Researchers observed that cybercriminals are still exploiting the patched Microsoft SharePoint remote code execution vulnerability to compromise government organizations in the Middle East.
SharePoint is a web-based collaborative platform that integrates with Microsoft Office. With a Microsoft SharePoint intranet, teams can share files, data, and resources and collaborate on work.
Threat actors are installing web shells on the SharePoint server and using them to run commands and upload additional tools to infect the network where the unpatched SharePoint servers are deployed.
Researchers note that the actors are using the open-source AntSword web shell, freely available on GitHub, which is similar to the infamous China Chopper web shell.
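One defensive check that follows from the web shell activity described above is to hunt IIS logs for repeated POST requests to .aspx pages that are not part of the normal SharePoint surface, since a dropped web shell is typically driven by anonymous POSTs from a single client. This is an added example, not code from the article or the researchers: the log excerpt is constructed, and the baseline of known-good pages is an assumption that would be generated from a clean install in practice.

```python
from collections import defaultdict

# Constructed W3C-format IIS log excerpt (sample data, not from a real server).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2019-09-10 08:01:12 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 200
2019-09-10 08:02:40 10.0.0.5 POST /_layouts/15/upload.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 200
2019-09-10 08:03:05 10.0.0.5 GET /_layouts/15/x1.aspx - 443 - 203.0.113.9 antSword/v2.1 200
2019-09-10 08:03:07 10.0.0.5 POST /_layouts/15/x1.aspx - 443 - 203.0.113.9 antSword/v2.1 200
2019-09-10 08:03:09 10.0.0.5 POST /_layouts/15/x1.aspx - 443 - 203.0.113.9 antSword/v2.1 200
2019-09-10 08:05:19 10.0.0.5 POST /_layouts/15/x1.aspx - 443 - 203.0.113.9 Mozilla/5.0 200
"""

# Assumed baseline of legitimate .aspx pages; build it from a clean SharePoint install in practice.
KNOWN_PAGES = {"/_layouts/15/start.aspx", "/_layouts/15/upload.aspx"}


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            records.append(dict(zip(fields, line.split())))
    return records


def find_webshell_candidates(text, known_pages, min_posts=2):
    """Return {(uri, client_ip): {"posts": n, "agents": {...}, "anonymous": n}} for
    repeated POSTs to .aspx pages outside the baseline; anonymous POSTs are a strong signal."""
    hits = defaultdict(lambda: {"posts": 0, "agents": set(), "anonymous": 0})
    for r in parse_iis_log(text):
        uri = r.get("cs-uri-stem", "").lower()
        if r.get("cs-method") != "POST" or not uri.endswith(".aspx") or uri in known_pages:
            continue
        key = (uri, r.get("c-ip"))
        hits[key]["posts"] += 1
        hits[key]["agents"].add(r.get("cs(User-Agent)"))
        if r.get("cs-username") == "-":  # IIS logs "-" for unauthenticated requests
            hits[key]["anonymous"] += 1
    return {k: v for k, v in hits.items() if v["posts"] >= min_posts}


if __name__ == "__main__":
    for (uri, ip), info in find_webshell_candidates(SAMPLE_LOG, KNOWN_PAGES).items():
        print(f"{ip} -> {uri}: {info['posts']} POSTs, {info['anonymous']} anonymous, agents={sorted(info['agents'])}")
```

Any hit should be confirmed by checking the file's creation time and content on disk, since a legitimate custom page can also fall outside the baseline.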
The patched SharePoint vulnerability is tracked as CVE-2019-0604. It allows attackers to execute code remotely on vulnerable SharePoint servers because the software fails to check the source markup of an application package.
Researchers from Checkpoint used Shodan to search for Internet-accessible servers running versions of SharePoint vulnerable to CVE-2019-0604; the search found 28,881 servers running a vulnerable version of SharePoint.
The researchers also said that, using this vulnerability, attackers can easily move further to other systems on the network by dumping credentials with a variety of dangerous hacking tools such as the notorious Mimikatz, which lets them run commands on other systems deployed in the same network.
According to the Checkpoint report, "Back in April 2019, the Emissary Panda threat group exploited CVE-2019-0604 to install web shells on SharePoint servers at government organizations in two Middle Eastern countries. Fast forward five months to the current attacks and we see exploitation of the same vulnerability at government organizations in two different countries compared to the April attacks."
In the current attack, no strong ties were observed that would link the Emissary Panda threat group to this activity.
Exploiting the SharePoint vulnerability is not unique to the Emissary Panda threat group; multiple threat groups are targeting SharePoint servers to gain initial access to targeted networks.
"We would like to acknowledge the possibility of overlap in the AntSword web shell, as we stated that Emissary Panda used China Chopper in the April attacks and AntSword and China Chopper web shells are incredibly similar," Checkpoint said.
Researchers also observed the actors using a credential dumping tool called Dumpert, which had not been seen in any of the previous incidents that exploited CVE-2019-0604.
You can also read the complete technical write-up of the exploitation of CVE-2019-0604 using various open-source hacking tools here.
Indicators of Compromise