SharePoint Problem Returns. Be Afraid.

Both Canada and Saudi Arabia issued alerts to the security community that they had observed traces of CVE-2019-0604 as part of other cyber attacks.

Larry Loeb, Blogger, Informationweek

May 14, 2019

CVE-2019-0604, the SharePoint problem that became semi-famous because Microsoft had to reissue the patch for it after they had already put one out, has been seen in the wild.

Both Canada and Saudi Arabia issued alerts to the security community that they had observed traces of its presence as part of other cyber attacks.

Both of them said that the exploit ended up delivering the China Chopper web shell to vulnerable servers.

The Saudis said the activity dropping the Chopper had occurred "within the last two weeks" against "multiple organizations that have been impacted and infected by the active exploitation of the CVE-2019-0604, a vulnerability that can grant remote code execution."

They also expect this problem to be greatly amplified in the future, since it affects Microsoft SharePoint, which is Internet-facing in most targets and is in most cases integrated with the internal Active Directory.

Not only is this exploitation technique still relatively successful, it is simple and can be performed using an HTTP request.

They also make the point that organizations may not have previously prioritized patching of vulnerabilities that were not known to be actively exploited. Like this one.

Once the first proof-of-concept (PoC) code hit for this problem, the Saudis "observed a spike in scanning activities on this specific vulnerability which indicates a rapid and quick adoption from multiple threat actors that are keen to utilize this easy and remote access to organization networks."

So they have quite reasonably come to the conclusion that, "Threat actors with varying motivations are often quick to weaponize PoC code following public disclosures. This swift exploitation ultimately increases the likelihood that their campaigns will be successful."

Canada found that the academic, utility, heavy industry, manufacturing and technology sectors were all affected by this activity. They were also polite about why this happened: "Microsoft released security updates addressing this vulnerability in February and March 2019; however, many systems remain outdated."

Security maven Kevin Beaumont tweeted the sightings in the wild to others, while adding his own comment.

"There isn't yet a public (web accessible) exploit for RCE against SharePoint (the ones on Github and ZDI don't work out the box). If that changes I think this will be one of the biggest vulns in years. It would own a lot of enterprises. Like, a LOT."

But his assessment of the threat actors is simple.

"Note some APT and crimeware groups are already using it, i.e. ones with skills."

This fits with the Saudis' view that the vulnerability is attractive to attackers, and with their evidence that skilled attackers are already using it. The public exploits are non-functional, which keeps the skids (unskilled attackers) from using them. But if a functional one were posted, that would change the dynamics of the situation greatly. Mr. Beaumont seems to agree.

Patch. Now.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
