Researchers have detected multiple instances of cyberattackers using SharePoint vulnerability CVE-2019-0604 to target government organizations in the Middle East. These mark the latest cases of adversaries exploiting the flaw, which was recently used to breach the United Nations.
CVE-2019-0604 exists when SharePoint fails to check the source markup of an application package. Attackers could exploit this by uploading a specially crafted SharePoint application package to an affected version of the software. If successful, they could run arbitrary code in the context of both the SharePoint application pool and the SharePoint server farm account.
Microsoft released a patch for the vulnerability in February 2019 and later updated its fix in April. Shortly after, reports surfaced indicating the remote code execution flaw was under active attack. A series of incidents used the China Chopper web shell to gain entry into a target; evidence shows attackers used the web shell to gain network access at several organizations.
New findings from Palo Alto Networks' Unit 42 suggest the vulnerability is still popular among attackers. In September 2019, researchers detected unknown threat actors exploiting the flaw to install several web shells on the website of a Middle East government organization. One of these was AntSword, a web shell freely available on GitHub that resembles China Chopper.
Attackers used these web shells to move laterally across the network to access other systems, explains cyber threat intelligence analyst Robert Falcone in a blog post on the findings. They employed a custom Mimikatz variant to dump credentials from memory and Impacket's atexec tool to use dumped credentials to run commands on other systems throughout the network.
Later in September, Unit 42 saw this same Mimikatz variant uploaded to a web shell hosted at another government organization in a second Middle East country. This variant is unique, Falcone writes, as it has an allegedly custom loader application written in .NET. Because of this, researchers believe the same group is behind the breaches at both government organizations.
This isn't the first time Unit 42 has seen CVE-2019-0604 used against government targets in the Middle East. In April 2019, researchers saw the Emissary Panda threat group exploiting this flaw to install web shells on SharePoint servers at government organizations in two Middle Eastern countries, both different from the nations targeted in the January attacks. There are no strong ties linking the two attacks aside from a common vulnerability, similar tool set, and government victims.
Emissary Panda has "extensively used" strategic Web compromises to target victims, Falcone writes in an email to Dark Reading. However, there is not sufficient information to say with confidence where they operate. The group has been active since at least 2010 and targeted organizations in the government, aerospace, defense, technology, energy, and manufacturing verticals, in addition to other victims, with the goal of infiltrating and performing network reconnaissance to pivot to other systems.
"The exploitation of this vulnerability is not unique to Emissary Panda, as multiple threat groups are using this vulnerability to exploit SharePoint servers to gain initial access to targeted networks," Falcone writes. There is a possibility of overlap in the use of AntSword, as Emissary Panda used China Chopper and the two are "incredibly similar," he explains, but researchers don't currently believe the attackers behind the April 2019 attacks leveraged AntSword.
CVE-2019-0604 appeared in a recent attack against the United Nations during which intruders compromised servers at UN offices in Geneva and Vienna. Attackers accessed Active Directories, likely compromising human resources and network data. It's unclear exactly which files were stolen in the breach. One UN IT official estimates some 400GB of files were downloaded.
"Once the actors are in after successfully exploiting the vulnerability, they can do whatever they want within the constraints of the compromised network," says Falcone of the vulnerability's popularity, noting that a security tool might block or stop an attacker's actions. The flaw is commonly used because it's remotely exploitable pre-authentication, and there is publicly available code. "The public exploit code makes it easier for attackers, because they can just use a tool and gain access," he adds.
In early January 2020, Unit 42 researchers used Shodan to search for Internet-accessible servers running versions of SharePoint exposed to CVE-2019-0604. Their findings showed 28,881 servers advertised a vulnerable version of the software. They did not check each server to verify its exposure, so it's possible many public-facing servers are not exposed or have been patched.
"Regardless, the sheer number of servers and publicly available exploit code suggests that CVE-2019-0604 is still a major attack vector," Falcone writes.