Storm-2603 Exploits SharePoint Flaws to Deploy Warlock Ransomware on Unpatched Systems

Microsoft has revealed that one of the threat actors behind the active exploitation of SharePoint flaws, Storm-2603, is deploying Warlock ransomware on targeted systems.

As of this writing, Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting these vulnerabilities targeting internet-facing SharePoint servers. In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities to deploy ransomware. Investigations into other actors also using these exploits are still ongoing. With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems. This blog shares details of observed exploitation of CVE-2025-49706 and CVE-2025-49704 and the follow-on tactics, techniques, and procedures (TTPs) by threat actors. We will update this blog with more information as our investigation continues.

Ensar Seker, CISO at SOCRadar, had this comment:

“The exploitation of unpatched SharePoint servers by Storm-2603 represents a serious escalation in threat actor behavior. What began as an espionage campaign has now evolved into a destructive ransomware operation using Warlock malware. This is significant not only because of the rapid weaponization of recent vulnerabilities, but because the group has adopted enterprise-level tactics: stealing credentials, disabling defenses, and deploying ransomware across entire networks using Active Directory tools.”

“Warlock ransomware in this context is particularly dangerous. Once Storm-2603 gains access to a vulnerable SharePoint server, they quickly move laterally, extract domain credentials, and push ransomware across systems, often encrypting data en masse before defenders can respond. This is not a hit-and-run campaign. It reflects a strategic shift where attackers burrow deep, create persistence mechanisms, and time their ransomware deployment for maximum disruption.”

“The takeaway for enterprises is clear: if you run on-premises SharePoint, you must patch immediately. Beyond that, organizations should rotate keys and credentials, hunt for web shells or suspicious DLLs, and harden against lateral movement. Defenses like EDR in block mode, AMSI integration, and proper backup strategies are critical now, not optional. This campaign isn’t just a wake-up call for patch management, but for a broader rethink of how we defend internal collaboration platforms.”
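Seker's advice to hunt for web shells and suspicious DLLs can be started with a quick triage sweep of the SharePoint LAYOUTS folder. The script below is an added example, not code from this post, Microsoft or SOCRadar; it assumes the default SharePoint "16" hive install path and treats a 14-day window as "recent", both of which you may need to adjust.

```powershell
# Added example: triage sweep for recently written script files and DLLs without a
# valid Authenticode signature under the SharePoint LAYOUTS folder.
# Assumptions: default SharePoint 2016/2019/Subscription Edition path ("16" hive),
# and 14 days as the "recent" cut-off. Run from an elevated PowerShell on the server.
param(
    [string]$LayoutsPath = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
    [int]$Days = 14
)

$cutoff = (Get-Date).AddDays(-$Days)

# 1. Script-type files written recently. LAYOUTS content is normally written only by
#    setup and patch installs, so a freshly written .aspx/.ashx/.asmx here deserves a look.
$recentScripts = Get-ChildItem -Path $LayoutsPath -Recurse -File -Include '*.aspx','*.ashx','*.asmx' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $cutoff }

# 2. DLLs whose Authenticode signature is not valid (unsigned, or modified after signing).
$badDlls = Get-ChildItem -Path $LayoutsPath -Recurse -File -Filter '*.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Path      = $_.FullName
                LastWrite = $_.LastWriteTime
                SigStatus = $sig.Status
            }
        }
    }

"== Script files written since $($cutoff.ToString('u')) =="
$recentScripts | Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize

"== DLLs without a valid Authenticode signature =="
$badDlls | Format-Table -AutoSize
```

Hits are leads, not verdicts: compare them against a known-good server at the same patch level, and preserve any suspicious file for analysis rather than deleting it.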

James McQuiggan, Security Awareness Advocate at KnowBe4 adds this:

“Cybercriminals don’t need to be sophisticated; they just need organizations to be slow. Attackers don’t target the most vulnerable point; they go for what’s exposed, unpatched, and easiest to monetize. Essentially, a front door left wide open.”

“Enterprise environments are especially vulnerable because change takes time. There are processes, reviews, testing, and approvals that are needed to roll out mitigations and patches. However, if an organization’s SharePoint server is exposed on the internet with a known zero-day vulnerability and no compensating controls, it’s making their job easier.”

“If it’s internet-facing, treat it like a crown jewel. Anything exposed should be hardened, monitored, and patched rapidly, or segmented entirely. Limit attack surfaces by design. Many of these exposures exist simply because someone left default configurations or expanded access for convenience.”

“Cybersecurity isn’t about being perfect; it’s about not being predictable. The more visible and unpatched your environment, the easier it is for an organization to find and exploit. Organizations don’t need to outsmart every attacker; they just need to stop making it easy for them.”

If you have an on-premises SharePoint server, now would be a really good time to update it. As in, drop everything you are doing and apply the updates right now. If it wasn’t clear before that this is a today problem, it should be now.
