Security researchers have discovered that attackers are actively exploiting a recently patched remote code execution flaw in Microsoft’s SharePoint servers.
The flaw, tracked as CVE-2019-0604, occurs when the software fails to check the source markup of an application package.
According to the advisory, attackers could exploit this vulnerability by uploading a specially crafted SharePoint application package to an affected version of SharePoint.
“An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.”
The patch for the flaw was released by Microsoft in February and March 2019.
Security researchers at AT&T Alien Labs discovered a number of attempts to exploit this flaw targeting organizations in Saudi Arabia and Canada.
The web shell dropped by the attackers allows them to execute arbitrary commands and to download and upload arbitrary files.
The Saudi Cyber Security Centre also reported similar attacks, stating that attackers are targeting organizations within the kingdom.
“AlienLabs has identified malware (https://pastebin.com/bUFPhucz) that is likely an earlier version of the second-stage malware deployed in the Saudi intrusions.”
“This malware sample was shared by a target in China. The malware receives commands at http://$SERVER/Temporary_Listen_Addresses/SMSSERVICE and has the ability to: execute commands; download and upload files.”
According to a user on Twitter, the exploitation attempts originated from the IP address 194.36.189[.]177, which was also the command-and-control server for malware linked to FIN7.
Researchers said that multiple attackers are now trying to exploit this flaw against various organisations; for more details on the attacks, see the blog post published by AT&T Alien Labs researchers.
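As an added example (not code from the article or from AT&T Alien Labs), the following Python snippet shows how a defender could sweep IIS W3C logs from a SharePoint front end for the two indicators quoted above: requests to the `/Temporary_Listen_Addresses/SMSSERVICE` web shell path and traffic from the reported source IP. The log lines are constructed for illustration; hostnames, timestamps and the other client addresses are made up.

```python
"""Flag IIS W3C log rows that match the indicators reported in the article."""
import ipaddress
import re
from typing import List, Tuple

# Indicators taken from the article text (the defanged IP is re-assembled here).
C2_PATH_RE = re.compile(r"/Temporary_Listen_Addresses/SMSSERVICE\b", re.IGNORECASE)
REPORTED_SOURCE_IP = ipaddress.ip_address("194.36.189.177")

# Constructed W3C extended log sample (#Fields header plus rows); not real traffic.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2019-05-10 08:01:12 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 200
2019-05-10 08:02:44 10.0.0.5 POST /Temporary_Listen_Addresses/SMSSERVICE - 443 - 194.36.189.177 python-requests/2.21.0 200
2019-05-10 08:03:01 10.0.0.5 GET /_layouts/15/upload.aspx - 443 CORP\\bob 10.0.1.21 Mozilla/5.0 200
2019-05-10 08:05:09 10.0.0.5 POST /temporary_listen_addresses/smsservice - 443 - 203.0.113.9 curl/7.64.0 200
"""


def parse_w3c(text: str) -> List[dict]:
    """Turn a W3C extended log into one dict per row, keyed by the #Fields header."""
    fields: List[str] = []
    rows: List[dict] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                       # other directives / blank lines
        values = line.split()
        if len(values) != len(fields):
            continue                       # malformed row; a real pipeline would report it
        rows.append(dict(zip(fields, values)))
    return rows


def find_suspicious(text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, uri_stem, reasons) for every row hitting an indicator."""
    hits: List[Tuple[str, str, str]] = []
    for row in parse_w3c(text):
        reasons = []
        if C2_PATH_RE.search(row["cs-uri-stem"]):   # case-insensitive: IIS paths are
            reasons.append("webshell-path")          # not case-sensitive
        try:
            if ipaddress.ip_address(row["c-ip"]) == REPORTED_SOURCE_IP:
                reasons.append("reported-source-ip")
        except ValueError:
            pass                                     # c-ip was "-" or garbage
        if reasons:
            hits.append((row["c-ip"], row["cs-uri-stem"], "+".join(reasons)))
    return hits
```

A hit on the path alone is the stronger signal, since the source address of an attacker changes far more readily than the web shell's URL.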