Cocktail of tools used in attack and persistence.
A high-severity remote code execution vulnerability in Microsoft SharePoint was exploited to compromise an entire corporate network domain without being detected for two weeks.
According to Bleeping Computer, the flaw - tracked as CVE-2024-38094 and rated at 7.2 severity - was leveraged to breach a Microsoft Exchange service account with elevated privileges, according to Rapid7.
The attacker deployed the Huorong Antivirus and installed Impacket, resulting in the deactivation of legitimate antivirus systems and lateral movement.
The researchers also utilised Mimikatz and FRP for credential compromise and remote access, and deployed other network scanning tools, performed ADFS certificate generation, brute-forced Active Directory tickets, and ensured persistence through scheduled tasks while deactivating Windows Defender and impacted systems' logs to conceal malicious activity.
However researchers did not observe any data encryption to be conducted as part of the attack.
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
