Microsoft SharePoint Bug Exploited in the Wild

guest · May 10, 2019

Microsoft SharePoint Bug Exploited in the Wild
A number of reports show CVE-2019-0604 is under active attack, Alien Labs researchers say
May 10, 2019
https://www.darkreading.com/endpoint/microsoft-sharepoint-bug-exploited-in-the-wild/d/d-id/1334683

CVE-2019-0604 is a remote code execution vulnerability that exists when SharePoint fails to verify the source markup of an application package.
If successful, an attacker could exploit the bug and run arbitrary code in the context of the SharePoint application pool and SharePoint server farm account. Microsoft has issued a patch.

The Saudi Arabia National Cyber Security Center reports evidence that shows several organizations have been affected by hackers using the web shell for network access. Another report, from the Canadian Cyber Security Centre, describes similar China Chopper activity.

It seems multiple attackers are now using the exploit, Alien Labs reports. Researchers found malware they say is likely an earlier version of the second-stage malware used in the Saudi attacks; the malware sample was reportedly shared by another target in China.
Click to expand...

AT&T Alien Labs: Sharepoint vulnerability exploited in the wild

guest · Feb 6, 2020

SharePoint Bug Proves Popular Weapon for Nation-State Attacks
February 4, 2020
https://www.darkreading.com/cloud/s...eapon-for-nation-state-attacks/d/d-id/1336967

Researchers have detected multiple instances of cyberattackers using SharePoint vulnerability CVE-2019-0604 to target government organizations in the Middle East. These mark the latest cases of adversaries exploiting the flaw, which was recently used to breach the United Nations.
CVE-2019-0604 exists when SharePoint fails to check the source markup of an application package.

New findings from Palo Alto Networks' Unit 42 suggest the vulnerability is still popular among attackers. In September 2019, researchers detected unknown threat actors exploiting the flaw to install several web shells on the website of a Middle East government organization. One of these was AntSword, a web shell freely available on GitHub that resembles China Chopper.
Attackers used these web shells to move laterally across the network to access other systems, explains cyber threat intelligence analyst Robert Falcone in a blog post on the findings.

In April 2019, researchers saw the Emissary Panda threat group exploiting this flaw to install web shells [...]
"The exploitation of this vulnerability is not unique to Emissary Panda, as multiple threat groups are using this vulnerability to exploit SharePoint servers to gain initial access to targeted networks," Falcone writes.
Click to expand...

CVE-2019-0604 appeared in a recent attack against the United Nations during which intruders compromised servers at UN offices in Geneva and Vienna. Attackers accessed Active Directories, likely compromising human resources and network data.

"Once the actors are in after successfully exploiting the vulnerability, they can do whatever they want within the constraints of the compromised network," says Falcone of the vulnerability's popularity, noting that a security tool might block or stop an attacker's actions.
Click to expand...

Palo Alto Networks - Unit42: Actors Still Exploiting SharePoint Vulnerability to Attack Middle East Government Organizations

guest · Feb 18, 2020

CVE-2019-0604 SharePoint Remote code execution (RCE) vulnerability
February 18, 2020
https://securityaffairs.co/wordpress/98043/hacking/sharepoint-rce.html

A few days ago I saw a post from Alienvault which says attackers are still exploiting SharePoint vulnerability to attack Middle East government organization. Having said that I found Income Tax Department India and MIT Sloan was also vulnerable to CVE-2019-0604 a remote code execution vulnerability which exists in Microsoft SharePoint. A malicious actor could exploit this vulnerability by simply sending a specially crafted SharePoint application package.

I found this vulnerability during my free time while I was browsing to ZoomEye to find such component. The application (incometaxindia.gov.in) was found to be vulnerable as it was using SharePoint as a technology to host its service
Aside, MIT Sloan School of Management was also found to be vulnerable with CVE-2019-0604.
Click to expand...

Responsible Disclosure:
CERT-In (IncomeTaxIndia)
This was sent to CERT-In on Feb 12, 2020, got initial response by them on Feb 13, 2020. Post that the vulnerability was patch silently.
For MIT:
This was sent to MIT security team on Feb 13, 2020, got initial response by them on Feb 14, 2020. Post that the vulnerability was patch silently on Feb 15, 2020.
Click to expand...

Log in or Sign up

Microsoft SharePoint Bug Exploited in the Wild

guest Guest

guest Guest

guest Guest

Log in or Sign up

Microsoft SharePoint Bug Exploited in the Wild

guest Guest

guest Guest

guest Guest

Useful Searches