Cocktail of tools used in attack and persistence.
A high-severity remote code execution vulnerability in Microsoft SharePoint was exploited to compromise an entire corporate network domain without being detected for two weeks.
According to Bleeping Computer, the flaw - tracked as CVE-2024-38094 and rated at 7.2 severity - was leveraged to breach a Microsoft Exchange service account with elevated privileges, according to Rapid7.
The attacker deployed the Huorong Antivirus and installed Impacket, resulting in the deactivation of legitimate antivirus systems and lateral movement.
The researchers also utilised Mimikatz and FRP for credential compromise and remote access, and deployed other network scanning tools, performed ADFS certificate generation, brute-forced Active Directory tickets, and ensured persistence through scheduled tasks while deactivating Windows Defender and impacted systems' logs to conceal malicious activity.
However researchers did not observe any data encryption to be conducted as part of the attack.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
