Storm-2603 Exploiting SharePoint Flaws

Overview

Storm-2603 is a China-based advanced threat actor actively exploiting a series of critical vulnerabilities in on-premises Microsoft SharePoint servers since mid-2025. Their attacks focus on gaining unauthorized access, stealing credentials, disabling security controls, and ultimately deploying the destructive Warlock ransomware across victim networks. These exploits leverage complex chains of vulnerabilities in SharePoint server versions 2016, 2019, and Subscription Edition, affecting only on-premises deployments, not SharePoint Online.

Key Vulnerabilities Exploited

  • CVE-2025-49704 (Remote Code Execution, RCE): Allows unauthenticated upload of .aspx files (web shells), enabling remote command execution.
  • CVE-2025-49706 (Network Spoofing / Authentication Bypass): Enables attackers to spoof requests and bypass authentication controls.
  • CVE-2025-53770 (Patch Bypass for RCE): Negates previous security patches, allowing persistence and re-exploitation.
  • CVE-2025-53771 (Patch Bypass for Spoofing): Bypasses earlier security mitigations for spoofing attacks.

Note: These affect only on-premises SharePoint servers.

Detailed Exploitation Steps & Notes

1. Reconnaissance and Targeting

  • Storm-2603 scans the internet broadly for exposed SharePoint servers that appear unpatched or misconfigured.
  • Priority targets include SharePoint versions 2016, 2019, and Subscription Edition, especially those with external access.

2. Initial Compromise via Vulnerability Chaining

  • CVE-2025-49704 (RCE):
      • Attackers upload a malicious ASPX file (commonly named spinstall0.aspx or similar variants) exploiting an unauthenticated file upload flaw.
      • This uploaded file acts as a web shell, granting an interactive interface for remote attackers to execute arbitrary code and Windows commands on the SharePoint server.
  • CVE-2025-49706 (Spoofing):
      • Exploited through crafted XAML payloads sent in POST requests, usually targeting SharePoint’s ToolPane or related endpoints.
      • This vulnerability allows attackers to bypass authentication and execute code remotely.
      • The exploit often facilitates the execution of obfuscated PowerShell or batch commands to further attack the system.

3. Post-Exploitation Actions

  • Web Shell Command & Control:
      • The spinstall0.aspx web shell enables executing commands directly on the server under the context of SharePoint services like w3wp.exe.
      • Attackers use this foothold to gather information about the system, enumerate users and privileges, and prepare for privilege escalation.
  • Privilege Escalation & Defense Evasion:
      • Exploits such as CVE-2025-53770 and CVE-2025-53771 bypass patched defenses and authorization controls.
      • Attackers modify Windows Registry settings and disable Microsoft Defender Antivirus and other endpoint protections. This often involves editing keys that affect Defender services or scheduled scans.
  • Cryptographic Key Theft:
      • Extract cryptographic ASP.NET MachineKeys and other sensitive tokens from server memory to maintain backdoor access and evade revocation.
      • In recent variants, ToolShell — an in-memory payload — is deployed, avoiding disk writes and making traditional file-based detection ineffective.

4. Persistence Mechanisms

  • Scheduled Tasks:
      • Establish tasks that periodically execute malicious scripts or reload web shells.
  • IIS Configuration Manipulation:
      • Modify or replace .NET assemblies in IIS to automatically load attacker code after server restarts.
  • Multiple Web Shells:
      • Deploy additional web shells to various file paths, ensuring redundant control channels.

5. Credential Theft & Lateral Movement

  • Use of credential dumping tools such as Mimikatz to harvest admin and domain credentials from LSASS memory.
  • Utilize lateral movement tools like PsExec and the Impacket suite to execute remote commands on other systems within the compromised network.
  • Manipulate Group Policy Objects (GPOs) to propagate ransomware payloads and apply malicious configurations broadly.

6. Ransomware Deployment

  • After establishing comprehensive access and disabling security controls, Storm-2603 pushes Warlock ransomware across the network.
  • The ransomware deployment is often automated by modifying GPOs to distribute the payload and enforce execution, crippling defenses and encrypting critical data at scale.
  • Backups and recovery options may be disabled or corrupted as part of the attack to maximize ransom impact.

Detection Indicators and Suggested Monitoring

  • Files with suspicious names like spinstall0.aspx or variants in SharePoint directories.
  • Unexpected IIS .NET assemblies or sudden changes to IIS configuration files.
  • Scheduled tasks that invoke scripts or commands unfamiliar to administrators.
  • Registry keys altered to disable Defender or similar security solutions.
  • Signs of credential dumping tools and lateral movement with PsExec/Impacket in logs.
  • Unusual GPO modifications connected to ransomware deployment.
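As an added example (not part of the original post), the following Python hunts for two of the indicators listed above in IIS W3C logs: POST requests to the ToolPane endpoint and any request that reaches a spinstall*.aspx file. The log lines, client IP addresses and the variant file-name pattern are constructed assumptions, not data from a real incident.

```python
"""Hunt for Storm-2603 style request indicators in IIS W3C logs."""
import re

# Constructed IIS W3C sample, not from a real incident. Field order follows
# the #Fields header, which IIS writes at the top of each log file.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-07-19 10:01:02 203.0.113.7 GET /sites/hr/default.aspx - 200
2025-07-19 10:03:44 203.0.113.7 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 200
2025-07-19 10:03:49 203.0.113.7 GET /_layouts/15/spinstall0.aspx - 200
2025-07-19 10:05:10 203.0.113.9 GET /_layouts/15/start.aspx - 200
"""

# Assumed variant pattern: spinstall0.aspx, spinstall1.aspx, spinstall.aspx, ...
WEBSHELL_NAME = re.compile(r"spinstall\w*\.aspx$", re.IGNORECASE)


def parse_iis_log(text):
    """Return one dict per data line, keyed by the names in the #Fields header.
    IIS percent-encodes spaces in URI fields, so splitting on whitespace is safe."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            records.append(dict(zip(fields, line.split())))
    return records


def find_indicators(records):
    """Flag the two request patterns described in the report, in log order."""
    hits = []
    for r in records:
        stem = r.get("cs-uri-stem", "")
        # Crafted POSTs to the ToolPane endpoint (spoofing / auth-bypass stage).
        if r.get("cs-method") == "POST" and stem.lower().endswith("/toolpane.aspx"):
            hits.append(("toolpane_post", r["c-ip"], stem))
        # Any request that reaches a spinstall*.aspx web shell on disk.
        if WEBSHELL_NAME.search(stem):
            hits.append(("webshell_request", r["c-ip"], stem))
    return hits


if __name__ == "__main__":
    for hit in find_indicators(parse_iis_log(SAMPLE_IIS_LOG)):
        print(*hit)
```

A ToolPane POST immediately followed by a request to a new .aspx file from the same client is the sequence worth correlating; either alone merits a look at the LAYOUTS directory contents.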

Defensive Recommendations

  • Immediate Patching:
    Apply Microsoft’s official security updates for all on-premises SharePoint server versions without delay.
  • Rotate Machine Keys:
    After remediation, rotate ASP.NET machine keys to invalidate any stolen cryptographic keys.
  • Enable Robust Endpoint Security:
    Ensure Microsoft Defender Antivirus and AMSI (Antimalware Scan Interface) are active and configured in Full Mode.
  • Web Shell Hunting & Incident Response:
    Conduct thorough scans for web shells and remove suspicious ASPX files; monitor for in-memory threats and unusual scheduled tasks.
  • Audit Network & GPO Changes:
    Review all recent Group Policy modifications and audit lateral movement activity.
  • Segmentation & Hardening:
    Limit internet exposure of critical SharePoint servers; apply network segmentation to hinder lateral movement.

Conclusion

Storm-2603 exemplifies a sophisticated, evolving threat leveraging chained SharePoint vulnerabilities combined with stealthy in-memory payloads to maintain deep network access and inflict severe ransomware damage. Organizations should prioritize patching, continuous monitoring, and proactive incident response to counter these attacks.
