A recently disclosed remote code execution (RCE) vulnerability in Microsoft SharePoint, tracked as CVE-2024-38094, is being exploited to gain initial access to corporate networks.
CVE-2024-38094 is a high severity RCE flaw (CVSS v3.1 score: 7.2) that affects Microsoft SharePoint, a widely used web-based platform that functions as an intranet, document management, and collaboration tool that can seamlessly are integrated with Microsoft 365 apps.
Microsoft fixed the vulnerability on July 9, 2024 as part of the Patch Tuesday of July package, marking the issue as ‘important’.
Last week, CISA added CVE-2024-38094 to the Known Exploited Vulnerability Catalog, but did not share how the flaw was exploited in attacks.
A new report from Rapid7 this week sheds light on how attackers are exploiting the SharePoint flaw, saying it was used in a network breach they were tasked with investigating.
“Our investigation revealed an attacker who had gained unauthorized access to a server and was moving laterally across the network, compromising the entire domain,” he says. reads the accompanying report.
“The attacker remained undetected for two weeks. Rapid7 determined that the initial access vector was an exploitation of a vulnerability, CVE 2024-38094, within the local SharePoint server.”
Using AVs to compromise security
Rapid7 now reports that attackers have used CVE-2024-38094 to gain unauthorized access to a vulnerable SharePoint server and deploy a web shell. The investigation revealed that the server was being exploited via a publicly disclosed SharePoint proof-of-concept exploit.
Taking advantage of their initial access, the attacker compromised a Microsoft Exchange service account with domain administrator rights, gaining elevated access.
The attacker then installed the Horoung Antivirus, creating a conflict that disabled security defenses and detection, allowing them to install Imppacket for lateral movement.
Specifically, the attacker used a batch script (‘hrword install.bat’) to install Huorong Antivirus on the system, set up a custom service (‘sysdiag’), run a driver (‘sysdiag_win10.sys’) and ‘HRSword ‘run .exe’ using a VBS script.
This setup caused multiple conflicts in resource allocation, loaded drivers, and running services, causing the company’s legitimate antivirus services to crash and become powerless.
Timeline of the attack
Source: Rapid7
In the next phase, the attacker used Mimikatz to collect credentials, FRP for remote access, and set up scheduled tasks for persistence.
To avoid detection, they disabled Windows Defender, modified the event logs, and manipulated system logging on the compromised systems.
Additional tools such as Everything.exe, Certify.exe and kerbrute were used for network scanning, generating ADFS certificates and brute-forcing Active Directory tickets.
Third-party backups were also destroyed, but the attackers failed in their attempts to compromise them.
While attempting to delete backups is typical in ransomware attacks, to prevent easy recovery, Rapid7 did not observe any data encryption, so the type of attack is unknown.
With active exploitation underway, system administrators who have not applied SharePoint updates since June 2024 should do so as soon as possible.