Microsoft Warns of Active Ransomware Threat Targeting SharePoint
Microsoft’s Threat Intelligence team recently issued an urgent warning about a new ransomware threat. The Chinese hacker group tracked as Storm-2603 is now exploiting unpatched on-premises SharePoint servers to deploy a variant of the Warlock ransomware. This marks a significant shift in the group’s tactics from its earlier attempts to steal sensitive information.
Evolving Tactics of Storm-2603
Initially, Microsoft researchers observed Storm-2603 exfiltrating MachineKeys through two vulnerabilities specific to on-premises SharePoint: CVE-2025-53770 and CVE-2025-53771. The attackers used a malicious script named spinstall0.aspx that retrieves MachineKey data and transmits it via GET requests. Stealing this material gives an unauthorized party access to critical cryptographic secrets and undermines the integrity of the affected systems.
Importance of MachineKeys in SharePoint
In SharePoint Online, MachineKeys play a crucial role in securing functions such as view state management, forms authentication, and session state validation. They ensure that data exchanged between server and client is both trusted and untampered, thereby protecting the integrity of the web application. This is especially essential in a web farm, where multiple servers handle user requests simultaneously and must each be able to validate data produced by the others.
The Attack Cycle: A Detailed Look
The ransomware deployment process began on July 18, when the attackers exploited internet-facing on-premises SharePoint servers to gain initial access to their targets. The spinstall0.aspx payload set the stage for this unauthorized infiltration, enabling the attackers to execute processes via w3wp.exe, the IIS worker process responsible for handling web requests and running the associated applications.
Reconnaissance and Environment Profiling
Once inside, the attackers ran a series of commands to profile the victim’s environment. Using whoami and cmd.exe, they checked which privileges they held and planned their further execution. They also used services.exe to disable Microsoft Defender protections by modifying the registry.
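As an added defensive example, not code from the article or from Microsoft, the following Python script hunts for the two traces described above: requests for spinstall0.aspx in IIS logs, and recon commands spawned directly by w3wp.exe. The log lines and process events are constructed samples; the field layout follows the IIS W3C default.

```python
import re

# Constructed sample IIS W3C log (not from the article); IIS writes '+' for spaces in values.
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-18 10:02:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.20 Mozilla/5.0+(Windows) 200
2025-07-18 10:03:52 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows) 200
2025-07-18 10:04:03 10.0.0.5 GET /_layouts/15/SPINSTALL0.ASPX - 443 - 203.0.113.7 curl/8.0 404
"""

# Constructed process-creation events (Sysmon ID 1 / Security 4688 style), not from the article.
PROC_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},                        # web shell spawning recon: flagged
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": "csc.exe /noconfig"},                        # ASP.NET page compile: benign
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},                                  # interactive shell: benign parent
]

WEBSHELL_RE = re.compile(r"/spinstall0\.aspx$", re.IGNORECASE)
SUSPICIOUS_CHILDREN = {"cmd.exe", "whoami.exe"}  # recon binaries the article names

def parse_iis(log_text):
    # Map each data line onto the field names declared in the preceding '#Fields:' header.
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_webshell_requests(log_text):
    # Every request for spinstall0.aspx, any case and any status: a 404 still shows a probe.
    return [(r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["sc-status"])
            for r in parse_iis(log_text) if WEBSHELL_RE.search(r["cs-uri-stem"])]

def find_w3wp_children(events):
    # Recon binaries launched directly by the IIS worker process, i.e. by server-side code.
    hits = []
    for ev in events:
        parent, child = (p.rsplit("\\", 1)[-1].lower() for p in (ev["parent"], ev["image"]))
        if parent == "w3wp.exe" and child in SUSPICIOUS_CHILDREN:
            hits.append(ev["cmdline"])
    return hits

if __name__ == "__main__":
    print(find_webshell_requests(IIS_LOG), find_w3wp_children(PROC_EVENTS))
```

On a real server, feed the script the contents of the IIS log directory and exported process-creation events instead of the embedded samples.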
To maintain persistence in the compromised environment, the attackers employed several strategies: they kept their initial web shell, created scheduled tasks, and manipulated Internet Information Services (IIS) components to load suspicious .NET assemblies. These footholds allowed them to remain undetected even after the initial attack vector was addressed.
Credential Harvesting and Lateral Movement
In the next phase, Storm-2603 used tools such as Mimikatz to extract plaintext credentials from Local Security Authority Subsystem Service (LSASS) memory. With those credentials they moved laterally across the network using PsExec and commands issued through Windows Management Instrumentation (WMI), as Microsoft researchers noted.
Final Steps: Ransomware Distribution
In the final stage of the operation, the attackers modified Group Policy Objects (GPOs) to distribute the Warlock ransomware across the compromised networks. The motives behind this wave of attacks remain unclear, although Microsoft has previously documented Storm-2603 deploying both the Warlock and LockBit ransomware variants.
Urgency for Patching Vulnerable Systems
Microsoft has underscored the urgency of patching unprotected on-premises SharePoint systems to mitigate the risk. According to the Shadowserver Foundation, nearly 424 internet-facing SharePoint servers remain unpatched, most of them in the U.S., with further instances in Russia, Iran, Germany, and India.
The ongoing Storm-2603 activity shows that, without prompt action, vulnerable systems will keep being targeted, with severe consequences for businesses and organizations that rely on SharePoint.
Stay Updated on Vulnerabilities
Organizations are encouraged to stay vigilant about vulnerabilities such as CVE-2025-53770 and CVE-2025-53771 and to apply Microsoft’s patches promptly. The evolving nature of cyber threats demands ongoing attention, and proactive measures strengthen defenses against these sophisticated attack patterns.