Chinese hackers are exploiting critical vulnerabilities in Microsoft's SharePoint to deploy Warlock ransomware, Microsoft has revealed; three China-linked threat actors have been documented taking advantage of the flaws.

Malicious cyber group Storm-2603, believed to be of Chinese origin, targets weaknesses in SharePoint systems developed by Microsoft, using these gaps to install ransomware.

Chinese hacker groups using SharePoint vulnerabilities to deploy Warlock ransomware; three China-linked threat actors observed exploiting them in incidents


Microsoft has issued a security alert regarding ongoing ransomware attacks on its SharePoint platform, which are being carried out by a hacking group known as Storm-2603.

Microsoft's threat intelligence team assesses with moderate confidence that Storm-2603 is a China-based threat actor. The Storm prefix followed by a numeric sequence indicates a group that Microsoft still considers "in development."

The attacks are exploiting vulnerabilities in SharePoint Server versions 2016, 2019, and Subscription Edition. Specifically, the vulnerabilities CVE-2025-53770 and CVE-2025-53771 are being targeted. These vulnerabilities have been partially addressed by the July Security Update, but Microsoft is aware of active attacks that bypass these patches.

To mitigate these attacks, Microsoft recommends several key actions:

  1. Apply the latest Microsoft security updates that fully patch the vulnerabilities CVE-2025-53770 and CVE-2025-53771. These updates are critical and should be applied immediately.
  2. Use supported versions of SharePoint Server. Disconnect or discontinue use of end-of-life versions such as SharePoint Server 2013 or earlier, especially if they are publicly accessible.
  3. Enable and properly configure the Antimalware Scan Interface (AMSI) integration in SharePoint to detect and block malicious scripts. Confirm that Microsoft Defender Antivirus is deployed and up to date on all SharePoint servers. Microsoft also suggests configuring AMSI to enable Full Mode for added security.
  4. Restart IIS (Internet Information Services) web server services after applying patches and rotating ASP.NET MachineKey values, so the changes take effect.
  5. Rotate ASP.NET MachineKey values (ValidationKey, DecryptionKey) on all SharePoint servers to invalidate attacker-held keys used in exploitation.
  6. Monitor for suspicious and anomalous activity, including POST requests to , requests to , unexpected .aspx files or scripts in server directories, and IP addresses previously observed exploiting the vulnerability, such as 107.191.58.[76], 104.238.159.[149], and 96.9.125.[147] during the known attack window.
  7. Update intrusion prevention system (IPS) and web-application firewall (WAF) rules to block identified exploit patterns and anomalous behavior.
  8. Implement comprehensive logging and enable endpoint detection and response (EDR) tools like Microsoft Defender for Endpoint to detect exploitation attempts and lateral movement within the network.
  9. Harden SharePoint configurations, including minimizing admin and layout privileges, and disabling unnecessary features such as __VIEWSTATE where not required for functionality.
  10. If AMSI cannot be enabled or patches cannot be applied immediately, disconnect SharePoint servers from the internet or restrict access via VPN/authentication gateways to reduce exposure to unauthenticated exploitation attempts.
  11. Follow broader ransomware hygiene best practices, including maintaining regular immutable backups, enforcing consistent patch management across systems, and deploying advanced email filtering to prevent phishing vectors that could lead to ransomware infections.
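Step 6 above asks defenders to watch IIS logs for the listed addresses and for POST requests to SharePoint pages. The script below is an added example (not Microsoft or CISA tooling) that parses IIS W3C log lines and flags entries worth review; the three IoC addresses are the advisory's with the defanging brackets removed, the log lines are constructed sample data, and the "POST to an .aspx page" rule is a generic review heuristic, not a published signature for the exploit path.

```python
"""Flag IIS W3C log entries that match the advisory's indicators (added example)."""

# The three addresses named in the advisory, defanging brackets removed.
IOC_IPS = {"107.191.58.76", "104.238.159.149", "96.9.125.147"}

# Constructed sample log in IIS W3C extended format; field order comes from #Fields.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-07-19 03:12:44 107.191.58.76 POST /_layouts/15/sample_page.aspx - 200
2025-07-19 03:12:45 10.0.0.5 GET /sites/hr/default.aspx - 200
2025-07-19 03:13:01 203.0.113.9 POST /_layouts/15/another_page.aspx - 200
2025-07-19 03:13:05 10.0.0.7 GET /_layouts/15/images/logo.png - 304
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header can change mid-file; track it
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated or malformed lines
                yield dict(zip(fields, values))


def flag_entries(text, ioc_ips=IOC_IPS):
    """Return entries worth review, each with the list of reasons it matched."""
    findings = []
    for entry in parse_w3c(text):
        reasons = []
        if entry.get("c-ip") in ioc_ips:
            reasons.append("ioc_ip")           # source address named in the advisory
        stem = entry.get("cs-uri-stem", "").lower()
        if entry.get("cs-method") == "POST" and stem.endswith(".aspx"):
            reasons.append("post_aspx")        # review heuristic, not a signature
        if reasons:
            findings.append({"ip": entry["c-ip"], "stem": entry["cs-uri-stem"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_entries(SAMPLE_LOG):
        print(finding)
```

In production the IoC set would be loaded from a maintained feed and the heuristic tuned against a baseline of legitimate POST targets so that routine page traffic is not flagged.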

These combined mitigation and protection measures align with guidance from Microsoft, CISA, and cybersecurity experts responding to active exploitation campaigns by the Storm-2603 actor targeting SharePoint servers.

On July 23, Microsoft updated its report to say it had observed another China-based threat actor, Storm-2603, exploiting these vulnerabilities to deploy ransomware. The vulnerabilities being exploited are CVE-2025-49704 and CVE-2025-49706, together with CVE-2025-53770 and CVE-2025-53771, which bypass the patches released to fix them. The investigation into Storm-2603's activities and the organizations affected by these vulnerabilities is expected to continue.

  1. The ongoing ransomware attacks on Microsoft's SharePoint platform by Storm-2603, a China-based threat actor, underline how central cybersecurity has become to the technology sector and to criminal-justice reporting alike.
  2. With Storm-2603 exploiting vulnerabilities in SharePoint Server versions 2016, 2019, and Subscription Edition, organizations running those versions should adopt the mitigation and protection measures recommended above to prevent similar incidents.
