Microsoft SharePoint vulnerability CVE-2019-0604 is under active attack, according to AT&T Alien Labs researchers, who cite instances of exploitation from around the world.
CVE-2019-0604 is a remote code execution vulnerability that exists when SharePoint fails to verify the source markup of an application package. Exploitation requires a user to upload a specially crafted SharePoint application package to affected versions of the software. If successful, an attacker could exploit the bug and run arbitrary code in the context of the SharePoint application pool and SharePoint server farm account. Microsoft has issued a patch.
When the vulnerability was first disclosed, it was not believed to be under active attack. Now it seems a wave of attacks are exploiting this flaw and using the China Chopper web shell to gain initial access. The Saudi Arabia National Cyber Security Center reports evidence that shows several organizations have been affected by hackers using the web shell for network access. Another report, from the Canadian Cyber Security Centre, describes similar China Chopper activity.
It seems multiple attackers are now using the exploit, Alien Labs reports. Researchers found malware they say is likely an earlier version of the second-stage malware used in the Saudi attacks; the malware sample was reportedly shared by another target in China.
Read more details here.
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.