Microsoft identifies SharePoint intrusions now involving ransomware threats
Breaking News: Global Cyberattack Targets Microsoft SharePoint Servers
Ransomware attacks have escalated: the latest threat actor, tracked as Storm-2603, is exploiting vulnerabilities in Microsoft SharePoint servers to deploy Warlock ransomware.
According to reports, Storm-2603 has been abusing vulnerable on-premises SharePoint servers since July 18, exploiting critical bugs such as CVE-2025-49704 and CVE-2025-49706. These vulnerabilities allow unauthenticated attackers to gain remote access to, and execute code on, vulnerable servers.
The attack process begins with the upload and execution of a malicious web shell payload, such as spinstall0.aspx, which runs inside the SharePoint worker process (w3wp.exe). After gaining access, Storm-2603 runs discovery commands to enumerate the user context and validate privileges, moves laterally across the network, and creates scheduled tasks and manipulates Internet Information Services (IIS) components for persistence.
To expand control over the network and systems, Storm-2603 steals credentials and employs the web shell for continued access. They also manipulate Windows services and registry entries to disable security tools like Microsoft Defender.
The final step in the attack is the deployment of Warlock ransomware, which is distributed across compromised environments by modifying Group Policy Objects (GPOs). This results in data being encrypted and ransom payments being demanded from victims.
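As an added illustration that is not part of the article, the following Python script shows how a defender might triage for the two earliest indicators described above: requests to the spinstall0.aspx web shell in IIS logs, and command interpreters spawned by the SharePoint worker process w3wp.exe. The log layouts, IP addresses and the list of child-process names are assumptions, and the sample lines are constructed.

```python
# Added example (not from the article): flag the web-shell and in-process
# execution indicators described above in constructed log samples.
import re
from typing import Dict, List

WEBSHELL_NAMES = {"spinstall0.aspx"}          # web shell named in the article
SHAREPOINT_WORKER = "w3wp.exe"                 # SharePoint worker process
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}  # assumption: interpreters used for discovery

# Constructed IIS W3C-style lines: date time c-ip cs-method cs-uri-stem sc-status
IIS_LOG = """\
2025-07-19 10:00:01 203.0.113.5 GET /_layouts/15/start.aspx 200
2025-07-19 10:00:07 203.0.113.5 POST /_layouts/15/spinstall0.aspx 200
2025-07-19 10:00:09 198.51.100.7 GET /sites/hr/default.aspx 200
"""

# Constructed process-creation events: timestamp,parent_image,image,command_line
PROC_LOG = """\
2025-07-19 10:00:08,w3wp.exe,cmd.exe,cmd.exe /c whoami
2025-07-19 10:00:10,explorer.exe,notepad.exe,notepad.exe
2025-07-19 10:00:12,w3wp.exe,powershell.exe,powershell.exe -Command Get-Process
"""

IIS_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d+)$")

def find_webshell_requests(log: str) -> List[Dict[str, str]]:
    """Return requests whose URI ends in a known web-shell file name."""
    hits = []
    for line in log.splitlines():
        m = IIS_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        ts, ip, method, uri, status = m.groups()
        if uri.rsplit("/", 1)[-1].lower() in WEBSHELL_NAMES:
            hits.append({"time": ts, "ip": ip, "method": method, "uri": uri, "status": status})
    return hits

def find_worker_spawned_shells(log: str) -> List[Dict[str, str]]:
    """Return command interpreters whose parent process is w3wp.exe."""
    hits = []
    for line in log.splitlines():
        parts = line.split(",", 3)
        if len(parts) != 4:
            continue  # malformed or empty line
        ts, parent, image, cmd = parts
        if parent.lower() == SHAREPOINT_WORKER and image.lower() in SUSPICIOUS_CHILDREN:
            hits.append({"time": ts, "parent": parent, "image": image, "cmd": cmd})
    return hits
```

Both functions return the matching records so they can be fed to a ticketing or SIEM pipeline; the sample data yields one web-shell request and two worker-spawned interpreters.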
The US Energy Department and its National Nuclear Security Administration (NNSA) have been among the victims, along with more than 400 organizations worldwide, according to cybersecurity firm Eye Security.
Microsoft has released patches for SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition to address these vulnerabilities. It is strongly advised that organizations update their systems promptly to prevent further compromise.
Additional actors are expected to use these exploits to target unpatched on-premises SharePoint systems. Storm-2603 has been observed deploying both Warlock and Lockbit ransomware in the past, and it is likely that other groups will follow suit.
Stay vigilant and ensure your systems are up to date to protect against these threats. For more information, visit Microsoft's Security Update Guide.
- Amid the global cyberattack targeting Microsoft SharePoint servers, enterprises should apply the security patches provided by Microsoft promptly to mitigate the risk.
- Leveraging AI and cybersecurity technology, organizations should strengthen their data and cloud computing infrastructure to combat the spread of ransomware such as Warlock and Lockbit.
- In the aftermath of the breach, many enterprises have been left vulnerable because of unpatched SharePoint servers, highlighting the importance of regular software updates for system security.
- To maintain a robust cybersecurity posture, it is crucial to integrate AI tools that can identify and respond to threats, and to closely monitor activity on SharePoint servers, especially while critical patches are being deployed to mitigate security vulnerabilities.