Microsoft SharePoint hackers now deploying ransomware
The hackers behind the widespread exploitation of flaws in Microsoft’s SharePoint software have begun deploying ransomware, according to the tech giant.
Hundreds of organisations and government agencies have fallen victim to a widespread espionage campaign, believed to have been undertaken by Chinese state-sponsored hackers, that exploits SharePoint flaws first demonstrated in May and left open after Microsoft's initial fix proved incomplete.
Most recently, hackers breached the US National Nuclear Security Administration, the agency responsible for maintaining the nation's nuclear weapons stockpile.
Now, Microsoft has identified one group deploying ransomware during the exploitation of the flaws.
“We have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities to deploy ransomware,” said Microsoft.
Microsoft assesses that Storm-2603 is most likely based in China, but its investigation into who the group is and who it is affiliated with is ongoing.
“Although Microsoft has observed this threat actor deploying Warlock and LockBit ransomware in the past, Microsoft is currently unable to confidently assess the threat actor’s objectives,” Microsoft said in an earlier blog post.
The shift to ransomware means the campaign has moved beyond espionage alone: once data has been taken, encryption can take systems offline and halt operations.
Microsoft also identified two other Chinese state threat actors – Linen Typhoon and Violet Typhoon – that are exploiting the SharePoint server vulnerabilities, and it is investigating a number of other threat actors.
“With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems,” the company added.
Michael Sikorski, CTO and head of threat intelligence for Unit 42 at Palo Alto Networks, said this is a “high-severity, high-urgency threat”.
“Attackers are bypassing identity controls, including MFA and SSO, to gain privileged access. Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys. The attackers have leveraged this vulnerability to get into systems and are already establishing their foothold. If you have SharePoint on-prem exposed to the internet, you should assume that you have been compromised at this point. Patching alone is insufficient to fully evict the threat,” he said.
“What makes this especially concerning is SharePoint’s deep integration with Microsoft’s platform, including its services like Office, Teams, OneDrive, and Outlook, which [have] all the information valuable to an attacker. A compromise doesn’t stay contained – it opens the door to the entire network.”
Daniel Croft
Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding of, and experience writing in, the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.