[German]A brief note to administrators of SharePoint servers. A vulnerability CVE-2019-0604 is now being exploited 'in the wild' to attack unpatched SharePoint systems. Microsoft has released security updates in February 2019.
Advertising
SharePoint is under attack
I already stumbled across a tweet by Kevin Beaumont (@GossiTheDog) on Saturday, who made the topic public.
CVE-2019-0604 is being exploited in the wild It's a web based remote code execution vuln without need for authentication, plus Microsoft had to reissue the patch later as the first one didn't fix the vulnerability – so lots of places are exposed. https://t.co/qBDxwyJWi4
— Kevin Beaumont ♀️ (@GossiTheDog) 10. Mai 2019
Woody Leonhard mentioned it here and here is also a mention. According to a report by security researchers at AT&T Alien Labs, threat actors are currently trying to exploit the Microsoft Sharepoint vulnerability CVE-2019-0604 during attacks in the wild. The Security Affairs website writes here:
AlienLabs has seen a number of reports related to the active exploitation of the CVE-2019-0604 vulnerability in Microsoft Sharepoint.
The security researchers at AT&T Alien Labs reported on attacks against organizations in Saudi Arabia and Canada. A report based on evidence from the Saudi Cyber Security Centre suggests that threat actors are primarily targeting organizations within the Kingdom. The Canadian Cyber Security Centre reported (see) similar attacks aimed at providing the China Chopper Web Shell to ensure persistence in target networks. The security company writes in a short report:
"AlienLabs has identified malware (https://pastebin.com/bUFPhucz) that is likely an earlier version of the second-stage malware deployed in the Saudi Intrusions. This malware sample was shared by a target in China."
The malware supports multiple commands, including downloading and uploading files and running commands from the web address http[ :// ]$SERVER/Temporary_Listen_Addresses/SMSSERVICE.
Advertising
Vulnerability CVE-2019 in SharePoint
The vulnerability has been described here from the Zero Point Initiative. Microsoft has addresses vulnerability CVE-2019 in SharePoint in February 2019.
A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.
Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected versions of SharePoint.
The security update addresses the vulnerability by correcting how SharePoint checks the source markup of application packages.
It is a remote execution vulnerability that can be exploited by attackers to execute malicious code in the context of SharePoint applications. Updates for the various SharePoint products have been available on this website since February 2019.
