
Ransomware Attacks Target Vulnerable SharePoint Servers

Summary

– Microsoft warns organizations to protect against ransomware as China-based group Storm-2603 exploits SharePoint vulnerabilities to deploy Warlock ransomware.
– Three groups, Storm-2603, Linen Typhoon, and Violet Typhoon, are exploiting SharePoint flaws (CVE-2025-53770 and CVE-2025-53771) in a sophisticated attack chain dubbed ‘ToolShell’.
– Attackers bypass identity controls to gain privileged access, with ransomware potentially used for financial gain or to cause chaos, despite Chinese groups typically focusing on data collection.
– Over 400 SharePoint systems have been compromised, including US government agencies like the National Nuclear Security Administration and Department of Education.
– Microsoft advises affected organizations to assume compromise, rotate cryptographic material, and consider disconnecting SharePoint from the internet.

Microsoft SharePoint servers are facing relentless ransomware attacks, with Chinese-linked threat actors exploiting critical vulnerabilities to deploy malicious payloads. Security teams are scrambling to mitigate the damage as over 400 organizations, including US federal agencies, have already fallen victim to these coordinated assaults.

Recent intelligence confirms that Storm-2603, a suspected China-based hacking group, is actively weaponizing flaws in on-premises SharePoint servers (CVE-2025-53770 and CVE-2025-53771) to spread Warlock ransomware. Microsoft warns that even fully patched systems may still be at risk, urging administrators to implement additional defensive measures immediately.

Two other notorious Chinese state-sponsored groups, Linen Typhoon and Violet Typhoon, are also exploiting these vulnerabilities. While these actors typically focus on espionage, their shift toward ransomware deployment suggests a dual-purpose strategy: stealing sensitive data while simultaneously disrupting operations for financial or geopolitical gain.

Security researchers have dubbed the attack method “ToolShell”, noting its sophistication in bypassing authentication controls and escalating privileges within compromised networks. Kevin Robertson, CTO of Acumen Cyber, emphasized that attackers are leveraging initial access to maximize damage, encrypting critical files before demanding ransoms.

The situation escalated after a proof-of-concept exploit script was publicly released on GitHub, triggering multiple attack waves between July 17 and 21. High-profile victims include the National Nuclear Security Administration, Department of Education, and Department of Health and Human Services, with the Department of Homeland Security also reportedly impacted.

Microsoft advises affected organizations to rotate cryptographic keys, disconnect vulnerable SharePoint instances from the internet, and engage incident response teams. Meanwhile, cybersecurity firm Eye Security confirms that the attacks show no signs of slowing, with compromised systems continuing to rise.

This incident underscores the growing trend of nation-state actors blending cyberespionage with ransomware tactics, creating unprecedented challenges for defenders. Businesses relying on SharePoint must prioritize patch management and assume their systems could already be compromised.

(Source: InfoSecurity)
