Unpatched on-premises SharePoint servers have emerged as a significant target for advanced cyber actors exploiting known vulnerabilities to install ransomware and establish covert access points.
Prolonged Network Breaches
These cyber intrusions are not mere opportunistic attacks. They involve strategic, multi-phase operations designed to maintain a presence within a network without detection. The primary group orchestrating these attacks, identified as Storm-2603, has been focusing on vulnerable SharePoint servers since mid-2025.
Storm-2603 leverages publicly disclosed vulnerabilities, notably CVE-2025-49706 and CVE-2025-49704, to gain initial access. Additionally, evidence of attempts to exploit CVE-2025-11371, a flaw allowing unauthorized local file access, has been uncovered.
Complexity of the Attacks
Microsoft’s Detection and Response Team (DART) conducted a thorough investigation, revealing the intricacy of these attacks, which surpassed typical ransomware activities. Surprisingly, two different threat actors operated simultaneously within the same network, obscuring each other’s activities.
Investigators were able to trace the full attack sequence only by correlating data across various identities, endpoints, and cloud activities. This incident, part of Microsoft’s Cyberattack Series No. 9, underlined how ransomware is often just a visible part of a more complex breach.
Defensive Measures and Response
The attackers, once inside, swiftly set up for a prolonged stay. They utilized Velociraptor, a legitimate forensic tool, to map the environment and establish remote access channels via Cloudflare tunnels, Zoho Assist, and Visual Studio Code.
To maintain network control, they created new administrative accounts and deployed a vulnerable driver, NSecKrnl.sys, for deep kernel-level access. This technique, known as Bring Your Own Vulnerable Driver (BYOVD), lets attackers disable security tools without being detected.
A second unknown actor, using different methods, extracted Active Directory credentials by crafting an NTDS.zip archive and moving laterally using WinRM, a Windows remote management tool.
Microsoft’s Response and Recommendations
Microsoft’s DART swiftly initiated daily updates with the affected entity, highlighting risks and coordinating containment strategies. By integrating data from diverse security platforms, they identified both intrusion streams to prevent further damage.
Organizations are urged to prioritize patching, especially for SharePoint servers, and to strengthen defenses by securing high-privilege accounts, enforcing identity controls, and monitoring for abnormal sign-in activities. Comprehensive endpoint protection and regular audits of remote access tools are essential, alongside developing and testing incident response plans proactively.
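The persistence steps described above (new administrative accounts, the NSecKrnl.sys driver, remote-access tools, the NTDS.zip staging and WinRM lateral movement) and the monitoring the recommendations call for can be turned into concrete hunting rules. The following is an added example, not code from Microsoft or the DART report: it runs a handful of such rules over constructed sample Windows Security and Sysmon records. The event field names, the process image names assumed for the tools (cloudflared.exe, zohoassist.exe, code.exe, velociraptor.exe) and the sample values are all assumptions for this illustration and would need to be matched to what a given SIEM actually normalises.

```python
"""Hunting rules for the post-exploitation behaviours named in the report, run over
constructed sample event records. Field names and sample values are assumptions."""
from dataclasses import dataclass

# Image names assumed for the remote-access and tunnelling tools named in the report.
REMOTE_ACCESS_TOOLS = {"cloudflared.exe", "zohoassist.exe", "code.exe", "velociraptor.exe"}
# Driver named in the report; in production compare against a maintained
# vulnerable-driver blocklist rather than a single hard-coded name.
VULNERABLE_DRIVERS = {"nseckrnl.sys"}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _base(path: str) -> str:
    """File name component of a Windows path, lower-cased for comparison."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def new_admin_accounts(events):
    """4720 (account created) followed by 4732 (added to Administrators) on the same host."""
    created = {(e["host"], e["target_user"].lower()) for e in events if e["event_id"] == 4720}
    return [Finding("new_admin_account", e["host"], f"{e['member']} created and added to {e['group']}")
            for e in events
            if e["event_id"] == 4732 and e["group"].lower() == "administrators"
            and (e["host"], e["member"].lower()) in created]


def vulnerable_driver_install(events):
    """7045 (new service installed) whose binary is a known vulnerable driver: the BYOVD step."""
    return [Finding("byovd_driver_install", e["host"], e["image_path"])
            for e in events if e["event_id"] == 7045 and _base(e["image_path"]) in VULNERABLE_DRIVERS]


def remote_access_tool_launch(events):
    """4688 (process creation) of a remote-access or tunnelling tool."""
    return [Finding("remote_access_tool", e["host"], e["new_process"])
            for e in events if e["event_id"] == 4688 and _base(e["new_process"]) in REMOTE_ACCESS_TOOLS]


def winrm_child_process(events):
    """4688 whose parent is wsmprovhost.exe: a command executed through an inbound WinRM session."""
    return [Finding("winrm_remote_exec", e["host"], f"{e['new_process']} spawned by wsmprovhost.exe")
            for e in events if e["event_id"] == 4688 and _base(e.get("parent", "")) == "wsmprovhost.exe"]


def ntds_staging(events):
    """Sysmon 11 (FileCreate) of NTDS.zip or a copy of ntds.dit; allow-list the DC's normal
    database path before deploying this rule."""
    return [Finding("ntds_staging", e["host"], e["target_file"])
            for e in events if e["event_id"] == 11 and _base(e["target_file"]) in {"ntds.zip", "ntds.dit"}]


RULES = (new_admin_accounts, vulnerable_driver_install, remote_access_tool_launch,
         winrm_child_process, ntds_staging)


def run_hunt(events):
    """Apply every rule and return the combined list of findings."""
    findings = []
    for rule in RULES:
        findings.extend(rule(events))
    return findings


# Constructed sample records (not real telemetry), shaped like normalised
# Security-log and Sysmon events; one benign record per rule is included.
SAMPLE_EVENTS = [
    {"host": "SP01", "event_id": 4720, "target_user": "svc_maint"},
    {"host": "SP01", "event_id": 4732, "member": "svc_maint", "group": "Administrators"},
    {"host": "SP01", "event_id": 4732, "member": "helpdesk1", "group": "Remote Desktop Users"},
    {"host": "SP01", "event_id": 7045, "service_name": "NSecKrnl",
     "image_path": "C:\\Windows\\Temp\\NSecKrnl.sys"},
    {"host": "SP01", "event_id": 4688, "new_process": "C:\\Users\\Public\\cloudflared.exe",
     "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "SP01", "event_id": 4688, "new_process": "C:\\Windows\\System32\\notepad.exe",
     "parent": "C:\\Windows\\explorer.exe"},
    {"host": "DC01", "event_id": 4688,
     "new_process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\System32\\wsmprovhost.exe"},
    {"host": "DC01", "event_id": 11, "target_file": "C:\\Windows\\Temp\\NTDS.zip"},
]

if __name__ == "__main__":
    for f in run_hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Each rule is deliberately narrow and keyed to a single event type so that it can be mapped onto whatever query language the SIEM uses; the correlation in new_admin_accounts (creation followed by group membership on the same host) is the one place where two events are joined, which is also where most of the false positives from routine administration drop out.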
