CyberSecurity SEE

A new SharePoint vulnerability is already being taken advantage of

Attackers have been taking advantage of a recently exposed remote code execution flaw in Microsoft SharePoint to gain initial access to corporate networks. Microsoft SharePoint plays a key role in the Microsoft 365 ecosystem by enabling the creation of intranets, web applications, and websites to streamline organizational processes. It also facilitates collaboration by allowing users to store files in SharePoint teams linked to Microsoft Teams.

The high-severity remote code execution vulnerability, known as CVE-2024-38094, impacts Microsoft SharePoint. Microsoft addressed this vulnerability on July 9, 2024, labeling it as “important” as part of the July Patch Tuesday package. The Cybersecurity and Infrastructure Security Agency (CISA) recently included CVE-2024-38094 in its list of exploited vulnerabilities, although specific details regarding the attacks were not disclosed for security reasons.

A report from Rapid7 provided insight into how attackers are exploiting the SharePoint vulnerability. According to the report, attackers leveraged CVE-2024-38094 to gain unauthorized access to a vulnerable SharePoint server and deploy a webshell. The investigation conducted by Rapid7 revealed that the server was compromised using a publicly available SharePoint proof-of-concept exploit.

Upon gaining initial access, the attacker compromised a Microsoft Exchange service account with domain administrator privileges, escalating their level of access. Subsequently, the attacker installed Huorong Antivirus, which conflicted with the existing security software, disabled its protections and reduced detection capabilities, facilitating the installation of Impacket, a set of open-source networking scripts.

The attacker utilized a batch script (“hrsword install.bat”) to deploy Huorong Antivirus on the system, create a custom service (“sysdiag”), load the driver (“sysdiag_win10.sys”), and run “HRSword.exe” through a VBS script. These actions led to conflicts in resource allocation, loaded drivers, and active services, resulting in the disruption of the company’s legitimate antivirus services.
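As an added defender-side example (not from the article or from Rapid7's report), the Python snippet below correlates constructed, simplified service-installation (7045) and process-creation (4688) records against the indicators named above: the “sysdiag” service, the “sysdiag_win10.sys” driver, “HRSword.exe” and “hrsword install.bat”. The log layout, field names and sample lines are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Indicators named in the article; the rule logic itself is constructed here.
SERVICE_NAME = "sysdiag"
DRIVER_NAME = "sysdiag_win10.sys"
TOOL_NAMES = ("hrsword.exe", "hrsword install.bat")

# Constructed sample lines in an assumed "timestamp host eventid key=value ..." layout.
SAMPLE_LOG = """\
2024-10-01T10:00:01 SP01 7045 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe
2024-10-01T10:02:10 SP01 4688 NewProcessName=C:\\Windows\\System32\\cmd.exe CommandLine="cmd /c hrsword install.bat"
2024-10-01T10:02:12 SP01 7045 ServiceName=sysdiag ImagePath=C:\\Temp\\sysdiag_win10.sys
2024-10-01T10:02:15 SP01 4688 NewProcessName=C:\\Temp\\HRSword.exe CommandLine="HRSword.exe"
2024-10-01T11:30:00 FS02 7045 ServiceName=Backup ImagePath=C:\\Backup\\svc.exe
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (.*)$")

def parse_line(line):
    """Parse one record into a dict; returns None for lines that do not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, eid, rest = m.groups()
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', rest)}
    return {"ts": datetime.fromisoformat(ts), "host": host, "eid": int(eid), **fields}

def classify(ev):
    """Return the indicator tag a single event matches, or None."""
    if ev["eid"] == 7045:
        name = ev.get("ServiceName", "").lower()
        path = ev.get("ImagePath", "").lower()
        if name == SERVICE_NAME or path.endswith(DRIVER_NAME):
            return "huorong_driver_service"
    if ev["eid"] == 4688:
        cmd = (ev.get("NewProcessName", "") + " " + ev.get("CommandLine", "")).lower()
        if any(t in cmd for t in TOOL_NAMES):
            return "hrsword_execution"
    return None

def detect(log_text, window=timedelta(minutes=10)):
    """Per host, raise one 'av_killer_chain' finding when both indicators occur within `window`."""
    hits = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        tag = ev and classify(ev)
        if tag:
            hits.setdefault(ev["host"], []).append((ev["ts"], tag))
    findings = []
    for host, events in hits.items():
        tags = {t for _, t in events}
        span = max(t for t, _ in events) - min(t for t, _ in events)
        if {"huorong_driver_service", "hrsword_execution"} <= tags and span <= window:
            findings.append({"host": host, "rule": "av_killer_chain", "events": len(events)})
    return findings
```

Requiring both the driver-service installation and the HRSword execution on the same host keeps a lone legitimate Huorong deployment from firing the high-confidence rule; single-indicator hits can still be surfaced separately via classify().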

In the following stage of the attack, the attacker employed the Mimikatz tool to harvest credentials and Fast Reverse Proxy (FRP) for remote access through the firewall. To evade detection, Windows Defender was deactivated, event logs were altered, and system logs on compromised systems were tampered with. Additionally, tools such as everything.exe, Certify.exe, and Kerbrute were utilized to scan the network, generate ADFS certificates, and act against the Active Directory environment.

To safeguard organizations against attacks exploiting SharePoint vulnerabilities, it is crucial to ensure that the Microsoft 365 environment is kept up-to-date with the latest patches, as highlighted by a report from Computerworld Poland. By maintaining vigilance and implementing robust security measures, organizations can fortify their defenses against potential threats targeting Microsoft SharePoint.
