Further attack stages involve using cmd.exe and batch scripts for deeper infiltration, disabling Microsoft Defender protections by modifying Windows Registry via services.exe, and maintaining persistence through scheduled tasks and Internet Information Services (IIS) modifications to launch suspicious .NET assemblies. Additionally, Storm-2603 deploys Mimikatz to extract credentials from LSASS memory and uses PsExec and the Impacket toolkit for lateral movement within networks.

The group modifies Group Policy Objects (GPOs) to distribute Warlock ransomware across compromised environments. LockBit ransomware has also been deployed by the group in previous campaigns.

Microsoft urges users to upgrade to supported SharePoint versions, apply all security updates, enable and configure the Antimalware Scan Interface (AMSI), deploy Microsoft Defender for Endpoint or equivalent, rotate ASP.NET machine keys, and restart IIS services after patching. An incident response plan should also be implemented to address ongoing threats.

This campaign has already compromised at least 400 victims. Other Chinese state-linked groups, Linen Typhoon (APT27) and Violet Typhoon (APT31), have been associated with similar SharePoint attacks, although China has denied any involvement, stating it opposes hacking activities and supports cybersecurity cooperation through dialogue.

Impact

• Remote Code Execution
• Privilege Escalation
• Credential Theft
• Lateral Movement

Indicators of Compromise

Domain Name

• msupdate.updatemicfosoft.com

IP

• 131.226.2.6
• 134.199.202.205
• 104.238.159.149
• 188.130.206.168
• 65.38.121.198

MD5

• 02b4571470d83163d103112f07f1c434

• 2bae4487ccb7cb14ea48947725c452ac

• 491511f1d58fd014577fbf101eb48d8c

• d4f45058a02c38f4600b9b25782b6ab3

• f5fe9cf86127fb771739a74c78a886c8

• 58cd3166310730ae0bb5114d04c9d96b

• 6edce6c34434fbf2a3491e60534fda0a

SHA-256

• 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514
• 24480dbe306597da1ba393b6e30d542673066f98826cc07ac4b9033137f37dbf
• b5a78616f709859a0d9f830d28ff2f9dbbb2387df1753739407917e96dadf6b0
• c27b725ff66fdfb11dd6487a3815d1d1eba89d61b0e919e4d06ed3ac6a74fe94
• 1eb914c09c873f0a7bcf81475ab0f6bdfaccc6b63bf7e5f2dbf19295106af192
• 6f6db63ece791c6dc1054f1e1231b5bbcf6c051a49bad0784569271753e24619
• d6da885c90a5d1fb88d0a3f0b5d9817a82d5772d5510a0773c80ca581ce2486d

SHA1

• f5b60a8ead96703080e73a1f79c3e70ff44df271
• ffe18db834403070a7e5ab8c0a19637c64f32a4d
• 645149d51489f8f852442804c33f30bb7f7ebd0c
• bc9a0b465b861a5f51cb9073e9efd6d67bfe8785
• 61fdeec0592c777619f170a4914d22774c28bb7e
• bfb7523b1ad31f931127b529948251211d2ecf89
• 7c0fe1cd06e64ea4e41823d2810c80aad5ed2c19

Remediation

• Upgrade to supported versions of on-premises Microsoft SharePoint Server to eliminate vulnerabilities
• Apply the latest security updates to patch known flaws exploited by attackers
• Ensure the Antimalware Scan Interface is turned on and configured correctly to detect malicious activities
• Deploy Microsoft Defender for Endpoint or equivalent solutions for advanced threat detection and response
• Rotate SharePoint Server ASP.NET machine keys to invalidate potential attacker persistence mechanisms
• Restart IIS on all SharePoint servers using iisreset.exe to apply security changes effectively
• Rotate keys and restart IIS after installing security updates if AMSI cannot be enabled to secure configurations
• Implement an incident response plan to contain and recover from ransomware attacks
• Monitor systems for unauthorized scheduled tasks and suspicious .NET assemblies to detect persistence
• Restrict use of administrative tools like PsExec and Impacket to limit lateral movement opportunities