One Article Review

Home - The article:
Source AlienVault Blog
Identifier 1140185
Publication date 2019-05-10 14:42:00 (viewed: 2019-06-05 04:00:24)
Title Sharepoint vulnerability exploited in the wild
Text
The CVE-2019-0604 (Sharepoint) exploit and what you need to know

AT&T Alien Labs has seen a number of reports of active exploitation of a vulnerability in Microsoft Sharepoint (CVE-2019-0604). One report by the Saudi Cyber Security Centre appears to be primarily targeted at organisations within the kingdom. An earlier report by the Canadian Cyber Security Centre identified similar deployment of the tiny China Chopper web-shell to gain an initial foothold.

AT&T Alien Labs has identified malware that is likely an earlier version of the second-stage malware deployed in the Saudi intrusions. This malware sample was shared by a target in China. The malware receives commands encrypted with AES at http://$SERVER/Temporary_Listen_Addresses/SMSSERVICE and has the ability to:
- Execute commands; and
- Download and upload files

It’s likely multiple attackers are now using the exploit. One user on Twitter has reported that they have seen exploitation from the IP address 194.36.189[.]177, which we have also seen acting as a command and control server for malware linked to FIN7.

A patch for the vulnerability is available from Microsoft.
Detection

Suricata
alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"AV TROJAN Neptune Backdoor WSMAN Inbound Access"; flow:established,to_server; content:"/TEMPORARY_LISTEN_ADDRESSES/WSMAN"; http_uri; nocase; content:"|0d 0a|Cookie\: "; nocase; content:"_REGUESTGUID"; sid:1111111111; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"AV TROJAN Neptune Backdoor SMSSERVICE Inbound Access"; flow:established,to_server; content:"/TEMPORARY_LISTEN_ADDRESSES/SMSSERVICE"; http_uri; nocase; sid:1111111112; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"AV EXPLOIT SharePoint Picker.aspx RCE (CVE-2019-0604)"; flow:established,to_server; content:"POST"; http_method; content:"Picker.aspx?"; http_uri; content:"PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog"; fast_pattern; http_uri; distance:0; content:"ctl00$PlaceHolderDialogBodySection$ctl05$hiddenSpanData"; http_client_body; pcre:"/((?!\x0d\x0a)[\W\w])*Diag\x3aProcess/PRi"; content:"Diag|3a|Process"; distance:0; reference:url,https://x3fwy.bitcron.com/post/sharepoint-rce-explained; reference:cve,2019-0604; classtype:attempted-admin; sid:1111111114; rev:1;)

Yara Rules
import "dotnet"
rule NetptuneMAPIBackdoor {
meta:
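As an added example (not code from the AlienVault post), the three Suricata rules above re-expressed as Python checks over a parsed HTTP request, so they can be replayed against captured requests offline; the rules' raw-content matches are approximated with header and body checks, and the sample request is constructed.

```python
import re
from typing import NamedTuple

class HttpRequest(NamedTuple):
    method: str
    uri: str
    headers: dict
    body: str

def parse_request(raw: str) -> HttpRequest:
    """Split a raw HTTP/1.1 request (CRLF line endings) into method, URI, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers, body)

def neptune_wsman(req: HttpRequest) -> bool:
    # sid 1111111111: WSMAN listener URI plus a Cookie header carrying _REGUESTGUID
    return ("/temporary_listen_addresses/wsman" in req.uri.lower()
            and "_reguestguid" in req.headers.get("cookie", "").lower())

def neptune_smsservice(req: HttpRequest) -> bool:
    # sid 1111111112: any request for the SMSSERVICE listener URI, case-insensitive
    return "/temporary_listen_addresses/smsservice" in req.uri.lower()

def sharepoint_picker_rce(req: HttpRequest) -> bool:
    # sid 1111111114: POST to Picker.aspx with ItemPickerDialog in the query string and the
    # hiddenSpanData form field followed (distance:0) by the Diag:Process marker in the body
    i = req.body.find("ctl00$PlaceHolderDialogBodySection$ctl05$hiddenSpanData")
    return (req.method == "POST" and "Picker.aspx?" in req.uri
            and "PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog" in req.uri
            and i >= 0 and re.search(r"Diag:Process", req.body[i:], re.I) is not None)

RULES = {
    "AV TROJAN Neptune Backdoor WSMAN Inbound Access": neptune_wsman,
    "AV TROJAN Neptune Backdoor SMSSERVICE Inbound Access": neptune_smsservice,
    "AV EXPLOIT SharePoint Picker.aspx RCE (CVE-2019-0604)": sharepoint_picker_rce,
}

def alerts_for(raw: str) -> list:
    # Return the msg of every rule the raw request triggers (empty list if none)
    req = parse_request(raw)
    return [name for name, check in RULES.items() if check(req)]

# Constructed sample request (not a real capture) that should trip the SMSSERVICE rule
SAMPLE = "POST /Temporary_Listen_Addresses/SMSSERVICE HTTP/1.1\r\nHost: sp.example.test\r\n\r\nopaque"
```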
Sent Yes
Tags Malware Vulnerability


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.