
SharePoint RCE Vulnerability: A Critical Threat To Corporate Network Security

Microsoft SharePoint recently encountered a vulnerability that allows cyberattacks on corporate networks. This vulnerability highlights that if hackers gain access to a vulnerable SharePoint server, they can potentially compromise the entire network’s security.

According to Rapid7 cybersecurity researchers, attackers gained prompt access to target networks by exploiting a vulnerability known as CVE-2024-38094.

According to the Rapid7 report:

Our investigation uncovered an attacker who accessed a server without authorization and moved laterally across the network, compromising the entire domain. The attacker remained undetected for two weeks. Rapid7 determined the initial access vector to be the exploitation of a vulnerability, CVE 2024-38094, within the on-premise SharePoint server.

This vulnerability, scored high severity with a CVSS v3.1 score of 7.2, is a remote code execution (RCE) bug affecting Microsoft SharePoint.

For two weeks, the attack went undetected, highlighting how skilled threat actors have gotten at evading detection. On July 9, 2024, Microsoft fixed this issue and rated it as important in their July Patch Tuesday release.

CISA has added CVE-2024-38094 to its list of known exploited vulnerabilities, although officials have not revealed the exact technique attackers used to take advantage of this vulnerability.

A Zero-Day Exploit for Domain Admin Privileges in SharePoint

Rapid7 confirmed that hackers used a public proof-of-concept exploit to install a webshell called “ghostfile93.aspx” on a vulnerable SharePoint server by taking advantage of CVE-2024-38094.

This remote code execution (RCE) vulnerability allowed initial access, which resulted in the compromise of a Microsoft Exchange service account with domain admin privileges.

Attackers obtained domain administrator rights by breaching a Microsoft Exchange service account. By installing Huorong Antivirus, attackers further escalated access. This action interfered with the defences already in place and disabled detection systems, which allowed them to use Impacket for lateral movement.

SharePoint Zero-Day Attack Timeline (Rapid7)

Attackers disabled Windows Defender, modified event logs, disrupted system logging, and used Mimikatz for credential harvesting to maintain persistence and evade detection.

Additional tools included everything.exe for network scanning, Certify.exe for ADFS certificate generation, and kerbrute for brute-forcing Active Directory tickets. Although attackers targeted third-party backups, these attempts to cause damage were unsuccessful.
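
For defenders hunting the webshell described above, this added example (not code from Rapid7 or from the original article) scans IIS W3C logs for the reported file name ghostfile93.aspx and for .aspx pages that accept POSTs from only one client. The log lines, URL paths and the `max_clients` threshold are constructed assumptions.

```python
from collections import defaultdict

# File name reported on this page; everything else below is constructed.
KNOWN_WEBSHELLS = {"ghostfile93.aspx"}

# Constructed IIS W3C sample using documentation IP ranges, not incident data.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2024-01-01 10:00:01 GET /_layouts/15/start.aspx 192.0.2.10 200
2024-01-01 10:00:05 GET /_layouts/15/start.aspx 192.0.2.11 200
2024-01-01 10:00:09 POST /_layouts/15/start.aspx 192.0.2.12 200
2024-01-01 10:02:13 POST /_layouts/15/ghostfile93.aspx 203.0.113.7 200
2024-01-01 10:02:20 POST /_layouts/15/ghostfile93.aspx 203.0.113.7 200
2024-01-01 10:03:00 POST /sites/hr/upload_tmp.aspx 198.51.100.4 200
2024-01-01 10:03:30 GET /sites/hr/missing.aspx 192.0.2.10 404
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def hunt(text, max_clients=1):
    """Return {uri: reason} for .aspx pages that deserve a manual review."""
    clients, posted_ok = defaultdict(set), set()
    for r in parse_w3c(text):
        uri = r["cs-uri-stem"].lower()
        if not uri.endswith(".aspx"):
            continue
        clients[uri].add(r["c-ip"])
        if r["cs-method"] == "POST" and r["sc-status"] == "200":
            posted_ok.add(uri)
    findings = {}
    for uri, ips in clients.items():
        if uri.rsplit("/", 1)[-1] in KNOWN_WEBSHELLS:
            findings[uri] = "known webshell name"
        elif uri in posted_ok and len(ips) <= max_clients:
            findings[uri] = "rare page accepting POST"  # heuristic, expect false positives
    return findings

if __name__ == "__main__":
    for uri, reason in sorted(hunt(SAMPLE_LOG).items()):
        print(f"{reason}: {uri}")
```

The rare-page heuristic only produces leads; confirm each hit against the file's creation time on disk and the site's known page inventory.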

This incident did not appear to be a typical ransomware attack, as no data encryption was detected. However, the hackers still exploited a Microsoft SharePoint vulnerability to gain access.

Cybercriminals are increasingly focussing on vulnerabilities like these to compromise systems. Attackers often use this type of attack, referred to as “initial access,” to gain entry to a network.

Organisations must take a proactive approach to counter these evolving risks. This entails investing in strong security solutions, patching vulnerabilities on a regular basis, and keeping informed of the most recent security advancements.
