A critical vulnerability in Microsoft’s SharePoint collaboration platform has been exploited in the wild to deliver malware.
The security hole, tracked as CVE-2019-0604, got its first patch in February and another one in March after the first fix turned out to be incomplete. Microsoft described the issue as a remote code execution vulnerability caused by the software’s failure to check the source markup of an application package. It can be exploited without the need for authentication.
“An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account,” Microsoft said in an advisory.
Markus Wulftange, the researcher who reported the flaw to Microsoft through Trend Micro’s Zero Day Initiative (ZDI), disclosed details and proof-of-concept (PoC) code on March 13, one day after Microsoft released the second round of patches.
Several PoC exploits were later made public and the first attacks exploiting CVE-2019-0604 were apparently spotted in early April.
The Canadian government’s Canadian Center for Cyber Security published an alert on April 23 to warn organizations that the SharePoint vulnerability had been exploited to deliver the China Chopper web shell to affected servers.
“Trusted researchers have identified compromised systems belonging to the academic, utility, heavy industry, manufacturing and technology sectors,” the agency said...