Microsoft SharePoint Hackers Switch Gears to Spread Ransomware

Threat actors exploit SharePoint flaws to access internal systems, steal sensitive data, and carry out surveillance, impersonation, and extortion.

Recent attacks targeting Microsoft SharePoint have escalated, with threat actors now deploying ransomware on vulnerable systems, according to Microsoft. This surge in malicious activity follows the release of multiple SharePoint security patches in July.

An update published to Microsoft’s blog reads, in part: “Expanded analysis and threat intelligence from our continued monitoring of exploitation activity by Storm-2603 leading to the deployment of Warlock ransomware.”

Detailing the attack

At least three threat groups believed to be affiliated with China have been exploiting publicly known vulnerabilities in Microsoft SharePoint, according to Microsoft. These include the Linen Typhoon, Violet Typhoon, and Storm-2603.

The attackers exploited multiple weaknesses in on-premises SharePoint servers — including remote code execution (RCE), credential spoofing, and improper authentication — to gain unauthorized access. Once inside, they were ...