Posted on May 11, 2019 at 12:59 PM
A number of hacking groups are attempting to exploit a vulnerability in Microsoft’s SharePoint servers that would give them access to corporate and government networks, according to advisories from both the Canadian and Saudi Arabian cybersecurity agencies. The flaw the hackers are exploiting was patched by Microsoft security updates in February, March, and April of this year and is tracked as CVE-2019-0604 in the Microsoft Security Update Guide.
The Microsoft advisory was published on the 2nd of February and last updated on the 25th of April. According to it, Microsoft says that any attacker able to exploit the vulnerability would be able to run code “in the context of the SharePoint application pool and the SharePoint server farm account”.
Exploitation requires a user to upload a specially crafted SharePoint application package; the patch addresses this by changing the way “SharePoint checks the source markup of application packages”.
Attacks ongoing since April
Markus Wulftange, the security researcher who first found the vulnerability, released demo code for the CVE-2019-0604 bug in March. Other examples of demo code soon appeared on GitHub and Pastebin. The attacks, unsurprisingly, started shortly afterwards, with the Canadian Centre for Cyber Security sending an alert last month followed by the Saudi Arabian National Cyber Security Centre sending a second alert this week.
The two cybersecurity agencies have seen SharePoint servers taken over and the China Chopper web shell installed on them. China Chopper is a web shell that runs on the compromised server and allows malicious actors to issue commands for the server to execute. The Canadian authorities noted that trusted security researchers have identified compromised systems belonging to the academic, utility, manufacturing and technology sectors, showing just how widespread the intrusions are.
Saudi researchers did not say whom the attackers had targeted, but they did give a helpful post-intrusion analysis of a single victim’s network. This analysis showed how PowerShell scripts were used to gain additional access, allowing the malicious actors to establish a foothold in the network and begin internal reconnaissance. The Saudi officials also say that these attacks, aimed at Saudi organizations, had been ongoing for two weeks, which means they started around the time the Canadian agency issued its alert.
Attacks not connected says AT&T researcher
Chris Doman, a security researcher at AT&T’s Alien Vault Labs, says he finds it interesting that both security agencies reported China Chopper installations at the start of the intrusions. However, he went on to say that there is no evidence of a connection between the two: while both agencies found the China Chopper shell, that is not an uncommon occurrence, and despite what the name suggests, the web shell has been used by hackers from many different regions.
Another researcher pointed out on Twitter that the IP addresses found to be part of the attack are known addresses of the FIN7 hacking collective, which is well known for attacking financial institutions.
Doman noted that the IP in question had been attributed to FIN7 in the preceding months, but that he had not seen any other malicious activity from it, which would mean it is not one of the commonly abused IPs such as those of VPNs or free web servers. According to Doman, this would be a weak link at best.
Patching or firewalling a must
Microsoft and the security industry have both said that servers should be patched as soon as possible to stop attackers reaching them. Where there is no way to update the servers, they should be placed behind a firewall so that they are only accessible from internal networks. While this would still leave the servers at risk, it would limit information leaks from within the organizations themselves, as it would stop attackers from using the servers to get into the companies’ internal networks.