A sophisticated attack that compromised an entire domain by exploiting a critical vulnerability in Microsoft SharePoint.
The attack, which remained undetected for two weeks, showcases threat actors’ evolving tactics and the importance of robust security measures.
The attackers gained initial access by exploiting CVE-2024-38094, a remote code execution (RCE) vulnerability in an on-premise SharePoint server. They used a series of GET and POST requests to deploy a webshell named “ghostfile93.aspx” on the target system.
Rapid7’s Incident Response team uncovered the initial breach, which occurred through the exploitation of CVE 2024-38094, a vulnerability in Microsoft SharePoint that allows attackers to execute code remotely.
Once inside the network, the hackers moved laterally, compromising a Microsoft Exchange service account with domain administrator privileges. They utilized various tools and techniques to expand their foothold:
Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo
- Impacket: Attempted to install and execute this collection of Python scripts for network protocol interaction.
- Horoung Antivirus: Installed this Chinese AV software to disable existing security solutions.
- Fast Reverse Proxy (FRP): Deployed to maintain external access through firewalls.
SharePoint RCE Vulnerability Exploited
The attackers demonstrated sophisticated knowledge of network penetration and evasion techniques:
- Active Directory Exploitation: Used tools like ADExplorer64.exe, NTDSUtil.exe, and nxc.exe to map the AD environment and gather credentials.
- Credential Harvesting: Employed Mimikatz (disguised as 66.exe) to extract login information.
- Log Tampering: Disabled system logging and cleared event logs to cover their tracks.
- Persistence: Established scheduled tasks on the domain controller for the FRP tool.
The attackers remained undetected in the network for two weeks, during which they attempted to compromise third-party backups and used additional tools like Certify.exe to create ADFS certificates for elevated actions within the Active Directory environment.
The hackers also attempted to cover their tracks by tampering with system logs and disabling logging mechanisms on the compromised SharePoint server. This action significantly hindered the investigation process.
One notable tactic employed by the attackers was installing Huorong AntiVirus, which caused conflicts with existing security products, effectively disabling them and allowing the attackers greater freedom to pursue their objectives.
This incident highlights several critical points for cybersecurity professionals:
- The importance of promptly patching known vulnerabilities, especially in public-facing servers.
- There is a need for continuous monitoring and rapid incident response capabilities.
- The evolving sophistication of attackers in using legitimate tools and software to evade detection.
As exploitation for initial access continues to be a common theme in 2024, organizations must prioritize security tooling and efficient response procedures to mitigate the risk of major breaches.
Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!