AT&T Alien Labs researcher Chris Doman has seen a number of reports of active exploitation of a vulnerability in Microsoft Sharepoint (CVE-2019-0604).
One report by the Saudi Cyber Security Centre appears to be primarily targeted at organisations within the kingdom.
An earlier report by the Canadian Cyber Security Centre identified similar deployment of the tiny China Chopper web-shell to gain an initial foothold.
SharePoint CVE-2019-0604 now being exploited in the wild – reports by Saudi (https://t.co/m6VmF7n2Js) and Canadian (https://t.co/yhzY8qgxi8) National Cyber-Security Centres. Some additional IOCs @ https://t.co/gsGOoh6h9r pic.twitter.com/70LQCOmuTn
— chris doman (@chrisdoman) May 9, 2019
Expert Comments:
Chris Doman at AlienVault:
The vision2030 domains are impersonating the Saudi government site https://vision2030.gov.sa/ – indicating the campaign the Saudi’s reported on was likely targeting them.
The exploit isn’t particularly widely used at this point. Recent server side vulnerabilities like the Atlassian Confluence vulnerability and Oracle Weblogic vulnerabilities are being exploited very widely by a number of groups for crypto-mining and ransomware gangs. In contrast, I’ve seen few reports of this Sharepoint vulnerability being exploited so far.
I’ll have better telemetry soon once a new signature is deployed to our customers today – but currently my visibility is pretty poor.
I’m just seeing the malware (uploaded to VirusTotal from a user in China), the Saudi and Canadian reports, and reports from a couple of Twitters users from the US.
The attackers in the Saudi case are reasonably capable. The malware waits for encrypted commands from an attacker – rather than noisily reaching out to an attackers command and control server.
And they haven’t left any obvious indicators of their location in the malware or servers. The Saudi national cyber security centre mentions the attackers looking for Exchange and SQL servers – that would fit with attackers looking for information.
I’m not sure if the attacks are continuing or not. The Saudi domains didn’t serve me malware which indicates they may be down – but they may do if you connect from a machine in Saudi.
The Saudi report was released today –
https://twitter.com/NCSC_SA/status/1126420277947174912
The Shamoon text is unrelated – they’ve just stuck a few reports together on the same day.
