Storm-2603, a threat group, is abusing vulnerabilities in on-premises SharePoint servers to deploy ransomware, specifically Warlock and Lockbit. Microsoft has identified three groups involved in these attacks, with Storm-2603 being likely China-based. Attacks started on July 18, utilizing vulnerabilities CVE-2025-49704 and CVE-2025-49706. Discovery commands, including 'whoami' and 'cmd.exe', are used for user context enumeration, while services.exe is manipulated to disable Microsoft Defender. Persistence on compromised machines involves the spinstall0.aspx web shell and the creation of scheduled tasks.
Microsoft has observed the threat actor Storm-2603 deploying Warlock and Lockbit ransomware, taking advantage of vulnerabilities in on-premises SharePoint servers since July 18.
Storm-2603 exploits patched vulnerabilities CVE-2025-49704 and CVE-2025-49706, initiating discovery commands like 'whoami' to enumerate user context.
The ransomware campaign involves the abuse of services.exe to disable Microsoft Defender protections and the use of spinstall0.aspx web shell for persistence.
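As an added example, not part of this report or of Microsoft's own detections, the following Python script runs a few coarse detection rules for three of the behaviours described above (the spinstall0.aspx web shell drop, discovery commands launched from the web server process, and scheduled-task creation) over constructed sample events. It assumes SharePoint runs under the IIS worker process w3wp.exe and that tasks are created with schtasks.exe; the event field layout is invented for illustration and is not any vendor's log schema.

```python
import ntpath

# Constructed sample events (not real logs) modelled on the campaign behaviours.
# The dict layout is an assumption for illustration only.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\inetpub\wwwroot\layouts\spinstall0.aspx",
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"type": "process", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks.exe /create /tn Updater /tr C:\\temp\\x.exe /sc minute"},
    # Benign-looking control: an interactive admin shell, not the web worker.
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
]

WEB_WORKER = "w3wp.exe"        # IIS worker process hosting SharePoint (assumption)
WEB_SHELL = "spinstall0.aspx"  # web shell file name reported in the campaign
DISCOVERY = {"whoami", "whoami.exe"}


def basename(path):
    """Lower-cased final path component, tolerant of Windows separators."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule_name, event_index) pairs for events matching the rules."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "file" and basename(ev["path"]) == WEB_SHELL:
            hits.append(("webshell_dropped", i))
        elif ev["type"] == "process":
            parent, image = basename(ev["parent"]), basename(ev["image"])
            tokens = set(ev["cmdline"].lower().split())
            # A web worker should not be spawning shells or discovery tools.
            if parent == WEB_WORKER and (image == "cmd.exe" or DISCOVERY & tokens):
                hits.append(("discovery_from_web_worker", i))
            # Coarse persistence rule; tune parent scoping to your environment.
            if image == "schtasks.exe" and "/create" in tokens \
                    and parent in {WEB_WORKER, "cmd.exe"}:
                hits.append(("scheduled_task_persistence", i))
    return hits


if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule}: event {idx}")
```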