
Threat actors have exploited a vulnerability in Microsoft SharePoint Server, identified as CVE-2024-38094, allowing them to gain complete domain access and compromise critical systems. The Rapid7 incident response team has detailed how this sophisticated attack combines various techniques to achieve this level of access.
The research team detected suspicious activity involving a Microsoft Exchange service account with domain administrator privileges. By exploiting the CVE-2024-38094 vulnerability in the SharePoint server, attackers managed to execute remote code, providing them the access they needed to move laterally across the network undetected for two weeks.
Once inside, the attacker used the compromised Exchange service account to install the Chinese Horoung Antivirus, whose installation crashed the existing security software and so bypassed it. This allowed the attacker to deploy and run malicious tools like Impacket for lateral movement. This deliberate crash, mapped to the MITRE ATT&CK Impair Defenses technique (T1562), gave the attacker the foothold needed.
From the compromised SharePoint server, the attacker deployed Mimikatz to extract credentials and altered system logs to hide their activity. They also used a webshell named ghostfile93.aspx to maintain persistent access, generating numerous HTTP POST requests from a single external IP. This webshell, along with other malicious executables like Fast Reverse Proxy (FRP), enabled the attacker to map the network, collect credentials, and establish external connections.
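The webshell traffic pattern described above (many HTTP POST requests to one `.aspx` page from a single external address) is something a defender can hunt for in the SharePoint server's IIS W3C logs. The following is an added example written for this summary, not code from Rapid7 or from the original post; the log excerpt is constructed, the `/_layouts/15/` directory for the webshell and all IP addresses and timestamps are assumptions, and only the filename `ghostfile93.aspx` comes from the write-up.

```python
import ipaddress
from collections import Counter

# Internal address ranges for this (assumed) environment; anything outside
# them is treated as an external client. Adjust to the real network.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed IIS W3C log excerpt. IIS writes spaces inside a field as '+',
# which is why the User-Agent values below contain no spaces.
SAMPLE_IIS_LOG = """
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-10-01 10:00:01 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) 200
2024-10-01 10:00:04 10.0.0.5 POST /_layouts/15/upload.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) 200
2024-10-01 10:01:10 10.0.0.5 POST /_layouts/15/ghostfile93.aspx - 443 - 203.0.113.7 python-requests/2.31 200
2024-10-01 10:01:12 10.0.0.5 POST /_layouts/15/ghostfile93.aspx - 443 - 203.0.113.7 python-requests/2.31 200
2024-10-01 10:01:15 10.0.0.5 POST /_layouts/15/ghostfile93.aspx - 443 - 203.0.113.7 python-requests/2.31 200
2024-10-01 10:01:19 10.0.0.5 POST /_layouts/15/ghostfile93.aspx - 443 - 203.0.113.7 python-requests/2.31 200
2024-10-01 10:01:23 10.0.0.5 POST /_layouts/15/ghostfile93.aspx - 443 - 203.0.113.7 python-requests/2.31 200
2024-10-01 10:01:30 10.0.0.5 POST /_layouts/15/ghostfile93.aspx - 443 - 203.0.113.7 python-requests/2.31 200
2024-10-01 10:05:00 10.0.0.5 POST /_layouts/15/start.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 302
2024-10-01 10:05:02 10.0.0.5 POST /_layouts/15/start.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 302
"""


def is_external(ip_text):
    """True when the client address lies outside every internal range."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def parse_iis_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.strip().splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def find_webshell_posts(text, threshold=5):
    """Return (client_ip, uri, count) for every .aspx page that received at
    least `threshold` POST requests from one external client address."""
    counts = Counter()
    for rec in parse_iis_log(text):
        if rec["cs-method"] != "POST":
            continue
        if not rec["cs-uri-stem"].lower().endswith(".aspx"):
            continue
        if not is_external(rec["c-ip"]):
            continue
        counts[(rec["c-ip"], rec["cs-uri-stem"])] += 1
    return sorted((ip, uri, n) for (ip, uri), n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, uri, n in find_webshell_posts(SAMPLE_IIS_LOG):
        print(f"suspicious: {n} POSTs to {uri} from external {ip}")
```

The threshold is deliberately low for the constructed sample; on a real SharePoint farm you would tune it against a baseline and also compare the flagged page against the list of `.aspx` files that the product and your own solutions are known to ship, since a page that only one outside client ever touches is the stronger signal.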
Researchers noticed various binaries used by the attacker to broaden domain control. They ran everything.exe to index the NTFS file system and Certify.exe to generate Active Directory Federation Services (ADFS) certificates, giving them elevated privileges. The attacker also used Kerbrute, a tool for brute-forcing Kerberos tickets, pointing to a targeted strategy of breaching authentication mechanisms, and made efforts to obliterate third-party backups.
The analysis highlights the importance of robust logging and early detection. It stresses that “examining authentication event logs from domain controllers” is crucial for spotting unusual activities, particularly those involving privileged accounts. It advises reviewing security policies, enhancing log monitoring, and keeping up with the latest patches, especially for high-risk services like SharePoint, to prevent similar breaches.
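One concrete way to act on the advice to examine domain controller authentication logs is to watch Kerberos service-ticket requests (Event ID 4769) made by privileged accounts and flag two things the incident above exhibited: a service account requesting tickets from a host it never normally uses, and that account reaching many different hosts in a short window. The code below is an added example for this summary, not Rapid7's tooling or any detection from the original post. The pipe-delimited export format, the account name `svc_exchange`, the host names, IPs and timestamps are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed export of 4769 events from a domain controller, one per line:
# time|event_id|TargetUserName|ServiceName|IpAddress. The Exchange service
# account normally authenticates only from EXCH01 (10.0.0.8); the later
# burst comes from the SharePoint server (10.0.0.5).
SAMPLE_DC_EVENTS = """
2024-10-01T09:00:05|4769|svc_exchange@CORP.LOCAL|cifs/EXCH01.corp.local|10.0.0.8
2024-10-01T09:02:11|4769|alice@CORP.LOCAL|cifs/FS01.corp.local|10.0.1.20
2024-10-01T10:15:00|4769|svc_exchange@CORP.LOCAL|host/DC01.corp.local|10.0.0.5
2024-10-01T10:15:30|4769|svc_exchange@CORP.LOCAL|cifs/FS01.corp.local|10.0.0.5
2024-10-01T10:16:02|4769|svc_exchange@CORP.LOCAL|host/WS-HR-04.corp.local|10.0.0.5
2024-10-01T10:16:40|4769|svc_exchange@CORP.LOCAL|cifs/BACKUP01.corp.local|10.0.0.5
2024-10-01T10:17:10|4769|svc_exchange@CORP.LOCAL|host/SQL01.corp.local|10.0.0.5
2024-10-01T11:30:00|4769|alice@CORP.LOCAL|cifs/FS01.corp.local|10.0.1.20
"""

# Accounts that hold domain admin rights, and the client addresses each one
# is expected to authenticate from (both assumed for this example).
PRIVILEGED = {"svc_exchange"}
EXPECTED_SOURCES = {"svc_exchange": {"10.0.0.8"}}


def parse_dc_events(text):
    """Yield normalised event dicts; user and target host are lower-cased."""
    for line in text.strip().splitlines():
        ts, event_id, user, service, ip = line.split("|")
        yield {
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "user": user.split("@")[0].lower(),
            "host": service.split("/")[-1].lower(),  # "cifs/FS01..." -> "fs01..."
            "ip": ip,
        }


def detect_privileged_abuse(text, privileged=PRIVILEGED, expected=EXPECTED_SOURCES,
                            window=timedelta(hours=1), max_hosts=3):
    """Return alerts for privileged accounts that request service tickets from
    an unexpected source address or for more than `max_hosts` distinct hosts
    inside a sliding time window. Each (user, rule, key) is reported once."""
    events = sorted(parse_dc_events(text), key=lambda e: e["time"])
    recent = defaultdict(deque)   # user -> deque of (time, host) inside the window
    reported = set()
    alerts = []
    for e in events:
        if e["event_id"] != "4769" or e["user"] not in privileged:
            continue
        user = e["user"]
        if e["ip"] not in expected.get(user, set()) and (user, "src", e["ip"]) not in reported:
            reported.add((user, "src", e["ip"]))
            alerts.append({"user": user, "rule": "unexpected_source",
                           "detail": e["ip"], "time": e["time"].isoformat()})
        q = recent[user]
        q.append((e["time"], e["host"]))
        while q and e["time"] - q[0][0] > window:
            q.popleft()
        hosts = sorted({h for _, h in q})
        if len(hosts) > max_hosts and (user, "spread", None) not in reported:
            reported.add((user, "spread", None))
            alerts.append({"user": user, "rule": "host_spread",
                           "detail": hosts, "time": e["time"].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect_privileged_abuse(SAMPLE_DC_EVENTS):
        print(f"{a['time']} {a['user']} {a['rule']}: {a['detail']}")
```

Both rules depend on a baseline: the list of privileged accounts and where each is expected to log on from. Keeping that baseline current is most of the work, but once it exists, a domain admin account suddenly authenticating from a web-facing SharePoint host stands out immediately rather than after two weeks.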
MITRE ATT&CK TTP

Indicators of Compromise (SHA-256 hashes)
- d3a6ed07bd3b52c62411132d060560f9c0c88ce183851f16b632a99b4d4e7581
- 61c0810a23580cf492a6ba4f7654566108331e7a4134c968c2d6a05261b2d8a1
- 95cc0b082fcfc366a7de8030a6325c099d8012533a3234edbdf555df082413c7
- d18aa84b7bf0efde9c6b5db2a38ab1ec9484c59c5284c0bd080f5197bf9388b0
- f618b09c0908119399d14f80fc868b002b987006f7c76adbcec1ac11b9208940
- e451287843b3927c6046eaabd3e22b929bc1f445eec23a73b1398b115d02e4fb
- 1beec8cecd28fdf9f7e0fc5fb9226b360934086ded84f69e3d542d1362e3fdf3
- 6ce228240458563d73c1c3cbbd04ef15cb7c5badacc78ce331848f5431b406cc
- acb5de5a69c06b7501f86c0522d10fefa9c34776c7535e937e946c6abfc9bbc6
For more information, refer to the blog.