Storm-2603 Exploits SharePoint Vulnerabilities to Deploy Warlock Ransomware on Unpatched Systems

Microsoft has identified that the threat actor it tracks as Storm-2603 is actively exploiting vulnerabilities in on-premises SharePoint Server to deploy Warlock ransomware on servers that have not received the latest security updates. The same flaws give an unauthenticated attacker code execution on the server, so the issue is not only keeping software current but also cleaning up what an attacker may already have taken from a server before it was patched.

Background on Storm-2603

Storm-2603 is a threat actor that Microsoft assesses, with medium confidence, to be based in China; Microsoft has not linked it to other known Chinese groups. It has previously deployed both the Warlock and LockBit ransomware families, and its operations appear financially motivated: gain access, encrypt data, and demand payment.

Exploitation of SharePoint Vulnerabilities

The group has been exploiting two specific vulnerabilities in on-premises SharePoint servers:

– CVE-2025-49706: A spoofing vulnerability in SharePoint's authentication handling. It lets an unauthenticated attacker reach server functionality that should require a signed-in user and is the entry point of the chain.

– CVE-2025-49704: A remote code execution vulnerability. Once past authentication, the attacker can run arbitrary code in the context of the SharePoint application pool.

Chaining the two, Storm-2603 drops a web shell named `spinstall0.aspx` into the SharePoint LAYOUTS directory. The shell's main job is to read the server's ASP.NET MachineKey values (ValidationKey and DecryptionKey) and return them to the attacker; with those keys an attacker can forge signed `__VIEWSTATE` payloads and regain code execution even after the shell file is deleted, which is why key rotation appears in the mitigations below. Because the shell executes inside the IIS worker process, `w3wp.exe`, every command it launches shows up as a child of `w3wp.exe`; that parent/child relationship is one of the most useful hunting signals for this activity.

Attack Methodology

Once access is established, Storm-2603 executes a series of commands to assess the system’s user context and privilege levels. The attack sequence includes:

1. Command Execution: Running `cmd.exe` and batch scripts as children of `w3wp.exe`, beginning with discovery commands such as `whoami` to learn which account the application pool runs as.

2. Disabling Security Measures: Changing Windows Registry values to turn off Microsoft Defender protections, with the registry writes observed coming from `services.exe`.

3. Persistence Mechanisms: Creating scheduled tasks and altering Internet Information Services (IIS) components to launch suspicious .NET assemblies, ensuring continued access even if initial entry points are secured.

4. Credential Harvesting: Deploying tools like Mimikatz to extract credentials from the Local Security Authority Subsystem Service (LSASS) memory.

5. Lateral Movement: Using PsExec and the Impacket toolkit, including command execution over WMI, to move from the SharePoint server to other hosts in the network.

6. Ransomware Deployment: Modifying Group Policy Objects (GPOs) so that domain-joined hosts pull and run Warlock ransomware, which pushes the encryptor across the whole environment in one step.
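The following PowerShell script is an added hunting example; it is not code from Microsoft's advisory or from the Storm-2603 tooling. It checks a SharePoint server for three of the signals described in the steps above: a web shell under the LAYOUTS directory, command shells spawned by `w3wp.exe`, and Defender policy tampering in the registry. The LAYOUTS paths are the default install locations (an assumption if the farm was installed elsewhere), process events are read from Sysmon event ID 1 when that log exists, and the inline sample records are constructed, not real telemetry.

```powershell
# Added hunting example; not Microsoft's or the attacker's code. Run elevated on a SharePoint server.

# --- 1. Web shell on disk ---------------------------------------------------------------
# Default LAYOUTS folders for the 16 hive (2016/2019/Subscription Edition) and the 15 hive (2013).
# Assumption: standard install root; adjust if the farm was installed elsewhere.
$layoutRoots = @(
    "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
    "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS"
)
function Find-SuspiciousLayoutFiles {
    param([string[]]$Roots, [int]$Days = 14)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # Known name first, then any .aspx written recently (LAYOUTS content normally changes only with updates).
        Get-ChildItem -Path $root -Filter 'spinstall*.aspx' -File -Recurse -ErrorAction SilentlyContinue
        Get-ChildItem -Path $root -Filter '*.aspx' -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) -and $_.Name -notlike 'spinstall*' }
    }
}

# --- 2. Command shells spawned by the IIS worker process ---------------------------------
# Takes generic records (Time, ParentImage, Image, CommandLine) so the same logic runs on
# constructed data and on Sysmon event ID 1 alike.
function Find-W3wpChildren {
    param([Parameter(Mandatory)][object[]]$Events)
    $shells = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'rundll32.exe', 'mshta.exe'
    foreach ($e in $Events) {
        $parent = [IO.Path]::GetFileName([string]$e.ParentImage).ToLowerInvariant()
        $child  = [IO.Path]::GetFileName([string]$e.Image).ToLowerInvariant()
        if ($parent -eq 'w3wp.exe' -and $shells -contains $child) {
            [pscustomobject]@{ Time = $e.Time; Parent = $parent; Child = $child; CommandLine = $e.CommandLine }
        }
    }
}

function Get-SysmonProcessEvents {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; ParentImage = $d['ParentImage']; Image = $d['Image']; CommandLine = $d['CommandLine'] }
        }
}

# Constructed sample records (not real telemetry) shaped like the activity described above.
$sample = @(
    [pscustomobject]@{ Time = '2025-07-18T10:02:11Z'; ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'; Image = 'C:\Windows\System32\cmd.exe';     CommandLine = 'cmd.exe /c whoami' }
    [pscustomobject]@{ Time = '2025-07-18T10:02:15Z'; ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'; Image = 'C:\Windows\System32\cmd.exe';     CommandLine = 'cmd.exe /c C:\Windows\Temp\run.bat' }
    [pscustomobject]@{ Time = '2025-07-18T10:03:40Z'; ParentImage = 'C:\Windows\System32\services.exe';     Image = 'C:\Windows\System32\svchost.exe'; CommandLine = 'svchost.exe -k netsvcs' }
    [pscustomobject]@{ Time = '2025-07-18T10:05:02Z'; ParentImage = 'C:\Windows\explorer.exe';              Image = 'C:\Windows\System32\cmd.exe';     CommandLine = 'cmd.exe' }
)

# --- 3. Defender policy tampering ---------------------------------------------------------
# Registry values that disable Defender when set to 1; normally absent on a healthy server.
function Find-DefenderPolicyTamper {
    $checks = @{
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'                      = 'DisableAntiSpyware'
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' = 'DisableRealtimeMonitoring'
    }
    foreach ($key in $checks.Keys) {
        $name = $checks[$key]
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($item -and $item.$name -eq 1) { "$key\$name = 1" }
    }
}

# --- Run ----------------------------------------------------------------------------------
'== Suspicious LAYOUTS files =='
Find-SuspiciousLayoutFiles -Roots $layoutRoots | Select-Object FullName, LastWriteTime
'== w3wp.exe children (constructed sample: the two cmd.exe rows should be reported) =='
Find-W3wpChildren -Events $sample | Format-Table -AutoSize
'== w3wp.exe children (live Sysmon, if the log exists) =='
$live = @(Get-SysmonProcessEvents)
if ($live.Count -gt 0) { Find-W3wpChildren -Events $live | Format-Table -AutoSize } else { '(no Sysmon events available)' }
'== Defender policy tamper =='
Find-DefenderPolicyTamper
```

The process check is deliberately keyed on the parent being `w3wp.exe` rather than on the child's command line, because the commands themselves (`whoami`, a batch file) are ordinary; it is the IIS worker process launching them that is abnormal on a SharePoint server. A hit on a recent `.aspx` under LAYOUTS that is not `spinstall0.aspx` still deserves a look, since the file name is trivially changed by the attacker.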

Mitigation Strategies

To defend against such attacks, Microsoft recommends the following actions:

– Use Supported Versions: Only on-premises SharePoint Server 2016, 2019 and Subscription Edition receive security updates; older releases must be upgraded before they can be patched. SharePoint Online in Microsoft 365 is not affected.

– Apply Security Updates: Install the latest security patches to address known vulnerabilities.

– Enable AMSI: Turn on SharePoint's Antimalware Scan Interface integration and run Microsoft Defender Antivirus (or another AMSI-capable engine) on every SharePoint server. Microsoft states that this configuration blocks the unauthenticated exploitation attempts it observed.

– Deploy Endpoint Protection: Utilize Microsoft Defender for Endpoint or equivalent solutions to monitor and protect systems.

– Rotate Machine Keys: After installing the update, rotate the SharePoint Server ASP.NET machine keys, either with the `Update-SPMachineKey` PowerShell cmdlet or by triggering the Machine Key Rotation timer job in Central Administration. This step is not optional: `spinstall0.aspx` steals the existing keys, and an attacker who holds them can keep forging valid requests after the patch is applied.

– Restart IIS: After rotating the keys, restart IIS on every SharePoint server in the farm with `iisreset.exe` so the worker processes load the new keys.

– Implement Incident Response Plans: Develop and maintain comprehensive incident response strategies to address potential breaches promptly.
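The script below is an added example of the patch, rotate, restart sequence from the list above, written as an administrator would run it in an elevated SharePoint Management Shell; it is not Microsoft's own remediation script. It assumes a supported on-premises version (2016, 2019 or Subscription Edition), that the security update has already been installed on every server, and that `Update-SPMachineKey` (the real SharePoint cmdlet named in the guidance) is available; the farm build is printed for comparison with Microsoft's published fixed build numbers rather than hardcoded here.

```powershell
# Added remediation example; not Microsoft's own script. Run in an elevated SharePoint Management
# Shell (or an elevated PowerShell with the SharePoint snap-in) on a server in the farm.
# Order matters: patch first, then rotate keys, then restart IIS on every server.

if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
}

# 1. Record the farm build so it can be checked against the fixed build numbers in Microsoft's
#    July 2025 SharePoint security update (assumption: you compare against the published table).
#    Do not rotate keys on an unpatched server: it can simply be re-exploited and the new keys stolen again.
$farm = Get-SPFarm
"Farm build: $($farm.BuildVersion)"

# 2. Rotate the ASP.NET machine keys for every web application in the farm. Update-SPMachineKey
#    generates a new ValidationKey/DecryptionKey pair and distributes it to all servers (add -Local
#    to update only this server). Keys already stolen through spinstall0.aspx stop working.
foreach ($wa in Get-SPWebApplication) {
    "Rotating machine key for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa
}

# 3. Restart IIS so every w3wp.exe worker loads the new keys and discards any in-memory state the
#    attacker established through the web shell. Repeat this step on each SharePoint server.
& "$env:SystemRoot\System32\iisreset.exe" /restart

# 4. Confirm the web service came back; a stopped W3SVC after the reset means the restart failed.
$w3svc = Get-Service W3SVC
if ($w3svc.Status -ne 'Running') { throw "W3SVC is $($w3svc.Status) after iisreset; investigate before continuing" }
"W3SVC running; key rotation and IIS restart complete on $env:COMPUTERNAME"
```

Rotation invalidates in-flight ViewState and any forms-authentication cookies signed with the old keys, so users on affected web applications will be signed out; schedule the step with that in mind, but do not delay it, because the stolen keys are the attacker's way back in.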

Broader Implications

Storm-2603's exploitation of SharePoint highlights the persistent threat from China-based actors, both state-sponsored groups and financially motivated crews. Microsoft observed two state-sponsored Chinese groups, Linen Typhoon (APT27) and Violet Typhoon (APT31), exploiting the same SharePoint vulnerabilities against unpatched on-premises servers. These incidents underline the need for proactive measures: prompt patching, key rotation after an exposure, employee training, and a rehearsed incident response process.

Conclusion

The recent activities of Storm-2603 serve as a stark reminder of the evolving landscape of cyber threats. Organizations must remain vigilant, ensuring that their systems are up-to-date and that comprehensive security measures are in place to defend against sophisticated attacks. By implementing the recommended mitigation strategies, businesses can significantly reduce their risk of falling victim to such exploits.