SharePoint attacks now include ransomware • The Register


Ransomware has officially entered the Microsoft SharePoint exploitation ring.

Late Wednesday, in an update to its earlier warning, Redmond confirmed that a threat group it tracks as Storm-2603 is abusing vulnerable on-premises SharePoint servers to deploy ransomware.

The software giant had already pinned blame on three crews for the SharePoint attacks. Two of the crews are Chinese government-backed: Linen Typhoon (aka Emissary Panda, APT27) and Violet Typhoon (aka Zirconium, Judgment Panda, APT31).

The third, Storm-2603, is likely China-based but not necessarily a nation-state gang.

“Although Microsoft has observed this threat actor [Storm-2603] deploying Warlock and Lockbit ransomware in the past, Microsoft is currently unable to confidently assess the threat actor’s objectives,” Microsoft said on Tuesday, noting that it’s still investigating other gangs exploiting these vulnerabilities.

As of Wednesday, it confirmed that Storm-2603 is, in fact, abusing the security holes to infect victims with ransomware.

“Expanded analysis and threat intelligence from our continued monitoring of exploitation activity by Storm-2603 leading to the deployment of Warlock ransomware,” according to Redmond, adding that these ransomware attacks began on July 18.

After exploiting the now-patched vulnerabilities in internet-facing servers — CVE-2025-49704, which allows unauthenticated remote code execution, and CVE-2025-49706, a spoofing bug — Storm-2603 initiates several discovery commands, Microsoft said.

These include “whoami,” to enumerate user context and validate privilege levels, plus “cmd.exe,” the default command-line interpreter for Windows operating systems, and batch scripts.

“Notably, services.exe is abused to disable Microsoft Defender protections through direct registry modifications,” Redmond wrote.

The criminals then establish persistence on infected machines using the spinstall0.aspx web shell, and create scheduled tasks and manipulate Internet Information Services (IIS) components to load .NET assemblies, thus ensuring access to the servers even if the flaws are fixed.

Storm-2603 then steals users’ credentials, using Mimikatz to target the Local Security Authority Subsystem Service (LSASS) memory and extract this sensitive info in plaintext, and moves laterally through the network using PsExec and the Impacket toolkit, executing commands via Windows Management Instrumentation (WMI).

“Storm-2603 is then observed modifying Group Policy Objects (GPO) to distribute Warlock ransomware in compromised environments,” Microsoft said. It also warned that “Additional actors will continue to use these exploits to target unpatched on-premises SharePoint systems, further emphasizing the need for organizations to implement mitigations and security updates immediately.”
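A defender-side hunt for the chain described above, added here as an example and not code from The Register or Microsoft: it runs a few detection rules over constructed sample telemetry covering the web shell, the Defender registry tampering by services.exe, shell spawning from the SharePoint worker process, and the credential-theft and lateral-movement tooling. The parent-process name w3wp.exe, the Defender policy key path and the tool image names are assumptions, not values taken from the article.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample telemetry (not real incident data), normalised the way a
# SIEM might present process-creation, registry and IIS-log events.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process", "parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"type": "registry", "image": "services.exe",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"type": "iis", "method": "POST", "uri": "/_layouts/15/spinstall0.aspx"},
    {"type": "process", "parent": "services.exe", "image": "PSEXESVC.exe",
     "cmdline": "PSEXESVC.exe"},
    {"type": "process", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe"},
]

# Image names of the credential-theft and lateral-movement tools the article
# names (assumed spellings). Name matching is a cheap first pass only: renamed
# binaries evade it, so pair it with LSASS-access telemetry in practice.
TOOLING = re.compile(r"(mimikatz|psexec|psexesvc|wmic|wmiexec|atexec)", re.I)

def classify(ev: Event) -> List[str]:
    """Return the names of every rule the event triggers (empty if benign)."""
    hits: List[str] = []
    if ev["type"] == "process":
        # SharePoint runs inside the IIS worker process w3wp.exe (assumption);
        # it has no business spawning a shell or running whoami.
        if ev["parent"].lower() == "w3wp.exe" and re.search(
                r"\b(cmd\.exe|whoami)\b", ev["cmdline"], re.I):
            hits.append("sharepoint_worker_spawned_shell")
        if TOOLING.search(ev["image"]) or TOOLING.search(ev["cmdline"]):
            hits.append("lateral_movement_or_credential_tool")
    elif ev["type"] == "registry":
        # services.exe writing under a Defender policy key is the tampering the
        # article describes; the exact key and value names are assumptions.
        if ev["image"].lower() == "services.exe" and "windows defender" in ev["key"].lower():
            hits.append("services_exe_defender_tamper")
    elif ev["type"] == "iis":
        # Any request for the spinstall0.aspx web shell, whatever the directory.
        if ev["uri"].lower().endswith("spinstall0.aspx"):
            hits.append("spinstall0_webshell_request")
    return hits

def hunt(events: List[Event]) -> List[Tuple[str, Event]]:
    """Run every event through the rules and collect (rule, event) pairs."""
    return [(rule, ev) for ev in events for rule in classify(ev)]

if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {ev}")
```

Because the web shell and scheduled-task persistence survive patching, running these rules over historical logs from before the fix was applied matters as much as live alerting.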

Plus, there are multiple proof-of-concept exploits for CVE-2025-49704 and CVE-2025-49706, along with the newer RCE CVE-2025-53770 (related to the earlier CVE-2025-49704) and CVE-2025-53771 (a security bypass vulnerability for the previously disclosed CVE-2025-49706) in the public domain, so would-be attackers have blueprints on how to break into these servers.

The security holes affect SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Redmond had issued fixes for all three by late Monday. More than 400 organizations have been compromised thus far, according to Eye Security, and yesterday the US Energy Department confirmed to The Register that it, and its National Nuclear Security Administration (NNSA), which maintains America’s nuclear weapons, was among the victims. ®
