Microsoft SharePoint servers are under attack

Canadian and Saudi cybersecurity agencies warn of attacks that have been going on for at least two weeks.
Written by Catalin Cimpanu, Contributor

Hacker groups are attacking Microsoft SharePoint servers to exploit a recently patched vulnerability and gain access to corporate and government networks, according to recent security advisories sent out by Canadian and Saudi Arabian cybersecurity agencies.

The security flaw exploited in these attacks is tracked as CVE-2019-0604, which Microsoft patched through security updates released in February, March, and April this year.

"An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account," Microsoft said at the time.

Attacks started in late April

Demo exploit code for CVE-2019-0604 was published in March by Markus Wulftange, the security researcher who found the vulnerability, but other PoCs also popped up on GitHub and Pastebin.

Attacks started soon after, in late April. The Canadian Centre for Cyber Security first sent an alert last month, and then officials from the Saudi National Cyber Security Center (NCSC) sent a second security alert this week.

Both cybersecurity agencies reported seeing attackers take over SharePoint servers and plant a version of the China Chopper web shell, a type of malware installed on servers that allows hackers to connect to it and issue various commands.

"It's interesting that both the Canadian and Saudi government reported the installation of China Chopper at the start of the intrusions," Chris Doman, a security researcher at AT&T's Alien Vault Labs, told ZDNet today.

Canadian authorities said that "trusted researchers have identified compromised systems belonging to the academic, utility, heavy industry, manufacturing and technology sectors."

Saudi officials, on the other hand, didn't say which organizations the attackers breached, but they did publish a post-mortem from one of the victim networks, showing how the attackers used "PowerShell scripts to gain more access and establish the internal reconnaissance in the network."

They also said the attacks aimed at Saudi organizations running SharePoint team collaboration servers have been going on for roughly two weeks, which puts the start of the attacks at roughly the same time as the alert from the Canadian agency.

No evidence the attacks are connected

While this might look like the attacks are somehow related, current evidence doesn't support this theory.

"Both the Canadians and the Saudis mention the China Chopper web shell -- but that's pretty common," Doman told ZDNet. "Despite the name, China Chopper is used by attackers from a number of regions."

Furthermore, a researcher pointed out on Twitter that one of the IP addresses involved in the attacks on SharePoint servers had also been used by the FIN7 cybercrime group -- known for attacking the financial sector.

However, Doman doesn't believe that FIN7 is the group attacking Microsoft SharePoint servers -- at least for the time being.

"That IP has been used by FIN7 in the last couple of months and I haven't seen other malicious activity from it. It's not a commonly abused IP like a VPN or free web-host or similar," Doman told ZDNet. "At the same time, in itself it's a fairly weak link."

Patching or firewalling SharePoint servers is a must

With active attacks underway, companies running SharePoint servers are advised to bring their systems up to date to mitigate any threat.

CVE-2019-0604 is known to impact a large chunk of recent SharePoint releases, such as:

  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Foundation 2013 SP1
  • Microsoft SharePoint Server 2010 SP2
  • Microsoft SharePoint Server 2019

If patches can't be applied, organizations are advised to put vulnerable SharePoint servers behind a firewall, accessible on internal networks only. Servers might remain vulnerable, but at least they won't be a gateway for hackers into companies' networks.
