A Microsoft SharePoint remote code execution (RCE) vulnerability, tracked as CVE-2024-38094, is being exploited in the wild to gain initial access to corporate networks.
According to reports, the RCE bug is a high-severity flaw that affects on-premises Microsoft SharePoint. Microsoft addressed the vulnerability in July 2024 as part of that month's Patch Tuesday release.
Nearly four months after the patch, researchers have published details of how threat actors exploited the CVE, based on a network breach they were engaged to investigate. The intrusion began on an unpatched SharePoint server.
The investigation found that the attacker gained unauthorised access to the server, moved laterally across the network and compromised the entire domain, while remaining undetected for two weeks.
The threat actors exploited the MS SharePoint flaw using a publicly available PoC exploit.
Analysis of the breach showed that the threat actors exploited the flaw to gain unauthorised access to a vulnerable SharePoint server and install a web shell. The server was compromised using a publicly available proof-of-concept exploit for the CVE, so no custom tooling was needed for the initial foothold.
From that foothold, the attacker compromised a Microsoft Exchange service account that held domain administrator rights, escalating their privileges. They then installed Huorong Antivirus, a third-party product that conflicted with the existing endpoint protection and disabled it, reducing the chance of detection and allowing them to deploy Impacket for lateral movement.
Specifically, the attacker used a batch script to install Huorong Antivirus on the system, create a custom service, load a driver, and launch HRSword.exe via a VBScript. This sequence caused conflicts in resource allocation, loaded drivers and running services, leaving the company's legitimate antivirus services crashed and its protections inactive.
The attackers also used Mimikatz to harvest credentials, FRP (Fast Reverse Proxy) for remote access, and scheduled tasks for persistence. To evade detection they disabled Windows Defender, tampered with event logs and altered system logging on the compromised machines.
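The post-exploitation chain above (web shell on the SharePoint worker process, a third-party AV installed as a service with a driver, Defender switched off, LSASS credential theft, FRP tunnelling, scheduled-task persistence, Impacket-style service execution and cleared audit logs) is mostly visible in ordinary Windows telemetry. The following is an added example, not code from the original article or from the investigating researchers, that runs simple stage detections over constructed sample events and flags hosts where several stages fire together. The event layout (Sysmon 1/10, System 7045, Security 4698/1102, Defender 5001) is assumed to mirror the real channels; the log records, hostnames, file paths and the driver name `hrdrv.sys` are constructed for the example and are not indicators from the investigation.

```python
"""Stage detection for the SharePoint post-exploitation chain.

Added example, not the article's or the researchers' code. Event records
below are constructed; only HRSword.exe, Impacket, Mimikatz and FRP are
named in the article, everything else is a generic heuristic.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    host: str
    ts: str            # ISO-8601 timestamp (constructed)
    channel: str       # "Sysmon", "System", "Security" or "Defender"
    event_id: int
    fields: dict = field(default_factory=dict)


def _basename(e: Event, key: str) -> str:
    """Lower-cased file name of a path-valued field ('' if absent)."""
    return e.fields.get(key, "").lower().rsplit("\\", 1)[-1]


# (stage name, predicate). Each stage maps to one step the article describes.
RULES = [
    # SharePoint app pool (w3wp.exe) spawning a shell: web-shell execution
    ("webshell_child_process", lambda e: e.channel == "Sysmon" and e.event_id == 1
        and _basename(e, "ParentImage") == "w3wp.exe"
        and _basename(e, "Image") in {"cmd.exe", "powershell.exe"}),
    # Huorong's HRSword.exe registered as a service (bring-your-own-AV)
    ("byoav_service_install", lambda e: e.channel == "System" and e.event_id == 7045
        and _basename(e, "ImagePath") == "hrsword.exe"),
    # Any kernel driver installed from a user-writable directory
    ("driver_from_writable_path", lambda e: e.channel == "System" and e.event_id == 7045
        and e.fields.get("ImagePath", "").lower().endswith(".sys")
        and any(p in e.fields["ImagePath"].lower()
                for p in ("\\programdata\\", "\\temp\\", "\\users\\"))),
    # Defender operational log: real-time protection disabled
    ("defender_realtime_disabled", lambda e: e.channel == "Defender" and e.event_id == 5001),
    # Non-system process opening a handle to LSASS (Mimikatz-style dumping)
    ("lsass_access_mimikatz", lambda e: e.channel == "Sysmon" and e.event_id == 10
        and _basename(e, "TargetImage") == "lsass.exe"
        and _basename(e, "SourceImage") not in {"csrss.exe", "wininit.exe", "msmpeng.exe"}),
    # FRP client started on the host
    ("frp_tunnel_client", lambda e: e.channel == "Sysmon" and e.event_id == 1
        and _basename(e, "Image") in {"frpc.exe", "frp.exe"}),
    # Scheduled task whose action lives in a writable path or runs frpc
    ("scheduled_task_persistence", lambda e: e.channel == "Security" and e.event_id == 4698
        and any(s in e.fields.get("TaskContent", "").lower()
                for s in ("frpc", "\\programdata\\", "\\temp\\"))),
    # Impacket smbexec's documented pattern: %COMSPEC% service echoing to a loopback share
    ("impacket_smbexec_service", lambda e: e.channel == "System" and e.event_id == 7045
        and "%comspec%" in e.fields.get("ImagePath", "").lower()
        and "127.0.0.1" in e.fields.get("ImagePath", "")),
    # Security audit log cleared
    ("audit_log_cleared", lambda e: e.channel == "Security" and e.event_id == 1102),
]


def detect(events):
    """Return one (host, ts, stage) finding per rule that matches an event."""
    return [(e.host, e.ts, stage) for e in events for stage, pred in RULES if pred(e)]


def stages_per_host(findings):
    """Distinct stages observed on each host."""
    out = defaultdict(set)
    for host, _ts, stage in findings:
        out[host].add(stage)
    return dict(out)


def hosts_with_chain(findings, min_stages=3):
    """Hosts on which at least min_stages distinct stages fired. A lone new
    service or cleared log is noisy; several stages on one host are not."""
    return sorted(h for h, s in stages_per_host(findings).items() if len(s) >= min_stages)


# Constructed sample log, ordered roughly as the article narrates the intrusion.
SAMPLE_EVENTS = [
    Event("SP01", "2024-07-02T10:14:03Z", "Sysmon", 1,
          {"Image": r"C:\Windows\System32\cmd.exe",
           "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
           "CommandLine": "cmd.exe /c whoami"}),
    Event("SP01", "2024-07-02T10:40:11Z", "System", 7045,
          {"ServiceName": "HRSword", "ImagePath": r"C:\ProgramData\Huorong\HRSword.exe"}),
    Event("SP01", "2024-07-02T10:40:12Z", "System", 7045,   # hrdrv.sys is a constructed name
          {"ServiceName": "hrdrv", "ImagePath": r"C:\ProgramData\Huorong\hrdrv.sys"}),
    Event("SP01", "2024-07-02T10:41:30Z", "Defender", 5001,
          {"Message": "Real-time protection is disabled."}),
    Event("SP01", "2024-07-02T11:02:45Z", "Sysmon", 10,
          {"SourceImage": r"C:\ProgramData\mk.exe",
           "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"}),
    Event("SP01", "2024-07-02T11:10:00Z", "Security", 4698,
          {"TaskName": r"\Microsoft\Windows\Update",
           "TaskContent": r"<Command>C:\ProgramData\frpc.exe</Command>"}),
    Event("SP01", "2024-07-02T11:10:05Z", "Sysmon", 1,
          {"Image": r"C:\ProgramData\frpc.exe",
           "ParentImage": r"C:\Windows\System32\svchost.exe",
           "CommandLine": "frpc.exe -c frpc.ini"}),
    Event("DC01", "2024-07-03T02:15:20Z", "System", 7045,
          {"ServiceName": "xkQwPz",
           "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 "
                        r"> %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat"}),
    Event("DC01", "2024-07-03T02:30:00Z", "Security", 1102, {"SubjectUserName": "svc_exchange"}),
    # Benign noise: Defender's own engine touching LSASS must not fire
    Event("FS01", "2024-07-03T08:00:00Z", "Sysmon", 10,
          {"SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
           "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"}),
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for host, stages in sorted(stages_per_host(found).items()):
        print(f"{host}: {len(stages)} stages -> {sorted(stages)}")
    print("chain suspected on:", hosts_with_chain(found))
```

On the constructed sample, SP01 trips seven stages and DC01 two (the smbexec-style service and the cleared audit log), while the file server's Defender engine accessing LSASS is correctly ignored. The per-host stage count is the useful part: the individual rules are deliberately loose, and in a real estate you would tune the exclusion lists and the `min_stages` threshold against a baseline before alerting on them.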
The vulnerability is under active exploitation by cybercriminals. System administrators who have not updated SharePoint since June should apply the July 2024 patch as soon as possible, and should review any server that was exposed unpatched for the web-shell, service-installation and log-clearing activity described above, since a patch alone does not remove an existing foothold.