Microsoft SharePoint Remote Code Execution Vulnerability Exploited in Corporate Network Breach
November 2, 2024
A high-severity remote code execution (RCE) vulnerability in Microsoft SharePoint Server, tracked as CVE-2024-38094, has been exploited to breach a corporate network. Microsoft patched the flaw in its July 2024 security updates; it allows an authenticated attacker with Site Owner permissions to inject and execute arbitrary code in the context of the SharePoint server, and threat actors continue to exploit it to gain initial access. The ongoing exploitation was highlighted by the cybersecurity firm Rapid7, which investigated a network breach in which this vulnerability was the entry point.
Rapid7's report describes an unauthorized actor who accessed a server, moved across the network, and compromised the entire domain while remaining undetected for two weeks. As stated in the report, "Our investigation uncovered an attacker who accessed a server without authorization and moved laterally across the network, compromising the entire domain." The initial access vector was exploitation of CVE-2024-38094 against an on-premises SharePoint server.
The attacker used the SharePoint vulnerability to gain unauthorized access to the server and install a webshell, relying on a publicly disclosed SharePoint proof-of-concept exploit. They then compromised a Microsoft Exchange service account that held domain administrator privileges, gaining elevated access across the domain. Next, the attacker installed Horoung Antivirus, which conflicted with the existing security software and disabled it; with detection impaired, they installed Impacket for lateral movement.
The attacker also used Mimikatz for credential harvesting, FRP (Fast Reverse Proxy) to tunnel remote access into the network, and scheduled tasks for persistence. To further evade detection, they disabled Windows Defender, cleared and altered event logs, and tampered with system logging on the compromised hosts. They also attempted to destroy third-party backups, but failed. Although these actions are typical of the run-up to a ransomware attack, no data encryption was observed, leaving the attacker's ultimate objective unclear.
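The post-exploitation chain above leaves a recognisable telemetry trail on a Windows host: a webshell written into the SharePoint LAYOUTS directory by the IIS worker process, Defender real-time protection turned off, a scheduled task pointing at a binary in a writable location, and the Security and System logs being cleared. The following detector is an added example and is not code from Rapid7's report or the article. The sample events are constructed to resemble Windows Security, Defender and Sysmon records; the Event IDs used (4698, 1102, 104, 5001 and Sysmon 11) are the real Windows/Sysmon identifiers, while the hostnames, file names, task names and the one-hour correlation window are assumptions made for the example.

```python
"""Correlate the post-exploitation TTPs described in the article across
constructed Windows event records. Added example, not Rapid7's code.

Event IDs are real: Security 4698 (scheduled task created), Security 1102
(audit log cleared), System 104 (event log cleared), Defender 5001
(real-time protection disabled), Sysmon 11 (file created). Hosts, paths,
task names and the correlation window are made up for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# SharePoint's application-page directory, matched case-insensitively.
LAYOUTS_DIR = "\\template\\layouts\\"
# Locations from which a scheduled task should rarely launch a binary.
WRITABLE_DIRS = ("\\programdata\\", "\\users\\public\\", "\\temp\\")
WINDOW = timedelta(hours=1)  # assumed correlation window

# Constructed sample telemetry: one SharePoint server under attack (SP01)
# and a benign scheduled task on a workstation (WS17).
SAMPLE_EVENTS = [
    {"time": "2024-10-01T02:10:00", "host": "SP01", "channel": "Sysmon", "id": 11,
     "path": r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions"
             r"\16\TEMPLATE\LAYOUTS\upload.aspx",
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"time": "2024-10-01T02:14:00", "host": "SP01", "channel": "Defender", "id": 5001},
    {"time": "2024-10-01T02:20:00", "host": "SP01", "channel": "Security", "id": 4698,
     "task": "\\Microsoft\\Windows\\Update\\SvcCheck",
     "command": r"C:\ProgramData\frpc.exe -c frpc.ini"},
    {"time": "2024-10-01T02:25:00", "host": "SP01", "channel": "Security", "id": 1102},
    {"time": "2024-10-01T02:26:00", "host": "SP01", "channel": "System", "id": 104},
    {"time": "2024-10-01T09:00:00", "host": "WS17", "channel": "Security", "id": 4698,
     "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": r"C:\Windows\System32\defrag.exe -c"},
]


def classify(ev):
    """Map one event to a TTP label from the article, or None if uninteresting."""
    ch, eid = ev["channel"], ev["id"]
    if ch == "Sysmon" and eid == 11:
        path = ev.get("path", "").lower()
        image = ev.get("image", "").lower()
        # An ASP.NET page dropped into LAYOUTS by the IIS worker process
        # is how a SharePoint RCE typically lands a webshell.
        if (LAYOUTS_DIR in path and path.endswith((".aspx", ".ashx", ".asmx"))
                and image.endswith("w3wp.exe")):
            return "webshell_dropped"
    elif ch == "Defender" and eid == 5001:
        return "defender_rtp_disabled"
    elif ch == "Security" and eid == 4698:
        cmd = ev.get("command", "").lower()
        if any(d in cmd for d in WRITABLE_DIRS):
            return "suspicious_scheduled_task"
    elif (ch == "Security" and eid == 1102) or (ch == "System" and eid == 104):
        return "event_log_cleared"
    return None


def correlate(events, window=WINDOW):
    """Return {host: sorted TTP labels} for hosts where at least two distinct
    TTPs occur within `window` of each other. Single hits are ignored so that
    routine noise (one log clear, one task) does not page anyone."""
    by_host = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), label))

    findings = {}
    for host, hits in by_host.items():
        hits.sort()
        best = set()
        for i, (t0, _) in enumerate(hits):
            labels = {lab for t, lab in hits[i:] if t - t0 <= window}
            if len(labels) > len(best):
                best = labels
        if len(best) >= 2:
            findings[host] = sorted(best)
    return findings


if __name__ == "__main__":
    for host, ttps in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(ttps)}")
```

The single-host, fixed-window correlation is deliberately simple; in a real SIEM the same labels would be joined across hosts (the Exchange service account being used from the SharePoint server, then Impacket activity elsewhere) and the log-clearing events would be treated as high severity on their own, since clearing the Security log is rarely legitimate on a production server.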
Because the vulnerability is being actively exploited, administrators running on-premises SharePoint are urged to apply the July 2024 security update that fixes CVE-2024-38094, or any later cumulative update, as soon as possible. The case underscores the importance of timely patching, and of monitoring for the post-exploitation behaviour described above, since a patched server does nothing about an attacker who already holds a domain administrator account.