The Saudi Arabian and Canadian cyber security centres have issued reports on a vulnerability in Microsoft’s SharePoint that is being exploited in the wild.
The vulnerability, CVE-2019-0604, has been patched by Microsoft, but if exploited it can give an attacker the ability to execute commands and to download and upload files, AT&T Alien Labs reported. The malware involved is a backdoor that is likely an earlier version of the second-stage malware deployed in the intrusions reported by Saudi Arabia.
The Alien Labs team has also seen evidence that the malware is being used by FIN7.
"It’s likely multiple attackers are now using the exploit. One user on Twitter has reported that they have seen exploitation from the IP address 194.36.189[.]177 – which we have also seen acting as a command and control server for malware linked to FIN7," the report said.
The threat is explained in a blog post from Chris Doman, threat engineer at AT&T Alien Labs. In an email to SC Media UK, Doman adds:
"The vision2030 domains are impersonating the Saudi government site https://vision2030.gov.
"The exploit isn't particularly widely used at this point. Recent server-side vulnerabilities like the Atlassian Confluence vulnerability and Oracle WebLogic vulnerabilities are being exploited very widely by a number of groups for crypto-mining and by ransomware gangs. In contrast, I've seen few reports of this SharePoint vulnerability being exploited so far.
"I'll have better telemetry soon once a new signature is deployed to our customers today - but currently my visibility is pretty poor. I'm just seeing the malware (uploaded to VirusTotal from a user in China), the Saudi and Canadian reports, and reports from a couple of Twitter users from the US.
"The attackers in the Saudi case are reasonably capable. The malware waits for encrypted commands from an attacker - rather than noisily reaching out to an attacker's command and control server.
"And they haven't left any obvious indicators of their location in the malware or servers. The Saudi national cyber security centre mentions the attackers looking for Exchange and SQL servers - that would fit with attackers looking for information.
"I'm not sure if the attacks are continuing or not. The Saudi domains didn't serve me malware which indicates they may be down - but they may do if you connect from a machine in Saudi Arabia."
Recorded Future also quotes Chris Doman explaining that he found it interesting that both security agencies reported China Chopper installations at the start of the intrusions, but he went on to say that there is no evidence of a connection between the two. "While both found the China Chopper shell, it is not an uncommon occurrence, and despite the name indicating otherwise, the malware was used by hackers from various different regions."
An earlier version of this article was originally published on SC Media US.