SharePoint Vulnerability Exploits, Interlock Ransomware
Threat Content Highlights
Threat Profiles
- “Trending & Emerging Threats” weekly update: SharePoint Vulnerability Exploits
- We first released an object for this campaign early last week, then updated it with an additional 18 Technique and 10 Group & Software relationships as further intelligence was published during the week.
- A range of actors, including multiple with links to China, are using distinct tools to carry out data collection and exfiltration after compromising vulnerable on-premises SharePoint servers.
Threat Objects
- Interlock Ransomware: New Group featuring 30+ Technique & Software relationships, mainly derived from CISA’s latest advisory focused on this ransomware operation.
- Interlock is especially notable because the group has been observed using drive-by downloads and “ClickFix” social engineering – initial access methods that are relatively rare in the ransomware landscape (see T1189 and T1204.004 respectively, both of which are related to the Interlock Group object).