Researchers observed an attacker exploiting CVE-2024-38094—a vulnerability in Microsoft SharePoint. The attacker gained unauthorized access, escalated privileges, and moved laterally across the network to gain control over the entire domain. Through various techniques, including disabling security defenses and tampering with system logs, the attacker remained undetected for two weeks. The compromise included credential theft, remote access setup, and attempts to destroy third-party backups.
The initial access vector exploited CVE-2024-38094, a SharePoint remote code execution vulnerability that enabled the attacker to drop a webshell on the compromised server. This vulnerability has a CVSS v3.1 score of 7.2, marking it as a high-severity flaw. Logs showed multiple GET and POST requests used to exploit the vulnerability, leveraging external IPs to install the ghostfile93.aspx webshell. With elevated privileges, the attacker leveraged this foothold to compromise a Microsoft Exchange service account, enabling further movement across the domain.
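As an added example (not part of the original report), the following Python triage script scans IIS W3C log lines for the footprint the GET/POST activity around ghostfile93.aspx described above would leave: .aspx paths that are absent from a known-clean baseline and are requested by external, unauthenticated clients. The log excerpt, the KNOWN_PAGES baseline and the INTERNAL_NETS ranges are constructed assumptions for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Constructed IIS W3C log excerpt (not from the incident); the #Fields header drives parsing.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-01 10:00:01 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 200
2024-01-01 10:00:04 10.0.0.5 GET /pages/default.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2024-01-01 10:00:07 10.0.0.5 POST /_layouts/15/ghostfile93.aspx - 443 - 203.0.113.44 python-requests/2.31 200
2024-01-01 10:00:09 10.0.0.5 GET /_layouts/15/ghostfile93.aspx - 443 - 203.0.113.44 python-requests/2.31 200
2024-01-01 10:01:00 10.0.0.5 POST /_vti_bin/client.svc/ProcessQuery - 443 CORP\\bob 10.0.1.21 Mozilla/5.0 200
"""
# Assumed baseline of .aspx pages observed during a known-clean period (constructed).
KNOWN_PAGES = {"/sites/hr/default.aspx", "/pages/default.aspx"}
# Assumed internal address space; any client outside it counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_iis_w3c(text):
    """Yield one dict per request line, with column names taken from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip malformed lines rather than abort the scan
                yield dict(zip(fields, values))

def is_external(ip):
    """True for a client address outside INTERNAL_NETS (unparseable values count as external)."""
    try:
        return not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
    except ValueError:
        return True

def find_webshell_candidates(log_text, known_pages=KNOWN_PAGES):
    """Map each .aspx path missing from the baseline and reached by an external, unauthenticated
    client to its request-method counts and source IPs; a dropped webshell surfaces here first."""
    hits = defaultdict(lambda: {"methods": defaultdict(int), "client_ips": set()})
    for row in parse_iis_w3c(log_text):
        stem = row["cs-uri-stem"].lower()
        if not stem.endswith(".aspx") or stem in known_pages:
            continue
        if row["cs-username"] != "-" or not is_external(row["c-ip"]):
            continue  # authenticated or internal traffic is triaged separately
        hits[stem]["methods"][row["cs-method"]] += 1
        hits[stem]["client_ips"].add(row["c-ip"])
    return {s: {"methods": dict(h["methods"]), "client_ips": sorted(h["client_ips"])}
            for s, h in hits.items()}
```

Run against the sample, only the unknown `/_layouts/15/ghostfile93.aspx` path is reported, with one POST and one GET from a single external address; the known public page hit anonymously from outside is suppressed by the baseline.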
The attacker deployed Huorong Antivirus, a tool commonly available in China, to intentionally conflict with and disable legitimate security software. This allowed them to circumvent defenses, notably impairing detection and clearing the way for lateral movement with Impacket. Additional actions included disabling Windows Defender, installing Fast Reverse Proxy (FRP) for external access, and leveraging binaries such as Mimikatz for credential harvesting and Certify.exe for creating ADFS certificates. They used tools such as everything.exe for network scanning and kerbrute for brute-forcing Active Directory tickets. Attempts were also made to delete third-party backups, although these were unsuccessful.