
Chinese hackers using SharePoint vulnerabilities to deploy Warlock ransomware, according to Microsoft; three China-linked threat groups reportedly capitalizing on this exploit

A China-linked threat group that Microsoft tracks as Storm-2603 is exploiting vulnerabilities in on-premises SharePoint Server to deploy ransomware, according to the company.

Headline: Microsoft Warns of SharePoint Ransomware Attacks by Hacking Group Storm-2603

Microsoft's threat intelligence team has recently uncovered a series of attacks targeting on-premises SharePoint Server customers, with the hacking group Storm-2603 being identified as the perpetrator. This group, assessed with moderate confidence to be China-based, has been deploying the Warlock ransomware using vulnerabilities in SharePoint.

Sub-headline: Steps to Protect Your Organization

To mitigate the risk of being targeted by Storm-2603 and the Warlock ransomware, organizations should take the following steps based on the most recent threat intelligence and Microsoft guidance:

  1. Apply the latest security updates immediately. Microsoft has released patches for the SharePoint vulnerabilities exploited by Storm-2603: CVE-2025-53770 (remote code execution) and CVE-2025-53771 (a spoofing flaw that bypasses authentication). The updates close the initial entry point on supported SharePoint versions; they do not undo a compromise that already happened (see step 4).
  2. Use supported SharePoint Server versions only. Supported versions include SharePoint Server 2016, 2019, and the SharePoint Subscription Edition. Upgrading ensures compatibility with security patches and features such as AMSI integration.
  3. Enable and correctly configure the Antimalware Scan Interface (AMSI). AMSI integration lets a registered antimalware engine inspect incoming requests before SharePoint processes them, which Microsoft says blocks the observed exploitation attempts. Enable AMSI in Full Mode and deploy Microsoft Defender Antivirus on every SharePoint server.
  4. Rotate the ASP.NET machine keys on SharePoint servers and restart IIS. Attackers who reached code execution can read the server's MachineKey values, and with those keys they can forge signed ViewState payloads that the server will deserialize and execute, so a server patched after compromise stays exploitable until the keys change. Rotating the keys on every server in the farm and restarting IIS invalidates anything signed with the stolen values.
  5. Deploy Endpoint Detection and Response (EDR) solutions such as Microsoft Defender for Endpoint. These tools improve detection of lateral movement and ransomware activities after initial compromise.
  6. Implement an incident response plan. Microsoft observed credential dumping, lateral movement via PsExec, WMI and the Impacket toolkit, and ransomware delivery through modified Group Policy Objects (GPOs); organizations should be able to detect and contain that post-exploitation activity quickly, not just the initial web request.
  7. Limit unauthenticated traffic and external exposure of SharePoint servers. Where internet access cannot be removed entirely, place the servers behind a VPN or an authenticating gateway so that remote unauthenticated attackers cannot reach the vulnerable endpoints directly.

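The following PowerShell, added here as an illustration and not a script from Microsoft or Tom's Hardware, runs the server-side checks and remediation from steps 1, 3 and 4 on one SharePoint server. It assumes the SharePoint Management Shell as a farm administrator, that Set-SPMachineKey and Update-SPMachineKey accept -WebApplication on your build (confirm with Get-Help), and that the expected build number is filled in from the security update for your version.

```powershell
# Added example: verify patch level, AMSI/Defender state, then rotate machine keys.
# Run in the SharePoint Management Shell on each server; repeat on all farm members.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Step 1: report the farm build so it can be compared with the build number
# published for the security update of your SharePoint version (assumed value below).
$expectedBuild = [Version]'16.0.0.0'   # ASSUMPTION: replace with the build from the July 2025 (or later) update
$farm = Get-SPFarm
if ($farm.BuildVersion -lt $expectedBuild) {
    Write-Warning "Farm build $($farm.BuildVersion) is below $expectedBuild; apply the security update first."
}

# Step 3: Defender must be running with real-time protection and be registered as an AMSI provider.
$mp = Get-MpComputerStatus
if (-not ($mp.AMServiceEnabled -and $mp.RealTimeProtectionEnabled)) {
    Write-Warning 'Microsoft Defender Antivirus or real-time protection is not enabled.'
}
$providers = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue
if (-not $providers) {
    Write-Warning 'No AMSI providers are registered on this host; AMSI integration cannot scan requests.'
}

# Step 4: generate new ASP.NET machine keys for every web application (Central Admin included)
# and push them to all servers in the farm. Do this AFTER patching, otherwise the
# attacker can simply steal the new keys again.
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    Set-SPMachineKey    -WebApplication $wa   # new validation/decryption keys
    Update-SPMachineKey -WebApplication $wa   # deploy them to every farm server
    "Rotated machine keys for $($wa.Url)"
}

# Finally restart IIS so worker processes stop using the old keys.
iisreset.exe
```

The build check is deliberately a warning rather than a hard stop: rotating keys on an unpatched server still limits damage, but the server will be re-compromised and the keys stolen again until the update is installed.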
Together these steps address both the initial SharePoint exploitation and the attacker's ability to persist afterwards. Patching alone does not remove access an attacker has already obtained; key rotation, endpoint monitoring and an incident response capability are all needed for comprehensive protection against Storm-2603 and Warlock ransomware.
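To make the incident response item concrete, the hunt below (an added example, not code from Microsoft's report) looks for the three post-exploitation behaviours the article attributes to Storm-2603: PsExec service installs, command shells spawned through WMI, and recently modified GPOs. Event IDs, the PSEXESVC service name and the WmiPrvSE.exe parent are standard Windows artefacts; the lookback window and the requirement that process command-line auditing and directory-service object auditing are already enabled are assumptions.

```powershell
# Added example: hunt for Storm-2603-style lateral movement and GPO abuse.
# Run on a domain controller (for GPO checks) and on member servers.
param([int]$Days = 7)   # ASSUMPTION: lookback window
$since = (Get-Date).AddDays(-$Days)

# PsExec installs a service called PSEXESVC on the target; Windows logs it as System 7045.
$psexec = Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=$since} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'PSEXESVC' }

# Impacket wmiexec-style execution runs cmd.exe under the WMI provider host.
# Requires process creation auditing (Security 4688) with command line logging.
$wmiShells = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$since} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Creator Process Name:\s+\S*\\WmiPrvSE\.exe' -and $_.Message -match 'cmd\.exe' }

# GPO edits: Security 5136 on groupPolicyContainer objects (directory service auditing),
# plus the GroupPolicy module's own modification timestamps as a second source.
$gpoEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5136; StartTime=$since} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'groupPolicyContainer' }
$recentGpos = @()
if (Get-Module -ListAvailable GroupPolicy) {
    Import-Module GroupPolicy
    $recentGpos = Get-GPO -All | Where-Object { $_.ModificationTime -gt $since }
}

[pscustomobject]@{
    Host              = $env:COMPUTERNAME
    PsExecServices    = @($psexec).Count
    WmiSpawnedShells  = @($wmiShells).Count
    GpoChangeEvents   = @($gpoEvents).Count
    RecentlyEditedGpo = ($recentGpos | ForEach-Object { $_.DisplayName }) -join ', '
} | Format-List

# Anything non-zero is a lead, not a verdict: confirm the account, source host and
# timing against the SharePoint server's own patch and key-rotation timeline.
```

A GPO edited shortly before endpoints started reporting encrypted files, by an account that also appears in PsExec or WMI activity originating from a SharePoint server, matches the chain the article describes and should be treated as ransomware staging.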

Additional Information

  • Microsoft recommends restarting Internet Information Services (IIS) for SharePoint servers after rotating ASP.NET machine keys.
  • The investigation into the organizations affected by these vulnerabilities is ongoing.

In short: patch, confirm AMSI and Defender are active, rotate the ASP.NET machine keys, restart IIS, watch for the lateral-movement and GPO activity described above, and reduce the servers' exposure to the internet. Any one of these alone leaves a gap that Storm-2603's observed tradecraft is built to exploit.
