Hackers from all over the world attack Microsoft SharePoint servers: noticed traces of famous FIN7

IT-experts from Canada and Saudi Arabia warned about cyberattacks on Microsoft SharePoint servers that last more than two weeks. In the attacks, hackers exploit famous CVE-2019-0604 vulnerability.

According to Microsoft security notification, vulnerability allows random code execution in the context of SharePoint applications’ pool and SharePoint server’s accounts. Company fixed CVE-2019-0604 with the release of patches in February, March and April of this year.

Markus Wolfgang, the researcher that discovered it in March, though soon on GitHub, published demo-exploit for vulnerability and Papstein started arriving Poc-codes from other developers.

Attacks did not made to wait for them – the first has been noted at the end of April. Canadian Centre for Cyber Security published its warning last month, and last week arrived another one, this time from National Cyber Security Center (NCSC) of Saudi Arabia.

According to report of both organization, cybercriminals hack PowerPoint servers and install China Chopper, variant of malware program. Program represents a web-shell that enables attackers switch to hacked server and start different commands.

Experts cannot say who is responsible for the attacks.

“Trusted researchers have identified compromised systems belonging to the academic, utility, heavy industry, manufacturing and technology sectors”, — report Canadian Centre for Cyber Security

The following versions of Microsoft SharePoint are known to be affected:

• Microsoft SharePoint Enterprise Server 2016
• Microsoft SharePoint Foundation 2013 SP1
• Microsoft SharePoint Server 2010 SP2
• Microsoft SharePoint Server 2019

It is likely that the current campaign is leveraging CVE-2019-0604 in order to deploy the web shell. Microsoft released security updates addressing this vulnerability in February and March 2019; however, many systems remain outdated.

NCSC does not report who exactly became a victim of attacks, however, it is obviously a Saudi Arabian organization.

At a glance attacks can be seem connected between each other, though it may be not so. China Chopper is a very common malware, and regardless its name, used by cybercriminals worldwide. Developer Chis Doman says that one of the used in the attacks IP-address was previously noted in FIN7 band arsenal.

“One user on twitter has reported that they have seen exploitation from the IP address 194.36.189[.]177 – which we have also seen acting as a command and control server for malware linked to FIN7”, — reported Chris Doman.

As Adware.Guru reported, Cybercriminal organization FIN7 is still active, despite arrest of its key members

Source: https://www.zdnet.com