
Chinese hackers exploiting critical SharePoint vulnerabilities to deploy Warlock ransomware, according to Microsoft; three China-linked threat groups identified as taking advantage

Malicious cyber actors, possibly linked to China, are strategically exploiting weaknesses in Microsoft's SharePoint platform to install ransomware.

Microsoft's threat intelligence team has reported that two Chinese nation-state actors, Linen Typhoon and Violet Typhoon, have been exploiting vulnerabilities in the SharePoint platform to deploy ransomware, while its investigation into the Storm-2603 hacking group and the affected organizations is ongoing.

Since July 18, 2025, Microsoft has observed Storm-2603, a China-based threat actor, using these vulnerabilities to deploy ransomware. The vulnerabilities being exploited include CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771.

To mitigate the risk of such attacks, Microsoft recommends organizations take the following key measures:

  1. Apply the latest security updates released by Microsoft to patch CVE-2025-53770 and CVE-2025-53771 vulnerabilities on SharePoint 2016, 2019, and SharePoint Subscription Edition.
  2. Enable and properly configure the Antimalware Scan Interface (AMSI) integration in SharePoint in Full Mode, and deploy Microsoft Defender Antivirus on all SharePoint servers to block malware and unauthenticated exploitation attempts.
  3. Rotate the SharePoint Server ASP.NET machine keys (ValidationKey, DecryptionKey) after patching and restart Internet Information Services (IIS) on all SharePoint servers, so that any stolen keys are invalidated and the security updates take full effect.
  4. If AMSI cannot be enabled immediately, disconnect SharePoint servers from the internet or restrict access through authenticated VPNs/proxies to reduce exposure until patches and AMSI are in place.
  5. Use Microsoft Defender for Endpoint or equivalent endpoint protection tools for monitoring, detection, and response to intrusions.
  6. Conduct incident response activities including auditing identities, monitoring logs for anomalies (e.g., unexpected .aspx files or HTTP activity), and hunting for potential post-exploitation indicators using Defender Vulnerability Management, Microsoft Sentinel, or hunting queries.
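As an added example (not code from the article or from Microsoft), the script below performs the kind of hunt step 6 describes: it parses IIS W3C log lines and flags requests to .aspx pages under /_layouts/ whose filename is not in a known baseline. The sample log lines and the baseline set are constructed for illustration; a real baseline would be built from a known-good SharePoint server's LAYOUTS directory.

```python
"""Hunt IIS W3C logs for requests to .aspx pages that are not in a known
SharePoint LAYOUTS baseline. The log lines and baseline below are constructed
for illustration only."""
from collections import defaultdict

# Illustrative (hypothetical, trimmed) baseline of expected pages under /_layouts/.
KNOWN_LAYOUT_PAGES = {"start.aspx", "settings.aspx", "viewlsts.aspx", "upload.aspx", "error.aspx"}

# Constructed sample log in the W3C extended format that IIS writes.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-07-19 02:10:41 198.51.100.23 GET /_layouts/15/start.aspx - 200
2025-07-19 02:11:03 203.0.113.7 POST /_layouts/15/unknownpage1.aspx - 200
2025-07-19 02:11:09 203.0.113.7 GET /_layouts/15/unknownpage1.aspx - 200
2025-07-19 02:12:30 198.51.100.23 GET /sites/hr/SitePages/Home.aspx - 200
2025-07-19 02:13:02 203.0.113.9 GET /_layouts/15/UnknownPage1.aspx - 404
"""


def parse_w3c(text):
    """Yield one dict per record, taking column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log record seen before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed record rather than misalign columns
        yield dict(zip(fields, values))


def find_unexpected_layout_pages(text, known=KNOWN_LAYOUT_PAGES):
    """Return {uri_stem: {hits, clients, methods, statuses}} for requests to
    .aspx pages under /_layouts/ whose filename is not in the baseline."""
    findings = defaultdict(lambda: {"hits": 0, "clients": set(), "methods": set(), "statuses": set()})
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()  # IIS paths are case-insensitive
        if "/_layouts/" not in stem or not stem.endswith(".aspx"):
            continue
        if stem.rsplit("/", 1)[-1] in known:
            continue
        f = findings[stem]
        f["hits"] += 1
        f["clients"].add(rec["c-ip"])
        f["methods"].add(rec["cs-method"])
        f["statuses"].add(rec["sc-status"])
    return dict(findings)


if __name__ == "__main__":
    for stem, info in find_unexpected_layout_pages(SAMPLE_LOG).items():
        print(f"{stem}: {info['hits']} hits from {sorted(info['clients'])}, methods={sorted(info['methods'])}")
```

Any page this reports should then be checked on disk against the patched server's LAYOUTS contents, since a hit may equally be a legitimate page missing from the baseline.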

These steps form a comprehensive defense strategy recommended by Microsoft and cybersecurity agencies to counter SharePoint ransomware threats specifically linked to Storm-2603 attacks. In addition, organizations are advised to implement robust backup and recovery practices to recover SharePoint data quickly if compromised.

SharePoint is a secure, enterprise-grade content management and collaboration platform, used by organizations for building sites accessed via their intranets. To prevent unauthenticated attacks, Microsoft recommends integrating and enabling Antimalware Scan Interface (AMSI) and Microsoft Defender Antivirus (or equivalent solutions) for all on-premises SharePoint deployments. Microsoft suggests configuring AMSI to enable Full Mode for SharePoint security.

It's important to note that Microsoft has not identified links between Storm-2603 and other known Chinese threat actors, but bypasses for some of the fixes for these vulnerabilities have already been found, indicating an ongoing threat. Microsoft advises organizations using SharePoint to ensure they are on the latest platform version.
