A sophisticated cyber threat actor known as Storm-2603 has been identified exploiting critical vulnerabilities in Microsoft SharePoint to deploy Warlock ransomware on unpatched enterprise systems. According to Microsoft’s recent security advisory, this group, believed to be China-based, is leveraging unpatched flaws in on-premises SharePoint servers to gain unauthorized access, establish persistence, and spread ransomware across targeted networks.
Vulnerabilities Exploited
Storm-2603 takes advantage of two significant SharePoint vulnerabilities:
- CVE-2025-49706: A spoofing vulnerability that enables attackers to craft malicious requests.
- CVE-2025-49704: A remote code execution (RCE) vulnerability enabling execution of arbitrary code on vulnerable systems.
Both vulnerabilities primarily affect unpatched versions of SharePoint Server deployed on-premises, allowing attackers to upload and execute malicious web shells and run arbitrary commands remotely.
Attack Methodology
The attack sequence initiated by Storm-2603 involves several stages:
- Initial Compromise: Attackers exploit the SharePoint flaws to upload a malicious web shell, spinstall0.aspx, granting remote control over the affected server.
- Command and Control: Leveraging the IIS worker process (w3wp.exe), the attackers execute commands to map the environment and escalate privileges (e.g., running whoami via cmd.exe).
- Persistence: The threat actors employ multiple persistence techniques, including creating scheduled tasks, modifying IIS configurations to load suspicious .NET assemblies, and maintaining access through the web shell.
- Defense Evasion: Techniques to disable Microsoft Defender and other protective mechanisms are employed, including Windows Registry modifications via services.exe.
- Credential Harvesting and Lateral Movement: Tools such as Mimikatz are used to extract credentials directly from the LSASS memory, enabling lateral movement through the network with utilities like PsExec and the Impacket toolkit.
- Ransomware Deployment: Finally, attackers modify Group Policy Objects (GPO) to distribute and execute Warlock ransomware broadly within the compromised environment, encrypting valuable data and demanding ransom payments.
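As an added defender-side example, not part of the original advisory or this article, the Python below turns the two observable behaviours described above (the spinstall0.aspx web shell and w3wp.exe spawning cmd.exe to run whoami) into detection rules and runs them over constructed sample endpoint events. The event field names, the placeholder file paths and the broader rule flagging any .aspx file written by the IIS worker process are assumptions for illustration.

```python
"""Detection rules for the SharePoint web-shell behaviours described above.

Events below are CONSTRUCTED samples shaped like generic endpoint telemetry
(process-creation and file-creation records); they are not real logs.
"""

KNOWN_WEB_SHELLS = {"spinstall0.aspx"}       # name from the advisory
IIS_WORKER = "w3wp.exe"
SHELL_IMAGE = "cmd.exe"

# Constructed sample events; <sharepoint-dir> is a placeholder, not a real path.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "file", "writer": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "path": r"C:\<sharepoint-dir>\LAYOUTS\spinstall0.aspx"},
    {"type": "file", "writer": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "path": r"C:\<sharepoint-dir>\LAYOUTS\unknown_name.aspx"},
    # Benign: an interactive user running whoami from Explorer is not flagged.
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    # Benign: the worker process writing a non-page file.
    {"type": "file", "writer": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "path": r"C:\<sharepoint-dir>\Logs\trace.log"},
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, detail) tuples for events matching the web-shell rules."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            # Rule 1: IIS worker process spawning a command shell.
            if basename(ev["parent"]) == IIS_WORKER and basename(ev["image"]) == SHELL_IMAGE:
                findings.append(("iis_worker_spawned_cmd", ev["cmdline"]))
        elif ev["type"] == "file":
            name = basename(ev["path"])
            # Rule 2: the specific web shell name named in the advisory.
            if name in KNOWN_WEB_SHELLS:
                findings.append(("known_web_shell_written", ev["path"]))
            # Rule 3 (assumed generalisation): any .aspx page dropped by w3wp.exe.
            elif name.endswith(".aspx") and basename(ev["writer"]) == IIS_WORKER:
                findings.append(("aspx_written_by_iis_worker", ev["path"]))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```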
Impact and Attribution
At least 400 organizations worldwide have reportedly been affected by this campaign. Intelligence assessments indicate potential connections to other Chinese threat groups, including Linen Typhoon (APT27) and Violet Typhoon (APT31), although these assertions are denied by China’s official representatives. The Foreign Ministry of China has condemned such claims, advocating international collaboration to address cybersecurity threats while rejecting “politically motivated” accusations.