Hackers are exploiting a SharePoint RCE vulnerability to compromise the entire domain

Exploiting vulnerabilities in popular software platforms is a common theme in the ever-evolving cybersecurity landscape. Hackers Exploiting SharePoint Vulnerability. A sophisticated cyber attack recently brought this reality to the forefront when threat actors successfully compromised an entire domain by exploiting a critical remote code execution (RCE) vulnerability in Microsoft SharePoint.

The attackers’ approach was marked by precision and patience. They infiltrated the target network, silently remaining undetected for two weeks, gathering sensitive information and planting malware to maintain persistent access. This incident underscores the growing sophistication of cyber threats and the constant pressure on security teams to stay ahead of attackers.

Microsoft SharePoint, a widely used collaboration and content management platform, has become a tempting target for hackers due to its integration with many organizations’ core business processes. The RCE vulnerability allowed the attackers to execute arbitrary code, thereby gaining unauthorized control over the SharePoint server. From there, they methodically moved laterally across the network, escalating privileges and compromising the entire domain.

The attack’s ability to evade detection for such an extended period highlights the evolving tactics used by modern cybercriminals. Rather than launching a loud, easily detectable assault, the attackers opted for a low-profile, stealthy approach that gave them ample time to achieve their objectives. This stealth made it easier for security tools and monitoring systems to recognize the threat once it was too late.

One key lesson from this breach is understanding and mitigating vulnerabilities before they can be exploited. The SharePoint RCE flaw was a known vulnerability, but it served as a reminder that patching and updating systems promptly is critical to reducing risk exposure. Organizations that fail to do so leave themselves vulnerable to similar attacks.

Moreover, this incident demonstrates the necessity of robust, multi-layered security measures. Relying solely on traditional defenses like firewalls and antivirus software is no longer sufficient. Modern threats require advanced detection systems, continuous network monitoring, and proactive threat hunting to identify and respond to suspicious activity.

The breach also raises questions about the role of human oversight in cybersecurity. No matter how sophisticated security technologies become, human error and delayed response times remain weak points attackers can exploit. Therefore, investing in regular cybersecurity training and simulations for staff members is vital to strengthen an organization’s security posture.

Finally, as organizations increasingly adopt digital collaboration platforms like SharePoint, the balance between usability and security becomes more critical. The need for seamless information sharing and workflow management must be carefully weighed against the potential risks, with ongoing assessments to ensure security does not take a backseat.

As this attack demonstrates, vigilance and adaptability are essential in cybersecurity. With threat actors constantly refining their techniques, organizations must remain alert, continuously updating and testing their defenses to stay ahead of the curve.

Initial Access and Hackers Exploiting SharePoint Vulnerability

Cybercriminals’ evolving tactics highlight vulnerabilities in even the most robust systems. A recent case exemplifies this perfectly: attackers successfully exploited CVE-2024-38094, a critical remote code execution (RCE) vulnerability in an on-premise Microsoft SharePoint server. This breach emphasizes organizations’ need to stay vigilant and adopt advanced defensive measures.

CVE-2024-38094 is a newly discovered RCE vulnerability that gives threat actors a potent weapon against vulnerable SharePoint installations. By exploiting this flaw, attackers can execute arbitrary code on the target server, gaining unauthorized access and control. In this instance, the hackers leveraged a combination of GET and POST requests to infiltrate the system and establish persistence.

Once initial access was secured, the attackers deployed a web shell named “ghostfile93.aspx” on the compromised SharePoint server. This web shell served as a backdoor, allowing the attackers to remotely control the compromised system, execute commands, and deploy additional malicious payloads. The simplicity and efficiency of this approach highlight the creativity and resourcefulness of today’s cyber adversaries.

Rapid7’s Incident Response Team was pivotal in uncovering the initial breach. The Team’s investigation revealed that the exploitation of CVE-2024-38094 provided a straightforward entry point for the attackers, enabling them to bypass traditional security measures. Detecting the web shell was critical in understanding the full scope of the attack and its impact on the target environment.

The deployment of “ghostfile93.aspx” demonstrates a familiar yet effective tactic cybercriminals use: establishing persistence through web shells. Web shells like this one are challenging to detect and can provide attackers long-term access to compromised systems. This persistent foothold allows threat actors to escalate activities, move laterally within the network, and exfiltrate valuable data.

Microsoft SharePoint, widely used for content management and collaboration, is an attractive target for attackers. The platform’s integration with various organizational processes often means that any vulnerability can have far-reaching consequences. The CVE-2024-38094 vulnerability underscores the importance of timely patch management and continuous monitoring for unusual activities.

