Hackers are actively exploiting a recently patched critical remote code execution vulnerability in SharePoint Server versions to inject China Chopper web shell which allows hackers to inject and issue various commands.
Canadian and Saudi Arabian cybersecurity raised awareness about the ongoing attack targeting the outdated systems.
The vulnerability affects all the versions of the versions from SharePoint Server 2010 to through SharePoint Server 2019, and the vulnerability can be tracked as CVE-2019-0604, it was patched by Microsoft in February, released security updates on March 12, and again on April 25.
“An attacker who exploits the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. The exploitation of this vulnerability requires a specially crafted SharePoint application package.”
In this case, the attackers used China Chopper web shell to access the compromised servers remotely and to issue commands and to manage files on the victim server.
The web shell allows an attacker to upload and download any files from the compromised server and to edit, delete, copy, rename and even to change the timestamp of existing files.
Alien vault security researcher Chris doman tweeted about the ongoing campaign and published Some additional IoCs.
According to cybersecurity agencies, the targeted industries are academic, utility, heavy industry, manufacturing and technology sectors.
The organization running share point servers recommended updating the servers to addresses the vulnerability.
Indicators of compromise
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.
Microsoft Exchange Server Zero-day Flaw Exploit Provide Highest Admin Privilege to Hackers
Microsoft Releases Security Advisory for Privilege Escalation Vulnerability With Exchange Server