Warning issued after SharePoint flaw puts entire corporate networks at risk

Security researchers have issued an alert over threat actors exploiting a recently disclosed vulnerability in Microsoft Sharepoint, warning the weakness could allow attackers to compromise the entire network.

Researchers from Rapid7’s incident response team have published findings from an investigation where hackers compromised a Microsoft Exchange service account by exploiting a vulnerability in a public-facing application.

The attacker was able to access a SharePoint server without authorization, and subsequently used the admin privileges on an Exchange service account to move around the network “compromising the entire domain”, the report stated.

The report noted that after gaining initial access to the target’s corporate environment the threat actor was able to persist on the network undetected for two weeks.

Rapid7 said it has begun exploring suspicious activity tied to the Microsoft Exchange service account, including the installation of the Horoung antivirus software, which was not authorized in the environment.

Horoung is a popular antivirus solution in China, available on the Microsoft store, and was used in the attack chain to create a conflict with other security products active on the system, and weaken the environement’s overall security posture.

Hackers used Chinese antivirus software to disable existing security tools

After exploiting CVE-2024-38094, the attacker installed the Horoung antivirus in order to disrupt the existing security software on the system enabling malicious lateral movement activities.

First among these was to compromise a Microsoft Exchange service account with domain administrator privileges to enable further lateral movement around the environment.

Using authentication event logs from the organization’s domain controllers, Rapid7 were able to track the lateral movement events of the attack and construct a timeline covering the incident’s two-week dwell time, beginning with the exploitation of the target’s public-facing SharePoint server.

The conflict caused by the installation of Horoung allowed the attacker to use Python to install and execute Impacket from GitHub. Impacket is a collection of open-source network protocols, which are usually used to facilitate lateral movement on a target environment.

Rapid7 found the attacker used the Exchange service account to authenticate via RDP, going on to disable the system's Windows Defender Threat Detection (WDTD), adding an exclusion for a malicious binary called msvrp.exe, used to establish command and control.

“This binary is a tool called Fast Reverse Proxy (FRP), which allows external access to the system through a NAT-configured firewall,” the report noted

The attack also executed the Mimikatz program to harvest credentials, clear event logs, and disable system logging, helping obfuscate the threat actor’s TTPs.

Rapid7 recorded a litany of additional tools leveraged by the attacker including a renamed version of Mimikatz (66.exe), certify.exe to create ADFS certificates, and everything.exe – a tool frequently used in ransomware attacks to find files for encryption.

Finally, the threat actor appeared to attempt to destroy third party backups via multiple methods, according to the report, but were ultimately unsuccessful.

Rapid7 added that it did not observe any attempts to encrypt data in the environment, however, which is the usual indicator of a ransomware attack, leaving the exact nature of the attack undetermined.