution vulnerability in Microsoft SharePoint to conduct reconnaissance on the networks of target organizations, a Saudi government cybersecurity agency said Thursday.
In activity that private-sector researchers are also tracking, the unnamed hackers are gathering information on Microsoft Exchange and SQL servers in a sign “the attack is still in its first stages,” Saudi Arabia’s National Cybersecurity Authority (NCA) said in an advisory. The alert did not offer further information on the victims.
The attacks are an example of how a file-sharing service can be abused to gather valuable information on a target. The vulnerability applies to older versions of SharePoint, an application organizations use to share and store documents. With a foothold on a network, the attackers have deployed a web shell script that can be used to manipulate data on a server, according to the NCA.
The Saudi agency “observed a spike in scanning activities on this specific vulnerability,” indicating “quick adoption from multiple threat actors” keen on exploiting the remote network access, said the advisory, which details a new custom backdoor used by attackers.
“The attackers in the Saudi case are reasonably capable,” said Chris Doman, a security researcher at AT&T Alien Labs who has tracked the intrusions. “The malware waits for encrypted commands from an attacker — rather than noisily reaching out to an attacker’s command and control server.”
The advisory follows an alert last month from the Canadian government’s Centre for Cyber Security saying the SharePoint vulnerability likely had been used to breach organizations in the academic, manufacturing, utility, “heavy industry,” and tech sectors. The advisory did not say where the victim organizations were located.
Microsoft has issued a patch for the flaw, but a patch only protects the organizations that actually apply it. The NCA said multiple organizations had been infected through the exploit in the last two weeks.
Despite the reports of infections in multiple sectors, the SharePoint vulnerability isn’t being as widely exploited as other server-side flaws like the one in Oracle WebLogic, Doman told CyberScoop. AT&T Alien Labs has analyzed an earlier version of the malware used in breaching Saudi organizations.
“The naming of the domains in the Saudi intrusions seems to indicate some particular targeting,” Doman said. He pointed to the fact that the attackers had impersonated a Saudi government website promoting the Kingdom’s strategic policies.
The hackers “haven’t left any obvious indicators of their location in the malware or servers,” Doman said.