A critical RCE vulnerability found in SharePoint

A few days ago, information security specialists reported a vulnerability in SharePoint allegedly exploited by malicious hacker groups to attack government organizations around the world. Now, following recent incidents affecting organizations in India, it has been confirmed that hackers are exploiting CVE-2019-0604, a remote code execution flaw in SharePoint.

In early 2020, a security expert found a flaw in SharePoint that could be exploited to execute arbitrary code remotely by sending a specially crafted SharePoint application package. Because exploitation is trivial, the researchers considered this a highly serious vulnerability.

The presence of the vulnerability has been confirmed in the web applications of the Indian Tax Department (rentataxindia.dov.in), which used SharePoint to host its services. To verify this, information security specialists sent a payload specially designed to perform remote DNS lookups. Dhiraj Mishra, an information security researcher, was in charge of filing the report with the Indian government.

During the investigation, it was also discovered that the web applications of the MIT Sloan School of Management were vulnerable to exploitation of CVE-2019-0604.

According to previous information security reports, dozens of United Nations (UN) servers were affected by an attack deployed between June and September 2019. Threat actors reportedly exploited multiple security bugs, despite subsequent attempts to repel the attack by UN cybersecurity teams.

Further investigation attributed the attacks to the exploitation of a known vulnerability in SharePoint. In a security alert sent internally to its system administrators, the UN said: “We work under the assumption that the entire domain has been compromised. So far, attackers have shown no signs of activity, although we assume they have already gained persistence in our systems.”

While this was a serious incident, specialists at the International Institute of Cyber Security (IICS) found that the UN only resorted to shutting down improper access and recommending that employees reset their passwords. Apparently, employees are unaware that their information was exposed to hackers, so they remain exposed to various forms of fraud and online crime.