Microsoft SharePoint Remote Code Execution Vulnerability Exploited in Corporate Network Breach

November 2, 2024

A high-severity remote code execution (RCE) vulnerability in Microsoft SharePoint, tracked as CVE-2024-38094, has been exploited to breach corporate networks. Although Microsoft patched the flaw in July 2024, threat actors continue to exploit it to gain initial access to systems. The issue was highlighted by the cybersecurity firm Rapid7, which investigated a network breach in which this vulnerability was exploited.

The report from Rapid7 revealed that an unauthorized actor accessed a server and moved across the network, compromising the entire domain. The actor remained undetected for two weeks. As stated in the report, "Our investigation uncovered an attacker who accessed a server without authorization and moved laterally across the network, compromising the entire domain." The initial access vector was found to be exploitation of CVE-2024-38094 on the on-premises SharePoint server.

The attacker used the SharePoint vulnerability to gain unauthorized access to the server and install a webshell. The server was exploited using a publicly disclosed SharePoint proof-of-concept exploit. The attacker then compromised a Microsoft Exchange service account with domain administrator privileges, thereby gaining elevated access. The attacker installed Horoung Antivirus, which created a conflict that disabled the existing security defenses, impaired detection, and allowed Impacket to be installed for lateral movement.

The attacker also used Mimikatz for credential harvesting and FRP for remote access, and set up scheduled tasks for persistence. To further avoid detection, they disabled Windows Defender, altered event logs, and manipulated system logging on the compromised systems. They also attempted to destroy third-party backups, but failed. Although these actions are typical of ransomware attacks, no data encryption was observed, leaving the nature of the attack unclear.
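The persistence and defense-evasion steps described above (scheduled tasks, Windows Defender disabled, event logs altered) each leave a standard Windows event behind, and the useful detection is not any one of them but their co-occurrence on a single host in a short window. The following script is an added example and is not code from the article or from Rapid7's report; the event records are constructed for illustration, the field names assume a JSON-per-line export of the kind a SIEM or a `Get-WinEvent | ConvertTo-Json` pipeline produces, and the event IDs are the standard Windows ones (Security 4698 and 1102, System 104, Defender operational 5001), not values taken from the incident.

```python
"""Flag hosts where persistence and defence-evasion indicators occur together.

Added example (not from the article or Rapid7's report). Sample records are
constructed; the event IDs are standard Windows IDs:
  Security 4698  - scheduled task created
  Security 1102  - Security event log cleared
  System   104   - an event log was cleared
  Microsoft-Windows-Windows Defender/Operational 5001 - real-time protection disabled
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: one JSON object per line. Hostnames, user names
# and task names are invented for illustration.
SAMPLE_EVENTS = r"""
{"ts": "2024-09-10T02:14:07Z", "host": "SP01", "channel": "Security", "event_id": 4624, "data": {"TargetUserName": "svc_exchange", "LogonType": "3"}}
{"ts": "2024-09-10T02:15:31Z", "host": "SP01", "channel": "Security", "event_id": 4698, "data": {"SubjectUserName": "svc_exchange", "TaskName": "\\Microsoft\\Windows\\Update\\Sync"}}
{"ts": "2024-09-10T02:16:02Z", "host": "SP01", "channel": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001, "data": {}}
{"ts": "2024-09-10T02:20:45Z", "host": "SP01", "channel": "Security", "event_id": 1102, "data": {"SubjectUserName": "svc_exchange"}}
{"ts": "2024-09-10T02:21:10Z", "host": "SP01", "channel": "System", "event_id": 104, "data": {"SubjectUserName": "svc_exchange", "Channel": "System"}}
{"ts": "2024-09-10T03:00:00Z", "host": "WS07", "channel": "Security", "event_id": 4698, "data": {"SubjectUserName": "jdoe", "TaskName": "\\Backup\\Nightly"}}
"""

# (channel, event_id) -> (description, tactic). A lone scheduled task is
# routine admin noise; the same host also blinding its own defences is not.
RULES = {
    ("Security", 4698): ("scheduled task created", "persistence"),
    ("Security", 1102): ("Security event log cleared", "defence-evasion"),
    ("System", 104): ("event log cleared", "defence-evasion"),
    ("Microsoft-Windows-Windows Defender/Operational", 5001):
        ("Defender real-time protection disabled", "defence-evasion"),
}


def parse_events(text):
    """Yield one dict per non-blank line, skipping lines that are not valid JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_indicators(text):
    """Return every record that matches a RULES entry, with a parsed timestamp."""
    hits = []
    for ev in parse_events(text):
        key = (ev.get("channel"), ev.get("event_id"))
        if key not in RULES:
            continue
        description, tactic = RULES[key]
        hits.append({
            # fromisoformat() accepts a trailing "Z" only on Python 3.11+, so normalise it.
            "ts": datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")),
            "host": ev.get("host"),
            "user": ev.get("data", {}).get("SubjectUserName", "?"),
            "event_id": ev["event_id"],
            "description": description,
            "tactic": tactic,
        })
    return hits


def suspicious_hosts(hits, window=timedelta(minutes=30)):
    """Map host -> sorted event IDs for hosts where a persistence indicator and a
    defence-evasion indicator occur within `window` of each other."""
    by_host = defaultdict(list)
    for hit in hits:
        by_host[hit["host"]].append(hit)
    flagged = {}
    for host, events in by_host.items():
        events.sort(key=lambda h: h["ts"])
        for i, first in enumerate(events):
            for later in events[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break  # sorted, so nothing further is inside the window
                if later["tactic"] != first["tactic"]:
                    flagged[host] = sorted({e["event_id"] for e in events})
                    break
            if host in flagged:
                break
    return flagged


if __name__ == "__main__":
    indicators = find_indicators(SAMPLE_EVENTS)
    for hit in indicators:
        print(f"{hit['ts']:%H:%M:%S} {hit['host']:5} {hit['event_id']:5} {hit['user']:13} {hit['description']}")
    for host, ids in suspicious_hosts(indicators).items():
        print(f"ALERT {host}: persistence and defence-evasion within 30 min, event IDs {ids}")
```

Run on the constructed sample, only `SP01` is flagged: the scheduled task on `WS07` matches a rule but stands alone, so it stays a low-priority hit rather than an alert. Pairing the correlation with the account that appears in `SubjectUserName` (here a service account, as in the incident) is the natural next filter.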

Due to the ongoing exploitation of this vulnerability, system administrators are urged to apply SharePoint updates from June 2024 onwards as soon as possible. The case underscores the importance of timely patching and robust cybersecurity measures.
