Microsoft SharePoint RCE Bug Exploited to Breach Corporate Network
Summary:
Cybersecurity firm Rapid7 recently shed light on a Microsoft SharePoint remote code execution vulnerability (CVE-2024-38094) that is actively being exploited in the wild to gain initial access to corporate networks. Rapid7 became aware of the exploitation after being called in to investigate a network breach. “Our investigation uncovered an attacker who accessed a server without authorization and moved laterally across the network, compromising the entire domain. The attacker remained undetected for two weeks. Rapid7 determined the initial access vector to be the exploitation of a vulnerability, CVE-2024-38094, within the on-premise SharePoint server,” stated Rapid7 in its blog post.
In the attack observed by Rapid7, the threat actor weaponized CVE-2024-38094 to gain unauthorized access to a vulnerable SharePoint server and plant a webshell. Once initial access was obtained, the actor compromised a Microsoft Exchange service account that held domain administrator privileges. This elevated account was used to authenticate via Remote Desktop Protocol (RDP), disable Windows Defender, and add an exclusion for a binary called Fast Reverse Proxy, which gave the actor external access to the system through a NAT-configured firewall. From there, the actor used Mimikatz to harvest credentials, as well as tools such as everything[.]exe, Certify[.]exe, and kerbrute to scan the network and brute-force Active Directory Kerberos tickets.
Security Officer Comments:
A notable aspect of the intrusion observed by Rapid7 is the installation of Horoung, a popular Chinese antivirus solution. According to the researchers, Horoung conflicted with the security products already active on the system, ultimately causing those services to crash. With the existing antivirus products rendered ineffective, the actor was able to carry out malicious operations with little chance of detection. To maintain persistence on the network, the actor also altered event logs and tampered with system logging on compromised systems.
The end goal of these attacks appears to be maintaining persistent access and gathering as much information as possible, including credentials that can be used to move laterally across the network. Researchers state that the actor also attempted to target third-party backups but ultimately failed. While targeting third-party backups is typically associated with ransomware actors, Rapid7 did not observe any data encryption activity, so the nature of the attack remains unclear.
Suggested Corrections:
Organizations should ensure that SharePoint is patched to the latest version to prevent potential intrusions. Rapid7 has also published the list of detections it has deployed that alert on behavior related to exploitation of this vulnerability.
- Suspicious Commands Launched by Webserver
- IIS Launching Discovery Commands
- IIS Spawns PowerShell
- Attacker Tool - Impacket
- Attacker Tool - MimiKatz
- Attacker Technique - Hash Dumping With NTDSUtil
- Attacker Technique - Clearing Event Logs
- Defense Evasion - Disabling Multiple Security or Backup Products
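The detection names above correspond to host telemetry that most environments already collect: process-creation records for the IIS worker, the Windows Defender operational log, and the Security log. The following Python triage script is an added example, not Rapid7's or Microsoft's detection content; it implements a few of those rules (webserver spawning a shell, discovery commands from IIS, a Defender exclusion being added, real-time protection disabled, and the audit log being cleared) over a small set of constructed events. The event schema, host names, file paths and message texts are assumptions made for the illustration and must be mapped from a real Sysmon or Windows event source before use.

```python
"""Triage rules for the post-exploitation behaviours described in the Rapid7 write-up.

Added example, not Rapid7's detection code. Events use a simplified, assumed
schema (id / host / parent / image / cmdline / message); map real Sysmon
process-creation and Windows Defender/Security events onto these fields first.
"""
import re
from collections import Counter

WEB_SERVER_PARENTS = {"w3wp.exe"}                    # IIS worker that hosts SharePoint
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DISCOVERY = re.compile(
    r"\b(whoami|net\s+(?:user|group|localgroup)|nltest|systeminfo|ipconfig|tasklist|quser)\b",
    re.I)
# Defender event 5007 reports config changes as registry-style paths; pull out the exclusion.
EXCLUSION = re.compile(r"Exclusions\\(Paths|Processes|Extensions)\\(.+?)\s*=\s*0x", re.I)


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of both slash styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_webserver_child(ev):
    """Process creation (id 1) where the IIS worker spawns a shell; flag discovery too."""
    alerts = []
    if ev["id"] == 1 and basename(ev.get("parent", "")) in WEB_SERVER_PARENTS:
        cmd = ev.get("cmdline", "")
        if basename(ev.get("image", "")) in SHELLS:
            alerts.append(("IIS spawns shell", ev["host"], cmd))
            if DISCOVERY.search(cmd):
                alerts.append(("IIS launching discovery commands", ev["host"], cmd))
    return alerts


def rule_defender_config(ev):
    """Defender operational log: 5007 = configuration changed, 5001 = real-time protection off."""
    alerts = []
    if ev["id"] == 5007:
        m = EXCLUSION.search(ev.get("message", ""))
        if m:
            alerts.append(("Defender exclusion added", ev["host"], f"{m.group(1)}: {m.group(2)}"))
    elif ev["id"] == 5001:
        alerts.append(("Defender real-time protection disabled", ev["host"], ev.get("message", "")))
    return alerts


def rule_log_cleared(ev):
    """Security event 1102: the audit log was cleared."""
    if ev["id"] == 1102:
        return [("Event log cleared", ev["host"], ev.get("message", ""))]
    return []


RULES = (rule_webserver_child, rule_defender_config, rule_log_cleared)


def triage(events):
    """Run every rule over every event; return alerts as (rule, host, detail) tuples."""
    return [alert for ev in events for rule in RULES for alert in rule(ev)]


def hosts_by_alert_count(alerts):
    """Pivot: which hosts fired the most rules, i.e. where to start the investigation."""
    return Counter(host for _, host, _ in alerts)


# Constructed sample telemetry (hypothetical hosts, paths and messages).
SAMPLE_EVENTS = [
    {"id": 1, "host": "SP01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c whoami & net group "domain admins" /domain'},
    {"id": 1, "host": "SP01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},
    # Benign: IIS compiling an ASP.NET page, which also runs under w3wp.exe
    {"id": 1, "host": "SP01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": "csc.exe /noconfig /out:App_Web.dll"},
    {"id": 5007, "host": "SP01", "message": r"Windows Defender Configuration has changed. "
     r"Old value:  New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\frp.exe = 0x0"},
    {"id": 5001, "host": "SP01", "message": "Real-time protection scanning was disabled."},
    {"id": 1102, "host": "DC01", "message": "The audit log was cleared. Account Name: svc_exchange"},
    # Benign: an interactive user opening a prompt
    {"id": 1, "host": "WS07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for rule, host, detail in found:
        print(f"[{host}] {rule}: {detail}")
    print(hosts_by_alert_count(found))
```

Two design points are worth noting. The IIS rule keys on the parent process rather than on the command line alone, so the benign csc.exe compilation that IIS legitimately launches does not fire, while any shell under w3wp.exe does; and the Defender rules are read from the Defender operational log rather than from process telemetry, because an exclusion added through the MpPreference cmdlets or the registry leaves no process-creation trace that mentions the excluded path. An environment where w3wp.exe never spawns cmd.exe or powershell.exe can run the first rule at zero tolerance; where administrators have legitimate reasons for it, keep the discovery-command variant as the higher-severity signal.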
Link(s):
https://www.bleepingcomputer.com/ne...ce-bug-exploited-to-breach-corporate-network/