Threat Watch

SharePoint Vulnerability Being Exploited Against Organizations in Canada and Saudi Arabia

FIN7 and Unknown Others: A critical SharePoint vulnerability, CVE-2019-0604, was discovered and disclosed earlier this year; the initial patch released in February was incomplete, and a second patch followed in March. Researchers at Palo Alto Networks Unit 42 have found evidence that the vulnerability has been successfully exploited against organizations in both Canada and Saudi Arabia. Even though patches were released in February and March, the first exploits were seen in early April. The vulnerability is caused by SharePoint failing to check the source markup of an application package, and it can be exploited by an attacker without authentication. In some of the cases seen in the wild, the vulnerability was exploited to deliver the China Chopper web shell to vulnerable servers. According to a spokesman for the Canadian Centre for Cyber Security, the organizations targeted within Canada have been primarily in the academic, utility provider, heavy industry, manufacturing, and technology sectors. The vulnerability currently appears to be exploited by a variety of groups using varying tactics.

ANALYST NOTES

Links have been found that lead some researchers to believe FIN7 is probably leveraging the vulnerability as well.