A web application security testing revealed that threat actors are actively exploiting a remote code execution vulnerability in some versions of SharePoint Server to install the hacking tool known as The China Copper. Although the vulnerability had already been patched, not all SharePoint deployments had been updated.
The vulnerability, tracked as CVE-2019-0604,
affects all versions from SharePoint 2010 to SharePoint 2019; Microsoft
corrected the flaw in February and released update patches in March and April.
“After the web application security testing,
we discovered that a hacker trying to exploit this vulnerability could execute
arbitrary code in the SharePoint application pool”, the specialists
mentioned. According to reports, to exploit this vulnerability an attacker
needs a specially designed SharePoint application package.
To exploit this vulnerability, threat actors
used the hacking tool known as The
China Chopper to remotely access compromised servers to send commands
and manage files on victims’ servers.
The China Chopper allows hackers to upload and
download any file on a compromised server, in addition to editing, deleting or
renaming in any file, concluded the web application security testing.
The main objectives of the operators of this SharePoint
vulnerability exploitation hacking campaign are public sector institutions,
universities, in addition to the manufacturing and technology industries, say
the specialists from the International Institute of Cyber Security (IICS).
Due to the lack of workarounds known to solve
this security issue, specialists recommend system administrators to install the
server update to prevent the exploitation of this vulnerability.
Microsoft announced that this year it will expand
the scope and amounts granted to researchers through its vulnerability bounty
program; this extension is expected to apply to services such as SharePoint,
among other platforms developed by the company. Last year, Microsoft paid more
than $2M USD to the cybersecurity community researchers for reporting several
security flaws, some of them considered as critical.
