Sponsored By

SharePoint Problem Returns. Be Afraid.

Both Canada and Saudi Arabia issued alerts to the security community that they had observed traces of CVE-2019-0604 as part of other cyber attacks.

Larry Loeb

May 14, 2019

3 Min Read

CVE-2019-0604, the SharePoint problem that became semi-famous because Microsoft had to reissue the patch for it after they had already put one out, has been seen in the wild.

Both Canada and Saudi Arabia issued alerts to the security community that they had observed traces of its presence as part of other cyber attacks.

Both of them said that the exploit ended up delivering the China Chopper web shell to vulnerable servers.

The Saudis said activity to drop the Chopper has happened "within the last two weeks" to "multiple organizations that have been impacted and infected by the active exploitation of the CVE-2019-0604, a vulnerability that can grant remote code execution."

They also say that they think this problem is poised to be highly amplified in the future since it affects Microsoft SharePoint, which is Internet-facing in most targets as well as in most cases being integrated with the internal Active Directory.

Not only is this exploitation technique still relatively successful, it is simple and can be performed using an HTTP request.

They also make the point that organizations may not have previously prioritized patching of vulnerabilities that were not known to be actively exploited. Like this one.

Once the first proof-of-concept (PoC) code hit for this problem, the Saudis "observed a spike in scanning activities on this specific vulnerability which indicates a rapid and quick adoption from multiple threat actors that are keen to utilize this easy and remote access to organization networks."

So they have quite reasonably come to the conclusion that, "Threat actors with varying motivations are often quick to weaponize PoC code following public disclosures. This swift exploitation ultimately increases the likelihood that their campaigns will be successful." Canada found that the academic, utility, heavy industry, manufacturing and technology sectors were all affected by this activity. They were also polite about why this happened: "Microsoft released security updates addressing this vulnerability in February and March 2019; however, many systems remain outdated." Security maven Kevin Beaumont tweeted the sightings in the wild to others, while adding his own comment.

"There isn't yet a public (web accessible) exploit for RCE against SharePoint (the ones on Github and ZDI don't work out the box). If that changes I think this will be one of the biggest vulns in years. It would own a lot of enterprises. Like, a LOT."

But his assessment of the threat actors is simple.

"Note some APT and crimeware groups are already using it, i.e. ones with skills."

This fits in with the Saudis saying it is desirable to use while finding evidence of a skilled level of attackers doing just that. The public exploits are nonfunctional which keeps the skids from attempting to use them. But if a functional one is posted, that would change the dynamics of the situation greatly. Mr. Beaumont seems to agree.

Patch. Now.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Read more about:

Security Now

About the Author(s)

Larry Loeb

Blogger, Informationweek

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet protocol. His latest book has the commercially obligatory title of Hack Proofing XML. He's been online since uucp "bang" addressing (where the world existed relative to !decvax), serving as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. His first Mac had 128 KB of memory, which was a big step up from his first 1130, which had 4 KB, as did his first 1401. You can e-mail him at [email protected].

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights