Microsoft SharePoint RCE vulnerability exploited for Corporate network attacks

Recently, an RCE vulnerability in Microsoft SharePoint, identified as CVE-2024-38094, has been discovered and is being exploited to infiltrate corporate networks.
CVE-2024-38094 has a high severity rating (CVSS score: 7.2) and affects SharePoint, a widely used web platform for building intranet sites, managing documents, and seamlessly integrating with Microsoft 365 applications.
Microsoft addressed this vulnerability on July 9, 2024, as part of the July Patch Tuesday security update. Last week, CISA added CVE-2024-38094 to its catalog of known vulnerabilities but did not provide details on how this vulnerability is being exploited in attacks. Subsequently, reports emerged detailing how attackers exploited the SharePoint vulnerability during a network breach under investigation.
The reports indicate that the attackers gained unauthorized access to the server, moved laterally, and compromised the entire domain without being detected for two weeks. Rapid7 identified that the attackers exploited CVE-2024-38094 on vulnerable SharePoint servers to install a web shell.
Once access was obtained, the attackers compromised a Microsoft Exchange service account that held administrative privileges, thereby expanding their access. They installed Horoung Antivirus, which conflicted with the existing security software and undermined its detection capabilities. This enabled the attackers to deploy Impacket for lateral movement.
The attackers used a script to install malware and tamper with the system, rendering the company’s antivirus services ineffective. In the subsequent phase, they used Mimikatz to harvest credentials, employed FRP for remote access, and created scheduled tasks to maintain control over the compromised systems.
To evade detection, the attackers disabled Windows Defender, altered event logs, and tampered with logging on the compromised systems. Additionally, they used tools such as everything.exe for network scanning, Certify.exe to create ADFS (Active Directory Federation Services) certificates, and kerbrute to attempt brute-force attacks against Active Directory services.
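A defender-side illustration of how the chain reported above (web shell on the SharePoint host, Defender tampering, cleared event logs, scheduled tasks for persistence) could be surfaced in endpoint telemetry. This is an added example written for this article, not code from the Rapid7 report; the hostnames, task names and event records are constructed, while the event IDs are the standard Windows ones.

```python
"""Score constructed Windows event records for the evasion/persistence
chain described in the article. Added example, not from the report."""
from collections import defaultdict

# Standard Windows Security/Defender event IDs mapped to a tactic label.
DETECTIONS = {
    5001: "defender_tampering",   # Defender real-time protection disabled
    1102: "log_clearing",         # Security audit log cleared
    4698: "persistence",          # Scheduled task created
}
IIS_WORKER = "w3wp.exe"           # SharePoint runs inside IIS worker processes
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed sample records (not real telemetry); 4688 = process creation.
SAMPLE_EVENTS = [
    {"host": "sp-web01", "event_id": 4688, "parent": "w3wp.exe", "image": "cmd.exe"},
    {"host": "sp-web01", "event_id": 5001},
    {"host": "sp-web01", "event_id": 1102},
    {"host": "sp-web01", "event_id": 4698, "task": "\\Updater"},
    {"host": "fs-01", "event_id": 4698, "task": "\\Backup"},
    {"host": "fs-01", "event_id": 4624},
    {"host": "wks-07", "event_id": 4624},
]

def classify(event):
    """Map one record to a tactic label, or None if it is not of interest."""
    if event["event_id"] == 4688:
        # An IIS worker spawning a shell is the classic web shell footprint;
        # normal SharePoint request handling does not launch cmd/powershell.
        if event.get("parent") == IIS_WORKER and event.get("image") in SHELLS:
            return "web_shell"
        return None
    return DETECTIONS.get(event["event_id"])

def score_hosts(events):
    """Return {host: (severity, sorted tactics)}. One scheduled task on its
    own is routine; several distinct tactics on one host is the reported chain."""
    tactics = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            tactics[ev["host"]].add(label)
    result = {}
    for host, seen in tactics.items():
        severity = "high" if len(seen) >= 3 else "medium" if len(seen) == 2 else "low"
        result[host] = (severity, sorted(seen))
    return result

if __name__ == "__main__":
    for host, (severity, seen) in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {severity} {seen}")
```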
The attackers also attempted to delete external backups to diminish the victim’s ability to recover data, though this effort was unsuccessful. Notably, the attackers did not encrypt data, which diverges from typical ransomware attacks and makes the intrusion harder to categorize.
With this vulnerability under active exploitation, administrators who have not updated SharePoint since June 2024 are advised to apply the updates immediately to safeguard their systems.