SharePoint servers under attack through CVE-2019-0604

CVE-2019-0604, a critical vulnerability opening unpatched Microsoft SharePoint servers to attack, is being exploited by attackers to install a web shell.

CVE-2019-0604

The web shell allows them to achieve continuous access to the system and, potentially, to the internal network on which it resides. According to the Canadian Centre for Cyber Security, researchers have identified compromised systems belonging to the academic, utility, heavy industry, manufacturing and technology sectors.

About CVE-2019-0604

SharePoint is a web-based collaborative platform that integrates with Microsoft Office. SharePoint Server is installed on the IT infrastructure of organizations that seek greater control over SharePoint’s behavior or design.

“A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account,” Microsoft explained in February 2019, when it first released patches for the flaw.

“Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected versions of SharePoint.”

The vulnerability was unearthed by security researcher Markus Wulftange. He reported it to Microsoft via Trend Micro’s Zero Day Initiative and released technical details and PoC exploit code in March, a day after Microsoft re-released the initial security update because the exploit still worked despite the initial patch.

Wulftange’s PoC was followed by other PoCs published made publicly available via GitHub and Pastebin. Also, Microsoft widened the list of affected software in late April, and it now looks like this:

  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Foundation 2010 Service Pack 2
  • Microsoft SharePoint Foundation 2013 Service Pack 1
  • Microsoft SharePoint Server 2010 Service Pack 2
  • Microsoft SharePoint Server 2013 Service Pack 1
  • Microsoft SharePoint Server 2019.

The attacks

The Canadian Centre for Cyber Security released an alert about ongoing attacks exploiting CVE-2019-0604 to deliver the China Chopper web shell on April 23 and advised administrators to implement all the patches made available by Microsoft.

“If a SharePoint instance serves strictly as an on-premises solution, ensure that the server has no exposure to the Internet,” the organization noted.

The Saudi Cyber Security Centre and AT&T Alien Labs have also seen and are warning about attacks involving the exploitation of the flaw to deliver the same web shell / backdoor.

“It’s likely multiple attackers are now using the exploit. One user on Twitter has reported that they have seen exploitation from the IP address 194.36.189[.]177 – which we have also seen acting as a command and control server for malware linked to FIN7,” AT&T Alien Labs researcher Chris Doman noted.

It is expected, as time goes by, that less tech-skilled criminals will get their hands on the exploits that now seem to be wielded by those who have managed to repurpose the PoC exploits and make them work. So, if your organization is running a SharePoint server on premises and you haven’t yet secured it, now is high time to do it.

UPDATE (MAY 29, 2019, 3:42 a.m. PT):

Palo Alto Networks’ Unit 42 says APT 27 (also known as Emissary Panda) leveraged CVE-2019-0604 to load the China Chopper webshell onto SharePoint servers at two Government organizations in the Middle East.