Phone : +91 95 8290 7788 | Email : sales@itmonteur.net

Register & Request Quote | Submit Support Ticket


Microsoft warns of ransomware surge in SharePoint server attacks linked to Chinese hackers


Microsoft has issued a warning to organisations running on-premises SharePoint servers. The company has confirmed that attackers are exploiting vulnerabilities in on-premises SharePoint Server to deploy ransomware. The Microsoft Threat Intelligence team attributes the new ransomware campaigns to an actor it tracks as Storm-2603. Earlier exploitation of the SharePoint vulnerabilities led to data exfiltration, but the latest observations point to financially motivated attacks using the Warlock ransomware, which the attackers use to paralyse networks and demand cryptocurrency payments.

How the attack works

In an updated blog post, Microsoft explains that the attack begins with exploitation of an internet-facing on-premises SharePoint server. This initial breach gives Storm-2603 a foothold in the environment, typically through a malicious ASP.NET payload written to the server as spinstall0.aspx. From that foothold the attackers move on to deploy ransomware across the network.

Microsoft has confirmed that SharePoint Online is not affected. On-premises versions, including SharePoint Server 2016, SharePoint Server 2019 and SharePoint Server Subscription Edition, remain vulnerable until the security updates are applied.

Three Chinese state-sponsored groups behind global attack

Microsoft identified three China-linked groups, Linen Typhoon, Violet Typhoon and Storm-2603, as exploiting critical vulnerabilities in SharePoint Server that left customers running the software on their own networks open to attack. The breaches affected organisations across multiple sectors, including government agencies, energy companies, consulting firms and universities, from the US to Europe and the Middle East.

Among the federal targets was the National Nuclear Security Administration, the semiautonomous Energy Department arm responsible for producing and dismantling nuclear weapons; according to sources familiar with the matter, no sensitive or classified information was compromised there. Other federal agencies, including the US Education Department, were also targeted.

What organisations should do

Microsoft has also published guidance for protecting on-premises SharePoint Server environments. It asks customers to:

– Enable Antimalware Scan Interface (AMSI) integration and deploy Microsoft Defender Antivirus on all SharePoint servers
– If AMSI cannot be enabled, disconnect the servers from the internet until it can be
– Use Microsoft Defender for Endpoint to detect post-exploitation activity, and monitor for suspicious file creation such as spinstall0.aspx

These steps limit exposure and improve visibility; they do not replace installing the security updates that close the exploited vulnerabilities.
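One way to act on the last item, written as an added example for this page rather than code from Microsoft or the original article: it runs two checks over constructed file-creation events and IIS log lines and reports any trace of the spinstall0.aspx artefact. Only the file name comes from Microsoft's guidance; the LAYOUTS-directory rule, the w3wp.exe heuristic and the numbered-variant pattern are assumptions of this example, not indicators stated on the page.

```python
"""
Hunting for the spinstall0.aspx artefact on an on-premises SharePoint server.

Added example for this page, not Microsoft's or ETCISO's code. It runs
offline over constructed sample data. Everything beyond the file name
spinstall0.aspx (the LAYOUTS-directory rule, the w3wp.exe heuristic and the
numbered-variant pattern) is this example's own assumption and should be
tuned to the environment before use.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# SharePoint keeps its own pages under the "hive" LAYOUTS folder (15 or 16).
# Assumption: a new .aspx appearing there at run time is not normal behaviour.
LAYOUTS_DIR = re.compile(
    r"\\Web Server Extensions\\1[56]\\TEMPLATE\\LAYOUTS\\", re.IGNORECASE)

# The file name Microsoft asks customers to watch for. The \d* accepts
# numbered variants (assumption: treat any spinstall<N>.aspx the same way).
SHELL_NAME = re.compile(r"^spinstall\d*\.aspx$", re.IGNORECASE)

# Field order of a default IIS W3C log (matches the #Fields: header below).
IIS_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
              "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
              "sc-status"]


@dataclass
class Finding:
    source: str   # "file" or "iis"
    reason: str
    detail: str


def check_file_event(process: str, path: str) -> Optional[Finding]:
    """Evaluate one file-creation event (initiating process, full path)."""
    name = path.rsplit("\\", 1)[-1]
    if SHELL_NAME.match(name):
        return Finding("file", "known web-shell file name", path)
    if (LAYOUTS_DIR.search(path) and name.lower().endswith(".aspx")
            and process.lower() == "w3wp.exe"):
        # Assumption: the IIS worker process has no business writing pages
        # into LAYOUTS; legitimate deployments come from the timer service or
        # an administrator's PowerShell session, not from a web request.
        return Finding("file", "IIS worker wrote .aspx into LAYOUTS", path)
    return None


def parse_iis_line(line: str) -> Optional[dict]:
    """Split one IIS W3C log line into named fields; skip comment headers."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(IIS_FIELDS):
        return None
    return dict(zip(IIS_FIELDS, parts))


def check_iis_line(line: str) -> Optional[Finding]:
    """Flag any HTTP request whose path ends in the web-shell file name."""
    rec = parse_iis_line(line)
    if rec is None:
        return None
    requested = rec["cs-uri-stem"].rsplit("/", 1)[-1]
    if SHELL_NAME.match(requested):
        return Finding("iis", f"{rec['cs-method']} to web-shell path from {rec['c-ip']}",
                       rec["cs-uri-stem"])
    return None


def hunt(file_events: List[Tuple[str, str]], iis_lines: List[str]) -> List[Finding]:
    """Run both checks and return every hit, file events first."""
    findings: List[Finding] = []
    for process, path in file_events:
        hit = check_file_event(process, path)
        if hit:
            findings.append(hit)
    for line in iis_lines:
        hit = check_iis_line(line)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample data: a small file-creation feed and an IIS log excerpt.
HIVE = (r"C:\Program Files\Common Files\microsoft shared"
        r"\Web Server Extensions\16\TEMPLATE\LAYOUTS")
SAMPLE_FILE_EVENTS = [
    ("w3wp.exe", HIVE + r"\spinstall0.aspx"),           # the named artefact
    ("w3wp.exe", HIVE + r"\debug_dev.aspx"),            # renamed drop, same behaviour
    ("OWSTIMER.EXE", HIVE + r"\contoso_feature.aspx"),  # timer-service deployment
    ("w3wp.exe", r"C:\inetpub\temp\appPools\SharePoint\cache.bin"),  # benign
]
SAMPLE_IIS_LINES = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) cs(Referer) sc-status",
    "2025-07-19 01:12:44 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - "
    "203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200",
    "2025-07-19 01:12:51 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\alice "
    "192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) - 200",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_FILE_EVENTS, SAMPLE_IIS_LINES):
        print(f"[{f.source}] {f.reason}: {f.detail}")
```

On a real server the file events would come from Sysmon event ID 11 (FileCreate) or the DeviceFileEvents table in Defender for Endpoint, and the IIS lines from %SystemDrive%\inetpub\logs\LogFiles. A hit on the file name is a confirmation; a hit on the generic LAYOUTS rule needs triage, since a genuine deployment that happened to run under w3wp.exe would trip it too.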

Published on Jul 25, 2025 at 09:09 AM IST


What is Firewall? A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies. At its most basic, a firewall is essentially the barrier that sits between a private internal network and the public Internet.

 

Secure your network at the gateway against threats such as intrusions, viruses, spyware, worms, Trojans, adware, keyloggers, malicious mobile code (MMC) and other dangerous applications, delivered as a convenient, affordable subscription-based service. Modern threats such as web-based malware, targeted attacks and application-layer attacks have reshaped the threat landscape: the majority of new malware and intrusion attempts now exploit weaknesses in applications rather than in networking components and services. Stateful firewalls with simple packet filtering were effective at blocking unwanted applications when most applications met port and protocol expectations, and administrators could quickly prevent an unsafe application from being accessed by blocking its associated ports and protocols.

 

Firewall Firm, an IT Monteur company, provides managed firewall support, firewall security services, network security services and firewall solutions across India, including New Delhi (the national capital territory), Mumbai (Bombay), Kolkata (Calcutta), Chennai (Madras), Bengaluru (Bangalore), Bhubaneswar, Ahmedabad, Hyderabad, Pune, Surat and Jaipur.

Sales Number : +91 95 8290 7788 | Support Number : +91 94 8585 7788
Sales Email : sales@itmonteur.net | Support Email : support@itmonteur.net
