Hackers were spotted abusing a high-severity vulnerability in Microsoft SharePoint to gain access to corporate IT infrastructure.
A report from cybersecurity researchers Rapid7 revealed how unnamed cybercriminals leveraged a flaw tracked as CVE-2024-38094 to establish initial access on the target’s network.
The flaw is a remote code execution (RCE) vulnerability in SharePoint, Microsoft’s web-based platform for collaboration and document management. It carries a severity score of 7.2 and was fixed in mid-July 2024 as part of a Patch Tuesday cumulative update.
The vulnerability allowed the crooks to access the network, where they dwelled for two weeks.
During that time, they used the Fast Reverse Proxy (FRP) tool to establish an outbound connection, ran Active Directory (AD) enumeration tools, and dumped credentials with multiple tools, including NTDSUtil and Mimikatz.
Finally, they installed a Chinese antivirus product, which degraded or disabled the existing security tools on the affected systems.
“This involved the service account installing the Horoung Antivirus (AV) software, which was not an authorized software in the environment,” the researchers said in the blog post.
“For context, Horoung Antivirus is a popular AV software in China that can be installed from Microsoft Store. Most notably, the installation of Horoung caused a conflict with active security products on the system. This resulted in a crash of these services. Stopping the system’s current security solutions allowed the attacker freedom to pursue follow-on objectives thus relating this malicious activity to Impairing Defenses.”
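As an added defender-side example, not code from the Rapid7 report or from this article: a small Python correlator that runs over constructed Sysmon-style process-creation events, flags the three stages described above (FRP outbound proxy, NTDS credential dumping, unauthorized antivirus install by a service account), and raises an alert when one account spans several of them within the two-week dwell window. The event layout, the svc_ account name, the Horoung install path and the binary names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation events; not taken from the Rapid7 report.
EVENTS = [
    {"ts": "2024-07-20T10:05:40", "user": "CORP\\svc_sharepoint",
     "image": r"C:\Users\Public\frpc.exe", "cmdline": "frpc.exe -c frpc.ini"},
    {"ts": "2024-07-21T02:13:05", "user": "CORP\\svc_sharepoint",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "activate instance ntds" ifm "create full C:\\temp\\x" quit quit'},
    {"ts": "2024-08-01T03:00:00", "user": "CORP\\svc_sharepoint",
     "image": r"C:\Program Files\HoroungAV\setup.exe", "cmdline": "setup.exe /silent"},  # placeholder path
    {"ts": "2024-07-22T09:00:00", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\ntdsutil.exe", "cmdline": "ntdsutil.exe help"},  # benign admin use
]

# (category, image regex, command-line regex); an empty command-line regex matches anything.
RULES = [
    ("credential_dumping", r"ntdsutil\.exe$", r"\bifm\b"),   # IFM export writes a copy of NTDS.dit
    ("credential_dumping", r"mimikatz\.exe$", r""),
    ("c2_proxy", r"\bfrpc?\.exe$", r""),                     # Fast Reverse Proxy client/server
    ("impair_defenses", r"horoung", r""),                    # assumption: vendor name in install path
]

def classify(ev):
    """Return the set of technique categories a single event matches."""
    hits = set()
    for cat, img_re, cmd_re in RULES:
        if re.search(img_re, ev["image"], re.I) and re.search(cmd_re, ev["cmdline"], re.I):
            hits.add(cat)
    return hits

def correlate(events, window=timedelta(days=14), min_categories=2):
    """Per account, union the categories seen inside any sliding window of `window`;
    alert (largest set wins) when an account spans at least `min_categories` of them."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        cats = classify(ev)
        if cats:
            by_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]), cats))
    alerts = {}
    for user, hits in by_user.items():
        for i, (t0, _) in enumerate(hits):
            seen = set()
            for t, cats in hits[i:]:
                if t - t0 > window:
                    break
                seen |= cats
            if len(seen) >= min_categories and len(seen) > len(alerts.get(user, ())):
                alerts[user] = sorted(seen)
    return alerts
```

Single-stage hits such as the benign `ntdsutil.exe help` never alert on their own; the account-level chain is what distinguishes the intrusion pattern from routine administration.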
In the meantime, the US Cybersecurity and Infrastructure Security Agency (CISA) added the RCE flaw to its Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies a tight deadline to address the flaw, or stop using SharePoint entirely.
Via BleepingComputer