Security researchers have issued an alert over threat actors exploiting a recently disclosed vulnerability in Microsoft Sharepoint, warning the weakness could allow attackers to compromise the entire network.
Researchers from Rapid7’s incident response team have published findings from an investigation where hackers compromised a Microsoft Exchange service account by exploiting a vulnerability in a public-facing application.
The attacker was able to access a SharePoint server without authorization, and subsequently used the admin privileges on an Exchange service account to move around the network “compromising the entire domain”, the report stated.
The report noted that after gaining initial access to the target’s corporate environment the threat actor was able to persist on the network undetected for two weeks.
Rapid7 said it has begun exploring suspicious activity tied to the Microsoft Exchange service account, including the installation of the Horoung antivirus software, which was not authorized in the environment.
Horoung is a popular antivirus solution in China, available on the Microsoft store, and was used in the attack chain to create a conflict with other security products active on the system, and weaken the environement’s overall security posture.
Hackers used Chinese antivirus software to disable existing security tools
After exploiting CVE-2024-38094, the attacker installed the Horoung antivirus in order to disrupt the existing security software on the system enabling malicious lateral movement activities.
First among these was to compromise a Microsoft Exchange service account with domain administrator privileges to enable further lateral movement around the environment.
Using authentication event logs from the organization’s domain controllers, Rapid7 were able to track the lateral movement events of the attack and construct a timeline covering the incident’s two-week dwell time, beginning with the exploitation of the target’s public-facing SharePoint server.
The conflict caused by the installation of Horoung allowed the attacker to use Python to install and execute Impacket from GitHub. Impacket is a collection of open-source network protocols, which are usually used to facilitate lateral movement on a target environment.
Rapid7 found the attacker used the Exchange service account to authenticate via RDP, going on to disable the system's Windows Defender Threat Detection (WDTD), adding an exclusion for a malicious binary called msvrp.exe, used to establish command and control.
“This binary is a tool called Fast Reverse Proxy (FRP), which allows external access to the system through a NAT-configured firewall,” the report noted
The attack also executed the Mimikatz program to harvest credentials, clear event logs, and disable system logging, helping obfuscate the threat actor’s TTPs.
Rapid7 recorded a litany of additional tools leveraged by the attacker including a renamed version of Mimikatz (66.exe), certify.exe to create ADFS certificates, and everything.exe – a tool frequently used in ransomware attacks to find files for encryption.
Finally, the threat actor appeared to attempt to destroy third party backups via multiple methods, according to the report, but were ultimately unsuccessful.
Rapid7 added that it did not observe any attempts to encrypt data in the environment, however, which is the usual indicator of a ransomware attack, leaving the exact nature of the attack undetermined.
-
Should AI PCs be part of your next hardware refresh?AI PCs are fast becoming a business staple and a surefire way to future-proof your business
-
Westcon-Comstor and Vectra AI launch brace of new channel initiativesNews Westcon-Comstor and Vectra AI have announced the launch of two new channel growth initiatives focused on the managed security service provider (MSSP) space and AWS Marketplace.
-
So long, Defender VPN: Microsoft is scrapping the free-to-use privacy tool over low uptakeNews Defender VPN, Microsoft's free virtual private network, is set for the scrapheap, so you might want to think about alternative services.
-
Hackers are on a huge Microsoft 365 password spraying spree – here’s what you need to knowNews A botnet made up of 130,000 compromised devices has been conducting a huge password spraying campaign targeting Microsoft 365 accounts.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Microsoft is increasing payouts for its Copilot bug bounty programNews Microsoft has expanded the bug bounty program for its Copilot lineup, boosting payouts and adding coverage of WhatsApp and Telegram tools.
-
Hackers are using this new phishing technique to bypass MFANews Microsoft has warned that a threat group known as Storm-2372 has altered its tactics using a specific ‘device code phishing’ technique to bypass MFA and steal access tokens.
-
A new phishing campaign is exploiting Microsoft’s legacy ADFS identity solution to steal credentials and bypass MFANews Researchers at Abnormal Security have warned of a new phishing campaign targeting Microsoft's Active Directory Federation Services (ADFS) secure access system.
-
Hackers are using Microsoft Teams to conduct “email bombing” attacksNews Experts told ITPro that tactics like this are on the rise, and employees must be trained effectively
-
Microsoft files suit against threat actors abusing AI services
News Cyber criminals are accused of using stolen credentials for an illegal hacking as a service operation
