Parallel intrusions were identified in on-premises Microsoft SharePoint environments via the exploitation of CVE-2025-49704, CVE-2025-49706, and CVE-2025-53770. Two distinct threat actors operated concurrently: Storm-2603, a ransomware group utilizing BYOVD and legitimate remote tools, and an unattributed actor focused on Active Directory (AD) credential theft via DLL sideloading and custom backdoors. This overlapping activity created significant "signal noise," complicating forensic detection and containment. The intrusions highlight a critical failure in patching internet-facing legacy infrastructure, enabling both immediate financial extortion and long-term espionage within the same network perimeter.
Incident Overview: Parallel Compromise
- Simultaneous operations by two unrelated threat actors within a single compromised environment.
- Initial access achieved through unpatched, internet-facing on-premises Microsoft SharePoint servers.
- Discovery occurred during a ransomware engagement by the Microsoft Detection and Response Team (DART).
Storm-2603: Ransomware Mechanics
- Utilized legitimate tools including Cloudflare Tunnel, Zoho Assist, and Visual Studio Code Remote SSH for C2 and persistence.
- Employed Bring Your Own Vulnerable Driver (BYOVD) techniques to disable endpoint security controls.
- Focused on unauthorized administrator account creation followed by rapid ransomware deployment.
Unattributed Actor: Stealth & Espionage
- Implemented DLL sideloading and deployed custom backdoors to maintain a low-profile presence.
- Leveraged Virtual Private Server (VPS) infrastructure for VPN access to mask origin and lateral movement.
- Targeted Active Directory credential databases, indicating a primary objective of long-term espionage.
Operational Risks & Containment Challenges
- "Signal Noise" Phenomenon: The loud activity of Storm-2603 effectively masked the stealthy TTPs of the second actor.
- High Containment Risk: Evicting one actor may inadvertently alert the second, potentially triggering immediate data destruction or accelerated exfiltration.
- Systemic Spread: Investigation confirmed lateral movement across multiple organizations, proving the scalability of the attack chain.
Defensive Recommendations & Root Cause
- Primary Root Cause: Failure to patch critical, internet-facing legacy infrastructure and inadequate monitoring of privileged identities.
- Urgent Remediation: Immediate patching of SharePoint vulnerabilities CVE-2025-49704, CVE-2025-49706, and CVE-2025-53770.
- Strategic Shift: Implementation of strict identity monitoring and behavioral analysis to detect concurrent, overlapping intrusions.
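As an added illustration of the behavioral analysis recommended above (example code, not from the original post or Microsoft DART), the script below tags constructed event lines against the two TTP profiles described in this summary and reports a parallel intrusion when both profiles fire independently, so the loud ransomware track cannot swallow the quiet espionage track. The event wording, host names and regex fingerprints are assumptions.

```python
import re

# Constructed sample events (not from the original post): (timestamp, host, message).
EVENTS = [
    ("2025-07-20T01:05", "SP01", "net localgroup Administrators bkupadm /add"),
    ("2025-07-20T01:06", "SP01", "process start: cloudflared.exe tunnel run"),
    ("2025-07-20T01:30", "SP01", "process start: ZohoAssist service installed"),
    ("2025-07-20T01:35", "SP01", "process start: code.exe tunnel"),
    ("2025-07-20T02:10", "SP01", "driver load: vulnerable signed driver matched block list"),
    ("2025-07-20T03:00", "FS01", "process start: enc.exe, ransom note dropped"),
    ("2025-07-18T22:20", "SP01", "image load: C:\\ProgramData\\upd\\update.exe loaded version.dll from same directory"),
    ("2025-07-19T04:00", "DC01", "file read: NTDS.dit via shadow copy"),
    ("2025-07-19T04:05", "DC01", "logon type 3 from VPN pool address"),
]

# Fingerprints for the two actor profiles the post describes; patterns are assumptions.
PROFILES = {
    "loud_ransomware": {
        "admin_created": r"localgroup administrators .* /add",
        "remote_tool": r"cloudflared|zohoassist|code\.exe tunnel",
        "byovd": r"vulnerable signed driver",
        "ransomware": r"ransom note",
    },
    "stealth_espionage": {
        "dll_sideload": r"loaded \w+\.dll from same directory",
        "ad_cred_access": r"ntds\.dit",
        "vpn_access": r"vpn pool",
    },
}

def profile_hits(events):
    """Return {profile: {"tags": set, "first_seen": ts}} for events matching its fingerprints."""
    hits = {}
    for ts, _host, msg in sorted(events):  # ISO timestamps sort lexicographically
        for profile, tags in PROFILES.items():
            for tag, pattern in tags.items():
                if re.search(pattern, msg, re.IGNORECASE):
                    hits.setdefault(profile, {"tags": set(), "first_seen": ts})["tags"].add(tag)
    return hits

def assess(events, min_tags=2):
    """Activate a profile on >= min_tags distinct TTPs; two active profiles means a parallel intrusion."""
    hits = profile_hits(events)
    active = sorted(p for p, h in hits.items() if len(h["tags"]) >= min_tags)
    return {"active": active, "parallel_intrusion": len(active) >= 2, "hits": hits}

if __name__ == "__main__":
    print(assess(EVENTS))
```

The `first_seen` value per profile makes the dwell-time gap visible: in the constructed data the stealth profile predates the ransomware activity by two days.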