Microsoft SharePoint flaw exploited to hack corporate networks

RCE in SharePoint used to access a company’s network and disable antivirus


Hackers were spotted abusing a high-severity vulnerability in Microsoft SharePoint to gain access to corporate IT infrastructure.

A report from cybersecurity researchers Rapid7 revealed how unnamed cybercriminals leveraged a flaw tracked as CVE-2024-38094 to establish initial access on the target’s network.

This is a remote code execution (RCE) flaw in SharePoint, Microsoft’s web-based platform for collaboration and document management, with a severity score of 7.2, and was fixed in mid-July 2024 as part of a Patch Tuesday cumulative update.


The vulnerability allowed the crooks to access the network, where they dwelled for two weeks.

During that time, they used a Fast Reverse Proxy to establish an outbound connection, ran Active Directory (AD) enumeration tools, and engaged in credential dumping via multiple tools such as NTDSUtil and Mimikatz.

Finally, they installed a Chinese antivirus solution to degrade, or disable, security tools on systems.

“This involved the service account installing the Horoung Antivirus (AV) software, which was not an authorized software in the environment,” the researchers said in the blog post.


“For context, Horoung Antivirus is a popular AV software in China that can be installed from Microsoft Store. Most notably, the installation of Horoung caused a conflict with active security products on the system. This resulted in a crash of these services. Stopping the system’s current security solutions allowed the attacker freedom to pursue follow-on objectives thus relating this malicious activity to Impairing Defenses.”
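The activity Rapid7 describes follows a recognisable pattern that defenders can look for in endpoint telemetry: known credential-dumping and tunnelling binaries running on a server, followed by an unapproved software install and, shortly afterwards, the organisation's own security services stopping. The script below is an added example, not code from the article or from Rapid7; the event format and the sample records are constructed, and the approved-software list and service names are placeholders. It flags each of those three signals and correlates the last two within a time window on the same host.

```python
"""Detection sketch for the behaviour described in the article: attacker tooling
on a SharePoint server, then an unapproved AV install that stops existing
security services (MITRE ATT&CK "Impair Defenses").
Added example; event shape and sample records are constructed."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Tools named in the article (ntdsutil, mimikatz) plus the Fast Reverse Proxy
# client/server binary names (frpc/frps). Matched case-insensitively on basename.
SUSPICIOUS_BINARIES = {"ntdsutil.exe", "mimikatz.exe", "frpc.exe", "frps.exe"}

# Hypothetical allow-list of software the organisation has approved.
APPROVED_SOFTWARE = {"Microsoft Office", "Google Chrome"}

# Hypothetical names of security services whose unexpected stop matters.
SECURITY_SERVICES = {"EDR Sensor", "Windows Defender"}

# Constructed sample telemetry (one dict per record). Not real log data.
SAMPLE_EVENTS = [
    {"ts": "2024-07-20T09:00:00", "host": "SP01", "kind": "process",
     "user": "svc_sharepoint", "image": "C:\\Windows\\System32\\ntdsutil.exe"},
    {"ts": "2024-07-20T09:05:00", "host": "SP01", "kind": "process",
     "user": "svc_sharepoint", "image": "C:\\Users\\Public\\frpc.exe"},
    {"ts": "2024-07-20T10:00:00", "host": "SP01", "kind": "install",
     "user": "svc_sharepoint", "product": "Horoung Antivirus"},
    {"ts": "2024-07-20T10:02:00", "host": "SP01", "kind": "service",
     "service": "EDR Sensor", "state": "stopped"},
    # Benign noise on another host: approved install, unrelated stop a day later.
    {"ts": "2024-07-20T11:00:00", "host": "WS07", "kind": "install",
     "user": "jdoe", "product": "Microsoft Office"},
    {"ts": "2024-07-21T11:00:00", "host": "WS07", "kind": "service",
     "service": "EDR Sensor", "state": "stopped"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def suspicious_tool_executions(events):
    """Process events whose image basename is a known attacker tool."""
    hits = []
    for e in events:
        if e["kind"] != "process":
            continue
        if PureWindowsPath(e["image"]).name.lower() in SUSPICIOUS_BINARIES:
            hits.append(e)
    return hits


def unapproved_installs(events, approved=APPROVED_SOFTWARE):
    """Install events for products outside the allow-list."""
    return [e for e in events
            if e["kind"] == "install" and e["product"] not in approved]


def impaired_defenses(events, approved=APPROVED_SOFTWARE,
                      window=timedelta(minutes=30)):
    """Pair each unapproved install with any security-service stop on the
    same host within `window` afterwards. Returns (install, stop) tuples."""
    pairs = []
    for inst in unapproved_installs(events, approved):
        for e in events:
            if (e["kind"] == "service" and e["state"] == "stopped"
                    and e["host"] == inst["host"]
                    and e["service"] in SECURITY_SERVICES):
                delta = _ts(e) - _ts(inst)
                if timedelta(0) <= delta <= window:
                    pairs.append((inst, e))
    return pairs


def analyze(events, approved=APPROVED_SOFTWARE):
    """Run all three checks and return the findings keyed by category."""
    return {
        "tools": suspicious_tool_executions(events),
        "installs": unapproved_installs(events, approved),
        "impaired": impaired_defenses(events, approved),
    }


if __name__ == "__main__":
    findings = analyze(SAMPLE_EVENTS)
    for e in findings["tools"]:
        print(f"[tool]     {e['ts']} {e['host']} {e['user']} ran {e['image']}")
    for e in findings["installs"]:
        print(f"[install]  {e['ts']} {e['host']} {e['user']} installed {e['product']}")
    for inst, stop in findings["impaired"]:
        print(f"[impaired] {stop['ts']} {stop['host']}: {stop['service']} stopped "
              f"{int((_ts(stop) - _ts(inst)).total_seconds() // 60)} min after "
              f"unapproved install of {inst['product']}")
```

The correlation step is the useful part: an unapproved install or a stopped security service on its own is common noise, but the two together on one host within minutes, as happened on the SharePoint server in this case, is worth paging on. In practice the same logic maps onto real sources such as Windows process-creation and service-control events or an EDR's own telemetry.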

In the meantime, the US Cybersecurity and Infrastructure Security Agency (CISA) added the RCE flaw to its Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies a tight deadline to address the flaw, or stop using SharePoint entirely.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
