Security researchers have issued an alert over threat actors exploiting a recently disclosed vulnerability in Microsoft Sharepoint, warning the weakness could allow attackers to compromise the entire network.
Researchers from Rapid7’s incident response team have published findings from an investigation where hackers compromised a Microsoft Exchange service account by exploiting a vulnerability in a public-facing application.
The attacker was able to access a SharePoint server without authorization, and subsequently used the admin privileges on an Exchange service account to move around the network “compromising the entire domain”, the report stated.
The report noted that after gaining initial access to the target’s corporate environment the threat actor was able to persist on the network undetected for two weeks.
Rapid7 said it has begun exploring suspicious activity tied to the Microsoft Exchange service account, including the installation of the Horoung antivirus software, which was not authorized in the environment.
Horoung is a popular antivirus solution in China, available on the Microsoft store, and was used in the attack chain to create a conflict with other security products active on the system, and weaken the environement’s overall security posture.
Hackers used Chinese antivirus software to disable existing security tools
After exploiting CVE-2024-38094, the attacker installed the Horoung antivirus in order to disrupt the existing security software on the system enabling malicious lateral movement activities.
First among these was to compromise a Microsoft Exchange service account with domain administrator privileges to enable further lateral movement around the environment.
Using authentication event logs from the organization’s domain controllers, Rapid7 were able to track the lateral movement events of the attack and construct a timeline covering the incident’s two-week dwell time, beginning with the exploitation of the target’s public-facing SharePoint server.
The conflict caused by the installation of Horoung allowed the attacker to use Python to install and execute Impacket from GitHub. Impacket is a collection of open-source network protocols, which are usually used to facilitate lateral movement on a target environment.
Rapid7 found the attacker used the Exchange service account to authenticate via RDP, going on to disable the system's Windows Defender Threat Detection (WDTD), adding an exclusion for a malicious binary called msvrp.exe, used to establish command and control.
“This binary is a tool called Fast Reverse Proxy (FRP), which allows external access to the system through a NAT-configured firewall,” the report noted
The attack also executed the Mimikatz program to harvest credentials, clear event logs, and disable system logging, helping obfuscate the threat actor’s TTPs.
Rapid7 recorded a litany of additional tools leveraged by the attacker including a renamed version of Mimikatz (66.exe), certify.exe to create ADFS certificates, and everything.exe – a tool frequently used in ransomware attacks to find files for encryption.
Finally, the threat actor appeared to attempt to destroy third party backups via multiple methods, according to the report, but were ultimately unsuccessful.
Rapid7 added that it did not observe any attempts to encrypt data in the environment, however, which is the usual indicator of a ransomware attack, leaving the exact nature of the attack undetermined.
-
Customizing for Every CustomerPersonalise customer experiences at scale with CRM+AI+Data+Trust. True 1-to-1 personalisation is finally possible.
-
The Data Foundation for the Age of AISee how you can build a data strategy for the age of AI. How Data Cloud unifies data for use in personalisation and grounded AI.
-
Microsoft patched a critical vulnerability in its NLWeb AI search tool – but there's no CVE (yet)News Researchers found an unauthenticated path traversal bug in the tool debuted at Microsoft Build in May
-
SharePoint flaw: Microsoft says hackers deploying ransomwareNews Fallout from the serious zero-day SharePoint vulnerability continues with Microsoft warning about ransomware attacks
-
NCSC says ‘limited number’ of UK firms affected by SharePoint attack as global impact spreadsNews The SharePoint flaw has already had a wide impact according to reports from government security agencies
-
Microsoft’s new SharePoint vulnerability – everything you need to knowNews ToolShell allows unauthorized access to on-premises SharePoint servers
-
Confused at all the threat group names? You’re not alone. CrowdStrike and Microsoft want to change thatNews CrowdStrike and Microsoft hope to "bring clarity and coordination" to the cyber industry by unifying threat group naming conventions.
-
A flaw in OneDrive’s File Picker feature could give access to hundreds of appsNews The OneDrive File Picker flaw could affect hundreds of apps, researchers warn
-
Microsoft ramps up zero trust capabilities amid agentic AI pushNews The move from Microsoft looks to bolster agent security and prevent misuse
-
So long, Defender VPN: Microsoft is scrapping the free-to-use privacy tool over low uptakeNews Defender VPN, Microsoft's free virtual private network, is set for the scrapheap, so you might want to think about alternative services.
