SharePoint vulnerability with 9.8 severity rating under exploit across globe


Installing the updates is only the beginning of the recovery process, since the infections allow attackers to make off with authentication credentials that give wide access to a variety of sensitive resources inside a compromised network. More about those additional steps later in this article.

On Saturday, researchers from security firm Eye Security reported finding “dozens of systems actively compromised during two waves of attack, on 18th of July around 18:00 UTC and 19th of July around 07:30 UTC.” The systems, scattered across the globe, had been hacked using the exploited vulnerability and then infected with a webshell-based backdoor called ToolShell. Eye Security researchers said that the backdoor was able to gain access to the most sensitive parts of a SharePoint Server and from there extract tokens that allowed the attackers to execute code and expand their reach inside networks.

“This wasn’t your typical webshell,” Eye Security researchers wrote. “There were no interactive commands, reverse shells, or command-and-control logic. Instead, the page invoked internal .NET methods to read the SharePoint server’s MachineKey configuration, including the ValidationKey. These keys are essential for generating valid __VIEWSTATE payloads, and gaining access to them effectively turns any authenticated SharePoint request into a remote code execution opportunity.”

The remote code execution is made possible by using the exploit to target serialization, the process by which SharePoint translates data structures and object states into formats that can be stored or transmitted and then reconstructed later. A SharePoint vulnerability Microsoft fixed in 2021 had made it possible to abuse parsing logic to inject objects into pages. This occurred because SharePoint validated and processed ASP.NET ViewState objects using the ValidationKey signing key, which is stored in the machine’s configuration. This could enable attackers to cause SharePoint to deserialize arbitrary objects and execute embedded commands. Those exploits, however, were limited by the requirement to generate a valid signature, which in turn required access to the server’s secret ValidationKey.
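To make concrete why a leaked ValidationKey matters, and why rotating the MachineKey belongs in the recovery steps mentioned above, here is an added example (written for this page, not the article's code and not Microsoft's ASP.NET implementation): a simplified model of a MAC-protected ViewState. It assumes HMAC-SHA256 over the raw serialized bytes; real ASP.NET ViewState also mixes in a page-specific modifier and may encrypt the blob, which this model omits.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

MAC_LEN = 32  # HMAC-SHA256 digest length in bytes


def sign_viewstate(serialized: bytes, validation_key: bytes) -> str:
    """Append an HMAC-SHA256 over the serialized state and base64-encode it,
    a simplified stand-in for a MAC-protected __VIEWSTATE value."""
    mac = hmac.new(validation_key, serialized, hashlib.sha256).digest()
    return base64.b64encode(serialized + mac).decode("ascii")


def verify_viewstate(token: str, validation_key: bytes) -> Optional[bytes]:
    """Return the serialized state only if its MAC verifies under this key,
    otherwise None. The check runs before any deserialization, so a forged
    or stale token never reaches the deserializer."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return payload


def new_validation_key() -> bytes:
    """A fresh random key, as an operator would generate when rotating MachineKey."""
    return os.urandom(64)


def rotation_check(serialized: bytes) -> dict:
    """Constructed scenario: a token signed under a key the attacker has read is
    accepted until that key is rotated; after rotation the same token fails."""
    leaked_key = new_validation_key()
    token = sign_viewstate(serialized, leaked_key)
    # A payload signed without the real key is rejected outright.
    forged = sign_viewstate(serialized + b"X", b"not-the-real-key")
    rotated_key = new_validation_key()
    return {
        "accepted_before_rotation": verify_viewstate(token, leaked_key) == serialized,
        "unsigned_payload_rejected": verify_viewstate(forged, leaked_key) is None,
        "accepted_after_rotation": verify_viewstate(token, rotated_key) is not None,
    }
```

Patching closes the hole that exposed the key, but only rotating the key turns tokens signed with the stolen one into rejected requests, which is the check a responder should confirm after applying the updates.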
