Pro Russian Attackers Scanning for Sharepoint Servers to Exploit CVE-2023-29357, (Tue, Nov 28th)

This post was originally published on this site

In June, Microsoft released a patch for %%cve:2023-29357%%, a critical privilege escalation vulnerability for Sharepoint. An exploit for this vulnerability was released in late September [1]. Combined with %%cve:2023-24955%%, a remote code execution vulnerability that was patched in May. The first vulnerability bypasses authentication to enable code execution via the second vulnerability.

Earlier today, I noticed the URL for CVE-2023-2023-29357 show up in our "first seen URL" list. This list notes URLs collected by our honeypots that reached certain thresholds for the first time. Our honeypots saw the first exploit attempts on September 30th, but at the time, they did not reach the threshold yet to be considered significant.

The attacks originate almost exclusively from %%ip:212.113.106.100%%, an IP address that ironically resolved to "rooted-pizzas.aeza.network'. The web server running on this server displays a homepage that indicates that it was compromised and defaced by a pro-Russian group

Russian Original English Translation
russian defacement banner english translation of defaced web page

The URL being scanned is /_api/web/siteusers. This URL is usually intended to retrieve user information from Sharepoint servers. The exploit will use it to retrieve a list of admin users and then spoof the administrator's identity, taking advantage of the vulnerability.

According to Aeza.net's geolocation feed, the server is located in Vienna and runs Ubuntu according to the server's banner. It is unlikely that the same Sharepoint vulnerability was used to exploit the server.

[1] https://github.com/Chocapikk/CVE-2023-29357


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.