As such, those with updated servers should have nothing to fear, but the Canadian Center for Cyber Security (CCCS) and Saudi National Cyber Security Center (SNSC) both reported attacks. Attacks began shortly after demo exploit code was published in March. According to the agencies, attackers took over SharePoint servers with a version of the China Chopper web shell malware. This was utilized for remote code execution on affected servers, Saudi officials citing the use of PowerShell scripts to gain further access. Thought the Saudi government did not reveal the victims of the attacks, the CCCS gave information about targets in Canada. According to the organization, compromised systems were noted in “academic, utility, heavy industry, manufacturing and technology sectors” by trusted researchers.
No Evidence of Nation State Involvement
Neither country has suggested evidence of a nation-state attack at this time. However, as ZDNet notes, the attacks do have a similar time period. The Saudis say SharePoint team collaboration sever attacks have been happening for around two weeks, the same as Canada’s began. Researchers say this is not evidence of a coordinated attack. The China Chopper Web shell is a common tool. Further, the disclosure of the demo exploits creates a natural common timeframe for attacks. The vulnerability required the upload of a specially crafted SharePoint application package to exploit. SharePoint server fails to correctly check the source markup, enabling arbitrary code execution. It affects SharePoint Enterprise Server 2016, 2013 SP1, 2010 SP2, and 2019. Organizations should patch their servers as quickly as possible, or put them behind an internal network only firewall to mitigate some of the damage if that’s not possible. Last week, researchers also noticed a highly sophisticated attack on Microsoft Exchange Servers that allowed for a stealthy backdoor. Last month Microsoft admitted to a serious Outlook.com breach. Clearly, it’s been a tough few weeks for security teams at the company.
