Warning issued after SharePoint flaw puts entire corporate networks at risk
A threat actor was able to remain undetected on a corporate network for over two weeks after exploiting a high-severity SharePoint vulnerability
Security researchers have issued an alert over threat actors exploiting a recently disclosed vulnerability in Microsoft SharePoint, warning the weakness could allow attackers to compromise the entire network.
Researchers from Rapid7’s incident response team have published findings from an investigation where hackers compromised a Microsoft Exchange service account by exploiting a vulnerability in a public-facing application.
The attacker was able to access a SharePoint server without authorization, and subsequently used the admin privileges on an Exchange service account to move around the network “compromising the entire domain”, the report stated.
The report noted that after gaining initial access to the target’s corporate environment the threat actor was able to persist on the network undetected for two weeks.
Rapid7 said it has begun exploring suspicious activity tied to the Microsoft Exchange service account, including the installation of the Horoung antivirus software, which was not authorized in the environment.
Horoung is a popular antivirus solution in China, available on the Microsoft Store, and was used in the attack chain to create a conflict with other security products active on the system and weaken the environment’s overall security posture.
Hackers used Chinese antivirus software to disable existing security tools
After exploiting CVE-2024-38094, the attacker installed the Horoung antivirus in order to disrupt the existing security software on the system enabling malicious lateral movement activities.
The first of these activities was to compromise a Microsoft Exchange service account with domain administrator privileges to enable further lateral movement around the environment.
Using authentication event logs from the organization’s domain controllers, Rapid7 were able to track the lateral movement events of the attack and construct a timeline covering the incident’s two-week dwell time, beginning with the exploitation of the target’s public-facing SharePoint server.
The conflict caused by the installation of Horoung allowed the attacker to use Python to install and execute Impacket from GitHub. Impacket is an open-source collection of Python classes for working with network protocols, which is commonly used to facilitate lateral movement in a target environment.
Rapid7 found the attacker used the Exchange service account to authenticate via RDP, going on to disable the system's Windows Defender Threat Detection (WDTD), adding an exclusion for a malicious binary called msvrp.exe, used to establish command and control.
“This binary is a tool called Fast Reverse Proxy (FRP), which allows external access to the system through a NAT-configured firewall,” the report noted.
The attacker also executed the Mimikatz program to harvest credentials, cleared event logs, and disabled system logging, helping obfuscate the threat actor’s TTPs.
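As an added illustration that is not part of the article or the Rapid7 report, the following Python triages constructed Windows event records of the kinds described above: an RDP logon by a service account (Security event 4624, logon type 10), a Defender path exclusion being added (Windows Defender Operational event 5007), and the audit log being cleared (Security event 1102), then orders the hits into a timeline and computes the dwell time. Host names, account names, timestamps and the service-account list are all made up.

```python
from datetime import datetime

# Constructed sample event records (dicts standing in for parsed EVTX/SIEM rows); not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2024-09-16T08:02:11Z", "host": "DC01", "id": 4624, "user": "jdoe", "logon_type": 10, "src": "10.0.9.4"},
    {"ts": "2024-09-16T21:14:05Z", "host": "DC01", "id": 4624, "user": "svc_exchange", "logon_type": 10, "src": "10.0.5.23"},
    {"ts": "2024-09-16T21:16:40Z", "host": "SRV07", "id": 5007, "user": "svc_exchange",
     "detail": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Windows\\Temp\\msvrp.exe = 0x0"},
    {"ts": "2024-09-30T19:20:12Z", "host": "SRV07", "id": 1102, "user": "svc_exchange"},
]

# Constructed policy: service accounts are never expected to log on interactively (logon type 10 = RemoteInteractive/RDP).
SERVICE_ACCOUNTS = {"svc_exchange"}
RDP_LOGON_TYPE = 10

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def classify(event):
    """Return a reason string if the event matches one of the tradecraft signals, else None."""
    if event["id"] == 4624 and event.get("logon_type") == RDP_LOGON_TYPE and event["user"] in SERVICE_ACCOUNTS:
        return "RDP logon by service account"
    if event["id"] == 5007 and "\\Exclusions\\Paths\\" in event.get("detail", ""):
        return "Defender path exclusion added"
    if event["id"] == 1102:
        return "Security audit log cleared"
    return None

def build_timeline(events):
    """Chronological list of (timestamp, host, user, reason) for every suspicious event."""
    hits = [(parse_ts(e["ts"]), e["host"], e["user"], classify(e)) for e in events if classify(e)]
    return sorted(hits)

def dwell_days(timeline):
    """Whole days between the first and last suspicious event; 0 if fewer than two hits."""
    if len(timeline) < 2:
        return 0
    return (timeline[-1][0] - timeline[0][0]).days

if __name__ == "__main__":
    tl = build_timeline(SAMPLE_EVENTS)
    for ts, host, user, reason in tl:
        print(f"{ts:%Y-%m-%d %H:%M} {host:<6} {user:<13} {reason}")
    print(f"dwell time: {dwell_days(tl)} days")
```

On real data the same three rules would run over domain controller Security logs and endpoint Defender Operational logs, with the service-account list drawn from the organisation's own directory.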
Rapid7 recorded a litany of additional tools leveraged by the attacker including a renamed version of Mimikatz (66.exe), certify.exe to create ADFS certificates, and everything.exe – a tool frequently used in ransomware attacks to find files for encryption.
Finally, the threat actor appeared to attempt to destroy third-party backups via multiple methods, according to the report, but was ultimately unsuccessful.
Rapid7 added, however, that it did not observe any attempts to encrypt data in the environment, which is the usual indicator of a ransomware attack, leaving the exact nature of the attack undetermined.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.