Ransomware Attack Exploits SharePoint Without Compromising Endpoints


June 12, 2023


Researchers have observed successful ransomware attacks that abuse Microsoft 365's SharePoint Online by way of a compromised Microsoft 365 Global Administrator (Global SaaS admin) account, with no endpoint compromised at any stage of the operation.

“Once in, the attacker created a new Active Directory (AD) user called Omega with elevated privileges, including Global Administrator, SharePoint Administrator, Exchange Administrator, and Teams Administrator; and site collection administrator capabilities to multiple SharePoint sites and collections. The attacker also removed existing administrators (more than 200) in a 2-hour period,” SecurityWeek reports.

“We expect this trend to grow,” the researchers told SecurityWeek. “The attacker invested the time to build automation for this attack, which implies a desire to use this capability in the future. We also suspect it will grow because there are few companies with a strong SaaS security program, whereas many companies are well invested in endpoint security products.”

Takeaway: Ransomware operators are constantly improving their TTPs and increasingly automate the exploitation of known vulnerabilities and other avenues to infection, and the huge increase in attack volume observed in early 2023 is evidence of this trend. The reported abuse of SharePoint Online is especially concerning because no endpoint is ever compromised: there is no dropper, no encryptor and no lateral movement for an EDR agent to observe. The only telemetry such an attack produces lives in the Microsoft 365 control plane, namely Azure AD (Entra ID) role assignments, SharePoint site collection admin changes and mass downloads recorded in the unified audit log, and far fewer organizations monitor that log than monitor their endpoints.
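The takeover sequence described above leaves a distinctive trail in the Microsoft 365 unified audit log: a freshly created account is granted several privileged directory roles within minutes, and the same actor then strips a large number of existing administrators in a short window. The following hunting script, an example added to this post and not code from Halcyon or from the researchers who reported the attack, runs that logic over audit records. The record shape is a simplified form of the unified audit log JSON, the operation names are the ones emitted by the Azure AD and SharePoint workloads, and every account, site URL and timestamp in the sample data is constructed for illustration.

```python
"""Hunt the Microsoft 365 unified audit log for the SaaS admin-takeover pattern:
a new account granted privileged roles, then a burst of administrator removals.
Example code added to this post; record shape is simplified and samples are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Directory roles whose assignment should always be reviewed.
PRIVILEGED_ROLES = {
    "Global Administrator", "SharePoint Administrator",
    "Exchange Administrator", "Teams Administrator",
}
# Operation names as they appear in the unified audit log.
USER_ADD = "Add user."
ROLE_ADD = "Add member to role."
ROLE_REMOVE = "Remove member from role."
SITE_ADMIN_REMOVE = "SiteCollectionAdminRemoved"


def _ts(rec):
    return datetime.strptime(rec["CreationTime"], "%Y-%m-%dT%H:%M:%S")


def _role_name(rec):
    # Azure AD records carry the role in ModifiedProperties, value JSON-quoted.
    for prop in rec.get("ModifiedProperties", []):
        if prop.get("Name") == "Role.DisplayName":
            return prop.get("NewValue", "").strip('"')
    return None


def hunt(records, window=timedelta(hours=2), removal_threshold=5):
    """Return finding strings for (1) a user created and granted a privileged role
    within `window`, and (2) any actor removing >= removal_threshold administrators
    (directory roles or site collection admins) within `window`."""
    findings = []
    created = {}                    # target UPN -> creation time
    removals = defaultdict(list)    # actor UPN -> sorted removal timestamps
    for rec in sorted(records, key=_ts):
        op, t, actor, target = rec["Operation"], _ts(rec), rec["UserId"], rec["ObjectId"]
        if op == USER_ADD:
            created[target] = t
        elif op == ROLE_ADD:
            role = _role_name(rec)
            if role in PRIVILEGED_ROLES and target in created and t - created[target] <= window:
                findings.append(f"{target} created {t - created[target]} earlier and granted {role} by {actor}")
        elif op in (ROLE_REMOVE, SITE_ADMIN_REMOVE):
            removals[actor].append(t)
    for actor, times in removals.items():
        # Sliding window over this actor's removals; report the first burst only.
        for i, start in enumerate(times):
            n = sum(1 for x in times[i:] if x - start <= window)
            if n >= removal_threshold:
                findings.append(f"{actor} removed {n} administrators within {window}")
                break
    return findings


# --- constructed sample records (hypothetical tenant, accounts and sites) ---
def _rec(t, op, actor, obj, workload="AzureActiveDirectory", **extra):
    r = {"CreationTime": t, "Operation": op, "UserId": actor, "ObjectId": obj, "Workload": workload}
    r.update(extra)
    return r


def _role(name):
    return [{"Name": "Role.DisplayName", "NewValue": f'"{name}"'}]


ATTACKER = "compromised.admin@example.com"   # the compromised Global Administrator
OMEGA = "omega@example.com"                  # the attacker-created account
SITE = "https://example.sharepoint.com/sites/finance"
SAMPLE_RECORDS = [
    _rec("2023-05-01T02:00:10", USER_ADD, ATTACKER, OMEGA),
    _rec("2023-05-01T02:01:00", ROLE_ADD, ATTACKER, OMEGA, ModifiedProperties=_role("Global Administrator")),
    _rec("2023-05-01T02:01:05", ROLE_ADD, ATTACKER, OMEGA, ModifiedProperties=_role("SharePoint Administrator")),
    _rec("2023-05-01T02:01:10", ROLE_ADD, ATTACKER, OMEGA, ModifiedProperties=_role("Exchange Administrator")),
    _rec("2023-05-01T02:01:15", ROLE_ADD, ATTACKER, OMEGA, ModifiedProperties=_role("Teams Administrator")),
] + [
    _rec(f"2023-05-01T02:{m:02d}:00", ROLE_REMOVE, OMEGA, f"admin{m}@example.com",
         ModifiedProperties=_role("SharePoint Administrator"))
    for m in range(5, 9)
] + [
    _rec(f"2023-05-01T02:{m:02d}:30", SITE_ADMIN_REMOVE, OMEGA, f"admin{m}@example.com",
         workload="SharePoint", SiteUrl=SITE)
    for m in range(9, 12)
] + [
    # Benign baseline: a different admin removes a single leaver; must not alert.
    _rec("2023-05-01T09:00:00", SITE_ADMIN_REMOVE, "it.admin@example.com", "leaver@example.com",
         workload="SharePoint", SiteUrl="https://example.sharepoint.com/sites/hr"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_RECORDS):
        print("ALERT:", finding)
```

In practice the input would be the export of Search-UnifiedAuditLog or the Office 365 Management Activity API rather than the constructed list, and the two-hour window and five-removal threshold are starting points to tune against a tenant's normal admin churn. Note that the detection keys on control-plane events only; nothing here depends on an endpoint agent, which is exactly why this attack pattern needs a SaaS-side rule.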

These are multi-staged attacks, designed to infiltrate as much of the victim network as possible and to exfiltrate sensitive data for extortion. Ingress and lateral movement on the targeted network usually take a good amount of time, so automating these stages of the attack sequence lets threat actors compromise more targets faster. Some of these automated techniques and attack tools are extremely difficult to detect and are more typical of APT-type operations.

March of 2023 was the most prolific month so far for the sheer volume of ransomware attacks observed, with research indicating there were 459 successful attacks, up 91% from February volume and up 62% year-over-year. Threat actors are getting better at taking advantage of unpatched vulnerabilities and misconfigurations by automating aspects of their attack progressions. Automation means ransomware operators can simply hit more victims faster.

For example, hundreds of organizations have been hit by the Cl0p ransomware gang this year as it continues to exploit a known pre-authentication vulnerability in Fortra's GoAnywhere MFT file-transfer software (CVE-2023-0669). We are also seeing signs of automation in attacks exploiting a similar vulnerability in IBM Aspera Faspex (CVE-2022-47986). In early April, researchers published an analysis of a new semi-autonomous ransomware strain dubbed Rorschach, noted for its automation, fast encryption speed, and stealthy DLL side-loading for security evasion and persistence.

Later in April, the Vice Society ransomware gang was observed using Living-off-the-Land (LotL) techniques with a custom PowerShell-based tool that automates data exfiltration on targeted networks, and the Play ransomware gang also developed two new custom data exfiltration tools.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.