CISA Warns of Active Exploitation of Microsoft SharePoint Vulnerability (CVE-2024-38094)

A high-severity vulnerability identified as CVE-2024-38094 has been recently cataloged by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as a Known Exploited Vulnerability (KEV), highlighting an active exploitation risk. This flaw, which pertains to Microsoft SharePoint and bears a CVSS score of 7.2, is classified as a deserialization vulnerability capable of facilitating remote code execution. Microsoft has indicated that authenticated attackers with Site Owner permissions can leverage this vulnerability to inject and execute arbitrary code within the context of SharePoint Server.

Patches for CVE-2024-38094 were released during Microsoft’s Patch Tuesday updates in July 2024. The situation is exacerbated by the availability of proof-of-concept (PoC) exploits in the public domain, allowing attackers to automate authentication to targeted SharePoint sites using NTLM, create specific folders and files, and send crafted XML payloads designed to trigger the vulnerability. Currently, there are no known instances of this vulnerability being exploited in actual attacks; however, Federal Civilian Executive Branch (FCEB) agencies are mandated to implement the necessary fixes by November 12, 2024, to safeguard their networks from potential threats.

Simultaneously, a separate zero-day vulnerability in Samsung’s mobile processors, tracked as CVE-2024-44068 and rated with a CVSS score of 8.1, was disclosed. This flaw has also been addressed as of October 7, 2024, with Samsung characterizing it as a “use-after-free” issue leading to privilege escalation. Although Samsung’s advisory did not explicitly indicate any real-world exploitation, researchers from Google’s Threat Analysis Group (TAG) revealed that a zero-day exploit has been incorporated into an exploit chain enabling arbitrary code execution within a privileged cameraserver process. The attackers allegedly renamed the process to obscure their actions for anti-forensic purposes.

Amid these vulnerabilities, CISA has proposed new security requirements aimed at preventing unauthorized access to sensitive personal and government-related data by potentially threatening nations. Organizations would be expected to remediate known exploited vulnerabilities within 14 days, critical vulnerabilities lacking exploits within 15 days, and high-severity vulnerabilities with no exploit discovered within a month. The agency emphasized the need for establishing audit logs to track access to sensitive data and developing robust identity management processes.

In an alarming update, cybersecurity firm Rapid7 reported that threat actors have been actively exploiting CVE-2024-38094 to gain initial access and deliver a web shell. The attack reportedly went undetected for two weeks, during which the attackers established persistence, executed lateral movement, and ultimately compromised a Microsoft Exchange service account with domain administrator privileges. Tools used in the attack included Impacket, Fast Reverse Proxy (FRP), and Mimikatz, with the attackers neutralizing Windows Defender Threat Detection and creating an exclusion rule to prevent detection of the FRP execution.

The compromised Exchange service account was utilized to install Horoung Antivirus, inadvertently creating conflicts with pre-existing security tools, leading to a system crash. This disruption allowed the attackers greater freedom to pursue their objectives without interference from the system’s current security measures, ultimately compromising the integrity of the targeted network.

Overall, the developments around CVE-2024-38094 and CVE-2024-44068 underscore significant challenges in cybersecurity, particularly regarding the active exploitation of vulnerabilities and the imperative for organizations to respond swiftly to mitigate risks associated with such emerging threats. The ongoing efforts by CISA and related agencies to enforce stringent security requirements aim to bolster defenses against increasingly sophisticated cyber adversaries.