Go Back   Carder.life > [en] International Forum > Carding News
Reload this Page Microsoft: SharePoint servers also targeted in ransomware attacks

CARDER.MARKET - CARDING FORUM FOR PROFESSIONAL CARDERS


 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1  
Old 07-27-2025, 02:15 PM
Artifact's Avatar

Artifact Artifact is offline
Administrator
Join Date: Jan 2024
Posts: 0
Default


A China-based hacking group is deploying Warlock ransomware on Microsoft SharePoint servers vulnerable to widespread attacks targeting the recently patched ToolShell zero-day exploit chain.



"Although Microsoft has observed this threat actor deploying Warlock and Lockbit ransomware in the past, Microsoft is currently unable to confidently assess the threat actor’s objectives," the company said in a Wednesday report.



"Starting on July 18, 2025, Microsoft has observed Storm-2603 deploying ransomware using these vulnerabilities.



After breaching the victims' networks, Storm-2603 operators use the Mimikatz hacking tool to extract plaintext credentials from LSASS memory.



They then move laterally with PsExec and the Impacket toolkit, executing commands via Windows Management Instrumentation (WMI), and modifying Group Policy Objects (GPOs) to deliver Warlock ransomware across compromised systems.



"Customers should apply the on-premises SharePoint Server security updates immediately and follow the detailed mitigation guidance in our blog," Microsoft also warned.













Storm-2603 ransomware attack flow (Microsoft)

Microsoft Threat Intelligence researchers have also linked the Linen Typhoon and Violet Typhoon Chinese state-backed hacking groups with these attacks on Tuesday, days after Dutch cybersecurity firm Eye Security first detected zero-day attacks exploiting the CVE-2025-49706 and CVE-2025-49704 vulnerabilities.



Since then, Eye Security CTO Piet Kerkhofs told BleepingComputer that the number of breached entities is much larger, with "most of them already compromised for some time already." According to the cybersecurity company's statistics, the attackers have so far infected at least 400 servers with malware and breached 148 organizations worldwide.



CISA also added the CVE-2025-53770 remote code execution flaw, part of the same ToolShell exploit chain, to its catalog of vulnerabilities exploited in the wild, ordering US federal agencies to secure their systems within a day.



However, earlier this week, the Department of Energy confirmed that the National Nuclear Security Administration's networks were breached in the ongoing Microsoft SharePoint attacks, although the agency has yet to find evidence that sensitive or classified information was compromised in the incident.



According to a Bloomberg report, the attackers have also hacked into systems at the US Department of Education, the Rhode Island General Assembly, and Florida's Department of Revenue, as well as networks of national governments in Europe and the Middle East.



@ BleepingComputer
 

Tags
NULL

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Threaded Mode Threaded Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is On
Forum Jump




All times are GMT. The time now is 07:07 AM.

Contact Us - Carder.life - Archive - Top