India‘s income tax department patched a bug on its website last week, that allowed attackers to gain control of the site. Thankfully, there was no loss of data.
Security researcher Dhiraj Mishra discovered the vulnerability, and informed CERT-In, the country’s nodal agency to deal with cybersecurity threats. The agency acknowledged the bug and it was patched silently.
The website was vulnerable to SharePoint RCE (Remote Code Execution) — code CVE-2019-0604 — which was discovered last year. The exploit allows attackers to run arbitrary code on the server to affect operations of the site.
Mishra said attackers can gain access to data such as employee logins:
Once exploited, the vulnerability can give full access of the remote system to the attacker. In my case, it was the Income tax website. So you can deface the entire website of Income tax India because they use Microsoft SharePoint to host the website. You can even possibly view data such as employee logins and official email system.
Last year, a group called Emissary Panda targeted several Middle Eastern government websites using the SharePoint RCE bug.