
Corporate network compromised via Microsoft SharePoint RCE exploit


Threat actors have exploited a high-severity remote code execution vulnerability in Microsoft SharePoint, tracked as CVE-2024-38094, to compromise an entire corporate network domain without being detected for two weeks, BleepingComputer reports.

Initial access to the targeted SharePoint server came through the flaw, which was recently added to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog. According to an analysis from Rapid7, the attackers then used that foothold to compromise a Microsoft Exchange service account with elevated privileges, deploy Huorong Antivirus, and install Impacket, which allowed them to disable the legitimate antivirus products and move laterally. Beyond using Mimikatz for credential theft and FRP for remote access, the attackers deployed additional network scanning tools, generated ADFS certificates, brute-forced Active Directory tickets, and maintained persistence through scheduled tasks, while disabling Windows Defender and logging on affected systems to conceal their activity. The researchers did not observe any data encryption as part of the attack.
