Microsoft SharePoint Servers Actively Targeted By Hackers

Microsoft SharePoint Servers Actively Targeted By Hackers 1

Hackers are actively exploiting recent patched remote code execution vulnerabilities in the Microsoft SharePoint Servers version to inject the China Chopper web shell, which allows hackers to inject various commands.

Canadian and Saudi Arabian cybersecurity raised awareness about the ongoing attack targeting the outdated systems.

The vulnerability affects all versions of SharePoint Server 2010 to SharePoint Server 2019, and vulnerabilities can be tracked as CVE-2019-0604, it was patched by Microsoft in February, releasing security updates on March 12 and again April 25.

“An attacker who exploits the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. The exploitation of this vulnerability requires a specially crafted SharePoint application package.”

In this case, the attackers used the China Chopper web shell to access the compromised servers remotely and issue commands and manage files on the victim server.

The web shell allows an attacker to upload and download any files from the compromised server and to edit, delete, copy, rename and even to change the timestamp of existing files.

Alien vault security researcher Chris doman tweeted about the ongoing campaign and published some additional IoCs.

SharePoint CVE-2019-0604 now being exploited in the wild – reports by Saudi (https://t.co/m6VmF7n2Js) and Canadian (https://t.co/yhzY8qgxi8) National Cyber-Security Centres. Some additional IOCs @ https://t.co/gsGOoh6h9r pic.twitter.com/70LQCOmuTn

— chris doman (@chrisdoman) May 9, 2019
According to cybersecurity agencies, the targeted industries are academic, utility, heavy industry, manufacturing and technology sectors.

Mitigations

The organization running share point servers recommended updating the servers to addresses the vulnerability.

Indicators of compromise

SHA256 Hash
05108ac3c3d708977f2d679bfa6d2eaf63b371e66428018a68efce4b6a45b4b4
b560c3b9b672f42a005bdeae79eb91dfb0dec8dc04bea51f38731692bc995688
7d6812947e7eafa8a4cce84b531f8077f7434dbed4ccdaca64225d1b6a0e8604
2e4b7c022329e5c21e47d55e8916f6af852aabbbd1798f9e16985f22a8056646
c63f425d96365d906604b1529611eefe5524432545a7977ebe2ac8c79f90ad7e

SHA1 Hash
f0fb0f7553390f203669e53abc16b15e729e5c6f
ee583451c832b07d8f2b4d6b8dd36ccb280ff421
dc8e7b7de41cac9ded920c41b272c885e1aec279
4c3b262b4134366ad0a67b1a2d6378da428d712b

MD5 Hash
0eebeef32a8f676a1717f134f114c8bd
198ee041e8f3eb12a19bc321f86ccb88
708544104809ef2776ddc56e04d27ab1
b814532d73c7e5ffd1a2533adc6cfcf8

Filename
pay[.]aspx
stylecss[.]aspx
IP Address
114.25.219.100

Related Resources:

Microsoft Warns WannaCry-like Windows Attack

Outlook Hack Microsoft Informs Users of Breach

0 Comments

Leave a Comment

Login

Welcome! Login in to your account

Remember me Lost your password?

Don't have account. Register

Lost Password
Register