Storm-2603 Exploits SharePoint Vulnerabilities to Deploy Warlock Ransomware

In recent developments, a cyber threat actor identified as Storm-2603 has been actively exploiting critical vulnerabilities in Microsoft SharePoint Server to deploy Warlock ransomware on unpatched systems. Microsoft’s security team has been closely monitoring this activity, attributing it to a suspected China-based group known for previous deployments of both Warlock and LockBit ransomware.

Understanding the Vulnerabilities

The primary vulnerabilities exploited in these attacks are CVE-2025-49706 and CVE-2025-49704, collectively referred to as ToolShell. These flaws allow attackers to execute remote code and spoof server identities, providing unauthorized access to SharePoint servers. Despite Microsoft’s release of patches in July 2025, threat actors have developed methods to bypass these fixes, leaving systems exposed.

Attack Methodology

Storm-2603’s attack sequence begins with the exploitation of the aforementioned SharePoint vulnerabilities, leading to the deployment of a web shell named spinstall0.aspx. This web shell facilitates command execution via the w3wp.exe process, integral to SharePoint’s operation. Following initial access, the attackers execute a series of discovery commands, such as whoami, to ascertain user context and privilege levels.

The attackers employ cmd.exe and batch scripts to deepen their infiltration, while services.exe is manipulated to disable Microsoft Defender protections through direct registry modifications. Persistence is achieved by creating scheduled tasks and altering Internet Information Services (IIS) components to load suspicious .NET assemblies, ensuring continued access even if initial entry points are addressed.
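The tradecraft described above leaves two artefacts a defender can hunt for: requests to the spinstall0.aspx web shell in IIS W3C logs, and the w3wp.exe worker process spawning cmd.exe for discovery commands such as whoami. The script below is an added illustration, not Microsoft's or any vendor's detection logic; the log lines and process events it checks are constructed samples in the shape of an IIS W3C log and a flattened process-creation export, and the field layout is assumed to be the default W3C columns shown in the comment.

```python
# Constructed IIS W3C log lines (not from a real incident). Assumed column
# order: date time s-ip cs-method cs-uri-stem cs-uri-query s-port
# cs-username c-ip cs(User-Agent) sc-status
IIS_LOG = """\
2025-07-20 01:12:03 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-07-20 01:12:09 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-07-20 01:13:41 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
"""

# Constructed process-creation events (parent image, child image, command
# line), the shape an EDR or Sysmon Event ID 1 export takes after flattening.
PROCESS_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c C:\ProgramData\run.bat"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

WEBSHELL_NAMES = {"spinstall0.aspx"}          # web shell name reported in the campaign
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}  # interpreters an IIS worker should not launch


def webshell_hits(log_text):
    """Return every request whose URI stem ends in a known web shell file name."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 11 or fields[0].startswith("#"):  # skip headers / short lines
            continue
        if fields[4].rsplit("/", 1)[-1].lower() in WEBSHELL_NAMES:
            hits.append({"time": f"{fields[0]} {fields[1]}", "method": fields[3],
                         "uri": fields[4], "src": fields[8], "status": fields[10]})
    return hits


def suspicious_w3wp_children(events):
    """Flag cmd.exe/powershell.exe spawned by w3wp.exe; tag discovery commands."""
    findings = []
    for ev in events:
        parent = ev["parent"].rsplit("\\", 1)[-1].lower()
        child = ev["image"].rsplit("\\", 1)[-1].lower()
        if parent == "w3wp.exe" and child in SHELL_CHILDREN:
            reason = "discovery" if "whoami" in ev["cmdline"].lower() else "shell spawned by IIS worker"
            findings.append((child, reason, ev["cmdline"]))
    return findings


if __name__ == "__main__":
    for h in webshell_hits(IIS_LOG):
        print("web shell request:", h)
    for f in suspicious_w3wp_children(PROCESS_EVENTS):
        print("process finding:", f)
```

On a live server, point `webshell_hits` at the site's W3C log directory and feed `suspicious_w3wp_children` from your EDR or Sysmon export; a POST to the shell followed by w3wp.exe launching cmd.exe is the sequence the article describes.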

Credential Theft and Lateral Movement

To escalate their attack, Storm-2603 utilizes Mimikatz to extract credentials from the Local Security Authority Subsystem Service (LSASS) memory. Lateral movement within the network is facilitated using tools like PsExec and the Impacket toolkit, with commands executed via Windows Management Instrumentation (WMI). The attackers further modify Group Policy Objects (GPO) to distribute Warlock ransomware across compromised environments.

Deployment of Warlock Ransomware

A notable aspect of this campaign is the deployment of Warlock ransomware, marking a shift from espionage to destructive operations. Warlock is designed to encrypt victims’ files, demanding a ransom for decryption. The attackers leverage the compromised SharePoint infrastructure to deploy this ransomware, transitioning from intelligence gathering to extortion.

Mitigation Strategies

Organizations utilizing on-premises Microsoft SharePoint Server are urged to implement the following measures to mitigate these threats:

– Upgrade and Patch: Ensure all SharePoint servers are updated to supported versions and have the latest security patches applied.

– Enable Security Features: Activate the Antimalware Scan Interface (AMSI) and configure it correctly.

– Deploy Endpoint Protection: Utilize Microsoft Defender for Endpoint or equivalent solutions to detect and respond to threats.

– Rotate Machine Keys: Change the SharePoint Server ASP.NET machine keys to invalidate any keys stolen by attackers.

– Restart IIS Services: After applying updates and rotating keys, restart IIS on all SharePoint servers using iisreset.exe.

– Implement Incident Response Plans: Develop and execute comprehensive incident response strategies to address potential breaches.

Broader Implications

The exploitation of SharePoint vulnerabilities by Storm-2603 has led to the compromise of approximately 400 organizations, including U.S. federal agencies and various sectors such as education, healthcare, transportation, technology, and finance. The attackers have been observed stealing machine keys, allowing them to maintain access even after patches are applied. This underscores the importance of not only patching systems but also implementing additional security measures to prevent unauthorized access.

Conclusion

The activities of Storm-2603 highlight the evolving landscape of cyber threats, where state-affiliated actors are increasingly engaging in ransomware attacks. Organizations must remain vigilant, promptly apply security updates, and adopt comprehensive security practices to safeguard against such sophisticated threats.