Microsoft SharePoint Servers Actively Targeted By Hackers
Hackers are actively exploiting recent patched remote code execution vulnerabilities in the Microsoft SharePoint Servers version to inject the China Chopper web shell, which allows hackers to inject various commands.
Canadian and Saudi Arabian cybersecurity raised awareness about the ongoing attack targeting the outdated systems.
The vulnerability affects all versions of SharePoint Server 2010 to SharePoint Server 2019, and vulnerabilities can be tracked as CVE-2019-0604, it was patched by Microsoft in February, releasing security updates on March 12 and again April 25.
“An attacker who exploits the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. The exploitation of this vulnerability requires a specially crafted SharePoint application package.”
In this case, the attackers used the China Chopper web shell to access the compromised servers remotely and issue commands and manage files on the victim server.
The web shell allows an attacker to upload and download any files from the compromised server and to edit, delete, copy, rename and even to change the timestamp of existing files.
Alien vault security researcher Chris doman tweeted about the ongoing campaign and published some additional IoCs.
SharePoint CVE-2019-0604 now being exploited in the wild – reports by Saudi (https://t.co/m6VmF7n2Js) and Canadian (https://t.co/yhzY8qgxi8) National Cyber-Security Centres. Some additional IOCs @ https://t.co/gsGOoh6h9r pic.twitter.com/70LQCOmuTn
— chris doman (@chrisdoman) May 9, 2019
According to cybersecurity agencies, the targeted industries are academic, utility, heavy industry, manufacturing and technology sectors.
The organization running share point servers recommended updating the servers to addresses the vulnerability.
Indicators of compromise