The attackers who took down Albanian government systems with ransomware and wiper malware earlier this year had already had access for fourteen months. They gained that access through a vulnerability in Microsoft SharePoint (CVE-2019-0604) for which Microsoft had released a security update on February 12, 2019; the patch was never installed. This is according to the US authorities and Microsoft, which hold actors operating from Iran responsible for the attack.
In recent months, several Albanian government systems have been targeted, including the government portal through which Albanians request official documents and make consular appointments. Earlier this month, the Albanian police information management system, which holds records of people entering and leaving the country, was hit.
In the attacks, files were encrypted and then permanently destroyed with wiper malware. According to the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA), the attackers had had access to Albanian government systems since last year; Microsoft has reported the same. The US agencies say the attackers entered through an unpatched SharePoint server, then used webshells to maintain access to that server and RDP, SMB and FTP to move laterally through the government network.
The attackers also compromised an Exchange Server and searched various mailboxes. Eventually, the ransomware and wiper malware were deployed, leaving systems unusable. To prevent such attacks, CISA advises, among other things, installing available security updates and checking one's own environment for webshells, since attackers often use them to maintain access to a compromised server. It also recommends monitoring Exchange Servers for large amounts of data being downloaded.
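As an added illustration of the webshell check CISA recommends (example code written for this page, not from the article, CISA or Microsoft), the script below walks a web root such as a SharePoint LAYOUTS folder, scans the server-executable page types for a small set of webshell indicators, and flags files on which at least two distinct indicators fire. The indicator list, the two-hit threshold and the sample files are assumptions made for the example: the sample "shell.aspx" is inert text that resembles a command-execution webshell and is only ever read, never executed.

```python
import re
import tempfile
from pathlib import Path

# Indicator patterns for ASP.NET webshells. This list is an assumption made
# for the example, not a CISA or Microsoft signature set; tune it locally.
INDICATORS = {
    "eval_or_execute": re.compile(r"\b(eval|Execute|ExecuteGlobal)\s*\(", re.I),
    "process_spawn": re.compile(r"(ProcessStartInfo|Process\.Start|cmd\.exe|powershell(\.exe)?)", re.I),
    "request_to_code": re.compile(r"\bRequest\s*[\[.(]", re.I),
    "base64_loader": re.compile(r"(FromBase64String|Assembly\.Load)", re.I),
    "file_write": re.compile(r"(File\.WriteAllBytes|\.SaveAs\s*\()", re.I),
}

# Server-side extensions IIS will execute; static files are ignored.
SCAN_SUFFIXES = {".aspx", ".ashx", ".asmx", ".asax", ".cshtml"}


def scan_file(path: Path) -> list[str]:
    """Return the sorted names of the indicators that fire on one file."""
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return []
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_tree(root: Path, min_hits: int = 2) -> dict[str, list[str]]:
    """Walk a web root and flag files on which >= min_hits indicators fire.

    A single hit is common in legitimate pages (any page that reads a query
    string matches request_to_code), so the threshold trades some recall for
    fewer false positives. Keys are paths relative to root, as POSIX strings.
    """
    flagged = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_file(path)
            if len(hits) >= min_hits:
                flagged[path.relative_to(root).as_posix()] = hits
    return flagged


# Constructed sample files standing in for a SharePoint LAYOUTS folder.
SAMPLE_FILES = {
    # Ordinary layouts page: no indicators.
    "default.aspx": (
        '<%@ Page Language="C#" Inherits="Microsoft.SharePoint.WebControls.LayoutsPageBase" %>\n'
        '<html><body><asp:Label runat="server" Text="Welcome" /></body></html>\n'
    ),
    # Legitimate page reading a query parameter: one indicator, below threshold.
    "search.aspx": (
        '<%@ Page Language="C#" %>\n'
        '<% var q = Request.QueryString["q"]; %>\n'
        '<p>Results for <%= Server.HtmlEncode(q) %></p>\n'
    ),
    # Inert text resembling a command-execution webshell: only read, never run.
    "shell.aspx": (
        '<%@ Page Language="C#" %>\n'
        '<% var c = Request["cmd"];\n'
        '   var psi = new System.Diagnostics.ProcessStartInfo("cmd.exe", "/c " + c); %>\n'
    ),
    # Static asset that IIS serves as-is; skipped regardless of content.
    "notes.txt": "ProcessStartInfo cmd.exe eval( Request[\n",
}


def build_sample_root() -> Path:
    """Write the constructed samples to a temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="layouts_"))
    for name, body in SAMPLE_FILES.items():
        (root / name).write_text(body, encoding="utf-8")
    return root


def run_demo() -> dict[str, list[str]]:
    """Scan the constructed sample tree; only shell.aspx should be flagged."""
    root = build_sample_root()
    return scan_tree(root)


if __name__ == "__main__":
    for rel, hits in run_demo().items():
        print(f"{rel}: {', '.join(hits)}")
```

On a real server, point scan_tree at the IIS web roots and the SharePoint hive (for example the LAYOUTS folder under the 15 or 16 hive) and review every flagged file by hand, comparing it against a clean installation and checking its modification time; a scanner like this is a triage aid, not proof of absence.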