Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:10 PM
Connect Directly

SharePoint Bug Proves Popular Weapon for Nation-State Attacks

Thousands of servers could be exposed to SharePoint vulnerability CVE-2019-0604, recently used in cyberattacks against Middle East government targets.

Researchers have detected multiple instances of cyberattackers using SharePoint vulnerability CVE-2019-0604 to target government organizations in the Middle East. These mark the latest cases of adversaries exploiting the flaw, which was recently used to breach the United Nations.

CVE-2019-0604 exists when SharePoint fails to check the source markup of an application package. Attackers could exploit this by uploading a specially crafted SharePoint application package to an affected version of the software. If successful, they could run arbitrary code in the context of both the SharePoint application pool and the SharePoint server farm account.

Microsoft released a patch for the vulnerability in February 2019 and later updated its fix in April. Shortly after, reports surfaced indicating the remote code execution flaw was under active attack. A series of incidents used the China Chopper web shell to gain entry into a target; evidence shows attackers used the web shell to gain network access at several organizations.

New findings from Palo Alto Networks' Unit 42 suggest the vulnerability is still popular among attackers. In September 2019, researchers detected unknown threat actors exploiting the flaw to install several web shells on the website of a Middle East government organization. One of these was AntSword, a web shell freely available on GitHub that resembles China Chopper.

Attackers used these web shells to move laterally across the network to access other systems, explains cyber threat intelligence analyst Robert Falcone in a blog post on the findings. They employed a custom Mimikatz variant to dump credentials from memory and Impacket's atexec tool to use dumped credentials to run commands on other systems throughout the network.

Later in September, Unit 42 saw this same Mimikatz variant uploaded to a web shell hosted at another government organization in a second Middle East country. This variant is unique, Falcone writes, as it has an allegedly custom loader application written in .NET. Because of this, researchers believe the same group is behind the breaches at both government organizations.

This isn't the first time Unit 42 has seen CVE-2019-0604 used against government targets in the Middle East. In April 2019, researchers saw the Emissary Panda threat group exploiting this flaw to install web shells on SharePoint servers at government organizations in two Middle Eastern countries, both different from the nations targeted in the January attacks. There are no strong ties linking the two attacks aside from a common vulnerability, similar tool set, and government victims.

Emissary Panda has "extensively used" strategic Web compromises to target victims, Falcone writes in an email to Dark Reading. However, there is not sufficient information to say with confidence where they operate. The group has been active since at least 2010 and targeted organizations in the government, aerospace, defense, technology, energy, and manufacturing verticals, in addition to other victims, with the goal of infiltrating and performing network reconnaissance to pivot to other systems.

"The exploitation of this vulnerability is not unique to Emissary Panda, as multiple threat groups are using this vulnerability to exploit SharePoint servers to gain initial access to targeted networks," Falcone writes. There is a possibility of overlap in the use of AntSword, as Emissary Panda used China Chopper and the two are "incredibly similar," he explains, but researchers don't currently believe the attackers behind the April 2019 attacks leveraged AntSword.

CVE-2019-0604 appeared in a recent attack against the United Nations during which intruders compromised servers at UN offices in Geneva and Vienna. Attackers accessed Active Directories, likely compromising human resources and network data. It's unclear exactly which files were stolen in the breach. One UN IT official estimates some 400GB of files were downloaded.

"Once the actors are in after successfully exploiting the vulnerability, they can do whatever they want within the constraints of the compromised network," says Falcone of the vulnerability's popularity, noting that a security tool might block or stop an attacker's actions. The flaw is commonly used because it's remotely exploitable pre-authentication, and there is publicly available code. "The public exploit code makes it easier for attackers, because they can just use a tool and gain access," he adds.

In early January 2020, Unit 42 researchers used Shodan to search for Internet-accessible servers running versions of SharePoint exposed to CVE-2019-0604. Their findings showed 28,881 servers advertised a vulnerable version of the software. They did not check each server to verify its exposure, so it's possible many public-facing servers are not exposed or have been patched.

"Regardless, the sheer number of servers and publicly available exploit code suggests that CVE-2019-0604 is still a major attack vector," Falcone writes.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "C-Level & Studying for the CISSP."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-04-02
app/Model/feed.php in MISP before 2.4.124 allows administrators to choose arbitrary files that should be ingested by MISP. This does not cause a leak of the full contents of a file, but does cause a leaks of strings that match certain patterns. Among the data that can leak are passwords from databas...
PUBLISHED: 2020-04-02
A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of exim in openSUSE Factory allows local attackers to escalate from user mail to root. This issue affects: openSUSE Factory exim versions prior to
PUBLISHED: 2020-04-02
In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL.
PUBLISHED: 2020-04-01
The UniFi Video Server v3.9.3 and prior (for Windows 7/8/10 x64) web interface Firmware Update functionality, under certain circumstances, does not validate firmware download destinations to ensure they are within the intended destination directory tree. It accepts a request with a URL to firmware u...
PUBLISHED: 2020-04-01
The UniFi Video Server (Windows) web interface configuration restore functionality at the “backup� and “wizard� endpoints does not implement sufficient privilege checks. Low privileged users, belonging to the PUBLIC_GROUP ...