Microsoft SharePoint Flaw Is Being Abused to Spread Ransomware


The severe vulnerability in Microsoft’s SharePoint software is not only paving the way for data theft, but also ransomware attacks. 

On Wednesday night, Microsoft issued an alert about a hacking group deploying the new “Warlock” ransomware after exploiting the flaw in SharePoint servers. Its investigation found that a China-based hacking group, called Storm-2603, began deploying the ransomware using the vulnerability starting last Friday — right as the security community became aware of the problem.

Not much is known about Storm-2603; Microsoft hasn’t been able to link its activities with other Chinese state-sponsored hackers, which typically focus on cyberespionage. But the company notes Storm-2603 has been exploiting the SharePoint flaw to try to steal “MachineKeys,” a folder that stores private keys to encrypt communications for computers and users.

The vulnerability has already been raising alarm bells for creating a way for hackers to access internal SharePoint servers, which can host confidential files and websites. However, the new alert from Microsoft shows Storm-2603 has also been using the flaw to dig through SharePoint servers and locate credentials for other IT systems on the same network. 

(Credit: Microsoft)

“The actor moves laterally using PsExec and the Impacket toolkit, executing commands using Windows Management Instrumentation (WMI),” Microsoft warned. “Storm-2603 is then observed modifying Group Policy Objects (GPO) to distribute Warlock ransomware in compromised environments.”
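The chain Microsoft describes leaves host-level traces that a defender can look for: a PsExec-style remote service install, a modification to a Group Policy Object, and a shell or WMI client spawned by the SharePoint web worker process. The following detection logic is an added example written for this page, not code from Microsoft, PCMag or any vendor; the event records it scans are constructed samples shaped like a SIEM's JSON export of Windows System and Security logs (Event IDs 7045, 5136 and 4688 are the standard Windows IDs for service installation, directory object modification and process creation), and the assumption that SharePoint runs inside the IIS worker process w3wp.exe is the author's, not the article's.

```python
import re

# Constructed sample events (not real telemetry), in the shape a SIEM
# would export Windows System/Security log records.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Channel": "System", "Computer": "FS01",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "Channel": "System", "Computer": "FS01",
     "ServiceName": "Dell SupportAssist",
     "ImagePath": r"C:\Program Files\Dell\SupportAssist\svc.exe"},
    {"EventID": 5136, "Channel": "Security", "Computer": "DC01",
     "ObjectClass": "groupPolicyContainer", "SubjectUserName": "svc_sharepoint",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
    {"EventID": 5136, "Channel": "Security", "Computer": "DC01",
     "ObjectClass": "user", "SubjectUserName": "helpdesk1",
     "AttributeLDAPDisplayName": "description"},
    {"EventID": 4688, "Channel": "Security", "Computer": "SP01",
     "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe"},
]

# Command interpreters / WMI client that a web worker process should never spawn.
SHELLS = {"cmd.exe", "powershell.exe", "wmic.exe"}

# Service binaries dropped directly into the Windows directory (not a subfolder),
# the placement PsExec-style tools use. Heuristic, not a definitive signature.
_ROOT_SERVICE_RE = re.compile(
    r'^(?:%systemroot%|%windir%|[a-z]:\\windows)\\[^\\\s]+\.exe', re.IGNORECASE)


def _basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def service_in_windows_root(image_path):
    """True when a service's binary sits directly in the Windows directory."""
    return _ROOT_SERVICE_RE.match(image_path.strip('"').replace("/", "\\")) is not None


def detect(events):
    """Scan event records and return a finding per suspicious event, in order."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        host = ev.get("Computer", "?")
        if eid == 7045:
            name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
            if name.upper() == "PSEXESVC" or service_in_windows_root(path):
                findings.append({"rule": "remote_service_install", "computer": host,
                                 "detail": f"{name} -> {path}"})
        elif eid == 5136 and ev.get("ObjectClass") == "groupPolicyContainer":
            # Any GPO attribute change outside a change window deserves a look;
            # the article reports GPOs being altered to push ransomware.
            findings.append({"rule": "gpo_modified", "computer": host,
                             "detail": f"{ev.get('SubjectUserName')} changed "
                                       f"{ev.get('AttributeLDAPDisplayName')}"})
        elif eid == 4688:
            parent = _basename(ev.get("ParentProcessName", ""))
            child = _basename(ev.get("NewProcessName", ""))
            if parent == "w3wp.exe" and child in SHELLS:
                findings.append({"rule": "web_worker_spawned_shell", "computer": host,
                                 "detail": f"{parent} -> {child}"})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['computer']}: {f['detail']}")
```

Run against the constructed sample, the scan flags three of the five records: the PSEXESVC install, the GPO attribute change, and WMIC launched from w3wp.exe. The benign Dell service install and the routine user-object edit pass through, which is the point of keying the GPO rule on object class and the service rule on binary location rather than on Event ID alone.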

Microsoft has been urging affected users to patch their servers, but for many customers it might be too late, even though Microsoft has now released patches for the flaw. Cybersecurity vendor Eye Security said on Wednesday: “In total, we discovered more than 400 systems actively compromised during four confirmed waves of attack.”


Victims include US government agencies. On Wednesday, the Department of Energy confirmed hackers had abused the SharePoint flaw to try to infiltrate a “very small number” of department systems, including at an agency that manages the US nuclear weapons stockpile. But so far, there’s no indication that the hackers stole sensitive or classified information.

The National Institutes of Health and Department of Homeland Security have also been affected. “The investigation to identify potential exposure remains ongoing. However, there is no evidence of data exfiltration at DHS or any of its components at this time,” the agency tells us.


About Michael Kan

Senior Reporter

I’ve been working as a journalist for over 15 years—I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017.
