Microsoft SharePoint server flaw CVE-2019-0604 actively being exploited in the wild

May 31, 2019

This week, SonicWall Capture Labs Threat Research team observed a huge spike in the hits targeting the Microsoft SharePoint server flaw. These HTTP requests are made to command and control the hosts that are infected with the exploits of CVE-2019-0604. It is seen to hit almost 100 countriesbut most observed only in the United States.

CVE-2019-0604 | Microsoft SharePoint Remote Code Execution Vulnerability:

A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker can exploit these vulnerabilities by sending malicious crafted requests to a vulnerable SharePoint server or enticing a SharePoint user to upload a specially crafted SharePoint application package to a vulnerable server. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.

Exploit:

Earlier this month, Canadian Center for Cyber Security and Saudi National Cyber Security Center have reported evidences of active exploitation of Microsoft SharePoint Remote Code Execution Vulnerability ( CVE-2019-0604).  The Threat actors exploited this vulnerability in order to deploy the China Chopper web shell. After establishing the initial foothold, threat actors utilized the web shell to run PowerShell scripts to download other malicious files including backdoor. The threat actors then installed HTTP backdoor to handle any requests to “hxxp://localhost:80/TEMPORARY_LISTEN_ADDRESSES/WSMAN”, or other folders such as WSMAN3 and SMSSERVICE. Through HTTP requests, malware receives commands encrypted by AES. The malware on the infected hosts has the ability to execute commands, download and upload files. The result is encoded and sent back to C&C server.

 

The majority of requests come from the IP address ‘188.166.64.99‘ trying to command & control the SharePoint servers that have been exploited already. The scan is so massive that around 30,000 SonicWall firewalls have observed these malicious HTTP requests and blocked them successfully. 

 

We have observed the following malicious HTTP requests :
  • hxxp://188.166.64.99/TEMPORARY_LISTEN_ADDRESSES/WSMAN
  • hxxp://188.166.64.99/TEMPORARY_LISTEN_ADDRESSES/WSMAN3
  • hxxp://188.166.64.99/TEMPORARY_LISTEN_ADDRESSES/SMSSERVICE

Trend Chart

The trend line below shows how this vulnerability in recent days has been actively exploited. 

Heat Map:

Heat map is based on the no of unique firewalls geographically hit by this attack

Fix:

Microsoft has released a patch that fixes the vulnerability. Please find the vendor advisory regarding this vulnerability: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604

The affected software versions are
  • Microsoft SharePoint Foundation 2010 Service Pack 2
  • Microsoft SharePoint Foundation 2013 Service Pack 1
  • Microsoft SharePoint Server 2010 Service Pack 2
  • Microsoft SharePoint Server 2013 Service Pack 1
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2019

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS 14201 Microsoft SharePoint Remote Code Execution 4
IPS 14216 WSMAN Inbound Access
IPS 14217 SMSSERVICE Inbound Access
IPS 14218 Microsoft SharePoint Remote Code Execution 5
IPS 14219 Microsoft SharePoint Remote Code Execution 6
IPS 14231 Microsoft SharePoint ActionRedirect.aspx Access
IPS 14232 Microsoft SharePoint downloadexternaldata.aspx Access
IPS 14233 Microsoft SharePoint profileredirect.aspx Access
WAF 1711 Microsoft Sharepoint Picker.aspx Remote Code Vulnerability