A recently uncovered vulnerability in Microsoft SharePoint (CVE-2024-38094) has caught the attention of security experts and IT teams worldwide. This high-severity remote code execution (RCE) flaw—one that allows attackers to run malicious code on vulnerable systems—has been used to infiltrate corporate networks. For any company using SharePoint, the implications are serious, especially since SharePoint is widely used for document management, collaboration, and integration with Microsoft 365.
Microsoft patched the vulnerability in July 2024, marking it as “important.” However, companies that haven’t applied the updates remain exposed to this threat. The urgency escalated when the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-38094 to its Known Exploited Vulnerabilities Catalog, though details on how attackers were breaching systems were not initially shared.
How Attackers are Exploiting the SharePoint Flaw
In a recent investigation, Rapid7 uncovered how this SharePoint vulnerability has been used in real-world attacks. An unauthorized individual accessed a server through this flaw and moved undetected across the network for two weeks. During this time, they compromised the entire network domain, giving them broad access to sensitive data and critical systems.
The attacker’s approach included gaining access to a Microsoft Exchange service account, which held domain administrator privileges. With these elevated permissions, they deployed a third-party antivirus program (Huorong Antivirus) that ironically disrupted existing security software, reducing detection capabilities. This move allowed them to install tools for further lateral movement across the network.
Advanced Techniques for Remaining Undetected
The attackers used sophisticated techniques to cover their tracks and maintain control within the network. They disabled Windows Defender, altered event logs, and adjusted system logging, making it difficult for IT administrators to detect the breach.
A series of specialized tools were deployed, each with a specific purpose:
- Mimikatz: Harvested credentials from the compromised systems.
- FRP (File Replication Program): Enabled remote access to the network.
- Everything.exe, Certify.exe, and Kerbrute: These tools were used for network mapping, generating security certificates, and brute-forcing Active Directory (AD) tickets.
While it’s common in ransomware attacks to target backups to prevent recovery, the attackers failed to compromise third-party backups. Rapid7 noted that despite efforts to destroy backup files, there was no sign of encryption, so the full nature of the attack remains uncertain.
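The evasion steps described above (Defender disabled, event logs cleared, logging policy changed, new tooling installed as services) all leave standard Windows events behind. The following PowerShell hunt is an added example, not code from the article or from Rapid7's report; it uses the built-in Security, System and Defender operational logs, and the host list and 14-day look-back (the length of time the intrusion went unnoticed) are assumptions for illustration.

```powershell
# Added example: hunt for the defence-evasion pattern described above on one or
# more SharePoint servers or domain controllers. Standard Windows event IDs only;
# the host list and the 14-day window are assumptions.
param(
    [string[]]$ComputerName = @('localhost'),   # assumed: hosts to query
    [int]$Days = 14                             # the intrusion above ran undetected for two weeks
)

$since = (Get-Date).AddDays(-$Days)

# Each hunt: log name, event IDs of interest, and what they mean to an analyst.
$hunts = @(
    @{ Log = 'Security'; Ids = @(1102, 4719, 4697)
       Why = '1102 audit log cleared, 4719 audit policy changed, 4697 service installed' },
    @{ Log = 'System';   Ids = @(104, 7045)
       Why = '104 event log cleared, 7045 new service installed' },
    @{ Log = 'Microsoft-Windows-Windows Defender/Operational'; Ids = @(5001, 5010, 5012)
       Why = '5001 real-time protection disabled, 5010/5012 malware/virus scanning disabled' }
)

$findings = foreach ($computer in $ComputerName) {
    foreach ($h in $hunts) {
        $params = @{
            FilterHashtable = @{ LogName = $h.Log; Id = $h.Ids; StartTime = $since }
            ErrorAction     = 'SilentlyContinue'   # "no events found" is not an error here
        }
        if ($computer -ne 'localhost') { $params.ComputerName = $computer }

        foreach ($e in (Get-WinEvent @params)) {
            [pscustomobject]@{
                Computer = $computer
                Time     = $e.TimeCreated
                Log      = $h.Log
                EventId  = $e.Id
                Message  = ($e.Message -split "`n")[0]   # first line only, keeps the table readable
            }
        }
    }
}

$findings | Sort-Object Computer, Time | Format-Table -AutoSize

# Escalate when a single host shows all three categories inside the window:
# that combination is the sequence described above, not routine administration.
$findings | Group-Object Computer | ForEach-Object {
    $logs = $_.Group.Log | Sort-Object -Unique
    if (@($logs).Count -eq $hunts.Count) {
        Write-Warning "$($_.Name): Defender disabled, logging tampered with, and a new service installed within $Days days; investigate"
    }
}
```

Any one of these events can be benign (an administrator clearing a log, a legitimate agent install), so the script lists them all but only warns when a host shows the full combination. Note that an attacker who has already cleared the Security log removes the earlier evidence, which is why the clearing events themselves (1102 and 104) and forwarding logs off-host matter.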
What Companies Should Do Now
Companies using SharePoint on-premises should verify that their systems have the latest security updates applied. The vulnerability was patched by Microsoft in July 2024, and it’s crucial that any unpatched systems are addressed immediately to prevent exploitation.
A few additional steps to consider include:
- Regularly Reviewing Access Permissions: Ensure that accounts with domain admin privileges are limited and monitored closely.
- Implementing Multi-Factor Authentication (MFA): MFA adds a layer of security, especially for accounts with elevated access.
- Conducting Periodic Security Assessments: Regular security checks and penetration tests help identify potential vulnerabilities.
- Investing in Threat Detection Tools: Advanced detection tools can spot unusual activity, like changes in logging or unauthorized installations, which may indicate a security breach.
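The intrusion above hinged on a service account that held domain administrator rights, so the permission review recommended here should specifically look for that. The script below is an added example, not code from the article; it requires the ActiveDirectory RSAT module, and the 90-day password-age threshold is an assumption.

```powershell
# Added example: review Domain Admins membership for the weak points the
# intrusion above abused (service accounts with domain admin rights, stale or
# non-expiring passwords). Requires the ActiveDirectory module; the 90-day
# threshold is an assumption.
Import-Module ActiveDirectory

$StaleDays = 90   # assumed: passwords older than this are flagged for rotation

$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate, ServicePrincipalName

$report = foreach ($u in $members) {
    $flags = @()
    # An account with a registered SPN is a service account (Exchange, SQL, and so on);
    # it should not be a domain admin, and it is the pattern the attackers used above.
    if ($u.ServicePrincipalNames.Count -gt 0) { $flags += 'service account (has SPN)' }
    if ($u.PasswordNeverExpires)              { $flags += 'password never expires' }
    if ($u.PasswordLastSet -lt (Get-Date).AddDays(-$StaleDays)) {
        $flags += "password older than $StaleDays days"
    }
    if (-not $u.Enabled)                      { $flags += 'disabled but still a member' }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        LastLogonDate  = $u.LastLogonDate
        Findings       = ($flags -join '; ')
    }
}

$report | Sort-Object SamAccountName | Format-Table -AutoSize
"Domain Admins has $(@($members).Count) user members; $(@($report | Where-Object Findings).Count) need review"
```

Run it from a management host with RSAT installed, then remove the service accounts from the group and give the services the narrower rights they actually need; the same review applies to Enterprise Admins and any group nested into them.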
Moving Forward: Strengthening Cyber Defenses
With this vulnerability actively exploited, system administrators and security teams should prioritize staying informed on emerging threats. Cybersecurity is an ongoing commitment, and adapting to new threats with a proactive stance is essential. The exploitation of the SharePoint vulnerability is a reminder of the importance of timely software updates and a well-rounded security strategy.