The vulnerabilities affect on-premises SharePoint Server 2016, 2019, and Subscription Edition, with exploitation attempts observed as early as July 7, 2025.
Key Takeaways
1. SharePoint zero-days CVE-2025-53770/53771 have been used to deploy web shells since July
2. Storm-2603, Linen Typhoon and Violet Typhoon are exploiting them, with Warlock ransomware being spread in the follow-on attacks.
3. Apply updates, enable AMSI, rotate keys, and restart IIS.
The attack chain begins with the exploitation of CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, a remote code execution flaw affecting internet-facing SharePoint servers.
Threat actors conduct reconnaissance through POST requests to the ToolPane endpoint, followed by deployment of malicious web shells named spinstall0.aspx and variants such as spinstall1.aspx and spinstall2.aspx.
The web shell contains commands to retrieve ASP.NET MachineKey data, enabling attackers to steal cryptographic keys essential for session management and authentication.
Microsoft has identified the SHA-256 hash [92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514] associated with the primary spinstall0.aspx payload.
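The reconnaissance and web shell stages above leave a recognisable trace in IIS request logs. The following is an added example, not code from the original post or from Microsoft: it parses a few constructed IIS W3C log lines and flags POST requests to the ToolPane endpoint together with any request for a spinstall*.aspx file, then reports client addresses that did both. The /_layouts/15/ paths and the field layout are assumptions about a typical SharePoint deployment.

```python
"""Flag IIS log lines matching the two request patterns described on this page."""
import re

# Request patterns taken from the write-up: ToolPane POSTs and spinstall0/1/2.aspx shells.
TOOLPANE_RE = re.compile(r"/toolpane\.aspx$", re.IGNORECASE)
WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$", re.IGNORECASE)

# Constructed sample log (W3C format, reduced field set); addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-18 03:12:01 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.0.21 200
2025-07-18 03:12:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 203.0.113.77 200
2025-07-18 03:12:10 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 203.0.113.77 200
2025-07-18 03:13:40 10.0.0.5 GET /_layouts/15/spinstall2.aspx - 203.0.113.77 200
2025-07-18 03:15:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 10.0.0.21 401
"""


def parse_w3c(text):
    """Yield one dict per record, using the most recent #Fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def find_indicators(text):
    """Return (kind, client_ip, time, status) for every matching request."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        if rec.get("cs-method") == "POST" and TOOLPANE_RE.search(stem):
            hits.append(("toolpane-post", rec["c-ip"], rec["time"], rec["sc-status"]))
        elif WEBSHELL_RE.search(stem):
            hits.append(("spinstall-webshell", rec["c-ip"], rec["time"], rec["sc-status"]))
    return hits


def suspicious_sources(hits):
    """Client addresses that both probed ToolPane and requested a spinstall shell."""
    kinds_by_ip = {}
    for kind, ip, *_ in hits:
        kinds_by_ip.setdefault(ip, set()).add(kind)
    chain = {"toolpane-post", "spinstall-webshell"}
    return sorted(ip for ip, kinds in kinds_by_ip.items() if chain <= kinds)


if __name__ == "__main__":
    found = find_indicators(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("chain observed from:", suspicious_sources(found))
```

A single ToolPane POST that returns 401 (as from 10.0.0.21 above) is ordinary SharePoint editing traffic, so pair it with the spinstall request before raising an alert.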
Post-exploitation activities involve abuse of the w3wp.exe process that supports SharePoint, with attackers using cmd.exe and services.exe to disable Microsoft Defender protections through direct registry modifications.
Three primary threat actors have been identified exploiting these vulnerabilities: Linen Typhoon and Violet Typhoon, both established Chinese state-sponsored groups, and Storm-2603, which has escalated attacks to include ransomware deployment.
Storm-2603 establishes persistence through multiple mechanisms, including scheduled tasks and manipulation of Internet Information Services (IIS) components to load suspicious .NET assemblies.
The group performs credential access using Mimikatz to target Local Security Authority Subsystem Service (LSASS) memory, extracting plaintext credentials for lateral movement via PsExec and the Impacket toolkit.
Command and control infrastructure includes domains such as update.updatemicfosoft.com and IP addresses 65.38.121.198 and 131.226.2.6.
The attack culminates with the modification of Group Policy Objects (GPOs) to distribute Warlock ransomware across compromised networks.
Microsoft has released comprehensive security updates and strongly recommends immediate patching, enabling Antimalware Scan Interface (AMSI) in Full Mode, and rotating SharePoint server ASP.NET machine keys, followed by an IIS restart using iisreset.exe.
The post Hackers Exploiting Sharepoint 0-day Vulnerability to Deploy Warlock Ransomware appeared first on Cyber Security News.