Threat Actors Still Exploiting SharePoint Vulnerability to Attack Middle East Government Organizations


On September 10, 2019, we observed unknown threat actors exploiting a vulnerability in SharePoint described in CVE-2019-0604 to install several webshells on the website of a Middle East government organization. One of these webshells is the open source AntSword webshell freely available on Github, which is remarkably similar to the infamous China Chopper webshell.

On January 10, 2020, we used Shodan to search for Internet accessible servers running versions of SharePoint vulnerable to CVE-2019-0604. While admittedly the version numbers provided by SharePoint within HTTP responses do not always provide the precise SharePoint version number, we decided to use it to check if it was less than the version numbers of the patched SharePoint versions from the Microsoft advisory.

Read more…
Source: Palo Alto