Ransomware incursions through SharePoint systems are now officially acknowledged by Microsoft
On-premises Microsoft SharePoint servers have been under attack since mid-July 2025. Among the actors exploiting the flaws is Storm-2603, a suspected China-based group that Microsoft has now confirmed is using the vulnerabilities to deploy ransomware.
Threat Actor Details
Storm-2603 is an actor that Microsoft assesses with medium confidence to be based in China and tracks separately from the named Chinese state-sponsored groups (it is not APT31/Zirconium/Judgment Panda, which Microsoft tracks as Violet Typhoon). The group has previously deployed the Warlock and LockBit ransomware families, and Microsoft has said it cannot yet determine the group's objectives, so it should not be assumed to be a nation-state operation.
Targeted Vulnerabilities
The attacks exploit CVE-2025-53770 and CVE-2025-53771 in on-premises SharePoint Server. Chained together they give an unauthenticated attacker remote code execution and the ability to upload arbitrary files (such as web shells) to the server. SharePoint Online in Microsoft 365 is not affected.
Impact and Spread of Attacks
The attacks have been widespread, hitting SharePoint customers across industries worldwide. After gaining code execution, Storm-2603 runs a series of discovery commands on the host, and Microsoft has since confirmed that the group uses this access to deploy Warlock ransomware on victim networks.
Other Chinese Nation-State Groups Involved
Two named Chinese nation-state groups, Linen Typhoon (aka Emissary Panda, APT27) and Violet Typhoon (aka Zirconium, Judgment Panda, APT31), have been exploiting the same vulnerabilities, in their case for espionage rather than ransomware. Microsoft says investigations into further actors are continuing.
Mitigation and Current Status
Microsoft has released security updates for all supported on-premises versions: SharePoint Server Subscription Edition, SharePoint Server 2019 and SharePoint Server 2016. The 2016 update shipped later than the other two, but all three are now available.
Microsoft's guidance is, in order: install the update; enable and configure Antimalware Scan Interface (AMSI) integration and run an antivirus engine such as Microsoft Defender Antivirus on every SharePoint server; rotate the SharePoint ASP.NET machine keys; restart Internet Information Services (IIS) on every server in the farm; and deploy an EDR product such as Microsoft Defender for Endpoint. The key rotation is not optional: an attacker who has already read a server's ASP.NET machine keys can keep forging validly signed ViewState payloads, and with them executing code, even after the patch is applied. Rotate the keys after patching, then restart IIS so the new keys take effect. Servers that cannot run AMSI should be taken off the internet until they are patched.
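The following script is an added example, not code from Microsoft or from the article, showing how the patch-then-rotate-then-restart sequence above can be carried out from an elevated SharePoint Management Shell on a farm server. It assumes that `Update-SPMachineKey` accepts a web application through `-WebApplication`, as documented for Subscription Edition and the 2019/2016 builds that received the cmdlet, and it treats the required build number as a placeholder the administrator must fill in from Microsoft's release notes for their edition; no patched build number is asserted here. AMSI is deliberately left to Central Administration rather than scripted.

```powershell
# Added example: verify the farm is patched, then rotate ASP.NET machine keys
# and restart IIS. Run in an elevated SharePoint Management Shell on each
# server in the farm (key rotation once per web application, iisreset on every
# server). This is illustrative code, not Microsoft's official script.
param(
    # ASSUMPTION: fill this in from Microsoft's release notes for your edition
    # (Subscription Edition, 2019 or 2016). It is a placeholder, not a real value.
    [Parameter(Mandatory = $true)]
    [version]$RequiredBuild
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Refuse to rotate keys on an unpatched farm: new keys can be stolen again
#    through the same vulnerability, so the update must land first.
$farm    = Get-SPFarm
$current = [version]$farm.BuildVersion.ToString()
if ($current -lt $RequiredBuild) {
    throw "Farm build $current is below required build $RequiredBuild. Install the security update first."
}
Write-Host "Farm build $current meets or exceeds $RequiredBuild."

# 2. AMSI integration is configured per web application in Central
#    Administration (Security > Manage antivirus settings). It is not scripted
#    here; confirm it is enabled before relying on AMSI as a mitigation.
Write-Warning "Confirm AMSI integration is enabled in Central Administration > Security > Manage antivirus settings for every web application."

# 3. Rotate the ASP.NET machine keys of every content web application.
#    Keys already exfiltrated by an attacker stay valid until this runs.
foreach ($webApp in Get-SPWebApplication) {
    Write-Host "Rotating ASP.NET machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# 4. Restart IIS on this server so the rotated keys take effect. Repeat on
#    every other server in the farm.
& iisreset.exe
```

Run it as `.\Rotate-SPKeys.ps1 -RequiredBuild <build from the release notes>` (the file name is arbitrary). If the build check throws, install the update and re-run; rotating keys first and patching later leaves a window in which freshly rotated keys can be stolen again.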
Researchers have published tools for CVE-2025-53770 and CVE-2025-53771, including an exploit module on GitHub, so that security teams can verify their own defences. The same public code lowers the bar for opportunistic attackers, which makes prompt patching more urgent.
Even with mitigations available, the situation remains serious. A compromised SharePoint server typically holds credentials and connections to the wider Microsoft estate (Office, Teams, OneDrive and Outlook), and experts warn that it is a convenient pivot for lateral movement across the network. They also expect more threat actors to pick up these flaws in the near future, increasing the urgency for organizations to patch and harden their SharePoint servers.
Previous Activity by Storm-2603
Microsoft and security researchers observed Storm-2603 exploiting CVE-2025-49704 and CVE-2025-49706 against internet-facing SharePoint servers. Those are the two flaws fixed in Microsoft's July 2025 Patch Tuesday; CVE-2025-53770 and CVE-2025-53771 are variants that bypass those original fixes, which is why the later, comprehensive updates are required. Microsoft dates the start of Storm-2603's ransomware deployments to July 18.
In summary, as of late July 2025, Storm-2603 is actively conducting ransomware attacks against Microsoft SharePoint servers through recently disclosed vulnerabilities, posing a significant threat that requires immediate patching and security hardening by affected organizations.
- Patch first: install the security updates for CVE-2025-53770 and CVE-2025-53771 on every on-premises SharePoint server (Subscription Edition, 2019 and 2016).
- Then harden: enable and configure AMSI integration, rotate the SharePoint ASP.NET machine keys, restart IIS on every server in the farm, and deploy endpoint protection such as Microsoft Defender for Endpoint. Keys stolen before patching remain usable until they are rotated.
- Three China-linked actors have been seen exploiting the flaws: Linen Typhoon (aka Emissary Panda, APT27) and Violet Typhoon (aka Zirconium, Judgment Panda, APT31) for espionage, and Storm-2603, tracked separately from the named groups, for ransomware deployment.
- Treat an exposed, unpatched server as potentially compromised: the vulnerabilities give unauthenticated code execution, and a compromised SharePoint server is a ready pivot into the rest of the network.