Key Takeaways:
- Microsoft confirms active exploitation of a SharePoint vulnerability by the Storm-2603 threat group.
- At least 400 servers are estimated to have been compromised via the ToolShell exploit chain.
- Initial security patches were bypassed, prompting an emergency update and new mitigation steps.
Microsoft has issued a warning that hackers are actively exploiting vulnerabilities in on-premises SharePoint servers to launch ransomware attacks. According to the Microsoft Threat Intelligence team, the China-linked threat group Storm-2603 is leveraging these flaws to deploy the Warlock ransomware.
Eye Security first reported in-the-wild exploitation of the SharePoint vulnerability chain (also known as "ToolShell") over the weekend. It enables unauthenticated remote code execution on on-premises SharePoint servers. Eye Security estimated that the exploit had already compromised at least 400 SharePoint servers. The flaw affects SharePoint Server Subscription Edition, SharePoint 2019, and SharePoint 2016; it does not affect SharePoint Online in Microsoft 365.
How is the Warlock ransomware being deployed?
Microsoft has warned that a Chinese threat actor (tracked as Storm-2603) is exploiting the vulnerability to infect SharePoint servers with LockBit and Warlock ransomware. The attacker exploits the SharePoint vulnerabilities to gain initial access, then runs discovery commands to assess privileges and establishes persistence by manipulating scheduled tasks and IIS components. The actor steals credentials, moves laterally across systems, and ultimately modifies Group Policy Objects to deploy Warlock ransomware across the compromised environment.
“Expanded analysis and threat intelligence from our continued monitoring of exploitation activity by Storm-2603 leading to the deployment of Warlock ransomware,” Microsoft explained. “With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems.”
Why wasn't the initial patch enough to protect SharePoint servers?
Microsoft released a security patch for the SharePoint vulnerability on July 8. Security researchers later found that the patch was incomplete, and attackers bypassed it. Earlier this week, Microsoft released an emergency update to close the remaining holes in SharePoint Server Subscription Edition, SharePoint 2019, and SharePoint 2016.
Microsoft recommends that organizations apply the security updates immediately to protect their systems against ransomware attacks. Administrators should also deploy endpoint protection, rotate the SharePoint Server ASP.NET machine keys, restart IIS on all SharePoint servers, and follow an incident response plan. Patching alone is not sufficient on a server that was already compromised: if the machine keys were stolen before the update was applied, they remain usable until they are rotated, and the rotation only takes effect once IIS has been restarted. It is also recommended to look for indicators of compromise in the system event logs. These indicators of compromise are listed in Microsoft's official blog post.
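The post-patch steps above (verify the build, rotate machine keys on every web application, restart IIS farm-wide) as a script. This is an added example written for this article, not code from Microsoft's guidance or from the original post. It assumes it is run from the SharePoint Management Shell as a farm administrator on one server of an already-patched farm, that `Update-SPMachineKey` is the SharePoint cmdlet available in your version for key rotation, and that WinRM is enabled between the farm servers so that IIS can be restarted remotely; all three are assumptions to confirm before use.

```powershell
# Added example (not from the article or from Microsoft): remediation steps for an
# on-premises SharePoint farm after the security update has been installed.
# Assumptions: run in the SharePoint Management Shell as farm admin; the update is
# already installed on every server; WinRM is enabled between farm servers.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Record the farm build and the SharePoint servers in the farm before touching keys.
#    Rotating keys on an unpatched server does nothing about the underlying flaw.
$farm = Get-SPFarm
"Farm build: $($farm.BuildVersion)"

# SPServer.Role is 'Invalid' for non-SharePoint members such as the SQL server.
$spServers = Get-SPServer | Where-Object { $_.Role -ne 'Invalid' }
$spServers | ForEach-Object { "{0,-30} {1}" -f $_.Name, $_.Role }

# 2. Rotate the ASP.NET machine keys for every web application, Central Admin included.
#    A key stolen from the server before patching stays valid until this is done.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($wa in $webApps) {
    "Rotating machine key for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa   # assumed cmdlet/parameter name
}

# 3. Restart IIS on every SharePoint server so the worker processes load the new keys.
#    /noforce lets in-flight requests finish; use a plain iisreset if you need it immediate.
$names = $spServers | Select-Object -ExpandProperty Name
Invoke-Command -ComputerName $names -ScriptBlock { iisreset.exe /noforce }

"Machine keys rotated on $($webApps.Count) web application(s); IIS restarted on $($names.Count) server(s)."
```

Run step 1 on its own first and compare the reported build against the emergency update's build number before proceeding; if any server is still on the pre-patch build, patch it and only then rotate keys and restart IIS, otherwise the rotation buys nothing. Keep the output as part of the incident record so the rotation time can be matched against the indicators of compromise you hunt for in the logs.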