Current Cyber Threats

Update: Storm-2603 Exploits SharePoint Flaws to Deploy Warlock Ransomware on Unpatched Systems

Summary:
Microsoft has disclosed that the financially motivated threat actor Storm-2603, suspected to be China-based, is actively exploiting vulnerabilities in on-premises Microsoft SharePoint Server to deploy Warlock ransomware. The group chains two flaws, CVE-2025-49706 (an authentication bypass that Microsoft classes as a spoofing vulnerability) and CVE-2025-49704 (remote code execution), to gain initial access to unpatched servers. Once inside, the attackers drop the spinstall0[.]aspx web shell and execute commands through w3wp[.]exe, the IIS worker process that hosts SharePoint, so the malicious activity runs under the SharePoint application pool identity. After establishing access, Storm-2603 runs discovery commands such as whoami to assess its privileges and then moves deeper using cmd[.]exe and batch scripts. It disables Microsoft Defender protections by modifying the Windows Registry through services[.]exe, and it maintains persistence through scheduled tasks and modifications to Internet Information Services, including loading suspicious .NET assemblies.
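The following triage script is an added example, not code from the bulletin or from Microsoft. It checks one on-premises SharePoint server for the tradecraft described in the summary: the web shell under the SharePoint LAYOUTS folder, child processes spawned by w3wp.exe, Defender being switched off by policy, scheduled-task persistence, and IIS modules outside the standard set. The LAYOUTS path, the 7-day look-back window and the Defender registry values it reads are assumptions chosen for illustration; they are not stated on this page.

```powershell
# Added example, not from the bulletin or from Microsoft: triage one on-premises
# SharePoint server for the Storm-2603 tradecraft described above. The LAYOUTS
# path, the 7-day window and the registry values checked are assumptions made
# for illustration. Run from an elevated PowerShell on the SharePoint server.
#Requires -RunAsAdministrator

$Since = (Get-Date).AddDays(-7)
# Assumed drop location of the web shell: the SharePoint 16-hive LAYOUTS folder.
$Layouts = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'

function Find-WebShellCandidates {
    # spinstall0*.aspx by name, plus any .aspx written inside the look-back window.
    Get-ChildItem -Path $Layouts -Filter '*.aspx' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'spinstall0*' -or $_.CreationTime -gt $Since } |
        Select-Object FullName, CreationTime, Length
}

function Find-W3wpChildProcesses {
    # Security event 4688 requires "Audit Process Creation"; the CommandLine field
    # is only populated when "Include command line in process creation events" is on.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ParentProcessName'] -notmatch '\\w3wp\.exe$') { continue }
        $child = $data['NewProcessName']
        # cmd.exe, PowerShell and whoami under the IIS worker process are the discovery
        # steps named in the summary; any other child of w3wp.exe still deserves review.
        $severity = if ($child -match '\\(cmd|powershell|whoami)\.exe$') { 'High' } else { 'Review' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Severity    = $severity
            Parent      = $data['ParentProcessName']
            Child       = $child
            CommandLine = $data['CommandLine']
        }
    }
}

function Get-DefenderTamperState {
    # The summary says Defender was disabled through registry changes; these policy
    # values are the usual switches for that (assumed here, not taken from the page).
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $p = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    $r = Get-ItemProperty -Path "$policy\Real-Time Protection" -ErrorAction SilentlyContinue
    $s = Get-MpComputerStatus -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DisableAntiSpywarePolicy     = $p.DisableAntiSpyware          # 1 = Defender off by policy
        DisableRealtimeMonitorPolicy = $r.DisableRealtimeMonitoring   # 1 = real-time protection off
        AMServiceEnabled             = $s.AMServiceEnabled
        RealTimeProtectionEnabled    = $s.RealTimeProtectionEnabled
    }
}

function Find-NonMicrosoftScheduledTasks {
    # Scheduled-task persistence: every task outside \Microsoft\ and what it executes.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object {
            $task = $_
            foreach ($a in $task.Actions) {
                [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; State = $task.State; Execute = $a.Execute; Arguments = $a.Arguments }
            }
        }
}

function Find-NonStandardIisModules {
    # IIS persistence: native modules whose image sits outside the Windows directory,
    # and managed (.NET) modules registered server-wide under a non-Microsoft type name.
    Import-Module WebAdministration -ErrorAction Stop
    Get-WebGlobalModule |
        Where-Object { $_.Image -notlike '%windir%*' -and $_.Image -notlike "$env:windir\*" } |
        Select-Object Name, Image
    Get-WebConfiguration -Filter '/system.webServer/modules/add' -PSPath 'MACHINE/WEBROOT/APPHOST' |
        Where-Object { $_.type -and $_.type -notmatch '^(System\.|Microsoft\.)' } |
        Select-Object name, type
}

'== Web shell candidates ==';          Find-WebShellCandidates         | Format-Table -AutoSize
'== Children of w3wp.exe ==';          Find-W3wpChildProcesses         | Format-Table -AutoSize
'== Defender state ==';                Get-DefenderTamperState         | Format-List
'== Non-Microsoft scheduled tasks =='; Find-NonMicrosoftScheduledTasks | Format-Table -AutoSize
'== Non-standard IIS modules ==';      Find-NonStandardIisModules      | Format-Table -AutoSize
```

The IIS module check only covers modules registered at the server (applicationHost.config) level; modules added to an individual web application's web.config need the same query run with that site's path, and a hit from any of the five checks is a reason to image the box, not to clean it in place.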


Security Officer Comments:
Two aspects of the group's attack chain stand out. For credential theft, the group deploys Mimikatz to extract passwords from LSASS memory, then moves laterally across the network with PsExec and Impacket. In the final stage it modifies Group Policy Objects to push the Warlock ransomware payload to every machine in the compromised environment at once. Microsoft's continued threat monitoring confirms that these campaigns are ongoing and pose a significant threat to enterprises running vulnerable SharePoint infrastructure.

Suggested Corrections:
  • Upgrade to supported versions of on-premises Microsoft SharePoint Server
  • Apply the latest security updates
  • Ensure the Antimalware Scan Interface is turned on and configured correctly
  • Deploy Microsoft Defender for Endpoint, or equivalent solutions
  • Rotate SharePoint Server ASP.NET machine keys after the security update is installed
  • Restart IIS on all SharePoint servers using iisreset.exe so the new keys take effect (if AMSI cannot be enabled, it is still advised to rotate the keys and restart IIS after installing the new security update)
  • Implement an incident response plan
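The key rotation and IIS restart steps above, written out as an added example that is not part of the bulletin or Microsoft's guidance. It assumes an elevated SharePoint Management Shell on one server of a patched farm; the cmdlets used (Get-SPFarm, Get-SPWebApplication, Update-SPMachineKey, Get-MpComputerStatus) are standard SharePoint and Defender cmdlets. Rotation matters because a web shell running inside w3wp.exe can read the current keys from web.config, and anything signed with those keys keeps validating until they are replaced.

```powershell
# Added example, not from the bulletin or from Microsoft: rotate the ASP.NET machine
# keys and restart IIS after the security update is installed. Run from an elevated
# SharePoint Management Shell; the update itself must already be applied.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Preflight: record the farm build so the patch level can be compared with the
# release notes before anything is rotated.
$farm = Get-SPFarm
"Farm build: $($farm.BuildVersion)"

# Rotate the machine key of every web application, Central Administration included.
# Without -Local, Update-SPMachineKey regenerates the keys and propagates them to
# the other servers in the farm.
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    "Rotating machine key for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa
}

# Restart IIS on this server so the worker processes load the new keys; repeat the
# restart on every SharePoint server in the farm.
iisreset.exe /noforce

# Post-check: Defender must be back on, since the actor disables it via the registry.
Get-MpComputerStatus | Select-Object AMServiceEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
```

Run the rotation once per farm, not once per server, and the iisreset on each server; a web shell or scheduled task found by the triage should be handled before the keys are rotated, otherwise the attacker simply reads the new values.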

Link(s):
https://thehackernews.com/2025/07/storm-2603-exploits-sharepoint-flaws-to.html