A High-Severity Vulnerability with Devastating Consequences

A high-severity remote code execution (RCE) vulnerability in Microsoft SharePoint, tracked as CVE-2024-38094, is being actively exploited by attackers to gain initial access to corporate networks. This vulnerability, rated 7.2 on the Common Vulnerability Scoring System (CVSS v3.1), allows an attacker to execute arbitrary code on a vulnerable SharePoint server.

Background and Fix

Microsoft’s Response

Microsoft fixed the CVE-2024-38094 vulnerability as part of its July Patch Tuesday package on July 9, 2024, marking it as “important.” However, CISA added the vulnerability to its Known Exploited Vulnerability Catalog earlier this month without disclosing how it was exploited in attacks.

Importance of Updates

System administrators who have not applied SharePoint updates since June 2024 must do so as soon as possible to prevent exploitation of this vulnerability. The use of actively exploited vulnerabilities highlights the importance of keeping software up-to-date and implementing robust security controls to detect and respond to attacks quickly.

Attack Vector and Lateral Movement

A New Attack Vector

A new report from Rapid7 sheds light on how attackers are exploiting the SharePoint flaw. The investigation revealed that an attacker accessed a server without authorization, moved laterally across the network, and compromised the entire domain. The initial access vector used by the attacker was the exploitation of CVE-2024-38094 within the on-premise SharePoint server.

Initial Access and Webshell Planting

Exploiting the Vulnerability

Rapid7 discovered that attackers used the publicly disclosed SharePoint proof-of-concept exploit to gain unauthorized access to a vulnerable SharePoint server and plant a webshell. The server was compromised using this exploit, which allowed the attacker to execute arbitrary code and maintain control over the system.

Elevated Access and Antivirus Disablement

Gaining Elevated Access

The attacker then compromised a Microsoft Exchange service account with domain administrator privileges, gaining elevated access. To avoid detection, they installed the Horoung Antivirus, which created conflicts that disabled security defenses and impaired detection. The attacker used Impacket for lateral movement, exploiting multiple vulnerabilities to install the antivirus and execute malicious code.

Timeline of the Attack

Here is a breakdown of the attack timeline:

• Initial Access: Attacker exploits CVE-2024-38094 vulnerability in SharePoint server.
• Webshell Planting: Webshell planted on compromised server.
• Elevated Access: Microsoft Exchange service account compromised with domain administrator privileges.
• Antivirus Disablement: Horoung Antivirus installed, disabling security defenses and impairing detection.
• Lateral Movement: Impacket used for lateral movement, exploiting multiple vulnerabilities to install antivirus and execute malicious code.
• Credential Harvesting: Mimikatz used for credential harvesting.
• Remote Access: FRP used for remote access.
• Scheduled Tasks: Scheduled tasks set up for persistence.
• Data Destruction: Third-party backups targeted for destruction, but failed attempts observed.

Conclusion and Recommendations

The exploitation of this vulnerability highlights the importance of keeping software up-to-date and implementing robust security controls to detect and respond to attacks quickly. System administrators should prioritize patching SharePoint servers and reviewing their security posture to prevent similar incidents.