Introduction

A serious security alert is ringing alarm bells as a newly discovered Microsoft SharePoint remote code execution (RCE) vulnerability, labeled CVE-2024-38094, is actively being exploited to infiltrate corporate networks across the globe.

Vulnerability Overview

This high-severity flaw, which boasts a CVSS v3.1 score of 7.2, poses a significant risk to Microsoft SharePoint—a platform crucial for enterprises needing robust intranet, document management, and collaboration capabilities, often seamlessly integrated with Microsoft 365 applications.

Microsoft's Response

Microsoft responded to this urgent security threat by patching the vulnerability on July 9, 2024, during its regular Patch Tuesday updates, categorizing the issue as "important." Despite swift action, the damage had already begun as the Cybersecurity and Infrastructure Security Agency (CISA) recently added CVE-2024-38094 to its Known Exploited Vulnerability Catalog, albeit without revealing specifics on how cybercriminals were executing these attacks.

Investigation Findings

A recent investigation by cybersecurity firm Rapid7 uncovered a worrisome pattern: attackers breached a network by exploiting the SharePoint vulnerability. Their report revealed that cyber intruders accessed a server illicitly and found ways to move laterally through the network, effectively compromising the entire domain.

Attackers' Methodology

Remarkably, these attackers operated undetected for a staggering two weeks. Initial entry into the system was traced back to exploitation of the CVE-2024-38094 vulnerability within an on-premise SharePoint server. They were able to implant a webshell, which is often used to maintain access discreetly.

Compromise of Microsoft Exchange Account

Further forensic analysis revealed that the cybercriminals leveraged their initial breach to target and compromise a Microsoft Exchange service account with domain administrator privileges. This provided them with elevated access rights and an open pathway for further nefarious actions.

Introduction of Rogue Application

As if this weren’t alarming enough, Rapid7 revealed that the attackers introduced a rogue application—referred to as Horoung Antivirus—into the system. This was done through a specific batch script, 'hrword install.bat,' effectively disabling existing security measures and allowing the attackers to implement tools like Impacket for lateral movement within the network.

Impact of Malicious Software

The malicious software installation created significant confusion within the system, crashing legitimate antivirus operations and rendering them ineffective against ongoing attacks. To maintain stealth, the attackers employed Mimikatz for credential harvesting and FRP for remote access, alongside setting up scheduled tasks to ensure persistence within the system. They took additional measures to cover their tracks by disabling Windows Defender and tampering with event logs.

Nature of the Attack

Whether their motives align with traditional ransomware tactics remains uncertain; Rapid7 noted that while there were attempts to wipe third-party backups—typical behavior to thwart recovery efforts—no evidence of data encryption was found, which complicates the classification of their attack.

Urgent Call to Action

For organizations still running an outdated version of SharePoint and who haven't applied necessary patches since June 2024, immediate action is crucial. The clock is ticking as cybercriminals continue to exploit this vulnerability with alarming frequency. Cybersecurity experts urge swift patch implementation to shield corporate networks from potential breaches. Failure to act may result in devastating consequences for businesses that could fall victim to these ruthless cybercriminals.

Conclusion

Stay tuned for further updates as this situation evolves!