data breaches

Storm-2603 Exploit Chain: Visual Breakdown of the SharePoint-to-Ransomware Attack

Published

7 months ago

on

State‑linked cyber actors leverage zero‑day vulnerabilities in on‑premises SharePoint servers to target critical infrastructure—affecting hundreds of organizations and raising alarms over national security and economic disruption.

By EL Mostafa Ouchen, International Cybersecurity Correspondent


For IT teams at dozens of hospitals, government agencies, and private firms, what began as routine SharePoint maintenance meetings in July turned into days of harrowing uncertainty—servers locked, data inaccessible, and livelihoods disrupted. This is the human face of cyber warfare: panic, paralysis, and a scramble for recovery.

🎯 Attack Overview

In early July 2025, Microsoft and third-party researchers detected exploitation of two zero-day vulnerabilities—CVE‑2025‑49704 (remote code execution) and CVE‑2025‑49706 (authentication bypass)—in on‑premises SharePoint servers. The exploit chain, dubbed ToolShell, was first demonstrated at the Pwn2Own hacking conference by researcher Dinh Ho Anh Khoa.

By July 18, Microsoft had confirmed that threat actor group Storm‑2603 was actively deploying Warlock ransomware via compromised servers. Two other China-affiliated groups, Linen Typhoon and Violet Typhoon, were observed targeting similar infrastructures for espionage and data theft.

🧬 How the Storm-2603 Attack Works: Step-by-Step Breakdown

Storm-2603’s attack on SharePoint servers uses a multi-stage exploitation chain known as ToolShell. Here’s how it unfolds:

🔓 Step 1: Initial Compromise (CVE-2025-49704 & CVE-2025-49706)

Attackers use specially crafted HTTP POST requests to the /ToolPane.aspx endpoint on vulnerable SharePoint servers.

Example Request:

http

POST /_layouts/15/ToolPane.aspx HTTP/1.1
Host: vulnerable-site.local
Content-Type: application/x-www-form-urlencoded

__VIEWSTATEGENERATOR=...&Payload=malicious_code
  • CVE-2025-49704 enables remote code execution (RCE)
  • CVE-2025-49706 bypasses authentication

⚙️ Step 2: Deploy Web Shell

Once inside, the attacker drops a web shell (e.g., spinstall0.aspx) into the SharePoint layouts directory.

Command Example:

bash

copy payload.aspx "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS"

This shell allows command execution via the browser:

bash

http://target-server/_layouts/15/spinstall0.aspx?cmd=whoami

🗝 Step 3: Extract Machine Keys

Attackers dump ASP.NET machineKey values to hijack session cookies or re-access patched systems.

PowerShell Script (Example):

powershell

Get-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -filter "system.web/machineKey" -name "validationKey"

🦠 Step 4: Lateral Movement & Persistence

Tools used:

  • Mimikatz for credential dumping
  • Impacket for remote execution
  • PsExec for remote shell access

Example:

powershell

Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords"'
psexec.exe \\target -u admin -p password cmd.exe

💣 Step 5: Ransomware Deployment (Warlock)

Using Group Policy or scheduled tasks, the attacker deploys the Warlock payload across the domain.

cmd

schtasks /create /tn "Updater" /tr "C:\warlock.exe" /sc onstart /ru SYSTEM

Encryption begins silently, and ransom notes are dropped in multiple languages.

🛡 How to Prevent the Storm-2603 / ToolShell Exploit

1. Immediate Patch Deployment

Apply Microsoft’s latest patches for:

  • CVE-2025-49704
  • CVE-2025-49706
  • CVE-2025-53770
  • CVE-2025-53771

🧩 Microsoft Patch Portal

2. Rotate ASP.NET Machine Keys

This ensures previous stolen keys cannot be reused.

Regenerate Machine Keys:

  • Modify web.config:
xml

<machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="SHA1" decryption="AES" />
  • Then restart IIS:
bash

iisreset /restart

3. Monitor and Block Suspicious HTTP Requests

Use a Web Application Firewall (WAF) to inspect:

  • Requests to /ToolPane.aspx, /spinstall0.aspx, etc.
  • High POST activity to SharePoint paths

4. Endpoint Detection and Response (EDR)

Deploy EDR solutions that can:

  • Detect memory-only payloads
  • Flag credential access
  • Alert on unusual task scheduling

Recommended tools: Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne.

5. Threat Hunting (Indicators of Compromise)

IOCs (shared by Microsoft):

  • Filenames: spinstall0.aspx, payload.aspx
  • Registry key:
reg

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater
  • Command line patterns:
cmd

cmd.exe /c whoami
powershell.exe -EncodedCommand

6. Implement Least Privilege + 2FA

  • Avoid assigning SharePoint admin rights to broad user groups
  • Enforce MFA/2FA for all internal and remote access

7. Backup and Incident Response Drills

  • Ensure immutable backups
  • Conduct tabletop exercises for ransomware response
  • Store backups offline or air-gapped

📊 Diagram: The Storm‑2603 Exploit Flow

The cyber kill chain behind the Storm‑2603 ToolShell exploit and Warlock ransomware campaign






																																					

																		

																			

																				Related Topics:
																		

																		

																			
																			
																		

																	

																

															

												

																								

								

																			

											

												Trending
											

											
    
																							

										

																	

							

																		
	
				

				
			

		

	

			

			
				Exit mobile version