Hackers breach SmarterTools network using flaw in its own software

SmarterTools confirmed that the Warlock group breached its network by exploiting an unpatched SmarterMail VM (CVE-2026-23760), allowing lateral movement via Active Directory and deployment of tools like Velociraptor and SimpleHelp. SentinelOne prevented final encryption, affected systems were isolated and restored from backups, and administrators are advised to upgrade SmarterMail to Build 9511 or later. #SmarterMail #Storm2603

Keypoints

  • Attackers exploited CVE-2026-23760 in an unpatched SmarterMail VM to reset admin passwords and gain full privileges.
  • Initial access led to lateral movement through Active Directory, compromising 12 Windows servers and a secondary data center.
  • Threat actors deployed Velociraptor, SimpleHelp, and abused vulnerable WinRAR versions, using startup items and scheduled tasks for persistence.
  • SentinelOne products stopped the final encryption payload, impacted systems were isolated, and data was restored from fresh backups.
  • ReliaQuest links the activity to Storm-2603 (Warlock); administrators should upgrade SmarterMail to Build 9511 or later to mitigate these flaws.
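The two defender-side checks a reader of these keypoints would most likely want are (a) confirming a SmarterMail instance is at or above the fixed build and (b) hunting for the persistence pattern described: scheduled tasks or newly installed services that reference the remote-administration tools named in the report. The script below is an added example written for this summary, not code from BleepingComputer, SmarterTools or the incident responders. The event IDs 4698 (scheduled task created) and 7045 (new service installed) are real Windows event IDs; the key=value log shape, host names, paths and timestamps are constructed for the example and are not a real Windows export format.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Remote-administration tools the report says were deployed after the
# SmarterMail compromise. Both are legitimate products, so a hit is a
# triage lead to confirm against change records, not a verdict.
REMOTE_ADMIN_TOOLS = ("velociraptor", "simplehelp")

# Windows event IDs: 4698 = scheduled task created (Security log),
# 7045 = new service installed (System log). The report names scheduled
# tasks and startup items as the persistence mechanisms used.
TASK_CREATED = 4698
SERVICE_INSTALLED = 7045
PERSISTENCE_EVENTS = {TASK_CREATED: "scheduled task",
                      SERVICE_INSTALLED: "service install"}

# Constructed sample records in a simple key=value shape (not a real
# Windows export format); hosts, paths and times are invented.
SAMPLE_LOG = r"""
ts=2026-01-15T03:12:44Z host=MAIL01 event_id=4698 detail="\Updater -> C:\ProgramData\velociraptor.exe service run"
ts=2026-01-15T03:13:02Z host=DC01 event_id=7045 detail="SimpleHelp Remote Access service installed"
ts=2026-01-15T03:15:10Z host=FILE02 event_id=4698 detail="\Backup\Nightly -> C:\Program Files\Backup\backup.exe"
ts=2026-01-15T03:16:30Z host=DC01 event_id=4624 detail="logon type 3 from MAIL01"
"""

LINE_RE = re.compile(r'ts=(\S+) host=(\S+) event_id=(\d+) detail="([^"]*)"')


@dataclass(frozen=True)
class Lead:
    ts: str
    host: str
    mechanism: str   # "scheduled task" or "service install"
    tool: str        # which remote-admin tool name was matched
    detail: str


def parse_line(line: str) -> Optional[tuple]:
    """Parse one constructed log record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, event_id, detail = m.groups()
    return ts, host, int(event_id), detail


def find_persistence_leads(lines: Iterable[str]) -> list[Lead]:
    """Return persistence events whose detail names a remote-admin tool."""
    leads = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, event_id, detail = parsed
        mechanism = PERSISTENCE_EVENTS.get(event_id)
        if mechanism is None:
            continue  # not a task-creation or service-install event
        lowered = detail.lower()
        tool = next((t for t in REMOTE_ADMIN_TOOLS if t in lowered), None)
        if tool is None:
            continue  # persistence event, but no named tool: out of scope here
        leads.append(Lead(ts, host, mechanism, tool, detail))
    return leads


def hosts_with_leads(leads: Iterable[Lead]) -> set[str]:
    """Hosts to prioritise for isolation and review, as the report describes."""
    return {lead.host for lead in leads}


def smartermail_is_patched(build: int, minimum_build: int = 9511) -> bool:
    """Build 9511 or later is the fixed level named in the advisory."""
    return build >= minimum_build


if __name__ == "__main__":
    found = find_persistence_leads(SAMPLE_LOG.splitlines())
    for lead in found:
        print(f"{lead.ts} {lead.host}: {lead.mechanism} referencing "
              f"{lead.tool}: {lead.detail}")
    print("hosts to review:", sorted(hosts_with_leads(found)))
    print("build 9510 patched?", smartermail_is_patched(9510))
```

On the constructed sample the script flags the MAIL01 scheduled task referencing Velociraptor and the DC01 SimpleHelp service install, while ignoring the ordinary backup task and the logon event. In a real environment, feed it task-creation and service-install events from your SIEM in whatever shape you export them, adjust `LINE_RE` accordingly, and treat each lead as a starting point for verifying whether the tool was deployed through an approved change.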

Read More: https://www.bleepingcomputer.com/news/security/hackers-breach-smartertools-network-using-flaw-in-its-own-software/