Threat Intelligence Report: Microsoft SharePoint Remote Code Execution Vulnerability

Date: 05 June 2019

Summary: Threat actors are attempting to exploit the Microsoft SharePoint vulnerability (CVE-2019-0604) in attacks in the wild. The Invinsec security operations team has identified a persistent malicious IP scanning several of our customers, looking for vulnerable SharePoint servers.

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source mark-up of an application package. An attacker who successfully exploits this could run arbitrary code in the context of the SharePoint application pool and the server farm account.

The security update addresses the vulnerability by correcting how SharePoint checks the source mark-up of application packages.

Conclusions: Microsoft SharePoint is popular business software. Coupled with observed active attempts to find vulnerable services amongst Invinsec’s customer base, this leads to the conclusion that there is a higher than usual risk.

Successful exploitation of this vulnerability could allow an attacker to gain access to sensitive data, enable lateral movement within a network and potentially use the access to target an organisation’s customers and suppliers.

Tactics, Techniques and Procedures: Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.

Attackers are installing China Chopper web shells (a publicly available web shell) on SharePoint servers to carry out remote code execution attacks.

Indicators of Compromise

  • 188.166.64[.]99
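
The following Python script is an added example, not part of the original report: it refangs the indicator above and searches IIS W3C logs for requests from it, re-reading the `#Fields` header each time it appears because the column order can change within a file. The sample log lines and the function names are constructed for illustration.

```python
from collections import Counter

# Indicator exactly as published in the report (defanged).
IOC_DEFANGED = ["188.166.64[.]99"]

# Constructed sample IIS W3C log, not real traffic. The second #Fields line
# mimics IIS rewriting the header (with different columns) after a restart.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2019-06-04 09:12:01 10.0.0.5 GET /sites/team/default.aspx - 443 - 192.0.2.10 Mozilla/5.0 200
2019-06-04 09:12:07 10.0.0.5 GET / - 443 - 188.166.64.99 - 401
2019-06-04 09:12:09 10.0.0.5 POST /example.aspx - 443 - 188.166.64.99 - 403
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2019-06-04 10:00:00 188.166.64.99 GET /example 404
2019-06-04 10:00:03 198.51.100.7 GET / 200
"""


def refang(indicator):
    """Turn a defanged indicator back into the form that appears in logs."""
    return indicator.replace("[.]", ".")


def find_ioc_hits(log_text, iocs):
    """Return one dict per log entry whose client IP (c-ip) matches an IoC."""
    wanted = {refang(i) for i in iocs}
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout for following rows
            continue
        if not line or line.startswith("#") or not fields:
            continue                       # other directives / blank lines
        row = dict(zip(fields, line.split()))
        if row.get("c-ip") in wanted:
            hits.append(row)
    return hits


def status_summary(hits):
    """Count responses per (client IP, status) to show what the server answered."""
    return Counter((h["c-ip"], h.get("sc-status", "?")) for h in hits)


if __name__ == "__main__":
    for h in find_ioc_hits(SAMPLE_LOG, IOC_DEFANGED):
        print(h["date"], h["time"], h["cs-method"], h["cs-uri-stem"], h["sc-status"])
```

Any match that received a success status, rather than 401, 403 or 404, is the one to investigate first.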

Vulnerable Software Versions

  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Foundation 2013 Service Pack 1
  • Microsoft SharePoint Server 2010 Service Pack 2

Advice: Invinsec recommend that customers running a vulnerable version of the software block the IP address listed in this report and install the following updates to be protected from this vulnerability:

  • 4462199 for Microsoft SharePoint Server 2019
  • 4462211 for Microsoft SharePoint Enterprise Server 2016
  • 4462202 for Microsoft SharePoint Foundation 2013 Service Pack 1
  • 4462184 for Microsoft SharePoint Server 2010 Service Pack 2
