Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

11:15 AM
Larry Loeb
Larry Loeb
Larry Loeb

SharePoint Problem Returns. Be Afraid.

Both Canada and Saudi Arabia issued alerts to the security community that they had observed traces of CVE-2019-0604 as part of other cyber attacks.

CVE-2019-0604, the SharePoint problem that became semi-famous because Microsoft had to reissue the patch for it after they had already put one out, has been seen in the wild.

Both Canada and Saudi Arabia issued alerts to the security community that they had observed traces of its presence as part of other cyber attacks.

Both of them said that the exploit ended up delivering the China Chopper web shell to vulnerable servers.

The Saudis said activity to drop the Chopper has happened "within the last two weeks" to "multiple organizations that have been impacted and infected by the active exploitation of the CVE-2019-0604, a vulnerability that can grant remote code execution."

They also say that they think this problem is poised to be highly amplified in the future since it affects Microsoft SharePoint, which is Internet-facing in most targets as well as in most cases being integrated with the internal Active Directory.

Not only is this exploitation technique still relatively successful, it is simple and can be performed using an HTTP request.

They also make the point that organizations may not have previously prioritized patching of vulnerabilities that were not known to be actively exploited. Like this one.

Once the first proof-of-concept (PoC) code hit for this problem, the Saudis "observed a spike in scanning activities on this specific vulnerability which indicates a rapid and quick adoption from multiple threat actors that are keen to utilize this easy and remote access to organization networks."

So they have quite reasonably come to the conclusion that, "Threat actors with varying motivations are often quick to weaponize PoC code following public disclosures. This swift exploitation ultimately increases the likelihood that their campaigns will be successful." Canada found that the academic, utility, heavy industry, manufacturing and technology sectors were all affected by this activity. They were also polite about why this happened: "Microsoft released security updates addressing this vulnerability in February and March 2019; however, many systems remain outdated." Security maven Kevin Beaumont tweeted the sightings in the wild to others, while adding his own comment.

"There isn't yet a public (web accessible) exploit for RCE against SharePoint (the ones on Github and ZDI don't work out the box). If that changes I think this will be one of the biggest vulns in years. It would own a lot of enterprises. Like, a LOT."

But his assessment of the threat actors is simple.

"Note some APT and crimeware groups are already using it, i.e. ones with skills."

This fits in with the Saudis saying it is desirable to use while finding evidence of a skilled level of attackers doing just that. The public exploits are nonfunctional which keeps the skids from attempting to use them. But if a functional one is posted, that would change the dynamics of the situation greatly. Mr. Beaumont seems to agree.

Patch. Now.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.