Microsoft has warned that hackers are making use of the zero-day SharePoint flaw to distribute ransomware, adding an extra risk to the serious vulnerability.
The SharePoint flaw, known as “ToolShell”, was spotted over the weekend, sparking an immediate patch from Microsoft — though initially only for some versions of the server software, all supported versions are now protected — amid concerns hackers were already taking advantage of the vulnerability.
According to Eye Security, the security company that first spotted the flaw, at least 400 SharePoint servers were compromised of the 23,000 scanned as of yesterday. US government agencies were among known victims, though the National Cyber Security Centre said it had so far seen limited hacks in the UK.
Now, Microsoft has warned via an update to its running blog on the incident that it was seeing hackers known as Storm-2603 that are believed to be based in China use the SharePoint flaw to infect servers with ransomware.
“Expanded analysis and threat intelligence from our continued monitoring of exploitation activity by Storm-2603 leading to the deployment of Warlock ransomware,” Microsoft said in the post.
Microsoft added that further attacks are expected until users are fully patched. “With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems,” the post added.
SharePoint targeted by Chinese hackers
Microsoft admitted that as early as 7 July it had seen hackers trying to exploit the SharePoint flaws in order to target organisations.
That included Storm-2603 as well as Chinese state actors Linen Typhoon and Violet Typhoon, the company said, noting those latter hacking groups have focused on government targets by making use of known exploits.
When it comes to Storm-2603, Microsoft said it wasn’t clear if it was actually based in China, but said it appeared to focus on stealing MachineKeys using on-premise SharePoint vulnerabilities.
“Although Microsoft has observed this threat actor deploying Warlock and Lockbit ransomware in the past, Microsoft is currently unable to confidently assess the threat actor’s objectives,” the company said. “Starting on July 18, 2025, Microsoft has observed Storm-2603 deploying ransomware using these vulnerabilities.”
China denied any involvement in a statement reported by Reuters.
Microsoft said attacks were happening beyond these hacking groups: “Investigations into other actors also using these exploits are still ongoing.”
Kevin Robertson, CTO at Acumen Cyber, said in a statement sent to ITPro that ransomware could be used by criminals targeting a ransom but also by state actors with other motives.
“This highlights that it’s not just state sponsored threat actors benefiting from this dangerous vulnerability,” he said. “Money-motivated attackers are also jumping on the bandwagon.”
He added: “However, some state sponsored attackers will also be using ransomware. They could be conducting reconnaissance on networks and then when they have what they need, dropping ransomware to cause further chaos for victims.”
Patch failure
The original “ToolShell” flaw impacting SharePoint was first spotted in May at a Trend Micro ethical hacking competition called Pwn2Own, for which a researcher at Viettel earned $100,000.
Trend Micro’s Zero-Day Initiative posted on 16 May: “Dinh Ho Anh Khoa combined an auth bypass and an insecure deserialization bug to exploit Microsoft SharePoint. He earns $100,000 and 10 Master of Pwn points.”
Microsoft subsequently rolled out a patch for the flaw via a July 8 security update. However, ten days later, the patch appeared to have been bypassed by hackers.
Acumen’s Robertson said that Microsoft’s “negligence with the initial patch left organizations completely exposed.” He added that this set of flaws could haunt SharePoint users for a long time. “Let’s hope Microsoft does a better job next time and upholds its responsibility to protect its expansive customer base,” he added.
After the second wave of attacks suggested a patch failure, Microsoft pushed out another update. At first, it only applied to SharePoint 2019, but is now available for SharePoint 2016 as well.
Microsoft said: “Customers should apply these updates immediately to ensure they are protected.” The company added that customers should address the authentication side of the attacks with Antimalware Scan Interface and Microsoft Defender Antivirus or equivalent solutions for all on-premises SharePoint instances, with full details of necessary mitigations in its blog post.
MORE FROM ITPRO
TOPICS
