Microsoft has recently issued urgent warnings regarding the active exploitation of critical zero-day vulnerabilities in its SharePoint Server software. These vulnerabilities, identified as CVE-2025-53770 and CVE-2025-53771, have been leveraged by multiple threat actors, notably the China-based group Storm-2603, to deploy Warlock ransomware in compromised environments. The affected versions include SharePoint Server 2016, 2019, and the Subscription Edition, with exploitation attempts observed as early as July 7, 2025.
Understanding the Vulnerabilities
The attack chain commences with the exploitation of two specific vulnerabilities:
1. CVE-2025-49706: A spoofing vulnerability that allows attackers to impersonate legitimate users.
2. CVE-2025-49704: A remote code execution flaw enabling unauthorized code execution on the server.
These vulnerabilities are particularly concerning for internet-facing SharePoint servers. Attackers initiate their reconnaissance by sending POST requests to the ToolPane endpoint. Subsequently, they deploy malicious web shells named spinstall0.aspx and its variants, such as spinstall1.aspx and spinstall2.aspx. These web shells are instrumental in retrieving ASP.NET MachineKey data, which is crucial for session management and authentication processes. By extracting these cryptographic keys, attackers can gain unauthorized access and maintain persistence within the system.
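As an added example that is not part of the original article, the following Python sketch parses a constructed IIS W3C log excerpt and flags the two request patterns described above: POST requests to the ToolPane endpoint and fetches of spinstall web shell variants, then correlates both by client IP. The `/_layouts/15/` path prefix and the log field layout are assumptions for the sample, not values taken from the article.

```python
import re
from collections import defaultdict

# Constructed IIS W3C log excerpt for demonstration; not from the article or any real server.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-18 14:02:11 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 10.0.0.77 200
2025-07-18 14:03:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 198.51.100.23 200
2025-07-18 14:03:42 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 198.51.100.23 200
2025-07-18 14:05:01 10.0.0.5 GET /_layouts/15/spinstall2.aspx - 198.51.100.23 200
2025-07-18 14:06:15 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.0.78 200
"""

# Indicators named in the article: POSTs to ToolPane and spinstall0.aspx-style web shells.
TOOLPANE_RE = re.compile(r"/ToolPane\.aspx$", re.IGNORECASE)
WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, using the #Fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, parts))


def find_indicators(text):
    """Return (timestamp, client_ip, reason, uri) tuples for suspicious requests."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        when = f"{rec.get('date', '')} {rec.get('time', '')}"
        if rec.get("cs-method", "").upper() == "POST" and TOOLPANE_RE.search(stem):
            hits.append((when, rec.get("c-ip"), "POST to ToolPane endpoint", stem))
        elif WEBSHELL_RE.search(stem):
            hits.append((when, rec.get("c-ip"), "spinstall web shell request", stem))
    return hits


def correlate_clients(hits):
    """Client IPs that both POSTed to ToolPane and requested a spinstall shell."""
    seen = defaultdict(set)
    for _, client, reason, _ in hits:
        seen[client].add(reason)
    return sorted(c for c, reasons in seen.items() if len(reasons) == 2)
```

A client that appears in `correlate_clients` output has exhibited both stages of the chain described above and warrants immediate key rotation and forensic review of the server.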
Identified Threat Actors and Their Tactics
Microsoft has identified three primary threat actors exploiting these vulnerabilities:
1. Linen Typhoon: A Chinese state-sponsored group known for its cyber espionage activities.
2. Violet Typhoon: Another Chinese state-sponsored entity with a history of targeting critical infrastructure.
3. Storm-2603: A group that has escalated its attacks by deploying ransomware, specifically the Warlock variant.
Storm-2603 employs several sophisticated techniques to establish and maintain control over compromised systems:
– Persistence Mechanisms: The group sets up scheduled tasks and manipulates Internet Information Services (IIS) components to load suspicious .NET assemblies, ensuring continued access even after system reboots.
– Credential Access: Utilizing tools like Mimikatz, they target the Local Security Authority Subsystem Service (LSASS) memory to extract plaintext credentials. This facilitates lateral movement within the network.
– Command and Control Infrastructure: The attackers use domains such as update.updatemicfosoft.com and IP addresses like 65.38.121.198 and 131.226.2.6 to communicate with compromised systems.
– Ransomware Deployment: The culmination of their attack involves modifying Group Policy Objects (GPOs) to distribute Warlock ransomware across the network, encrypting critical data and demanding ransom payments.
Mitigation and Recommendations
In response to these threats, Microsoft has released comprehensive security updates and strongly recommends the following actions:
1. Immediate Patching: Apply the latest security updates to all affected SharePoint Server versions to close the exploited vulnerabilities.
2. Enable Antimalware Scan Interface (AMSI): Configure AMSI in Full Mode to enhance the detection and prevention of malicious activities.
3. Rotate ASP.NET Machine Keys: After applying the updates, rotate the SharePoint server’s ASP.NET machine keys to invalidate any keys that may have been compromised.
4. Restart IIS Services: Use the command `iisreset.exe` to restart IIS services, ensuring that all changes take effect and any malicious processes are terminated.
By implementing these measures promptly, organizations can significantly reduce the risk of exploitation and mitigate potential damages from these sophisticated attacks.