Hackers Exploiting Microsoft Sharepoint Vulnerability to Hack Government Organization Networks

Researchers observed that the cybercriminals are still exploiting the patched MS Sharepoint remote code execution vulnerability to compromise the government organization in the Middle East.

SharePoint is a web-based collaborative platform that integrates with Microsoft Office. With a Microsoft Sharepoint intranet, your teams can share files, data, and resources and collaborate on work.

Threat actors are installing web shells to the SharePoint server and use it to run the commands and upload additional tools to infect the network where the unpatched Sharepoint servers deployed.

Researchers utilize that the actors are using open source AntSword web shell freely available on Github that similar to the infamous China Chopper web shell.

The patched SharePoint vulnerability can be tracked as CVE-2019-0604 that allows attackers to execute remote code on the vulnerable SharePoint servers when the software fails to check the source markup of an application package.

Researchers from Checkpoint used Shodan to search for Internet-accessible servers running versions of SharePoint vulnerable to CVE-2019-0604, in result, there are 28,881 servers are a vulnerable version of SharePoint.

Also researchers said, Using this Vulnerability, attackers can easily moving further other systems on the network by dumping credentials using the variety of dangerous hacking tools such as the notorious Mimikatz tool, and it leads to run the command on the other systems deployed in the same network.

According to Checkpoint report ” Back in April 2019,  Emissary Panda threat group exploiting CVE-2019-0604 to install web shells on SharePoint servers at government organizations in two Middle Eastern countries. Fast forward five months to the current attacks and we see exploitation of the same vulnerability at government organizations in two different countries compared to the April attacks.”

In this current attack, there are no strong ties were observed that the Emissary Panda threat group involved in this attack.

Exploiting the Sharepoint vulnerability is not unique to the Emissary Panda threat group, but multiple threat groups are targeting to exploit SharePoint servers to gain initial access to targeted networks.

“We would like to acknowledge the possibility of overlap in the AntSword web shell, as we stated that Emissary Panda used China Chopper in the April attacks and AntSword and China Chopper web shells are incredibly similar.” Checkpoint said.

Researchers also observed that the actors also using a credential dumping tool called Dumpert which had not been seen in any of the previous incidents that exploited the CVE-2019-0604.

You can also read the complete technical writeup of the exploiting CVE-2019-0604 using the various open-source hacking tools here.

Indicators of Compromise

Awen Webshell
5d4628d4dd89f31236f8c56686925cbb1a9b4832f81c95a4300e64948afede21
AntSword Webshell
15ecb6ac6c637b58b2114e6b21b5b18b0c9f5341ee74b428b70e17e64b7da55e
Mimikatz
da53dcaeede03413ba02802c4be10883c4c28d3d28dee11734f048b90eb3d304
Related Tools
da53dcaeede03413ba02802c4be10883c4c28d3d28dee11734f048b90eb3d304
2836cf75fa0538b2452d77848f90b6ca48b7ff88e85d7b006924c3fc40526287
26d9212ec8dbca45383eb95ec53c05357851bd7529fa0761d649f62e90c4e9fd
a4aca75bcc8f18b8a2316fd67a7e545c59b871d32de0b325f56d22584038fa10
e4e05c9a216c2f2b3925293503b5d5a892c33db2f6ea58753f032b80608c3f2e

Also Read:

Top 10 Best Open Source Firewall to Protect Your Enterprise Network 2020

Top 10 Best Open Source Intelligence Tools (OSINT Tools) for Penetration Testing – 2020

Leave a Reply