FIN7 Linked to Escalating Active Exploits for Microsoft SharePoint Bug

Microsoft SharePoint Bug

Using a bug patched in March, the attacks are starting to ramp up worldwide.

A recently patched, high-severity vulnerability in Microsoft SharePoint (CVE-2019-0604) that allows remote code-execution is being increasingly exploited in the wild, according to researchers – possibly by the FIN7 group, among others.

According to the Microsoft’s advisory, the vulnerability (which carries a 7.8 CVSS v.3.0 score) exists because the software fails to check the source markup of an application package – Microsoft issued a patch in March.

The Canadian Cyber Security Centre in April warned that the bug is being exploited in Canada, using “the tiny China Chopper web-shell to gain an initial foothold.” But efforts appear to be escalating. A report Friday from the Saudi Cyber Security Centre (NCA) warned of attacks happening across the Kingdom, also using the one-line China Chopper.

“In the last two weeks, NCA has observed evidence of multiple organizations that have been impacted and infected by the active exploitation of the CVE-2019-0604, a vulnerability that can grant remote code execution were the threat actors exploits this vulnerability and use the Command Prompt to implant the known China Chopper web-shell,” the NCA said. “The threat actors through the vulnerability runs the command prompt and writes the…web-shell in all available folders in the SharePoint server.”

From there, the attackers utilize the web-shell to install other PowerShell scripts to move laterally and begin internal reconnaissance in the victim network. Second-stage payloads include a “new, custom backdoor,” according to the NCA.

Following on this, AT&T Alien Labs has also identified additional attacks that exploit the bug, dropping a second-stage binary related to those attacks. The malicious code can carry out remote code-execution, data exfiltration and downloads of more malware.

“[One] malware sample was shared by a target in China,” Chris Doman, researcher at Alien Labs, said in a posting on Friday. “[It] is likely an earlier version of the second-stage malware deployed in the Saudi intrusions.”

In looking at the Saudi attacks, “the attackers are reasonably capable,” Doman added via email. “The malware waits for encrypted commands from an attacker – rather than noisily reaching out to an attacker’s command-and-control server. And they haven’t left any obvious indicators of their location in the malware or servers. The Saudi report mentioned the attackers looking for Exchange and SQL servers – that would fit with attackers looking for information.”

Doman also said that Alien Labs believes there are multiple attackers now using exploiting the vulnerability – including potentially the FIN7 cybercrime gang. Since 2015, FIN7 has targeted point-of-sale systems at casual-dining restaurants, casinos and hotels. The group typically uses malware-laced phishing attacks against victims in hopes they will be able to infiltrate systems to steal bank-card data and sell it. Its choice of malware is always evolving, including occasionally using never-before-seen samples that surprise researchers.

Doman explained the SharePoint attacks’ connection to the group: “One user on Twitter has reported that they have seen exploitation from the IP address 194.36.189[.]177 – which we have also seen acting as a command-and-control server for malware linked to FIN7.”

Doman added via e-mail that while there might be multiple attackers, the exploit itself isn’t particularly widely used at this point.

“Recent server-side vulnerabilities like the Atlassian Confluence vulnerability and Oracle Weblogic vulnerabilities are being exploited very widely by a number of groups, for cryptomining and ransomware gangs,” he said. “In contrast, I’ve seen few reports of this SharePoint vulnerability being exploited so far,” including “a couple of Twitter users in the U.S.”

The Saudis warned that they expect snowballing attacks however in the short term: “Threat actors with varying motivations are often quick to weaponize PoC code following public disclosures. This swift exploitation ultimately increases the likelihood that their campaigns will be successful. Therefore, it is critical that organizations with a SharePoint installation should apply the published security updates.”