Chinese Hackers Now Exploiting SharePoint Zero-Days to Deploy Warlock Ransomware: MSFT
Microsoft warns that the China-based threat actor Storm-2603 is exploiting unpatched on-premises SharePoint servers to deploy Warlock ransomware, following earlier activity aimed at stealing MachineKeys. The actor uses web shells, credential theft tools, and Group Policy Object (GPO) modifications for persistence and ransomware distribution, posing a significant risk to vulnerable systems worldwide. #Storm-2603 #WarlockRansomware

Key points

  • Storm-2603 has shifted from credential theft to deploying ransomware on SharePoint servers.
  • The attackers exploited two SharePoint vulnerabilities (CVE-2025-53770 and CVE-2025-53771) to gain initial access.
  • Persistent access was maintained through web shells, scheduled tasks, and IIS modifications.
  • Tools such as Mimikatz, PsExec, and Impacket were used for credential harvesting and lateral movement.
  • Over 420 unpatched SharePoint servers remain vulnerable worldwide, mainly in the U.S., Russia, Iran, Germany, and India.

Read More: https://thecyberexpress.com/chinese-hack-sharepoint-bug-warlock-ransomware/