
Microsoft warns of ransomware surge in SharePoint server attacks linked to Chinese hackers
Microsoft has issued a warning to organisations that are using on-premises SharePoint servers. The tech giant has confirmed that hackers are exploiting vulnerabilities in its on-premises SharePoint servers to deploy ransomware. The Microsoft Threat Intelligence team has identified a specific actor, designated Storm-2603, as being responsible for these new ransomware campaigns. Earlier, the exploitation of SharePoint vulnerabilities led to data exfiltration, but the latest observations suggest financially motivated attacks leveraging the Warlock ransomware. Hackers are using the Warlock ransomware to paralyze networks and demand cryptocurrency payments.
How the attack works
In an updated blog post, Microsoft explains that the attack starts with the exploitation of an internet-facing on-premises SharePoint server. This initial breach grants Storm-2603 access to the environment, often facilitated by a payload named spinstall0.aspx. Once the hackers gain access, they move on to deploy ransomware.
Microsoft has confirmed that SharePoint Online is not affected, but on-premises versions—including SharePoint 2016, 2019, and Subscription Edition—remain vulnerable if not patched.
Three Chinese state-sponsored groups behind global attack
Microsoft identified three China-linked groups—Linen Typhoon, Violet Typhoon, and Storm-2603—as exploiting critical vulnerabilities in SharePoint servers that rendered customers running the software on their own networks vulnerable to attack. The breaches affected organizations across multiple sectors, including government agencies, energy companies, consulting firms, and universities spanning from the US to Europe and the Middle East.
No sensitive or classified information was reportedly compromised in the National Nuclear Security Administration breach, according to sources familiar with the matter. The semiautonomous Energy Department arm responsible for producing and dismantling nuclear weapons was targeted alongside other federal agencies including the US Education Department.
What organisations should do
Microsoft has also shared guidelines for protecting on-premises SharePoint Server environments. The company has asked users to:
- Enable Antimalware Scan Interface (AMSI) integration and deploy Defender AV on all SharePoint servers
- If AMSI cannot be enabled, disconnect the servers from the internet
- Use Defender for Endpoint to detect post-exploit activity and monitor for suspicious file creation like spinstall0.aspx
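As an added defensive example (not from Microsoft's guidance or the original article), the following Python sketch applies the last recommendation to constructed file-creation telemetry: it flags any write of the indicator name spinstall0.aspx, and, as an assumption the article does not make, also reports other .aspx pages written by the IIS worker process under web-root-like paths. The event field names, process names and sample paths are constructed placeholders.

```python
"""Flag suspicious .aspx file-creation events on a SharePoint server.

Added example, not from the original article. The event records below are
constructed to resemble file-creation telemetry (process + path); the field
names are an assumption, not a real product schema.
"""
from pathlib import PureWindowsPath
from typing import Optional

# Indicator named in the article: the payload file used for initial access.
KNOWN_INDICATOR = "spinstall0.aspx"

# Assumption (not in the article): the IIS worker process writing an .aspx page
# under a web-root-like path is worth a lower-confidence alert.
WEB_PROCESS = "w3wp.exe"
WEB_ROOT_MARKERS = ("\\template\\layouts\\", "\\wwwroot\\")


def classify(event: dict) -> Optional[str]:
    """Return 'high', 'medium' or None for a single file-creation event."""
    path = PureWindowsPath(event["path"])
    if path.name.lower() == KNOWN_INDICATOR:
        return "high"  # exact match on the indicator the article names
    if path.suffix.lower() == ".aspx" and event["process"].lower() == WEB_PROCESS:
        lowered = str(path).lower()
        if any(marker in lowered for marker in WEB_ROOT_MARKERS):
            return "medium"  # heuristic: new page dropped by the web process
    return None


def triage(events: list) -> list:
    """Return (severity, path) pairs for events that deserve attention."""
    hits = []
    for ev in events:
        sev = classify(ev)
        if sev:
            hits.append((sev, ev["path"]))
    return hits


# Constructed sample telemetry (placeholder paths and processes).
SAMPLE_EVENTS = [
    {"process": "w3wp.exe", "path": r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\spinstall0.aspx"},
    {"process": "w3wp.exe", "path": r"C:\placeholder\16\TEMPLATE\LAYOUTS\debug_page.aspx"},
    {"process": "OWSTIMER.EXE", "path": r"C:\Windows\Temp\cache.tmp"},
    {"process": "w3wp.exe", "path": r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\Strings.resx"},
]

if __name__ == "__main__":
    for sev, p in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {p}")
```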
