The Saudi and Canadian Cyber Security Centres have issued reports on a vulnerability in Microsoft’s SharePoint that is being exploited in the wild.
The vulnerability, CVE-2019-0604, has been patched by Microsoft, but if exploited can give an attacker the ability to execute commands and download and upload files, reported AT&T Alien Labs. The malware involved is a backdoor that is likely an earlier version of the second-stage malware deployed in the intrusions reported by Saudi Arabia.
The Alien Labs team also has seen evidence the malware is being used by Fin7.
“It’s likely multiple attackers are now using the exploit. One user on Twitter has reported that they have seen exploitation from the IP address 194.36.189[.]177 - which we have also seen acting as a command and control server for malware linked to FIN7,” the report said.