Microsoft SharePoint RCE bug exploited to breach corporate network

November 2, 2024 at 07:40PM

A Microsoft SharePoint vulnerability (CVE-2024-38094) is being actively exploited to gain a foothold in corporate networks. Attackers used this RCE flaw to compromise a SharePoint server, disable security tooling, and move laterally across the domain. Rapid7's report describes an ongoing threat and urges administrators to apply the July 2024 SharePoint updates promptly.

**Meeting Takeaways**

1. **Vulnerability Overview**:
– Microsoft SharePoint has a recently disclosed remote code execution (RCE) vulnerability, CVE-2024-38094, which is currently being exploited to gain unauthorized access to corporate networks. Per Microsoft's advisory, exploitation requires an authenticated account with Site Owner permissions, so a stolen or weak SharePoint login is the likely entry point.
– The CVSS v3.1 score for this vulnerability is 7.2, classifying it as high severity.

2. **Patch Information**:
– Microsoft released a fix for CVE-2024-38094 on July 9, 2024, as part of the July Patch Tuesday updates, labeling it as “important.”

3. **CISA Notification**:
– The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-38094 to its Known Exploited Vulnerabilities (KEV) Catalog without disclosing how it was being exploited.

4. **Rapid7 Investigation Findings**:
– Rapid7 reported that an attacker exploited CVE-2024-38094 to gain unauthorized access to a SharePoint server, consequently compromising the entire network domain.
– The attacker remained undetected for two weeks, moving laterally across the network.

5. **Attack Methodology**:
– Attackers planted a webshell on the SharePoint server and compromised a Microsoft Exchange service account that held domain admin privileges.
– A key step in the attack was installing Huorong Antivirus, which conflicted with the existing security defenses and created the conditions for further malicious activity.
– The attacker employed several techniques, including:
    – Using a batch script to install the antivirus and register custom services.
    – Disabling Windows Defender and tampering with event logs to stay hidden.
    – Using Mimikatz for credential harvesting and FRP (Fast Reverse Proxy) for remote access.
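The techniques above leave a recognisable trail in standard Windows telemetry, and the useful signal is the combination rather than any one event. The following hunt is an added example (not code from the original article or from Rapid7's report): it correlates, per host, a Windows Defender "real-time protection disabled" event (ID 5001) with other indicators within a 24-hour window, namely a new service installed from an untrusted path (ID 7045), a cleared event log (IDs 1102/104), a batch script launch, and Mimikatz or FRP command lines (ID 4688). The event records are constructed sample data in a simplified dict format that stands in for whatever your log exporter emits; the field names are an assumption.

```python
"""Toy post-exploitation hunt over exported Windows event records.

Added example, not from the article or Rapid7. Record format (one dict per
event with Host, EventID, Time and a few payload fields) is an assumption.
Event IDs are the documented Windows ones: 7045 new service, 5001 Defender
real-time protection disabled, 1102/104 log cleared, 4688 process creation
(command line present only when command-line auditing is enabled).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: one compromised SharePoint host, one clean host.
SAMPLE_EVENTS = [
    {"Host": "SP01", "EventID": 4688, "Time": "2024-07-20T02:05:10",
     "CommandLine": r"cmd.exe /c C:\Users\Public\setup.bat"},
    {"Host": "SP01", "EventID": 7045, "Time": "2024-07-20T02:06:30",
     "ServiceName": "hr_core", "ImagePath": r"C:\Users\Public\av\hr_core.exe"},
    {"Host": "SP01", "EventID": 5001, "Time": "2024-07-20T02:09:00"},
    {"Host": "SP01", "EventID": 1102, "Time": "2024-07-20T02:40:00"},
    {"Host": "SP01", "EventID": 4688, "Time": "2024-07-21T01:15:00",
     "CommandLine": r"C:\Users\Public\m.exe privilege::debug sekurlsa::logonpasswords"},
    {"Host": "SP01", "EventID": 4688, "Time": "2024-07-21T01:20:00",
     "CommandLine": r"C:\Users\Public\frpc.exe -c frpc.ini"},
    {"Host": "FS02", "EventID": 7045, "Time": "2024-07-20T09:00:00",
     "ServiceName": "BackupAgent", "ImagePath": r"C:\Program Files\Vendor\agent.exe"},
    {"Host": "FS02", "EventID": 5001, "Time": "2024-07-25T11:00:00"},
]

# Directories a legitimately installed service binary is expected to live in.
TRUSTED_DIRS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")
# Command-line tokens tied to the tooling named in the report (plain substring
# matching; a real deployment would use proper detection content).
TOOL_TOKENS = ("sekurlsa::", "lsadump::", "frpc", "frps")


def parse_time(ev):
    return datetime.fromisoformat(ev["Time"])


def classify(ev):
    """Map one event to a rule name, or None if it is not interesting."""
    eid = ev["EventID"]
    if eid == 5001:
        return "defender_realtime_disabled"
    if eid in (1102, 104):
        return "event_log_cleared"
    if eid == 7045:
        path = ev.get("ImagePath", "").lower().strip('"')
        return None if path.startswith(TRUSTED_DIRS) else "service_from_untrusted_path"
    if eid == 4688:
        cmd = ev.get("CommandLine", "").lower()
        if any(tok in cmd for tok in TOOL_TOKENS):
            return "credential_or_tunnel_tool"
        if cmd.endswith(".bat") or ".bat " in cmd:
            return "batch_script_launched"
    return None


def hunt(events, window=timedelta(hours=24)):
    """Return {host: sorted rule names} for every host where Defender was
    disabled and at least one other rule fired within `window` of that event.
    A lone 5001 (admin maintenance) does not produce a finding."""
    by_host = defaultdict(list)
    for ev in events:
        rule = classify(ev)
        if rule:
            by_host[ev["Host"]].append((parse_time(ev), rule))
    findings = {}
    for host, hits in by_host.items():
        for t0, rule in hits:
            if rule != "defender_realtime_disabled":
                continue
            nearby = {r for t, r in hits
                      if r != "defender_realtime_disabled" and abs(t - t0) <= window}
            if nearby:
                findings[host] = sorted(nearby | {"defender_realtime_disabled"})
                break
    return findings


if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(rules))
```

On the sample data only SP01 is flagged; FS02's Defender event stands alone and its new service was installed from Program Files. Two caveats for real use: event 4688 carries no command line unless the "Include command line in process creation events" policy is on (Sysmon event 1 is the usual substitute), and an attacker who clears the logs early removes the very events this hunt relies on, which is why forwarding logs off-host before that point matters.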

6. **Network and Data Targeting**:
– The attacker conducted network reconnaissance, generated Active Directory Federation Services (ADFS) certificates, and attempted to destroy third-party backups.
– Notably, no data encryption was observed, so the attacker's final objective remains unclear.

7. **Action Items for System Administrators**:
– System administrators who have not applied SharePoint updates since June 2024 are urged to do so promptly, since the fix for CVE-2024-38094 shipped in the July 9, 2024 update.

This summary emphasizes the ongoing threat posed by CVE-2024-38094 and the importance of timely patching to secure corporate networks.