Warlock Ransomware: A Growing Threat to SharePoint Systems
Microsoft has recently issued a warning regarding the active exploitation of vulnerabilities in SharePoint systems, specifically pointing to the deployment of Warlock ransomware by threat actors. This information, shared in a recent update, stems from threat intelligence gained through ongoing monitoring of exploitation activity linked to a group tracked as Storm-2603.
Understanding the Threat Actor: Storm-2603
The group identified as Storm-2603 is believed to operate from China and is financially motivated. They have previously been associated with deploying both Warlock and LockBit ransomware variants. The current attacks make use of specific vulnerabilities, notably CVE-2025-49706, which is a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability, targeting unpatched SharePoint servers.
How the Exploitation Works
The exploitation begins by chaining both of these vulnerabilities to deploy a malicious payload known as spinstall0.aspx. This web shell allows the attackers to execute commands in the context of the w3wp.exe worker process, which hosts SharePoint. Following their initial entry, the threat actors gather information using commands like whoami to understand the user context and privilege level they are running under.
As they infiltrate deeper into the network, they utilize cmd.exe and batch scripts for further penetration, even disabling Microsoft Defender protections by altering Windows Registry settings. The malicious activity does not stop there; Storm-2603 also creates scheduled tasks and modifies Internet Information Services (IIS) components to launch suspicious .NET assemblies, thereby maintaining ongoing access despite potential remediation efforts by their targets.
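The chain above leaves two footprints a defender can look for: requests to the spinstall0.aspx web shell in IIS access logs, and discovery or configuration tools launched beneath the w3wp.exe worker process. The following is an added detection example, not code from the article or from Microsoft; the log lines and process events are constructed, and the image names for the registry and scheduled-task steps (reg.exe, schtasks.exe) are assumptions.

```python
"""Detection logic for the SharePoint web-shell chain described above.
Sample inputs are constructed; reg.exe/schtasks.exe as the images behind the
registry and scheduled-task steps are assumptions, not from the article."""
import re

WEB_SHELL = re.compile(r"/spinstall0\.aspx\b", re.IGNORECASE)
# Tools a SharePoint worker process (w3wp.exe) has no legitimate reason to launch.
SUSPECT_CHILDREN = {"cmd.exe", "whoami.exe", "reg.exe", "schtasks.exe"}

# Constructed W3C IIS log lines: date time s-ip cs-method cs-uri-stem c-ip sc-status
IIS_LOG = """\
2025-07-20 10:01:13 10.0.0.5 GET /_layouts/15/spinstall0.aspx 203.0.113.7 200
2025-07-20 10:02:40 10.0.0.5 GET /sites/hr/default.aspx 198.51.100.9 200
2025-07-20 10:03:02 10.0.0.5 POST /_LAYOUTS/15/SPINSTALL0.ASPX 203.0.113.7 200
"""

# Constructed process-creation events: (pid, ppid, image, command line)
PROC_EVENTS = [
    (400, 1, "svchost.exe", "svchost.exe -k iissvcs"),
    (1200, 400, "w3wp.exe", 'w3wp.exe -ap "SharePoint - 80"'),
    (1300, 1200, "cmd.exe", "cmd.exe /c whoami"),
    (1310, 1300, "whoami.exe", "whoami"),
    (1320, 1300, "reg.exe", r"reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
                            " /v DisableAntiSpyware /t REG_DWORD /d 1 /f"),
    (2000, 1, "explorer.exe", "explorer.exe"),
    (2100, 2000, "cmd.exe", "cmd.exe"),  # admin's interactive shell: must not be flagged
]


def web_shell_requests(log_text):
    """Return (client_ip, uri) for every request to the spinstall0.aspx web shell."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and WEB_SHELL.search(fields[4]):
            hits.append((fields[5], fields[4]))
    return hits


def w3wp_descendants(events):
    """Flag suspect tools anywhere beneath w3wp.exe, not only its direct children,
    so cmd.exe -> whoami.exe and cmd.exe -> reg.exe chains are still attributed."""
    by_pid = {pid: (ppid, image, cmdline) for pid, ppid, image, cmdline in events}
    flagged = []
    for pid, (ppid, image, cmdline) in by_pid.items():
        if image.lower() not in SUSPECT_CHILDREN:
            continue
        cur, hops = ppid, 0
        while cur in by_pid and hops < 64:  # walk up the parent chain, bounded
            if by_pid[cur][1].lower() == "w3wp.exe":
                flagged.append((pid, image, cmdline))
                break
            cur, hops = by_pid[cur][0], hops + 1
    return flagged


if __name__ == "__main__":
    for ip, uri in web_shell_requests(IIS_LOG):
        print(f"web shell request from {ip}: {uri}")
    for pid, image, cmdline in w3wp_descendants(PROC_EVENTS):
        print(f"pid {pid} {image} under w3wp.exe: {cmdline}")
```

The parent-chain walk is what keeps the admin's own cmd.exe (under explorer.exe) out of the results while still catching whoami.exe and reg.exe two levels below the worker process.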
Credential Theft and Lateral Movement
In addition to maintaining access, Storm-2603 employs Mimikatz to extract user credentials from the memory of the Local Security Authority Subsystem Service (LSASS). This sets the stage for lateral movement within the network using tools like PsExec and Impacket, making the attacks increasingly sophisticated and damaging.
As their activities escalate, Storm-2603 modifies Group Policy Objects (GPO), effectively distributing the Warlock ransomware across compromised environments, thus amplifying the overall impact.
Key Mitigation Strategies
Given the scope of these attacks, Microsoft has recommended several proactive measures for users to safeguard their systems:
- Upgrade to supported versions of Microsoft SharePoint Server.
- Apply the latest security updates promptly.
- Ensure that the Antimalware Scan Interface (AMSI) is enabled and correctly configured.
- Utilize Microsoft Defender for Endpoint or similar solutions.
- Rotate SharePoint Server ASP.NET machine keys regularly.
- Restart IIS on all SharePoint servers by executing iisreset.exe (particular attention should be paid to the rotation of keys if AMSI cannot be enabled).
- Develop and implement an incident response plan.
The Scale of the Threat
Recent analyses indicate that these SharePoint vulnerabilities have already impacted at least 400 organizations. Other Chinese hacking groups, such as Linen Typhoon (also known as APT27) and Violet Typhoon (APT31), have also been linked to similar malicious activities, prompting broader concerns about cybersecurity globally.
In response to allegations against China for involvement in these cyber exploits, a spokesperson for the Chinese Foreign Ministry stated, “Cybersecurity is a common challenge faced by all countries and should be addressed jointly through dialogue and cooperation.” The spokesperson also emphasized China’s stand against hacking activities.
Global Exploitation Patterns
Insights from cybersecurity firm ESET reveal that exploitation activity related to ToolShell has been observed worldwide, with the United States facing 13.3% of the attacks. Other key targets include countries like the United Kingdom, Italy, and Germany, particularly highlighting vulnerabilities in government organizations.
Notably, Check Point Research has identified over 4,600 compromise attempts affecting various sectors, including the financial services, telecommunications, and government domains, illustrating the widespread nature of the threat.
Emerging Tools and Techniques
Threat actors in these campaigns have employed a variety of sophisticated tools, such as GhostWebShell, a lightweight ASP.NET web shell enabling arbitrary command execution. This tool highlights the advanced capabilities of post-exploitation techniques utilized by these groups.
Additionally, tools like KeySiphon gather critical validation and decryption keys, enhancing attackers’ ability to manipulate applications and extract sensitive data from compromised systems.
The intricate methods employed by these groups underline the urgent need for organizations to remain vigilant, implement robust cybersecurity measures, and respond swiftly to emerging threats in the landscape.