Emissary Panda Attacks Middle East Government Sharepoint Servers (May 28, 2019)
Unit 42 researchers have observed an attack by Emissary Panda (APT27) targeting two Middle Eastern government organizations. The attack took place on April 1 and April 16, with the group exploiting a remote code execution vulnerability in Microsoft Sharepoint, CVE-2019-0604. This vulnerability allowed the actors to remotely upload three webshells, which included backdoors, vulnerability scanners and tools to steal credentials. Although Microsoft had patched the vulnerability, the attackers were able to abuse it before the victims’ systems had been updated. Once Emissary Panda gained access through the Sharepoint vulnerability, they were able to exploit another vulnerability, CVE-2017-0144 (EternalBlue), to pivot to other systems. The affected governments have not been named.
Recommendation: Security updates should be applied as soon as possible, as actors will immediately begin looking for exploits that could allow them to take control of an affected system. Organizations should have policies in place to review and apply security updates for software in use to protect against known vulnerabilities that threat actors may exploit. Defense-in-depth is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.