Critical Vulnerability in Microsoft SharePoint is being Exploited. A Quick look.


Introduction

The recent exploitation of a Microsoft SharePoint remote code execution (RCE) vulnerability, tracked as CVE-2024-38094, has raised significant concerns among cybersecurity professionals. This vulnerability has been actively exploited to gain unauthorized access to corporate networks, highlighting the critical need for timely patching and robust security measures.


Unveiling the RCE Vulnerability

CVE-2024-38094 is a high-severity RCE flaw in Microsoft SharePoint, the widely used web-based platform for intranets, document management, and collaboration. The vulnerability lets an attacker inject arbitrary code and have it executed in the context of the SharePoint server.

Technical Context and Specifics

Microsoft patched CVE-2024-38094 on July 9, 2024, as part of the July Patch Tuesday updates. Despite the available fix, attackers have since exploited the flaw to gain initial access to corporate networks, and on October 23, 2024 the US Cybersecurity and Infrastructure Security Agency (CISA) added it to the Known Exploited Vulnerabilities Catalog. In the reported intrusion, the attackers used a publicly disclosed proof-of-concept (PoC) exploit to gain unauthorized access to an unpatched SharePoint server.

Consequences and Broader Implications

The exploitation of CVE-2024-38094 has serious implications for organizations using Microsoft SharePoint. Attackers can leverage this vulnerability to move laterally across the network, compromising the entire domain. In one reported incident, attackers remained undetected for two weeks, during which they installed malicious software, harvested credentials, and disabled security defenses.

Real-World Examples and Additional Insights

In the investigated breach, the attackers installed Huorong Antivirus to create conflicts that disabled the legitimate antivirus services, which in turn allowed them to deploy Impacket for lateral movement. They also used Mimikatz for credential harvesting, FRP (Fast Reverse Proxy) for remote access, and scheduled tasks for persistence. The attackers attempted to destroy third-party backups but failed, and the intrusion does not appear to have been ransomware-related.

Conclusion

The exploitation of the CVE-2024-38094 vulnerability underscores the importance of timely patching and proactive security measures. Organizations must prioritize applying security updates to mitigate the risk of such attacks. By staying vigilant and implementing robust security practices, companies can better protect their networks from potential breaches.
