
🔐 Introduction: A New Cyber Threat Strikes SharePoint
Microsoft has warned of a ransomware campaign that targets on-premises SharePoint Server deployments worldwide (SharePoint Online is not affected). A suspected China-based threat group, tracked by Microsoft as Storm-2603, is chaining critical SharePoint flaws to deploy Warlock ransomware, and researchers tracking the campaign had counted more than 400 compromised organizations by the time Microsoft published its analysis. This report breaks down the attackers' tactics, techniques, and procedures and what they mean for your organization's security.
🧨 The Ongoing SharePoint Exploits
Microsoft has confirmed that one of the threat actors exploiting the SharePoint vulnerabilities is deploying Warlock ransomware on compromised systems. Microsoft tracks the group as Storm-2603 and assesses with medium confidence that it is China-based; the group had previously been observed deploying both Warlock and LockBit ransomware.
This wave of attacks chains two vulnerabilities:
CVE-2025-49706 (a spoofing vulnerability)
CVE-2025-49704 (a remote code execution vulnerability)
The July Patch Tuesday fixes for these two CVEs were bypassed in the wild; Microsoft's out-of-band July updates also address the related bypass variants, CVE-2025-53770 and CVE-2025-53771, so a server must be on the latest update, not merely the initial fix.
These flaws affect unpatched on-premises SharePoint servers and are used to drop a web shell named spinstall0.aspx into the server's LAYOUTS directory. The web shell's main job is not to run commands but to read the server's ASP.NET MachineKey configuration (the validationKey and decryptionKey). With those keys an attacker can sign a malicious __VIEWSTATE payload that the server will deserialize and execute, which is why a patched server whose keys were never rotated remains exploitable. Commands are executed from the IIS worker process, w3wp.exe; the first ones observed are reconnaissance such as whoami, used to establish what privileges the worker runs with.
The intrusion deepens as the attackers run cmd.exe and batch scripts and modify Windows registry entries through services.exe to disable Microsoft Defender's protections. Storm-2603 also establishes persistence by creating scheduled tasks and manipulating Internet Information Services (IIS) components so that suspicious .NET assemblies are loaded into the web server.
In addition to evading defenses, the attackers use credential-dumping tools such as Mimikatz to extract plaintext credentials and hashes from LSASS memory. Lateral movement is then carried out with PsExec and the Impacket toolkit, executing commands on other hosts over WMI and spreading across the network.
A particularly damaging tactic is the modification of Group Policy Objects (GPOs) to push the Warlock ransomware to every domain-joined machine at once. According to Microsoft, this ensures widespread disruption while making recovery more difficult, since the domain itself has become the distribution channel.
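The chain above (web shell, commands spawned from w3wp.exe, Defender disabled through the registry, PsExec and Impacket lateral movement, GPO-based deployment) maps directly onto endpoint telemetry. The script below is an added example, not code from the original article or from Microsoft: it runs those checks over constructed sample events. The event shape (dicts with type, host, parent, image, path, key and so on), the ADMIN$ output-redirection pattern used for Impacket's wmiexec, the SYSVOL script-path heuristic for GPO abuse and every sample value are assumptions made for this example; map the field names onto whatever your EDR or Sysmon export provides.

```python
"""Added example, not code from the original article or from Microsoft: triage
of constructed endpoint telemetry against the Storm-2603 intrusion chain."""
import re
from dataclasses import dataclass

WEB_WORKER = "w3wp.exe"                          # IIS worker process hosting SharePoint
SUSPICIOUS_CHILDREN = {"cmd.exe", "whoami.exe", "powershell.exe", "net.exe"}
PSEXEC_IMAGES = {"psexec.exe", "psexesvc.exe"}  # PsExec client and the service it installs
# Web shell name reported by Microsoft, dropped under the SharePoint LAYOUTS directory.
WEBSHELL_RE = re.compile(r"\\TEMPLATE\\LAYOUTS\\spinstall\d*\.aspx$", re.IGNORECASE)
# Impacket's wmiexec redirects command output to a file in the ADMIN$ share (assumed pattern).
WMIEXEC_RE = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.IGNORECASE)
# Startup/logon scripts written under a GPO in SYSVOL (assumed heuristic for GPO-based deployment).
SYSVOL_SCRIPT_RE = re.compile(
    r"\\SYSVOL\\.*\\Policies\\\{[0-9A-F-]+\}\\(Machine|User)\\Scripts\\", re.IGNORECASE)
# Policy values that switch Defender off when set to 1: (key, value name), lower-cased.
DEFENDER_KILL_VALUES = {
    (r"hklm\software\policies\microsoft\windows defender", "disableantispyware"),
    (r"hklm\software\policies\microsoft\windows defender\real-time protection",
     "disablerealtimemonitoring"),
}


@dataclass
class Finding:
    host: str
    technique: str
    detail: str


def triage(events):
    """Return one Finding per event that matches a step of the described chain."""
    findings = []
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "process":
            parent, image = ev["parent"].lower(), ev["image"].lower()
            cmdline = ev.get("cmdline", "")
            if parent == WEB_WORKER and image in SUSPICIOUS_CHILDREN:
                findings.append(Finding(host, "webshell-exec", f"{parent} -> {image}: {cmdline}"))
            elif parent == "wmiprvse.exe" and image == "cmd.exe" and WMIEXEC_RE.search(cmdline):
                findings.append(Finding(host, "lateral-wmiexec", cmdline))
            elif image in PSEXEC_IMAGES:
                findings.append(Finding(host, "lateral-psexec", f"{parent} -> {image}"))
        elif kind == "file":
            path = ev["path"]
            if WEBSHELL_RE.search(path):
                findings.append(Finding(host, "webshell-drop", f"{ev['process']} wrote {path}"))
            elif SYSVOL_SCRIPT_RE.search(path):
                findings.append(Finding(host, "gpo-script-write", f"{ev['process']} wrote {path}"))
        elif kind == "registry":
            key = (ev["key"].lower().rstrip("\\"), ev["value"].lower())
            if key in DEFENDER_KILL_VALUES and ev["data"] == 1:
                findings.append(Finding(host, "defender-disable", f"{ev['process']} set {ev['value']}=1"))
    return findings


def hosts_by_stage(findings):
    """Map each technique to the hosts it was seen on, to show how far the chain got."""
    stages = {}
    for f in findings:
        stages.setdefault(f.technique, set()).add(f.host)
    return stages


# Constructed sample telemetry (not real IOCs): a SharePoint server (SP01), a file
# server reached laterally (FS02) and a domain controller receiving a GPO script (DC01).
SAMPLE_EVENTS = [
    {"type": "process", "host": "SP01", "parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "host": "SP01", "parent": "cmd.exe", "image": "whoami.exe", "cmdline": "whoami"},
    {"type": "file", "host": "SP01", "process": "w3wp.exe",
     "path": r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\spinstall0.aspx"},
    {"type": "registry", "host": "SP01", "process": "services.exe",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "value": "DisableRealtimeMonitoring", "data": 1},
    {"type": "process", "host": "FS02", "parent": "wmiprvse.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1753300000.12 2>&1"},
    {"type": "process", "host": "FS02", "parent": "services.exe", "image": "psexesvc.exe", "cmdline": "PSEXESVC.exe"},
    {"type": "file", "host": "DC01", "process": "explorer.exe",
     "path": r"\\corp.example\SYSVOL\corp.example\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Scripts\Startup\deploy.bat"},
    {"type": "process", "host": "SP01", "parent": "w3wp.exe", "image": "conhost.exe", "cmdline": "conhost"},  # benign noise
    {"type": "file", "host": "SP01", "process": "w3wp.exe", "path": r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex250723.log"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host:5} {f.technique:18} {f.detail}")
```

The ordering of checks matters in practice: the w3wp.exe-to-cmd.exe finding is the earliest signal and on its own justifies isolating the server and rotating machine keys, while a gpo-script-write on a domain controller means the ransomware deployment stage has been reached and containment must move to the domain level.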
The attackers' operational discipline suggests a high level of coordination. Microsoft also observed two Chinese state-linked groups, Linen Typhoon (also tracked as APT27) and Violet Typhoon (APT31), exploiting the same SharePoint vulnerabilities. China denies involvement, but the scale and precision of the activity point to state-level capabilities.
Microsoft has urged all organizations running on-premises SharePoint Server to:
Run a supported version (SharePoint Server 2016, 2019, or Subscription Edition); end-of-support releases receive no fix
Apply the latest July 2025 security updates, including the out-of-band releases
Enable the Antimalware Scan Interface (AMSI) integration (Full Mode where available) and deploy Microsoft Defender Antivirus on every SharePoint server
Rotate the ASP.NET machine keys after patching, because an exposed server's keys must be assumed stolen
Restart IIS on all SharePoint servers so the new keys take effect
Deploy Microsoft Defender for Endpoint or an equivalent EDR solution
Treat any exposed, unpatched server as potentially compromised and run the incident response plan immediately
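Two items on that list, rotating the machine keys and restarting IIS, are the ones most often skipped, so it is worth seeing why they matter. ASP.NET authenticates __VIEWSTATE with an HMAC keyed by the machineKey validationKey, and the web shell used in this campaign read that key off the server. The model below is an added example, not code from the original article or from Microsoft, and it is deliberately reduced: the key bytes, the payload and the blob layout (state followed by a raw SHA-256 tag) are assumptions for illustration, and the real ViewState encoding is more involved. What it shows is that a payload signed with the stolen key is still accepted after patching and is only rejected once the key changes.

```python
"""Added example, not code from the original article or from Microsoft: a reduced
model of ViewState MAC validation showing why key rotation is part of recovery."""
import hashlib
import hmac
import secrets

MAC_LEN = hashlib.sha256().digest_size


def sign_viewstate(validation_key: bytes, state: bytes) -> bytes:
    """Server side: append an HMAC-SHA256 tag keyed with the validationKey."""
    return state + hmac.new(validation_key, state, hashlib.sha256).digest()


def load_viewstate(validation_key: bytes, blob: bytes):
    """Server side: verify the tag before touching the state; None means rejected."""
    if len(blob) <= MAC_LEN:
        return None
    state, tag = blob[:-MAC_LEN], blob[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None            # deserialization never runs on a bad MAC
    return state


def rotate_machine_key() -> bytes:
    """Generate a fresh validationKey (64 random bytes, the size used for HMACSHA256)."""
    return secrets.token_bytes(64)


# Constructed value standing in for the key that was in web.config when the web shell ran.
ORIGINAL_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 4)


def scenario():
    """Return (accepted_with_old_key, accepted_after_rotation, tampered_accepted)."""
    stolen_key = ORIGINAL_KEY                                  # exfiltrated by the web shell
    forged = sign_viewstate(stolen_key, b"attacker-chosen serialized object")
    # Patching the CVEs does not change the key, so the forgery still validates.
    accepted_old = load_viewstate(ORIGINAL_KEY, forged) is not None
    new_key = rotate_machine_key()                             # rotate, then restart IIS
    accepted_new = load_viewstate(new_key, forged) is not None
    # Sanity check that the MAC is doing its job: one flipped byte is rejected.
    tampered = bytearray(forged)
    tampered[0] ^= 0x01
    tampered_ok = load_viewstate(ORIGINAL_KEY, bytes(tampered)) is not None
    return accepted_old, accepted_new, tampered_ok


if __name__ == "__main__":
    print(scenario())   # (True, False, False)
```

The restart matters for the same reason: the running w3wp.exe keeps the old key in memory until the application pool is recycled, so a rotation that is written to configuration but never applied leaves the window open.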
This ransomware surge reflects a growing trend in targeting enterprise-level collaboration platforms with devastating impact.
🔍 What Undercode Say:
The Alarming Precision of the Storm-2603 Attacks
Storm-2603's campaign isn't opportunistic; it's a calculated, professional-grade operation. By weaponizing vulnerabilities that were zero-day at the time of exploitation and only later patched, the attackers gained access to highly sensitive enterprise environments with minimal effort. Their use of the spinstall0.aspx web shell to harvest ASP.NET machine keys, rather than merely to run commands, shows a clear understanding of how SharePoint and ASP.NET validate requests.
Credential Theft and Defense Evasion Techniques
The attackers prioritize persistence and stealth. Dumping credentials from LSASS memory with Mimikatz is a well-worn step, but it signals intent: the goal is domain-wide access, not a single server. Flipping registry settings through services.exe to turn off real-time protection leaves the endpoint's antivirus blind from that point on, which is why Defender's tamper protection and an EDR that alerts on the registry change itself matter more than signatures.
Storm-2603's reliance on PsExec and Impacket for lateral movement shows that its intent goes beyond initial access; it aims for full domain compromise. Once spread across the environment, the group changes GPOs to detonate Warlock on many endpoints at once, maximizing disruption and ransom leverage.
China’s Denial and the Geopolitical Shadow
While the Chinese government denies involvement, the consistency and scale of these operations echo the tactics of known APT groups such as APT27 and APT31. Such nation-state groups often pursue both strategic and financial goals, blurring the line between cybercrime and cyberespionage.
Why SharePoint Is a Prime Target
SharePoint is a cornerstone for many enterprise-level operations, storing sensitive data and internal communications. Its widespread usage makes it an ideal target for ransomware actors. Organizations often delay patching, making them vulnerable to known exploits. In the wrong hands, SharePoint becomes a weapon against the very institutions it supports.
Undercode’s Advice to Organizations
Organizations must treat SharePoint as a Tier-1 asset, not just a productivity tool. Delayed patching and poor configuration can result in catastrophic breaches. This campaign is a warning shot to IT departments: patch, monitor, and harden your systems—before it’s too late.
✅ Fact Checker Results:
✅ Microsoft confirmed Storm-2603 is exploiting real SharePoint vulnerabilities (CVE-2025-49704 and CVE-2025-49706)
✅ Researchers tracking the campaign reported more than 400 compromised organizations
❌ China's official denial is at odds with Microsoft's attribution, which assesses the group as China-based with medium confidence
🔮 Prediction 🔥
This is just the beginning. As enterprise systems continue to lag in patching and security hygiene, groups like Storm-2603 will likely escalate, using automation and AI-enhanced reconnaissance. Expect a surge in ransomware-as-a-service (RaaS) campaigns that target widely deployed enterprise platforms such as SharePoint, Exchange, and Microsoft 365. The next frontier won't just be files; it will be reputation, regulation, and operational continuity.
References:
Reported By: thehackernews.com