Attacking SharePoint servers is a popular threat, apparently because in many cases the SharePoint servers are integrated in the Active Directory service. Gaining access to the Active Directory allows attackers to gain a foothold inside the victim’s network. Furthermore, since SharePoint servers are exposed to the internet, attacks can be executed relatively easily. As an example, the CVE-2019-0604 SharePoint vulnerability, disclosed and patched in 2019, has gained popularity among threat actors, who have exploited it in different attacks since it was published. This is particularly true among nation-state actors (such as the Chinese nation-state Emissary Panda group). The vulnerability even became one of the ten most exploited vulnerabilities between 2016 and 2019, according to authorities in the US. Therefore, we estimate the new CVE-2020-1147 SharePoint vulnerability, patched in July 2020, may gain similar popularity among same threat actors, stressing the importance of applying the security update fixing this vulnerability as soon as possible.
CVE-2020-1147: NEW AND DANGEROUS
During July 2020, Microsoft patched a critical remote code execution vulnerability (CVE-2020-1147) affecting Microsoft SharePoint servers (CSVV score: 7.8).
The vulnerability resides in two .NET components, namely DataSet and DataTable, used for managing data sets, and stems from the fact that the software fails to check the source markup of XML file input. An attacker can exploit the vulnerability by uploading a specially crafted document to a server using a vulnerable product to process content. In addition, the vulnerability also affects the .NET Framework and Visual Studio. Since the vulnerability was disclosed, a security researcher published a technical analysis that includes an explanation on how it works, and demonstrates how even an attacker with low privileges can exploit it to execute code remotely on a vulnerable SharePoint server. Although the researcher did not provide a full PoC exploit code that can be used to deploy an attack, his analysis included a detailed explanation of the different stages required for exploiting the vulnerability, which can be used by potential attackers to build an exploit script. Of note, we observed that the researcher’s analysis was already shared on several Dark Web hacking forums.
Both Microsoft and the researcher emphasized the utmost importance of applying the patch as soon as possible, and stressed that the vulnerability exists in several additional .NET-based applications, and could therefore be exploited against additional products besides SharePoint, so even if an organization does not use SharePoint, it can still be affected by this vulnerability and exposed to attacks.
SHAREPOINT VULNERABILITIES GAIN POPULARITY AMONG NATION STATE ACTORS
The previous CVE-2019-0604 vulnerability in SharePoint allows attackers to execute arbitrary code remotely. The vulnerability stems from a failure to check the source markup of an application package and can be exploited by uploading a specially crafted SharePoint application package to a vulnerable version of SharePoint. The vulnerability was addressed and patched in February 2019.
We identified that mostly Chinese and Iranian state-sponsored groups exploited the previous SharePoint vulnerability (CVE-2019-0604) against multiple sectors around the world, and therefore it is highly possible the same threat actors will exploit the new vulnerability (CVE-2020-1147) as part of future campaigns. Throughout 2019-2020, we identified attacks against North America, Europe, Australia and the Middle East exploiting this vulnerability, targeting mainly government agencies, energy companies, International organizations, and academic institutions.
In May 2019, two different campaigns exploiting this vulnerability were uncovered. The first campaign, which focused on the technological and academic sectors in Canada, exploited the vulnerability to install the known China Chopper WebShell, active since 2012, mostly in the hands of Chinese threat actors. The second campaign, which targeted organizations in Saudi Arabia, also exploited the SharePoint vulnerability to install the China Chopper WebShell on all the folders on the victims’ SharePoint servers, and then distributed additional malware to collect information from the infected network.
Later, researchers discovered that the Chinese APT group Emissary Panda exploited this vulnerability to install WebShells on vulnerable SharePoint servers of government entities in two different Middle Eastern countries.
The researchers found code overlaps between the WebShells installed on the vulnerable SharePoint servers of the government entities in the Middle East and those used in the attacks against Canada and Saudi Arabia.
In December 2019, details emerged about a new data wiper malware named ZeroCleare that targeted the energy and industrial sectors in the Middle East. The malware was apparently developed by two Iranian APT groups – OilRig (also known as APT34) and xHunt (also known as Hive0081.) First, the attackers used brute-force to gain initial access to the targeted network, and then exploited a vulnerability in SharePoint to install different WebShells (such as China Chopper and Tunna) and move laterally across the network and wipe data from the disk. Although the researcher did not disclose the CVE identifier of the vulnerability, due to the similarities between this attack and the campaigns described above, we estimate this is possibly the same vulnerability – CVE-2019-0604. Either way, this attack demonstrates the popularity of SharePoint vulnerabilities among threat actors, and especially nation-state backed actors.
CYBER ATTACKS USING SHAREPOINT FLAWS DURING 2020
Even though this is a vulnerability from 2019, reports about its exploitation continued into 2020. For example, at the end of January 2020, it was reported that the UN offices in Geneva and Vienna had fallen victim to a cyber-attack that affected dozens of their servers and resulted in a data leak. The attack was described as sophisticated, and nation-state threat actors are believed to be behind it. The incident was discovered after an internal UN document was leaked to the press. According to this document, the attackers may have exploited the CVE-2019-0604 vulnerability during the attack.
In April 2020, authorities in the US and Australia issued an advisory warning regarding an increase in the exploitation of vulnerable web servers by malicious actors to install WebShells to gain and maintain access to victims’ networks. The advisory explores the most popular and common vulnerabilities exploited by threat actors to install WebShells, with one being the Microsoft SharePoint CVE-2019-0604 vulnerability. Later, in May 2020, US authorities published an advisory detailing the ten most exploited vulnerabilities between 2016 and 2019, which included the CVE-2019-0604 SharePoint vulnerability.
Finally, in June 2020, Australian authorities published an advisory alerting of an increase in cyber-attacks against Australian companies and government entities, executed by nation-state actors, supposedly from China. According to the advisory, the attackers exploited known remote code execution vulnerabilities affecting Internet-facing systems in an attempt to gain initial access and infect the victims’ network with the PlugX malware, used by multiple Chinese APT groups in the past. One of the vulnerabilities exploited by the attackers for this purpose was the CVE-2019-0604 SharePoint vulnerability.
Finally, we estimate that we will soon witness the new SharePoint vulnerability (CVE-2020-1147) exploited in different cyber-attacks and nation-state campaigns around the world.