Storm-2603 Exploits SharePoint Vulnerabilities to Deploy Warlock Ransomware on Unpatched Systems

Jul 24, 2025
Vulnerability / Ransomware

Microsoft has disclosed that a threat actor, identified as Storm-2603, is actively exploiting vulnerabilities in SharePoint to deploy Warlock ransomware on targeted systems. In an update released Wednesday, the company noted that these insights stem from ongoing analysis and threat intelligence regarding Storm-2603’s exploitation activities. This financially motivated actor is suspected to be based in China and has previously been linked to the deployment of both Warlock and LockBit ransomware. The attack chain involves exploiting CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability, targeting unpatched on-premises SharePoint servers to facilitate the deployment of the spinstall0.aspx web shell. “This initial access enables command execution via the w3wp.exe process that supports SharePoint,” Microsoft stated. “Storm-2603 subsequently initiates a series of discovery commands, including…”

Storm-2603 Exploits SharePoint Vulnerabilities to Deploy Warlock Ransomware on Unpatched Systems

On July 24, 2025, Microsoft disclosed that the cyber group known as Storm-2603 is actively exploiting vulnerabilities in SharePoint software to deploy Warlock ransomware on targeted systems. This revelation is based on an extensive analysis and threat intelligence from ongoing monitoring of exploitation activities attributed to this financially motivated threat actor. Microsoft has identified Storm-2603 as a suspected threat group based in China, previously associated with deploying both Warlock and LockBit ransomware variants.

The malicious activities primarily exploit two critical vulnerabilities: CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, which allows for remote code execution. These vulnerabilities specifically target unpatched on-premises SharePoint servers, enabling the threat actor to execute a web shell payload via the spinstall0.aspx script. According to Microsoft, this initial access paves the way for command execution through the w3wp.exe process, a service integral to SharePoint operations.

Following this initial breach, Storm-2603 executes a series of commands aimed at discovering more about the compromised environment. This method of reconnaissance aligns with several tactics outlined in the MITRE ATT&CK framework, notably initial access and discovery. The attack strategy underscores a common approach where threat actors first gain unauthorized access before systematically probing systems for valuable data or elevated privileges.

The implications of such attacks are particularly concerning for organizations that have not applied the latest security patches to their SharePoint servers. Vulnerabilities remain a stark entry point for cybercriminals looking to exploit outdated systems, especially in environments that handle sensitive information. Business owners must recognize the importance of maintaining up-to-date software and implementing robust cybersecurity practices.

As Storm-2603 continues to leverage these SharePoint vulnerabilities, the need for a proactive cybersecurity stance becomes critical. Organizations should consider structured vulnerability management programs and regular security assessments to mitigate potential risks. By understanding the tactics and techniques that adversaries employ, businesses can bolster their defenses and better protect their valuable data assets.

In the evolving landscape of cybersecurity threats, awareness and preparedness are essential for safeguarding against exploits like those utilized by Storm-2603. As the landscape shifts and new vulnerabilities emerge, maintaining vigilance and employing adaptive security measures will be paramount for organizations seeking to thwart ransomware and other cyber threats.

Source link

Related Posts

Citrix Issues Urgent Patches for Actively Exploited Vulnerability CVE-2025-6543 in NetScaler ADC

June 25, 2025
Vulnerability / Network Security

Citrix has launched critical security updates to address a significant vulnerability in NetScaler ADC, which is currently being exploited in the wild. This vulnerability, identified as CVE-2025-6543, has a CVSS score of 9.2 out of 10. It involves a memory overflow issue that could lead to unintended control flow and potential denial-of-service attacks. Successful exploitation requires the appliance to be set up as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. The affected versions include:

  • NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-47.46
  • NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-59.19
  • NetScaler ADC and NetScaler Gateway 12.1 and 13.0 (vulnerable and end-of-life)
  • NetScaler ADC 13.1-FIPS and NDcPP prior to 13.1-37.236-FIPS and NDcPP

Citrix has indicated that vulnerabilities also impact “Secure Private Access on-prem or Secure Private Access Hybrid” deployments utilizing NetScaler instances.

9% of Microsoft Entra SaaS Apps Still Vulnerable to nOAuth Exploits Two Years Post-Discovery

June 25, 2025
SaaS Security / Vulnerability

Recent findings highlight ongoing risks associated with a known security flaw in Microsoft Entra ID, which may allow malicious actors to execute account takeovers in certain software-as-a-service (SaaS) applications. Identity security firm Semperis analyzed 104 SaaS applications and discovered that nine remain vulnerable to Entra ID cross-tenant nOAuth abuse. Initially revealed by Descope in June 2023, nOAuth pertains to a flaw in the implementation of OpenID Connect (OIDC) by SaaS applications, which is an authentication layer built on OAuth for verifying user identities. This implementation flaw allows attackers to alter the mail attribute in an Entra ID account to that of a target, leveraging the app’s “Log in with Microsoft” feature to hijack the account. The attack is straightforward, exacerbated by Entra ID’s allowance for unverified email addresses, paving the way for user impersonation.

CISA Updates KEV Catalog with 3 New Vulnerabilities Affecting AMI MegaRAC, D-Link, and Fortinet

On June 26, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, all of which are subject to active exploitation. These vulnerabilities affect AMI MegaRAC, D-Link DIR-859 routers, and Fortinet FortiOS. The details of the vulnerabilities are as follows:

  • CVE-2024-54085 (CVSS score: 10.0): An authentication bypass vulnerability in the Redfish Host Interface of AMI MegaRAC SPx, which could enable a remote attacker to gain control.
  • CVE-2024-0769 (CVSS score: 5.3): A path traversal vulnerability in D-Link DIR-859 routers that facilitates privilege escalation and unauthorized control (currently unpatched).
  • CVE-2019-6693 (CVSS score: 4.2): A hard-coded cryptographic key issue in FortiOS, FortiManager, and FortiAnalyzer used for encrypting password data in CLI configurations, potentially allowing an attacker with access to the CLI configuration or backup file to decrypt sensitive information.

Severe RCE Vulnerabilities in Cisco ISE and ISE-PIC Enable Unauthenticated Attackers to Obtain Root Access

Jun 26, 2025
Vulnerability, Network Security

Cisco has issued updates to resolve two critical security vulnerabilities in the Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that may allow unauthenticated attackers to execute arbitrary commands with root privileges. These vulnerabilities, identified as CVE-2025-20281 and CVE-2025-20282, both carry a maximum CVSS score of 10.0. Here’s a detailed overview of the vulnerabilities:

  • CVE-2025-20281: A remote code execution flaw impacting Cisco ISE and ISE-PIC versions 3.3 and later, enabling an unauthenticated attacker to execute arbitrary code on the system as root.

  • CVE-2025-20282: A remote code execution vulnerability in Cisco ISE and ISE-PIC version 3.4 that allows an unauthenticated attacker to upload arbitrary files to the device and execute them as root.

Cisco has indicated that CVE-2025-20281 stems from inadequate…