Security researchers have issued an alert over threat actors exploiting a recently disclosed vulnerability in Microsoft Sharepoint, warning the weakness could allow attackers to compromise the entire network.
Researchers from Rapid7’s incident response team have published findings from an investigation where hackers compromised a Microsoft Exchange service account by exploiting a vulnerability in a public-facing application.
The attacker was able to access a SharePoint server without authorization, and subsequently used the admin privileges on an Exchange service account to move around the network “compromising the entire domain”, the report stated.
The report noted that after gaining initial access to the target’s corporate environment the threat actor was able to persist on the network undetected for two weeks.
Rapid7 said it has begun exploring suspicious activity tied to the Microsoft Exchange service account, including the installation of the Horoung antivirus software, which was not authorized in the environment.
Horoung is a popular antivirus solution in China, available on the Microsoft store, and was used in the attack chain to create a conflict with other security products active on the system, and weaken the environement’s overall security posture.
Hackers used Chinese antivirus software to disable existing security tools
After exploiting CVE-2024-38094, the attacker installed the Horoung antivirus in order to disrupt the existing security software on the system enabling malicious lateral movement activities.
First among these was to compromise a Microsoft Exchange service account with domain administrator privileges to enable further lateral movement around the environment.
Using authentication event logs from the organization’s domain controllers, Rapid7 were able to track the lateral movement events of the attack and construct a timeline covering the incident’s two-week dwell time, beginning with the exploitation of the target’s public-facing SharePoint server.
The conflict caused by the installation of Horoung allowed the attacker to use Python to install and execute Impacket from GitHub. Impacket is a collection of open-source network protocols, which are usually used to facilitate lateral movement on a target environment.
Rapid7 found the attacker used the Exchange service account to authenticate via RDP, going on to disable the system's Windows Defender Threat Detection (WDTD), adding an exclusion for a malicious binary called msvrp.exe, used to establish command and control.
“This binary is a tool called Fast Reverse Proxy (FRP), which allows external access to the system through a NAT-configured firewall,” the report noted
The attack also executed the Mimikatz program to harvest credentials, clear event logs, and disable system logging, helping obfuscate the threat actor’s TTPs.
Rapid7 recorded a litany of additional tools leveraged by the attacker including a renamed version of Mimikatz (66.exe), certify.exe to create ADFS certificates, and everything.exe – a tool frequently used in ransomware attacks to find files for encryption.
Finally, the threat actor appeared to attempt to destroy third party backups via multiple methods, according to the report, but were ultimately unsuccessful.
Rapid7 added that it did not observe any attempts to encrypt data in the environment, however, which is the usual indicator of a ransomware attack, leaving the exact nature of the attack undetermined.
-
Trump's AI executive order could leave US in a 'regulatory vacuum'News Citing a "patchwork of 50 different regulatory regimes" and "ideological bias", President Trump wants rules to be set at a federal level
-
TPUs: Google's home advantageITPro Podcast How does TPU v7 stack up against Nvidia's latest chips – and can Google scale AI using only its own supply?
-
Microsoft Teams is getting a new location tracking feature that lets bosses snoop on staff – research shows it could cause workforce pushbackNews A new location tracking feature in Microsoft Teams will make it easier to keep tabs on your colleague's activities – and for your boss to know exactly where you are.
-
Microsoft opens up Entra Agent ID preview with new AI featuresNews Microsoft Entra Agent ID aims to help manage influx of AI agents using existing tools
-
A notorious ransomware group is spreading fake Microsoft Teams ads to snare victimsNews The Rhysida ransomware group is leveraging Trusted Signing from Microsoft to lend plausibility to its activities
-
CISA just published crucial new guidance on keeping Microsoft Exchange servers secureNews With a spate of attacks against Microsoft Exchange in recent years, CISA and the NSA have published crucial new guidance for organizations to shore up defenses.
-
CISA issues alert after botched Windows Server patch exposes critical flawNews A critical remote code execution flaw in Windows Server is being exploited in the wild, despite a previous 'fix'
-
Microsoft issues warning over “opportunistic” cyber criminals targeting big businessNews Microsoft has called on governments to do more to support organizations
-
A terrifying Microsoft flaw could’ve allowed hackers to compromise ‘every Entra ID tenant in the world’News The Entra ID vulnerability could have allowed full access to virtually all Azure customer accounts
-
Microsoft and Cloudflare just took down a major phishing operationNews RaccoonO365’s phishing as a service platform has risen to prominence via Telegram
