SECURITY ALERT: China Chopper Malware targeting vulnerable SharePoint Servers

    • Updated on:
    • Product/Version:
    • Operating system:
Summary

Trend Micro is aware of a campaign that is targeting several unpatched versions of Microsoft SharePoint Server in order to try and deploy the China Chopper web shell.

It is believed that the campaign is leveraging CVE-2019-0604, a vulnerability originally discovered and disclosed to Microsoft by Markus Wulftange (@mwulftange) working with Trend Micro's Zero Day Initiative. Successful exploitation allows an attacker to run arbitrary code in the context of the SharePoint application pool and server farm account, which is how the web shell is deployed.

Microsoft released updates and security guidance for vulnerable versions of SharePoint in February and March of 2019; however, many servers remain unpatched.

Details

Vulnerable Versions of Microsoft SharePoint


The following unpatched versions of Microsoft SharePoint are vulnerable:


  • Microsoft SharePoint Server 2019
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Foundation 2013 SP1
  • Microsoft SharePoint Server 2010 SP2


Mitigation and Protection


The first line of protection against any exploited vulnerability is to ensure the affected systems are patched with Microsoft's latest security update. In addition, any SharePoint servers that are designated for corporate intranet or internal use should be sufficiently isolated from the outside Internet.


Trend Micro Detection and Protection


In addition to applying Microsoft's Security Update, Trend Micro provides additional rules and filters to complement the patch or to help mitigate some risk before affected servers are patched.


Trend Micro Deep Security


  • Rule 1009535 - Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2019-0604)
  • Rule 1007170 - Identified Suspicious China Chopper Webshell Communication


Trend Micro TippingPoint ThreatDV


  • Filter 33692: Microsoft SharePoint EntityInstanceEncoder Insecure Deserialization Vulnerability
  • Filter 34152: HTTP: China Chopper PHP Webshell Traffic Detected (My Script RunInBrowser Control Command)
  • Filter 34153: HTTP: China Chopper PHP Webshell Traffic Detected (Control Commands)
  • Filter 34154: HTTP: China Chopper ASP Webshell Traffic Detected (Control Commands)
  • Filter 34257: HTTP: China Chopper ASPX Webshell Traffic Detected (Control Commands)


Trend Micro Deep Discovery Inspector (DDI)


  • Rule 2063: CHOPPER - HTTP (Request)


Trend Micro Malware Detection


  • Official Pattern Release 15.111.00: contains detection for some known IOCs as Backdoor.ASP.CHOPSHELL.A and a client component executable as BKDR_CHOPPER.B.
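The rules and filters above flag China Chopper traffic on the wire. As a complementary host-side check, the following added example (not Trend Micro's code, and not from the original article) triages IIS W3C logs from a SharePoint server. It relies on the assumption that a dropped web shell page is only ever driven by POST requests from an operator's client, while legitimate SharePoint pages are also fetched with GET; the log lines are constructed for illustration.

```python
"""Hunt for web-shell-like ASPX endpoints in IIS W3C logs.

Heuristic (assumption, not a Trend Micro rule): a China Chopper-style shell
page receives only POST requests, usually from one or two client addresses,
whereas real SharePoint pages are also browsed with GET by many users.
"""
from collections import defaultdict

# Constructed sample IIS W3C log lines; no real server or incident data.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2019-05-10 08:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\\alice 10.0.1.7 Mozilla/5.0 200
2019-05-10 08:01:05 10.0.0.5 POST /_layouts/15/start.aspx - 443 DOMAIN\\alice 10.0.1.7 Mozilla/5.0 200
2019-05-10 08:02:10 10.0.0.5 POST /_layouts/15/images/t.aspx - 443 - 203.0.113.9 Mozilla/4.0 200
2019-05-10 08:02:14 10.0.0.5 POST /_layouts/15/images/t.aspx - 443 - 203.0.113.9 Mozilla/4.0 200
2019-05-10 08:03:00 10.0.0.5 GET /sites/hr/default.aspx - 443 DOMAIN\\bob 10.0.1.8 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per record, mapping columns via the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed record: skip rather than guess columns
        yield dict(zip(fields, parts))


def find_post_only_aspx(text, max_clients=2):
    """Return {uri: {client ips}} for .aspx resources that only ever receive
    POST requests and are hit by at most max_clients distinct client IPs."""
    methods = defaultdict(set)
    clients = defaultdict(set)
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"].lower()
        if not uri.endswith(".aspx"):
            continue
        methods[uri].add(rec["cs-method"].upper())
        clients[uri].add(rec["c-ip"])
    return {uri: clients[uri] for uri, m in methods.items()
            if m == {"POST"} and len(clients[uri]) <= max_clients}


if __name__ == "__main__":
    for uri, ips in find_post_only_aspx(SAMPLE_LOG).items():
        print(f"POST-only ASPX resource {uri} from {sorted(ips)}: review the file on disk")
```

A hit is a lead for review (compare the file's creation time against the patch date and inspect its contents), not a verdict on its own.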




Trend Micro will continue to monitor this threat and will provide updates as necessary.


Category: Remove a Malware / Virus
Solution ID: 000131747