Using a remote code execution attack to compromise a domain raises concerns about how organizations protect their on-premise infrastructure. Despite cloud and hybrid solutions advancements, many organizations still rely on on-premise servers that require constant security updates and assessments. This attack is a stark reminder of the risks associated with unmanaged or outdated software.

Understanding the techniques used in this attack is crucial for developing effective defenses. The attackers’ combination of GET and POST requests to deploy the web shell reflects a deliberate and well-thought-out approach to avoid detection. It also underscores the need for advanced threat detection and response capabilities to identify and mitigate suspicious behaviors.

The incident also highlights the critical role of incident response teams in defending against cyber threats. Rapid7’s timely detection and analysis of the breach limited the attackers’ potential impact and provided valuable insights into their methods. This collaboration between incident response and ongoing threat intelligence is essential for modern cybersecurity practices.

Organizations must take this breach as a wake-up call to assess security measures. Implementing regular vulnerability assessments, updating software promptly, and employing comprehensive monitoring solutions can make a significant difference. As attackers grow more sophisticated, a proactive approach to cybersecurity becomes increasingly vital.

In conclusion, the exploitation of CVE-2024-38094 is a stark example of how quickly threat actors can turn a vulnerability into a full-scale attack. Organizations can better prepare to defend against future threats by understanding the tactics and techniques. As the landscape evolves, staying informed and agile is critical to maintaining a secure environment.

Once inside the network, the hackers moved laterally, compromising a Microsoft Exchange service account with domain administrator privileges. They utilized various tools and techniques to expand their foothold:

• The Impacket: I attempted to install and run this set of Python scripts for network protocol interaction.
• Horoung Antivirus: I installed this Chinese antivirus software to turn off the existing security solutions.
• Fast Reverse Proxy (FRP): Used to protect external access via firewalls.

The SharePoint RCE vulnerability was exploited.

The SharePoint RCE vulnerability was exploited, a cyberattack in which attackers took advantage of a security flaw in Microsoft SharePoint, a widely used collaboration and content management platform. The attackers showed a thorough understanding of network penetration and evasion strategies:

• Active Directory Exploitation: Attackers leveraged tools such as ADExplorer64.exe, NTDSUtil.exe, and nxc.exe to map the Active Directory (AD) environment thoroughly. This survey enabled them to collect valuable information and extract credentials, providing a comprehensive understanding of the network’s structure.
• Credential Harvesting: The attackers used the popular tool Mimikatz, disguised under “66.exe,” to steal sensitive login credentials from the compromised system. This step was crucial for gaining higher-level access and moving laterally within the network.
• Log Tampering: To avoid detection, the attackers turned off the system’s logging mechanisms and erased event logs, effectively covering their tracks and making it difficult for defenders to trace their malicious activities.
• Persistence: The attackers ensured continued access to the compromised environment by setting up scheduled tasks on the domain controller. These tasks supported the operation of the Fast Reverse Proxy (FRP) tool, enabling them to maintain external access despite security defenses.

Stealth Tactics and Escalation Techniques

The attackers exhibited remarkable stealth, remaining undetected in the compromised network for two weeks. During this time, they focused on maximizing their access and expanding their influence within the environment. One of their critical efforts included targeting third-party backup systems to compromise these essential recovery tools and undermine potential restoration efforts.

In addition to targeting backups, the attackers employed advanced tools like Certify.exe, which enabled them to generate ADFS (Active Directory Federation Services) certificates. These certificates allowed the attackers to perform elevated actions within the Active Directory environment, escalating their privileges and facilitating further lateral movement across the network.

To obfuscate their presence, the attackers engaged in extensive log tampering. They tampered with existing system logs and disabled critical logging mechanisms on the compromised SharePoint server. This maneuver complicated the efforts of security teams, making it exceedingly difficult to trace the attackers’ activities and piece together a comprehensive timeline of the breach.

A particularly disruptive tactic was the installation of Huorong AntiVirus, a Chinese antivirus software. By deploying this software, the attackers caused conflicts with the existing security solutions, effectively disabling them. This action created a security void, allowing the attackers to operate with fewer restrictions and reducing the chance of their malicious activities being detected.

The attackers’ use of Huorong AntiVirus was strategic, as it facilitated their ongoing efforts to disable and bypass security mechanisms. By suppressing existing defenses, they created an environment where they could continue their activities undisturbed, pursuing their objectives and escalating their access with minimal resistance.

This blend of stealth tactics and escalation techniques underscores the attackers’ sophistication. Their calculated actions to maintain persistence, cover their tracks, and neutralize security measures illustrate the lengths cybercriminals will go to achieve their goals. It also highlights the importance of proactive monitoring and advanced threat detection to counter persistent and evasive threats.

For more:

https://cybersecuritynews.com/hackers-exploiting-sharepoint-rce-vulnerability/