Microsoft Patches Actively Exploited SharePoint RCE Flaws
Security researchers have identified a new attack vector targeting on-premises Microsoft SharePoint environments. Threat actors are actively exploiting a vulnerability that lets them write and then execute a malicious file named spinstall0.aspx on the server. A successful attack gives the attacker code execution on the SharePoint server and, from there, access to the data it holds.
Understanding the Attack Vector
The core of this attack is the placement of a malicious ASPX file, spinstall0.aspx, in the SharePoint application's LAYOUTS directory. Because any .aspx page under that directory is served and executed by IIS, the attacker can then request the file over HTTP to run arbitrary code and gain a foothold in the network.
Key Indicators of Compromise
Microsoft has outlined specific indicators that help you determine whether your SharePoint environment has been targeted. Vigilance and proactive monitoring are crucial in identifying and mitigating this threat.
Suspicious File Creation: The presence of spinstall0.aspx in the SharePoint LAYOUTS directory is the primary indicator. No legitimate SharePoint installation ships this file, so any copy of it should be treated as attacker-written.
IIS Log Anomalies: Examining your Internet Information Services (IIS) logs can reveal the exploitation request itself. Look for POST requests to _layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx.
HTTP Referer Clues: The HTTP Referer header on these POST requests is often _layouts/SignOut.aspx. A sign-out page is an unusual origin for an edit-mode POST to ToolPane.aspx, so the combination of that path and that referer is a strong signal of malicious intent.
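The three indicators above can be checked against IIS logs without waiting for an EDR query. The following is an added example written for this page, not code from Microsoft or from the original article: it parses IIS W3C extended-format log lines (the #Fields header drives the column mapping, so it works for any field order) and flags the ToolPane.aspx edit-mode POST, the SignOut.aspx referer, and any request for spinstall0.aspx. The log lines are constructed for the example; the hostname, IP addresses and user names are placeholders.

```python
"""Triage IIS W3C logs for the SharePoint ToolPane.aspx / spinstall0.aspx indicators."""
from urllib.parse import parse_qs

# Constructed sample log, not a real capture. The #Fields line maps columns,
# exactly as IIS writes it. IIS stores the query string URL-encoded, so the
# "a=/ToolPane.aspx" parameter appears as "a=%2FToolPane.aspx" on disk.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 12:00:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\\alice 10.0.0.20 Mozilla/5.0 - 200
2025-07-19 12:00:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=%2FToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 https://sp.example.internal/_layouts/SignOut.aspx 200
2025-07-19 12:00:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-19 12:01:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 DOMAIN\\bob 10.0.0.21 Mozilla/5.0 https://sp.example.internal/sites/hr/SitePages/Home.aspx 200
"""

TOOLPANE = "/_layouts/15/toolpane.aspx"
SIGNOUT = "/_layouts/signout.aspx"


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#"):
            continue  # other directive lines (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log entry seen before any #Fields header")
        values = raw.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-map columns
        yield dict(zip(fields, values))


def classify(entry):
    """Return the indicator names matched by a single log entry."""
    hits = []
    method = entry.get("cs-method", "").upper()
    stem = entry.get("cs-uri-stem", "").lower()
    # parse_qs decodes %2F, so the comparison works on the decoded value.
    query = parse_qs(entry.get("cs-uri-query", ""))
    referer = entry.get("cs(Referer)", "-").lower().rstrip("/")

    if method == "POST" and stem.endswith(TOOLPANE):
        modes = [v.lower() for v in query.get("DisplayMode", [])]
        targets = [v.lower() for v in query.get("a", [])]
        if "edit" in modes and "/toolpane.aspx" in targets:
            hits.append("toolpane_edit_post")
            if referer.endswith(SIGNOUT):
                hits.append("signout_referer")
    if "spinstall0" in stem:
        # Any request for the dropped page: the attacker using the web shell.
        hits.append("spinstall0_request")
    return hits


def triage(text):
    """Run classify() over every entry and return only the entries that matched."""
    findings = []
    for entry in parse_w3c(text):
        hits = classify(entry)
        if hits:
            findings.append({
                "time": f"{entry.get('date')} {entry.get('time')}",
                "client": entry.get("c-ip"),
                "stem": entry.get("cs-uri-stem"),
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Feed real logs from the SharePoint web front ends (typically under C:\inetpub\logs\LogFiles) through triage(); a ToolPane.aspx edit-mode POST with the SignOut.aspx referer, followed by a request for spinstall0.aspx from the same client address, is the sequence described above. The fourth sample line shows why the check looks at both parameters: an edit-mode POST to ToolPane.aspx from a logged-in user with an ordinary page referer is normal SharePoint behaviour and is not flagged.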
Detecting the spinstall0.aspx File
Microsoft has provided an advanced hunting query for Microsoft 365 Defender (now Microsoft Defender XDR) that identifies whether spinstall0.aspx has been created on any onboarded server. It searches file-creation events for that artifact in the SharePoint LAYOUTS directory.
```kql
// File events under the SharePoint 16 LAYOUTS directory. The path uses 8.3 short
// names: MICROS~1 = "Microsoft Shared", WEBSER~1 = "Web Server Extensions".
DeviceFileEvents
| where FolderPath has "MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS"
// Exact (case-insensitive) name, plus a looser match for renamed variants.
| where FileName =~ "spinstall0.aspx"
    or FileName has "spinstall0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc
```
If this query returns any rows, spinstall0.aspx has been written to at least one of your servers. The InitiatingProcessFileName and InitiatingProcessCommandLine columns show which process wrote it, which for this attack is typically the IIS worker process serving SharePoint.
What to Do If the File is Found
If spinstall0.aspx is found on a server, treat it as a critical alert: the file does not belong to SharePoint, so its presence means an attacker was able to write to the server's LAYOUTS directory.
Immediate Investigation: A thorough investigation of the affected server is paramount. Establish how the file was placed there (the IIS log entries described above give the timestamp and source address) and what actions the attackers took after it was written.
Network-Wide Scan: Extend the investigation to the entire network. Determine whether the threat actors moved laterally from the SharePoint server or compromised other systems, and check every SharePoint server in the farm, not just the one that raised the alert.
Containment and Remediation: Isolate the affected server immediately to prevent further spread, then follow your established incident response procedures for remediation.
Staying ahead of these evolving threats requires a proactive security posture. By understanding these attack vectors and utilizing the provided detection methods, you can better protect your valuable SharePoint data.
