Microsoft SharePoint Vulnerability Exploited in Widespread Corporate Network Breach

By /
sharepoint

A vulnerability in Microsoft SharePoint, tracked as CVE-2024-38094, has been actively exploited by attackers, leading to significant breaches of corporate networks. This remote code execution (RCE) flaw, classified as high-severity with a CVSS v3.1 score of 7.2, allows attackers to gain unauthorized access, bypassing multiple layers of network security. Known for its role as a popular intranet and document management platform, Microsoft SharePoint’s exposure to this exploit has raised concerns across industries reliant on its integration with Microsoft 365.

Overview of CVE-2024-38094

Microsoft addressed this RCE vulnerability on July 9, 2024, as part of the monthly Patch Tuesday updates, categorizing it as an “important” fix. The flaw has the potential to allow attackers to execute malicious code on vulnerable SharePoint servers, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-38094 to its Known Exploited Vulnerabilities (KEV) catalog shortly afterward. Despite its catalog inclusion, specific technical details on how attackers could leverage this flaw for exploitation were sparse.

This week, however, a new report from cybersecurity firm Rapid7 shed light on how attackers have used CVE-2024-38094 to breach corporate networks. Rapid7’s investigation into a recent attack revealed an unauthorized access event where an attacker successfully leveraged the SharePoint vulnerability to infiltrate and compromise an entire domain.

How CVE-2024-38094 Was Exploited: Insights from Rapid7’s Investigation

In Rapid7’s report, the vulnerability was exploited to gain initial access to a SharePoint server within a corporate network. Attackers reportedly took advantage of a publicly available proof-of-concept (PoC) exploit, planting a malicious web shell to establish their foothold. This access facilitated lateral movement within the network, which eventually led to a compromise of domain-level accounts and a cascade of further exploits.

During their investigation, Rapid7 identified that the attacker compromised a Microsoft Exchange service account with domain administrator privileges, a powerful escalation that opened the door to broader network access. This elevated access allowed the attacker to disable security defenses, a common tactic to prolong undetected access and execute more destructive actions.

Using Huorong Antivirus to Suppress Detection

To avoid detection, the attacker installed Huorong Antivirus, a less-common antivirus solution, which effectively created conflicts with the existing security framework. The attacker’s strategic installation of Huorong Antivirus led to disruptions in resource allocation, driver operations, and active services, causing legitimate antivirus defenses to crash.

A batch script (‘hrword install.bat’) was used to install Huorong Antivirus and execute components (‘sysdiag_win10.sys’ and ‘HRSword.exe’) through a VBS script. This arrangement resulted in the security controls of the affected organization being rendered powerless, giving the attacker a clear path to continue the attack undetected.

Timeline of the Attack

Once inside the network, the attacker executed a series of sophisticated tactics. Here is a breakdown of the stages of the breach:

  1. Initial Access: CVE-2024-38094 was exploited to plant a web shell on a SharePoint server.
  2. Privilege Escalation: The attacker compromised a domain administrator account tied to a Microsoft Exchange service.
  3. Defense Evasion: By installing Huorong Antivirus, the attacker disrupted the organization’s primary antivirus software, facilitating lateral movement.
  4. Lateral Movement and Credential Harvesting: Using tools like Mimikatz and Impacket, the attacker moved across the network, harvesting additional credentials.
  5. Persistence and Anti-Detection Measures: Windows Defender was disabled, event logs were altered, and system logging was manipulated to avoid detection.
  6. Additional Network Exploits: Tools like everything.exe (for network scanning), Certify.exe (for generating certificates), and kerbrute (for brute-forcing Active Directory tickets) were used to expand control over the network.
  7. Targeting Backups: The attacker attempted to erase third-party backups, a move reminiscent of ransomware attacks aiming to prevent recovery. However, Rapid7’s report indicated that the attackers did not encrypt data, making it unclear if ransomware was the intended outcome.
microsoft windows

Security Implications of CVE-2024-38094

The exploitation of CVE-2024-38094 highlights several critical security risks for organizations. The attack demonstrates how vulnerabilities in widely used platforms like SharePoint can serve as initial access points to breach corporate networks. Moreover, this incident underscores the potential impact of publicly available proof-of-concept exploits, as they provide a ready-made tool for threat actors to leverage recent vulnerabilities.

Organizations using on-premise SharePoint servers are advised to apply Microsoft’s July 2024 security patches without delay. These patches address CVE-2024-38094, closing off this specific entry point from exploitation. Given the rapid exploitation timeline, organizations must prioritize timely patching to prevent attackers from gaining a foothold within their networks.

Defensive Recommendations

To counter similar threats and mitigate the risk of lateral movement from future exploits, security teams should consider the following defensive measures:

  1. Apply All Available Patches: Update SharePoint installations with the latest patches from Microsoft, particularly the fix for CVE-2024-38094.
  2. Network Segmentation: Limit access between critical servers and applications. Segmenting the network can help contain potential breaches and limit an attacker’s ability to move laterally.
  3. Enhanced Privilege Management: Reduce privileges associated with service accounts, especially for widely used services like Microsoft Exchange, to limit the impact of compromised credentials.
  4. Monitor for Suspicious Software: Be wary of unusual antivirus or security software installations. Attackers often use less-common tools to evade detection and manipulate system defenses.
  5. Regular Backups and Backup Security: Ensure that backups are kept off-network and are regularly tested for recovery. By protecting backup files, organizations can recover from attacks without succumbing to ransom demands.

Looking Ahead

As exploitation of CVE-2024-38094 continues, this vulnerability exemplifies the importance of rapid patching and proactive security monitoring in today’s cybersecurity landscape. With the active use of public PoC exploits, organizations are at heightened risk, making prompt and continuous security updates essential to protecting network integrity and preventing costly breaches.

System administrators should stay vigilant for security bulletins and advisories regarding newly disclosed vulnerabilities and adopt a proactive approach in securing systems, especially for high-usage platforms like SharePoint.

Follow us on x twitter (Twitter) for real time updates and exclusive content.

Interesting Article : Google Chrome’s Cookie Encryption System Bypassed

Scroll to Top