Storm-2603 Exploits SharePoint Flaws to Deploy Warlock Ransomware on Unpatched Systems
Briefly

One of the threat actors exploiting the SharePoint flaws, tracked by Microsoft as Storm-2603, is deploying Warlock ransomware on compromised systems. The group is believed to be based in China and has previously deployed both Warlock and LockBit ransomware. The attacks exploit two vulnerabilities, CVE-2025-49706 and CVE-2025-49704, against unpatched on-premises SharePoint servers. Observed techniques include command execution through the SharePoint IIS worker process (w3wp.exe), credential harvesting with Mimikatz, and persistence mechanisms that include modifying Group Policy Objects.
Microsoft, in an update shared Wednesday, said the findings are based on "an expanded analysis and threat intelligence from our continued monitoring of exploitation activity by Storm-2603."
The attack chain begins with the exploitation of CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution vulnerability, against unpatched on-premises SharePoint servers. Having gained code execution in the context of the SharePoint worker process (w3wp.exe), Storm-2603 runs a series of discovery commands, including whoami, to enumerate the user context and validate privilege levels.
Other noteworthy aspects of the activity include the use of Mimikatz to harvest credentials from the memory of the Local Security Authority Subsystem Service (LSASS), followed by lateral movement using PsExec and the Impacket toolkit.
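The process tree described above (w3wp.exe spawning a shell, the shell running whoami, then Mimikatz against LSASS) is exactly the kind of lineage a detection can key on. The following is an added example, not code from Microsoft or The Hacker News: it runs a few lineage and command-line rules over constructed process-creation records shaped like Windows Security event 4688 / Sysmon event 1. The field names, the sample records and the benign control event are assumptions made for illustration, not real telemetry.

```python
"""Process-lineage detection sketch for the Storm-2603 post-exploitation chain.

Added example; the record format (pid, ppid, image, parent image, command
line) and the sample events below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    pid: int
    ppid: int
    image: str          # full path of the created process
    parent_image: str   # full path of its parent
    command_line: str


# SharePoint's front end runs inside the IIS worker process, so code execution
# through the web application shows up as children (or grandchildren) of w3wp.exe.
WEB_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DISCOVERY = {"whoami.exe", "net.exe", "net1.exe", "nltest.exe", "systeminfo.exe", "ipconfig.exe"}
# Mimikatz module prefixes used for LSASS / LSA credential dumping.
CREDENTIAL_DUMP_TOKENS = ("sekurlsa::", "lsadump::")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(ev: ProcessEvent, by_pid: Dict[int, ProcessEvent], max_depth: int = 8) -> List[str]:
    """Image names of ev's parent, grandparent, ... .

    The event's own parent_image field supplies the first ancestor, so a root
    process that predates logging (w3wp.exe typically does) is still named;
    further ancestors are found by following ppid through other events.
    """
    chain = [basename(ev.parent_image)]
    seen = {ev.pid}
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen and len(chain) < max_depth:
        seen.add(cur.pid)
        chain.append(basename(cur.parent_image))
        cur = by_pid.get(cur.ppid)
    return chain


def classify(ev: ProcessEvent, by_pid: Dict[int, ProcessEvent]) -> List[str]:
    """Return the names of every rule the event matches (empty list if benign)."""
    hits: List[str] = []
    name = basename(ev.image)
    lineage = ancestors(ev, by_pid)
    if WEB_WORKER in lineage and name in SHELLS:
        hits.append("sharepoint_worker_spawned_shell")
    elif WEB_WORKER in lineage and name in DISCOVERY:
        hits.append("sharepoint_worker_spawned_discovery")
    cmd = ev.command_line.lower()
    if any(tok in cmd for tok in CREDENTIAL_DUMP_TOKENS):
        hits.append("mimikatz_lsass_credential_dump")
    if name == "psexesvc.exe":                  # service binary PsExec drops on the target
        hits.append("psexec_service_binary")
    return hits


def run_detections(events: List[ProcessEvent]) -> List[Tuple[str, int, str, str]]:
    by_pid = {e.pid: e for e in events}
    return [(e.host, e.pid, basename(e.image), hit) for e in events for hit in classify(e, by_pid)]


# Constructed sample: the IIS worker spawns cmd.exe, cmd.exe runs whoami and then a
# renamed Mimikatz binary; a whoami under svchost.exe is the benign control.
SAMPLE_EVENTS = [
    ProcessEvent("SP01", 4012, 812, r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\inetsrv\w3wp.exe", "cmd.exe /c whoami"),
    ProcessEvent("SP01", 4020, 4012, r"C:\Windows\System32\whoami.exe",
                 r"C:\Windows\System32\cmd.exe", "whoami"),
    ProcessEvent("SP01", 4100, 4012, r"C:\Users\Public\mk.exe",
                 r"C:\Windows\System32\cmd.exe",
                 '"mk.exe" "privilege::debug" "sekurlsa::logonpasswords" exit'),
    ProcessEvent("SP01", 5000, 900, r"C:\Windows\System32\whoami.exe",
                 r"C:\Windows\System32\svchost.exe", "whoami"),
]


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The lineage walk matters because the interesting child (whoami.exe) is not a direct child of w3wp.exe; the rule fires on the grandparent relationship, while the identical whoami under svchost.exe stays quiet. In production the same rule belongs in the EDR or SIEM query language, and the Mimikatz command-line tokens should be treated as a weak signal alongside LSASS access telemetry (Sysmon event 10), since the binary is trivially renamed.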
Read at The Hacker News