Microsoft SharePoint vulnerability being exploited
Earlier this year, researchers published a remote code execution vulnerability in Microsoft SharePoint servers. This vulnerability is now being actively exploited to deploy a variant of the ChinaChopper webshell to gain access to organisations.
Microsoft has released patches for all vulnerable versions.
Microsoft SharePoint vulnerability CVE-2019-0604 is being actively exploited by attackers.
Microsoft released patches for this vulnerability in security updates earlier this year. However, any system that remains unpatched is vulnerable to this attack.
The following SharePoint servers are vulnerable if unpatched:
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Foundation 2010 Service Pack 2
- Microsoft SharePoint Foundation Service Pack 1
- Microsoft SharePoint Server 2010 Service Pack 2
- Microsoft SharePoint Server 2013 Service Pack 1
- Microsoft SharePoint Server 2019
What this means
Organisations tracking these incidents have noted that attackers compromise vulnerable SharePoint servers and install a version of the ChinaChopper webshell. This allows attackers to carry out remote code execution attacks.
What to look for
How to tell if you're affected
The Canadian Centre for Cyber Security has published some indicators of compromise regarding this attack.
What to do
CERT NZ recommends you patch any Microsoft SharePoint servers that are not up to date.
If you are unable to apply these security updates, we recommend you use other security controls to mitigate this risk – primarily ensuring your SharePoint Service is not accessible from the internet.
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
For media enquiries, email our media desk at firstname.lastname@example.org or call the MBIE media team on 027 442 2141.