
Warlock ransomware exploits SharePoint flaws, warns Microsoft

Summary

– A China-based hacking group (Storm-2603) is exploiting vulnerabilities in Microsoft SharePoint servers to deploy Warlock ransomware, targeting systems vulnerable to the ToolShell zero-day exploit chain.
– Over 420 SharePoint servers remain exposed to these attacks, with at least 400 servers infected and 148 organizations breached globally.
– The attackers use Mimikatz to steal credentials, move laterally with PsExec and Impacket, and modify GPOs to spread ransomware across compromised networks.
– Microsoft and CISA urge immediate patching, as the attacks have breached US federal agencies, including the National Nuclear Security Administration and the Department of Education.
– Chinese state-backed groups Linen Typhoon and Violet Typhoon are also suspected of involvement, and European and Middle Eastern governments are among the affected.

A sophisticated ransomware campaign is actively exploiting vulnerabilities in Microsoft SharePoint servers, with a Chinese hacking group deploying Warlock ransomware to target unpatched systems. Security researchers warn that over 420 exposed SharePoint instances remain vulnerable to these attacks, which leverage a chain of zero-day exploits known as ToolShell.

Microsoft has confirmed that the threat actor, tracked as Storm-2603, has been actively compromising networks since mid-July. Once inside, the attackers use Mimikatz to dump credentials from LSASS memory, move laterally with PsExec and Impacket, and finally push the ransomware to domain machines through modified Group Policy Objects (GPOs). Microsoft has observed the group deploying LockBit and Warlock ransomware in the past, but its exact objectives remain unclear.
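The chain above (remote service installs by PsExec or Impacket, then a ransomware push via a modified GPO) leaves artifacts a defender can hunt for with built-in tooling. The script below is an added example, not code from the article, from Microsoft or from BleepingComputer; it assumes an elevated Windows PowerShell 5.1+ session on a domain-joined server or domain controller with the GroupPolicy (RSAT) module installed, and the Impacket service-name heuristic is an assumption rather than a published indicator.

```powershell
# Added example (not from the article, Microsoft or BleepingComputer): hunt for the
# Storm-2603 post-exploitation chain on a domain-joined Windows server or DC.
# Assumptions: elevated Windows PowerShell 5.1+; GroupPolicy (RSAT) module for the
# GPO check; the Impacket heuristic below is an assumption, not a published IOC.

# 1. Remote service installs. Sysinternals PsExec registers a service named PSEXESVC;
#    Impacket's psexec.py registers a random-named service whose binary is dropped
#    into ADMIN$ (C:\Windows). Both land in the System log as event 7045.
function Find-SuspiciousServiceInstalls {
    param([int]$LookbackHours = 72)
    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $reason = $null
        if ($data['ServiceName'] -eq 'PSEXESVC') {
            $reason = 'Sysinternals PsExec service'
        } elseif ($data['ImagePath'] -match '^(%SystemRoot%|C:\\Windows)\\[A-Za-z]{4,8}\.exe$') {
            $reason = 'Random-named binary in ADMIN$ (Impacket psexec heuristic, assumption)'
        }
        if ($reason) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                ServiceName = $data['ServiceName']
                ImagePath   = $data['ImagePath']
                Account     = $data['AccountName']
                Reason      = $reason
            }
        }
    }
}

# 2. GPO changes. A ransomware push via Group Policy needs a recently modified GPO
#    carrying a computer-side Scheduled Tasks, Scripts or Files extension.
function Find-RecentGpoChanges {
    param([int]$LookbackHours = 72)
    Import-Module GroupPolicy -ErrorAction Stop
    $since = (Get-Date).AddHours(-$LookbackHours)
    foreach ($gpo in (Get-GPO -All | Where-Object { $_.ModificationTime -gt $since })) {
        $report = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
        $exts   = @($report.GPO.Computer.ExtensionData | ForEach-Object { $_.Name })
        [pscustomobject]@{
            Name               = $gpo.DisplayName
            Modified           = $gpo.ModificationTime
            ComputerExtensions = ($exts -join ', ')
            # these three client-side extensions are the usual vehicles for pushing a binary to every machine
            Suspicious         = [bool]($exts -match '^(Scheduled Tasks|Scripts|Files)$')
        }
    }
}

Find-SuspiciousServiceInstalls | Format-Table -AutoSize
Find-RecentGpoChanges | Where-Object Suspicious | Format-Table -AutoSize
```

Run the GPO check on a domain controller (or any host with RSAT) and the service check on every server the compromised account could reach; a hit on either is a reason to pull the host's Security log and Defender telemetry for the Mimikatz stage, which these two checks do not cover.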

Shadowserver, a non-profit security foundation that scans the internet for exposed services, reports that hundreds of SharePoint servers remain exposed, and Eye Security estimates at least 400 infected systems and 148 breached organizations worldwide. The attacks chain two flaws in on-premises SharePoint Server that Microsoft fixed in the July 2025 Patch Tuesday updates: CVE-2025-49706, an authentication bypass (spoofing) bug, and CVE-2025-49704, a remote code execution bug; together they give an unauthenticated attacker code execution on the server. Microsoft later assigned CVE-2025-53770 to a variant that bypasses the CVE-2025-49704 fix (with CVE-2025-53771 as the companion bypass of the CVE-2025-49706 fix), so servers that had applied only the July updates remained exploitable. The Cybersecurity and Infrastructure Security Agency (CISA) has since added CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies one day to patch.

The impact extends beyond private entities, with U.S. government agencies among the confirmed victims. The National Nuclear Security Administration, the agency that maintains the U.S. nuclear weapons stockpile, disclosed a breach, though no classified data was confirmed stolen. Additional targets include the Department of Education, Rhode Island's state government, and Florida's Department of Revenue, along with European and Middle Eastern government networks.

Microsoft urges organizations to immediately apply the SharePoint security updates and follow the mitigation steps in its advisory: enable AMSI integration in Full Mode together with Microsoft Defender Antivirus on every SharePoint server, and, because the exploit chain was used to read the server's ASP.NET machine keys, rotate those keys (the Update-SPMachineKey cmdlet) and restart IIS after patching. A stolen validation key lets an attacker keep forging __VIEWSTATE payloads against an otherwise patched server, so patching alone does not evict an intruder who is already in. Meanwhile, researchers suspect that the Chinese state-backed groups Linen Typhoon and Violet Typhoon may also be involved, though attribution remains under investigation.
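The following script turns the advisory's steps into something an administrator can run on each on-premises SharePoint server: a hunt through IIS logs for the ToolShell request pattern, a check of the LAYOUTS directories for the dropped webshell, and the machine-key rotation. It is an added example, not code from the article, from Microsoft or from BleepingComputer. The request pattern (POST to ToolPane.aspx with a Referer of SignOut.aspx) and the webshell name spinstall0.aspx come from Microsoft's published ToolShell guidance; the install paths assume a default SharePoint installation, the IIS field order assumes the default W3C log layout, and the sample log lines are constructed for the demonstration.

```powershell
# Added example (not from the article, Microsoft or BleepingComputer). Run on each
# on-premises SharePoint server from an elevated SharePoint Management Shell.
# The ToolShell request pattern and the spinstall0.aspx name are from Microsoft's
# published guidance; LAYOUTS paths assume a default install; log lines are constructed.

# 1. IIS log hunt. Exploitation is a POST to /_layouts/15/ToolPane.aspx with
#    DisplayMode=Edit and a Referer of /_layouts/SignOut.aspx, which is what slips the
#    request past authentication. Field order assumes the default W3C layout:
#    date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
#    cs(User-Agent) cs(Referer) sc-status ...
function Find-ToolShellRequests {
    param([string[]]$LogLines)
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#')) { continue }      # W3C directive/header lines
        $f = $line -split ' '
        if ($f.Count -lt 12) { continue }
        $method, $stem, $query, $clientIp, $referer, $status = $f[3], $f[4], $f[5], $f[8], $f[10], $f[11]
        if ($method -eq 'POST' -and
            $stem -match '/_layouts/(15/)?ToolPane\.aspx$' -and
            $query -match 'DisplayMode=Edit' -and
            $referer -match '/_layouts/(15/)?SignOut\.aspx') {
            [pscustomobject]@{ Time = "$($f[0]) $($f[1])"; ClientIp = $clientIp; Status = $status; Uri = "$stem?$query" }
        }
    }
}

# Constructed sample: one benign request and one exploitation attempt (IIS writes spaces in fields as '+').
$sampleLog = @(
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken',
    '2025-07-19 03:14:07 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\alice 10.0.1.23 Mozilla/5.0+(Windows+NT+10.0) https://sp.corp.example/ 200 0 0 120',
    '2025-07-19 03:15:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.77 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 310'
)
Find-ToolShellRequests -LogLines $sampleLog | Format-Table -AutoSize
# Real logs: Get-ChildItem C:\inetpub\logs\LogFiles -Recurse -Filter *.log |
#            ForEach-Object { Find-ToolShellRequests -LogLines (Get-Content $_.FullName) }

# 2. Webshell check in the LAYOUTS directories (hive 16 = 2016/2019/Subscription Edition, hive 15 = 2013).
function Find-SpInstallWebshell {
    $roots = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
             'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        # spinstall0.aspx is the published name; the wildcard is an assumption to catch renamed copies
        Get-ChildItem -Path $root -Filter 'spinstall*.aspx' -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc
    }
}
Find-SpInstallWebshell

# 3. Remediation. Patching does not evict an attacker who already read the ASP.NET
#    MachineKey (ValidationKey/DecryptionKey): with it they can keep forging __VIEWSTATE
#    payloads against the patched server. Rotate the keys on every web application,
#    then restart IIS so the new keys are loaded. Dry run unless -Execute is given.
function Invoke-SpMachineKeyRotation {
    param([switch]$Execute)
    if (-not $Execute) { Write-Warning 'Dry run: re-run with -Execute to rotate keys and restart IIS'; return }
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
    Get-SPWebApplication | ForEach-Object { Update-SPMachineKey -WebApplication $_ }
    iisreset.exe
}
Invoke-SpMachineKeyRotation   # add -Execute to actually rotate
```

Order matters: patch first, then rotate keys and restart IIS, and treat a hit from either hunting function as an incident rather than a hygiene finding, because a webshell or a successful ToolPane POST means the keys were exposed and any credentials on the host should be considered stolen.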

With ransomware attacks escalating, experts emphasize the urgency of patching vulnerable systems before more organizations fall victim. The widespread exploitation of SharePoint flaws highlights the growing risks of unpatched enterprise software in an increasingly aggressive cyber threat landscape.

(Source: BLEEPING COMPUTER)
