Microsoft SharePoint servers are under attack
Hacker groups are attacking Microsoft SharePoint servers to exploit a recently patched vulnerability and gain access to corporate and government networks, according to recent security advisories sent out by Canadian and Saudi Arabian cyber-security agencies.
The security flaw exploited in these attacks is tracked as CVE-2019-0604, which Microsoft patched through security updates released in February, March, and April this year.
“An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account,” Microsoft said at the time.
Attacks started in late April
Attacks started soon after, in late April. The Canadian Centre for Cyber Security first sent an alert last month, and then officials from the Saudi National Cyber Security Center (NCSC) sent a second security alert this week.
Both cyber-security agencies reported seeing attackers take over SharePoint servers and plant a version of the China Chopper web shell, a type of malware installed on servers that allows hackers to connect to it and issue various commands.
“It’s interesting that both the Canadian and Saudi government reported the installation of Chinna Chopper at the start of the intrusions,” Chris Doman, a security researcher at AT&T’s Alien Vault Labs, told ZDNet today.
Canadian authorities said that “trusted researchers have identified compromised systems belonging to the academic, utility, heavy industry, manufacturing and technology sectors.”
On the other hand, Saudi officials didn’t said who attackers breached, but they did publish a post-mortem from one of the victim networks, showing how attackers used “PowerShell scripts to gain more access and establish the internal reconnaissance in the network.”
They also said the attacks aimed at Saudi organizations running SharePoint team collaboration servers have been going on for roughly two weeks, putting the start of the attacks at the same time with the alert coming from the Canadian agency.
No evidence the attacks are connected
While this might look like the attacks are somehow related, current evidence doesn’t support this theory.
“Both the Canadians and the Saudis mention the China Chopper web shell – but that’s pretty common,” Doman told ZDNet. “Despite the name, China Chopper is used by attackers from a number of regions.”
Furthermore, a researcher pointed out on Twitter that one of the IP addresses involved in the attacks on SharePoint servers had also been used by the FIN7 cyber-crime group –known for attacking the financial sector.
However, Doman doesn’t believe that FIN7 is the group attacking Microsoft SharePoint servers –at least for the time being.
“That IP has been used by FIN7 in the last couple of months and I haven’t seen other malicious activity from it. It’s not a commonly abused IP like a VPN or free web-host or similar,” Doman told ZDNet. “At the same time, in itself if it’s a fairly weak link.”
Patching or firewalling SharePoint servers is a must
With active attacks underway, companies running SharePoint servers are advised to bring their systems up to date, to mitigate any threat.
CVE-2019-0604 is known to impact a large chunk of recent SharePoint releases, such as:
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Foundation 2013 SP1
- Microsoft SharePoint Server 2010 SP2
- Microsoft SharePoint Server 2019
If patches can’t be applied, organizations are advised to put vulnerable SharePoint servers behind a firewall, accessible on internal networks only. Servers might remain vulnerable, but at least it won’t be a gateway for hackers into companies’ networks.
Related malware and cybercrime coverage: