Attackers exploited a recent remote code execution vulnerability in Microsoft SharePoint to gain initial access to corporate networks.
SharePoint’s primary role in the Microsoft 365 ecosystem is to host intranets and dedicated web applications that support organizational processes. It is also used to publish websites and to store the shared file libraries behind teams created in Microsoft Teams.
CVE-2024-38094 is a remote code execution (RCE) vulnerability in Microsoft SharePoint Server. Microsoft fixed it on July 9, 2024 as part of the July Patch Tuesday package, rating it “important” (CVSS 7.2) rather than critical, because exploitation requires an authenticated user with at least Site Owner permissions; in practice that is a low bar once any SharePoint account has been phished or reused.
Last week, CISA added CVE-2024-38094 to its Known Exploited Vulnerabilities (KEV) catalog, but for security reasons did not describe how the vulnerability had been exploited in the wild.
A Rapid7 incident response report published last week sheds light on how attackers used the SharePoint vulnerability in one intrusion.
Rapid7 reports that the attackers used CVE-2024-38094 to gain unauthorized access to a vulnerable SharePoint server and deploy a webshell. Its investigation showed that the server was compromised with a publicly available proof-of-concept exploit for the flaw.
From that foothold, the attacker compromised a Microsoft Exchange service account that held domain administrator privileges, gaining elevated access across the domain.
The attacker then installed Huorong Antivirus, which conflicted with the security software already on the host and disabled it, leaving the system unprotected; this allowed the attacker to install Impacket, an open-source collection of Python classes for working with network protocols that is widely used for lateral movement.
Specifically, the attacker used a batch script (“hrsword install.bat”) to install Huorong Antivirus on the system, set up a custom service (“sysdiag”), load a driver (“sysdiag_win10.sys”), and then launch “HRSword.exe” via a VBS script.
This setup caused conflicts in resource allocation, loaded drivers, and running services, which crashed the company’s legitimate antivirus services.
Next, the attacker used Mimikatz to harvest credentials and Fast Reverse Proxy (FRP) to maintain remote access to the network.
To evade detection, Windows Defender was disabled, event logs were altered, and system logging on the compromised hosts was turned off.
Additional tools such as everything.exe, Certify.exe, and Kerbrute were used for network scanning, generating ADFS certificates, and brute-forcing Active Directory credentials over Kerberos.
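The chain above (the install batch script, the sysdiag service and driver, HRSword.exe launched from a script host, Defender being disabled, and logs being cleared) leaves a recognisable trail in Windows and Sysmon telemetry. The following hunting script is an added example written for this article, not code from Rapid7 or from the original page. It runs a handful of rules over JSON event lines; the sample events are constructed, and the field names (Image, ParentImage, ImageLoaded, CommandLine, ServiceName, Channel) assume a Sysmon-style export, so map them to your SIEM’s schema. The event IDs used are Sysmon 1 (process creation) and 6 (driver load), System 7045 (new service installed), Security 1102 (audit log cleared) and Windows Defender 5001 (real-time protection disabled).

```python
"""Hunt for the Huorong/HRSword AV-conflict chain and the log-tampering that follows.

Added example, not part of the original article or Rapid7's report.
The sample events below are constructed; paths and the log schema are assumptions.
"""
import json
import ntpath

# Constructed JSON event lines in a Sysmon-style schema (not real telemetry).
SAMPLE_EVENTS = [
    {"Channel": "Sysmon", "EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"Channel": "Sysmon", "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\Public\hrsword install.bat"'},
    {"Channel": "System", "EventID": 7045, "ServiceName": "sysdiag",
     "ImagePath": r"C:\Users\Public\sysdiag_win10.sys"},
    {"Channel": "Sysmon", "EventID": 6, "ImageLoaded": r"C:\Users\Public\sysdiag_win10.sys"},
    {"Channel": "Sysmon", "EventID": 1, "Image": r"C:\Users\Public\HRSword.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "CommandLine": "HRSword.exe"},
    {"Channel": "Microsoft-Windows-Windows Defender/Operational", "EventID": 5001},
    {"Channel": "Security", "EventID": 1102, "SubjectUserName": "svc_exchange"},
    {"Channel": "Sysmon", "EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys"},
]
SAMPLE_LOGS = [json.dumps(e) for e in SAMPLE_EVENTS]  # one JSON object per line


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()


def rule_install_script(e):
    # The batch script named in the report, wherever it is launched from.
    return e.get("EventID") == 1 and "hrsword install.bat" in (e.get("CommandLine") or "").lower()


def rule_sysdiag_service(e):
    # System 7045: a service named "sysdiag" was installed.
    return e.get("EventID") == 7045 and (e.get("ServiceName") or "").lower() == "sysdiag"


def rule_sysdiag_driver(e):
    # Sysmon 6: the sysdiag_win10.sys driver was loaded.
    return e.get("EventID") == 6 and _base(e.get("ImageLoaded")) == "sysdiag_win10.sys"


def rule_hrsword_from_script_host(e):
    # Sysmon 1: HRSword.exe started by a Windows script host (the VBS launcher).
    return (e.get("EventID") == 1 and _base(e.get("Image")) == "hrsword.exe"
            and _base(e.get("ParentImage")) in {"wscript.exe", "cscript.exe"})


def rule_defender_realtime_off(e):
    # Defender operational log 5001: real-time protection disabled.
    return e.get("EventID") == 5001 and "windows defender" in (e.get("Channel") or "").lower()


def rule_audit_log_cleared(e):
    # Security 1102: the audit log was cleared.
    return e.get("EventID") == 1102 and e.get("Channel") == "Security"


RULES = {
    "huorong_install_script": rule_install_script,
    "sysdiag_service_installed": rule_sysdiag_service,
    "sysdiag_driver_loaded": rule_sysdiag_driver,
    "hrsword_via_script_host": rule_hrsword_from_script_host,
    "defender_realtime_disabled": rule_defender_realtime_off,
    "audit_log_cleared": rule_audit_log_cleared,
}


def hunt(lines):
    """Return (rule_name, line_number) for every rule that matches a JSON event line."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines rather than abort the hunt
        if not isinstance(event, dict):
            continue
        for name, rule in RULES.items():
            if rule(event):
                hits.append((name, n))
    return hits


def chain_score(hits):
    """Number of distinct rules that fired; several together indicate the full chain."""
    return len({name for name, _ in hits})


if __name__ == "__main__":
    found = hunt(SAMPLE_LOGS)
    for name, n in found:
        print(f"line {n}: {name}")
    print("distinct indicators:", chain_score(found))
```

A single hit on the Defender or 1102 rule is common noise; what makes this chain distinctive is the cluster, so alert when chain_score reaches three or more on one host within a short window, and treat any sysdiag service or sysdiag_win10.sys driver on a server that never had Huorong installed as high confidence on its own.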
To protect your organization from attacks based on this SharePoint vulnerability, make sure that your SharePoint servers have the July 2024 security updates (released July 9, 2024) applied, and check on-premises SharePoint Server installations in particular, since those, not the cloud service, are where the patch has to be installed, reports Computerworld Poland.