Microsoft: SharePoint attacks now officially include ransomware infections
- Reference: 1753376088
- News link: https://www.theregister.co.uk/2025/07/24/microsoft_sharepoint_ransomware/
Late Wednesday, in an [1]update to its earlier warning, Redmond confirmed that a threat group it tracks as Storm-2603 is abusing vulnerable on-premises SharePoint servers to deploy ransomware.
The software giant had already [2]pinned blame on three crews for the SharePoint attacks. Two of the crews are Chinese government-backed: Linen Typhoon (aka Emissary Panda, APT27) and Violet Typhoon (aka Zirconium, Judgment Panda, APT31).
The third, Storm-2603, is likely China-based but not necessarily a nation-state gang.
"Although Microsoft has observed this threat actor [Storm-2603] deploying Warlock and Lockbit ransomware in the past, Microsoft is currently unable to confidently assess the threat actor's objectives," Microsoft said on Tuesday, noting that it's still investigating other gangs exploiting these vulnerabilities.
As of Wednesday, it [6]confirmed that Storm-2603 is, in fact, abusing the security holes to infect victims with ransomware.
"Expanded analysis and threat intelligence from our continued monitoring of exploitation activity by Storm-2603 leading to the deployment of Warlock ransomware," according to Redmond, adding that these ransomware attacks began on July 18.
After exploiting the now-patched vulnerabilities in internet-facing servers — CVE-2025-49704, which allows unauthenticated remote code execution, and CVE-2025-49706, a spoofing bug — Storm-2603 initiates several discovery commands, Microsoft said.
These include "whoami," to enumerate user context and validate privilege levels, plus "cmd.exe," the default command-line interpreter for Windows operating systems, and batch scripts.
"Notably, services.exe is abused to disable Microsoft Defender protections through direct registry modifications," Redmond wrote.
[9]Microsoft SharePoint victim count hits 400+ orgs in ongoing attacks
[10]Surprise, surprise: Chinese spies, IP stealers, other miscreants attacking Microsoft SharePoint servers
[11]Microsoft patches critical SharePoint 2016 zero-days amid active exploits
[12]Another massive security snafu hits Microsoft, but don't expect it to stick
The criminals then establish persistence on infected machines using the spinstall0.aspx web shell, and create scheduled tasks and manipulate Internet Information Services (IIS) components to load .NET assemblies, thus ensuring access to the servers even if the flaws are fixed.
Storm-2603 then steals users' credentials, using Mimikatz to target the Local Security Authority Subsystem Service (LSASS) memory and extract this sensitive info in plaintext, and moves laterally through the network using PsExec and the Impacket toolkit, executing commands via Windows Management Instrumentation (WMI).
"Storm-2603 is then observed modifying Group Policy Objects (GPO) to distribute Warlock ransomware in compromised environments," Microsoft said. It also warned that "Additional actors will continue to use these exploits to target unpatched on-premises SharePoint systems, further emphasizing the need for organizations to implement mitigations and security updates immediately."
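Written from the defender's side, the following Python script is an added example (not code from Microsoft's advisory or from The Register) that turns the chain just described into detection rules and runs them over a constructed telemetry sample. The pipe-delimited event format, the assumption that SharePoint handlers execute under the IIS worker process w3wp.exe, the sample file path and user names, and the small LSASS-access allowlist are all assumptions made for the example.

```python
# Detection rules keyed to the Storm-2603 chain described above. Telemetry is a
# constructed, simplified format for this example:  type|image|parent|target|user

def parse_event(line):
    fields = line.strip().split("|")
    if len(fields) != 5:
        return None  # skip malformed or truncated telemetry instead of crashing
    keys = ("type", "image", "parent", "target", "user")
    return dict(zip(keys, (f.lower() for f in fields)))

# Assumption: SharePoint page handlers run inside the IIS worker process
# w3wp.exe, so a shell or recon binary with that parent is post-exploitation.
RULES = {
    "iis_worker_spawns_recon_shell": lambda e:
        e["type"] == "process" and e["parent"] == "w3wp.exe"
        and e["image"] in {"cmd.exe", "whoami.exe", "powershell.exe"},
    "spinstall0_webshell_dropped": lambda e:
        e["type"] == "file" and e["target"].endswith("spinstall0.aspx"),
    "services_exe_edits_defender_registry": lambda e:
        e["type"] == "registry" and e["image"] == "services.exe"
        and "\\windows defender\\" in e["target"],
    "lsass_memory_read": lambda e:  # allowlist is illustrative; tune per estate
        e["type"] == "process_access" and e["target"] == "lsass.exe"
        and e["image"] not in {"csrss.exe", "wininit.exe", "msmpeng.exe"},
    "psexec_service_started": lambda e:
        e["type"] == "process" and e["image"].startswith("psexesvc"),
    "wmi_provider_spawns_shell": lambda e:
        e["type"] == "process" and e["parent"] == "wmiprvse.exe"
        and e["image"] in {"cmd.exe", "powershell.exe"},
}

def detect(lines):
    """Return [(rule_name, line_number)] for every event that matches a rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        event = parse_event(line)
        if event:
            hits.extend((name, n) for name, hit in RULES.items() if hit(event))
    return hits

# Constructed sample: one event per stage of the chain, benign noise, one bad line.
SAMPLE = """process|whoami.exe|w3wp.exe|-|iis apppool\\sharepoint
file|w3wp.exe|-|C:\\SharePoint\\LAYOUTS\\spinstall0.aspx|iis apppool\\sharepoint
registry|services.exe|wininit.exe|HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware|nt authority\\system
process_access|mimikatz.exe|cmd.exe|lsass.exe|contoso\\spadmin
process|psexesvc.exe|services.exe|-|nt authority\\system
process|cmd.exe|wmiprvse.exe|-|contoso\\spadmin
process|notepad.exe|explorer.exe|-|contoso\\alice
not|valid""".splitlines()
```

Running `detect(SAMPLE)` flags the first six lines, one rule each, and ignores the benign and malformed ones; in production the same predicates map onto Sysmon event IDs 1, 10, 11 and 13 or the equivalent EDR telemetry.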
Plus, there are multiple proof-of-concept exploits for CVE-2025-49704 and CVE-2025-49706, along with the newer RCE CVE-2025-53770 (related to the earlier CVE-2025-49704) and CVE-2025-53771 (a security bypass vulnerability for the previously disclosed CVE-2025-49706) in the public domain, so would-be attackers have blueprints on how to break into these servers.
The security holes affect SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Redmond had issued [13]fixes for all three by late Monday. [14]More than 400 organizations have been compromised thus far, according to Eye Security, and yesterday the US Energy Department confirmed to The Register that it and its National Nuclear Security Administration (NNSA), which maintains America's nuclear weapons, were among the victims. ®
[1] https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
[2] https://www.theregister.com/2025/07/22/chinese_groups_attacking_microsoft_sharepoint/
[6] https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/#storm-2603
[9] https://www.theregister.com/2025/07/23/microsoft_sharepoint_400_orgs/
[10] https://www.theregister.com/2025/07/22/chinese_groups_attacking_microsoft_sharepoint/
[11] https://www.theregister.com/2025/07/22/microsoft_sharepoint_2016_patch/
[12] https://www.theregister.com/2025/07/21/massive_security_snafu_microsoft/
[13] https://www.theregister.com/2025/07/22/microsoft_sharepoint_2016_patch/
[14] https://www.theregister.com/2025/07/23/microsoft_sharepoint_400_orgs/
Re: Phew it's on-prem
"so was mostly avoided by my clients"
Somewhat smug and very stupid.
No loss
My working theory is that you could delete every sharepoint site on earth and probably nobody would care (not only that: nobody would even notice).
It’s like how hackers were attacking FBI website, etc. Honestly, if nobody ever mentioned it, how would you know?
You would probably not notice it for the rest of your life, is what the truth is.
Re: No loss
It wouldn't make sharepoint search any less functional...
According to whom?
>> Two of the crews are Chinese government-backed
Prove it. Meanwhile MS scrapes data for the NSA. So MS is a nation state backed info stealer.
Really?
"The software giant had already pinned blame on three crews for the ..."
I pin it on a single company, more concerned with line going up, rather than, ooo I don't know, spending time and money on security and quality products.
considered harmful
Which has caused more damage, from security problems or otherwise: Sharepoint, or Teams?
Sharepoint has probably used (wasted) more resources, but Teams inevitably wastes more time. Too close to call.
Don't tell me
Wait, some M$ software has been exploited? O..... M..... G. Who would have seen that coming?
/s
Phew it's on-prem
Luckily on-prem SharePoint is a hellish nightmare, so was mostly avoided by my clients and ditched by the few when they got 365.