Threat actors have exploited a high-severity remote code execution vulnerability in Microsoft SharePoint, tracked as CVE-2024-38094, to compromise an entire corporate network domain without being detected for two weeks, BleepingComputer reports.
Initial access to the targeted SharePoint server through the flaw — which was recently added to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog — was leveraged to breach a Microsoft Exchange service account with elevated privileges, deploy the Huorong Antivirus, and install Impacket, resulting in the deactivation of legitimate antivirus systems and lateral movement, according to an analysis from Rapid7. Aside from utilizing Mimikatz and FRP for credential compromise and remote access, respectively, attackers also deployed other network scanning tools, performed ADFS certificate generation, brute-forced Active Directory tickets, and ensured persistence through scheduled tasks while deactivating Windows Defender and impacted systems' logs to conceal malicious activity, said researchers, who did not observe any data encryption to be conducted as part of the attack.
