Sharepoint vulnerability exploited in the wild

May 10, 2019 | Chris Doman

The CVE-2019-0604 (Sharepoint) exploit and what you need to know

AT&T Alien Labs has seen a number of reports of active exploitation of a vulnerability in Microsoft Sharepoint (CVE-2019-0604).

One report by the Saudi Cyber Security Centre appears to be primarily targeted at organisations within the kingdom.

An earlier report by the Canadian Cyber Security Centre identified similar deployment of the tiny China Chopper web-shell to gain an initial foothold.

AT&T Alien Labs has identified malware that is likely an earlier version of the second-stage malware deployed in the Saudi intrusions:

This malware sample was shared by a target in China. The malware receives AES-encrypted commands via http://$SERVER/Temporary_Listen_Addresses/SMSSERVICE and has the ability to:

  • Execute commands; and
  • Download and upload files

It’s likely that multiple attackers are now using the exploit. One Twitter user has reported seeing exploitation from the IP address 194.36.189[.]177, which we have also seen acting as a command and control server for malware linked to FIN7.

A patch for the vulnerability is available from Microsoft.

Detection

Suricata

alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"AV TROJAN Neptune Backdoor WSMAN Inbound Access"; flow:established,to_server; content:"/TEMPORARY_LISTEN_ADDRESSES/WSMAN"; http_uri; nocase; content:"|0d 0a|Cookie\: "; nocase; content:"_REGUESTGUID"; sid:1111111111; rev:1;)

alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"AV TROJAN Neptune Backdoor SMSSERVICE Inbound Access"; flow:established,to_server; content:"/TEMPORARY_LISTEN_ADDRESSES/SMSSERVICE"; http_uri; nocase; sid:1111111112; rev:1;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"AV EXPLOIT SharePoint Picker.aspx RCE (CVE-2019-0604)"; flow:established,to_server; content:"POST"; http_method; content:"Picker.aspx?"; http_uri; content:"PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog"; fast_pattern; http_uri; distance:0; content:"ctl00$PlaceHolderDialogBodySection$ctl05$hiddenSpanData"; http_client_body; pcre:"/((?!\x0d\x0a)[\W\w])*Diag\x3aProcess/PRi"; content:"Diag|3a|Process"; distance:0; reference:url,https://x3fwy.bitcron.com/post/sharepoint-rce-explained; reference:cve,2019-0604; classtype:attempted-admin; sid:1111111114; rev:1;)
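The same three conditions expressed as request-inspection logic in Python, useful for sweeping captured requests or IIS/proxy logs that were never fed to Suricata. This is an added example, not code from the original post; the sample requests (hostname, Picker.aspx path and the <PAYLOAD> placeholder standing in for the serialized data) are constructed.

```python
"""Mirror of the three Suricata signatures above, applied to raw HTTP requests."""
import re
from dataclasses import dataclass


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict      # header names lower-cased
    body: str
    raw: str


def parse_http_request(raw: str) -> HttpRequest:
    """Split a raw HTTP/1.x request into method, URI, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers, body, raw)


# Same logic as the signature's pcre (PRi): "Diag:Process" must follow the
# hiddenSpanData field with no CRLF in between, case-insensitively.
_PICKER_RCE = re.compile(
    r"ctl00\$PlaceHolderDialogBodySection\$ctl05\$hiddenSpanData"
    r"(?:(?!\r\n).)*Diag:Process", re.IGNORECASE | re.DOTALL)


def match_signatures(req: HttpRequest) -> list:
    """Return the msg names of the signatures this request would trigger."""
    hits = []
    uri = req.uri.upper()   # the URI contents above are declared nocase
    if ("/TEMPORARY_LISTEN_ADDRESSES/WSMAN" in uri and "cookie" in req.headers
            and "_REGUESTGUID" in req.raw):          # case-sensitive, as in the rule
        hits.append("Neptune Backdoor WSMAN Inbound Access")
    if "/TEMPORARY_LISTEN_ADDRESSES/SMSSERVICE" in uri:
        hits.append("Neptune Backdoor SMSSERVICE Inbound Access")
    if (req.method == "POST" and "Picker.aspx?" in req.uri
            and "PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog" in req.uri
            and _PICKER_RCE.search(req.body)):
        hits.append("SharePoint Picker.aspx RCE (CVE-2019-0604)")
    return hits


# Constructed samples (not captured traffic); the exploit body is a placeholder.
SAMPLE_EXPLOIT = ("POST /_layouts/15/Picker.aspx?PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog HTTP/1.1\r\n"
                  "Host: sharepoint.example.com\r\n\r\n"
                  "ctl00$PlaceHolderDialogBodySection$ctl05$hiddenSpanData=<PAYLOAD>Diag:Process<PAYLOAD>")
SAMPLE_BEACON = "GET /Temporary_Listen_Addresses/SMSSERVICE HTTP/1.1\r\nHost: sharepoint.example.com\r\n\r\n"
SAMPLE_BENIGN = "GET /_layouts/15/Picker.aspx HTTP/1.1\r\nHost: sharepoint.example.com\r\n\r\n"
```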

Yara Rules

import "dotnet"

rule NetptuneMAPIBackdoor {
    meta:
        type = "malware"
        description = "NetptuneMAPIBackdoor"
        author = "[email protected]"
        reference1 = "https://otx.alienvault.com/indicator/file/c63f425d96365d906604b1529611eefe5524432545a7977ebe2ac8c79f90ad7e"
        reference2 = "https://otx.alienvault.com/pulse/5cd3f89df12b501c477a6fba"
    strings:
        $pdb = "SmsServiceServerTest.pdb"
        $key = "2E4B7C022329E5C21E47D55E8916F6AF852AABBBD1798F9E16985F22A8056646"
        $st2 = "CampaignData"
        $st3 = "campaiginData"
        $st4 = "HttpBindingBase"
        $st5 = "set_UseShellExecute"
        $st6 = "sendSMSFlash"
        $st7 = "not uploaded" wide ascii
    condition:
        uint16(0) == 0x5A4D and
        ((dotnet.typelib == "a7d94843-0bdf-4675-9735-bf75857331fb" and
          dotnet.guids[0] == "2945c3c4-1b62-4cfc-b902-1f639fa79fc5") or
         $pdb or $key or all of ($st*))
}

rule alienvault_webshells_asp : Webshells
{
    meta:
        author = "AlienVault Labs"
        info = "Generic detections for possible PHP Web-Shells"
    strings:
        $sa = "<%eval request(" nocase wide ascii
        $sb = "Server.CreateObject(\"WSCRIPT.SHELL\")" nocase wide ascii
        $sc = "Eval(Request(" nocase wide ascii
        $sd = "ExecuteGlobal(StrReverse" nocase wide ascii
        $se = "<%eval(Request.Item[" nocase wide ascii
    condition:
        any of them
}

About the Author: Chris Doman, AlienVault

I've had a long interest in security, but joined the industry after winning the civilian section of the Department of Defense's forensics competition. I run a popular threat intelligence portal (ThreatCrowd.org) in my spare time, and hold a CCHIA (Certified Host Intrusion Analyst) from CREST and a degree in Computer Science from the University of Cambridge.
