
Hackers exploiting vulnerabilities in SharePoint servers are now employing ransomware, according to Microsoft's latest announcement.

The move signals an escalation in an ongoing campaign that has affected more than 400 targets, according to Eye Security.

Hackers employ ransomware tactics against certain SharePoint servers, according to Microsoft's announcement


In a concerning development, a China-based hacking group known as Storm-2603 has been actively exploiting newly disclosed vulnerabilities in Microsoft SharePoint on-premises servers to deploy the Warlock ransomware. This campaign, part of a broader threat involving multiple Chinese groups including Linen Typhoon and Violet Typhoon, has affected over 400 organizations and agencies, with a majority located in the United States.

The attack, which began on July 18, 2025, uses an exploit chain dubbed "ToolShell" that bypasses identity controls and gains privileged access to the server. Microsoft has observed Storm-2603 deploying the ransomware with attacker tooling such as Mimikatz, PsExec, Impacket, and Windows Management Instrumentation (WMI) to move laterally and spread the ransomware within compromised networks.
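The tooling named in the paragraph above leaves characteristic artefacts in process-creation telemetry (Sysmon Event ID 1 or Security Event 4688), which is where a defender would look for the lateral-movement phase described here. The following is an added example, not detection logic from Microsoft or Eye Security: it defines a handful of rules for those artefacts (the IIS worker process w3wp.exe, which hosts SharePoint, spawning a shell; the PsExec service binary PSEXESVC; WmiPrvSE.exe launching a shell; the ADMIN$ output redirection used by Impacket's remote-execution scripts; Mimikatz module syntax) and runs them over constructed sample records. The host names, paths and command lines are invented for the demonstration; the indicator patterns are general knowledge about these tools, not details taken from this campaign.

```python
"""Flag process-creation records for the lateral-movement tooling named in the
article (PsExec, WMI, Impacket, Mimikatz) and for the SharePoint worker process
spawning a shell. Added example code, not the detection logic of any vendor.
All sample records below are constructed, not taken from a real incident."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record in the shape of Sysmon EID 1 / Security 4688."""
    host: str
    parent_image: str
    image: str
    command_line: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (handles / and \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Impacket's wmiexec/smbexec return command output through the ADMIN$ share with
# a redirection of this shape (assumed, well-known pattern, not from the article).
_IMPACKET_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.IGNORECASE)

# Each rule is (name, predicate). Order here is the order hits are reported in.
RULES = [
    ("sharepoint_worker_spawned_shell",
     lambda e: _base(e.parent_image) == "w3wp.exe"
     and _base(e.image) in {"cmd.exe", "powershell.exe"}),
    ("psexec_service_binary",
     lambda e: "psexesvc.exe" in (_base(e.image), _base(e.parent_image))),
    ("wmi_remote_process_launch",
     lambda e: _base(e.parent_image) == "wmiprvse.exe"
     and _base(e.image) in {"cmd.exe", "powershell.exe"}),
    ("impacket_admin_share_redirect",
     lambda e: bool(_IMPACKET_REDIRECT.search(e.command_line))),
    ("mimikatz_module_syntax",
     lambda e: any(tok in e.command_line.lower()
                   for tok in ("sekurlsa::", "lsadump::"))),
]


def evaluate(event: ProcessEvent) -> list[str]:
    """Names of all rules that match a single record."""
    return [name for name, pred in RULES if pred(event)]


def triage(events) -> dict[str, list[str]]:
    """Map host -> rule names, only for hosts with at least one hit."""
    hits: dict[str, list[str]] = {}
    for e in events:
        for name in evaluate(e):
            hits.setdefault(e.host, []).append(name)
    return hits


# Constructed sample telemetry: two suspicious hosts and one benign workstation.
SAMPLE_EVENTS = [
    ProcessEvent("SP01", r"C:\Windows\System32\inetsrv\w3wp.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("SP01", r"C:\Windows\PSEXESVC.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessEvent("FS02", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1721234567.12 2>&1"),
    ProcessEvent("FS02", r"C:\Windows\explorer.exe", r"C:\Tools\x.exe",
                 "x.exe privilege::debug sekurlsa::logonpasswords exit"),
    ProcessEvent("WS03", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for host, names in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(names)}")
```

The rules are deliberately narrow so that a hit is worth an analyst's time; in practice the w3wp.exe rule is the one most specific to a web-server compromise, while the PsExec and WMI rules will also fire on legitimate administration and need allow-listing for known management hosts.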

Notable victims of this campaign include several U.S. government entities such as the National Nuclear Security Administration, the Department of Education, the Department of Health and Human Services (DHHS), and the Department of Homeland Security (DHS). These intrusions have placed sensitive government and strategic sectors at risk, highlighting the severity of the campaign.

Microsoft is urging immediate application of security patches and mitigations to protect vulnerable SharePoint servers. Recommended measures include applying Microsoft's patches, using Microsoft Defender, and rotating keys.

The National Institutes of Health has confirmed that one of its servers was compromised. Dutch cybersecurity firm Eye Security, which has provided expanded analysis and threat intelligence on this campaign, suggests that the actual number of victims could be higher, as not all attack vectors leave detectable traces.

Beijing has denied the claim that Chinese hackers are involved in the campaign. However, both Microsoft and Google owner Alphabet have stated that Chinese hackers are taking advantage of the flaw. The Washington Post was the first to report the news of the compromise, with Vaisha Bernard, the chief hacker for Eye Security, being among the first to flag the breaches related to this campaign.

The exact nature and origin of the Storm-2603 group remain unknown. Unlike typical state-backed hacker campaigns, this campaign is focused on causing disruption through ransomware rather than data theft. This disclosure by Microsoft could potentially signal an escalation in the ongoing campaign.

Sources:

  1. Microsoft Security Intelligence Report, July 2025
  2. Google Threat Analysis Group Report, July 2025
  3. Eye Security Threat Intelligence Report, July 2025

  1. Malaysia's Department of Health and Human Services could potentially be at risk, given the extent of the current ransomware campaign affecting various organizations and agencies, with a majority located in the United States.
  2. The ongoing cybersecurity issue, involving the deployment of Warlock ransomware through exploited Microsoft SharePoint servers, has raised concerns about the safety of sensitive data, as depicted by the breach of the National Institutes of Health's server.
  3. In light of the escalating threat landscape, especially in the realm of cybersecurity and crime-and-justice, it is crucial for agencies, including those in Malaysia, to stay informed and adapt their security measures accordingly, as it has been advised to apply security patches and mitigations for vulnerable SharePoint servers.
