Parallel intrusions were identified in on-premises Microsoft SharePoint environments via the exploitation of CVE-2025-49704, CVE-2025-49706, and CVE-2025-53770. Two distinct threat actors operated concurrently: Storm-2603, a ransomware group utilizing BYOVD and legitimate remote tools, and an unattributed actor focused on Active Directory (AD) credential theft via DLL sideloading and custom backdoors. This overlapping activity created significant "signal noise," complicating forensic detection and containment. The intrusions highlight a critical failure in patching internet-facing legacy infrastructure, enabling both immediate financial extortion and long-term espionage within the same network perimeter.

  • Incident Overview: Parallel Compromise
    • Simultaneous operations by two unrelated threat actors within a single compromised environment.
    • Initial access achieved through unpatched, internet-facing on-premises Microsoft SharePoint servers.
    • Discovery occurred during a ransomware engagement by the Microsoft Detection and Response Team (DART).
  • Storm-2603: Ransomware Mechanics
    • Utilized legitimate tools including Cloudflare Tunnel, Zoho Assist, and Visual Studio Code Remote SSH for command and control (C2) and persistence.
    • Employed Bring Your Own Vulnerable Driver (BYOVD) techniques to disable endpoint security controls.
    • Focused on unauthorized administrator account creation followed by rapid ransomware deployment.
  • Unattributed Actor: Stealth & Espionage
    • Implemented DLL sideloading and deployed custom backdoors to maintain a low-profile presence.
    • Leveraged Virtual Private Server (VPS) infrastructure for VPN access to mask origin and lateral movement.
    • Targeted Active Directory credential databases, indicating a primary objective of long-term espionage.
  • Operational Risks & Containment Challenges
    • "Signal Noise" Phenomenon: The loud activity of Storm-2603 effectively masked the stealthy tactics, techniques, and procedures (TTPs) of the second actor.
    • High Containment Risk: Evicting one actor may inadvertently alert the second, potentially triggering immediate data destruction or accelerated exfiltration.
    • Systemic Spread: Investigation confirmed lateral movement across multiple organizations, proving the scalability of the attack chain.
  • Defensive Recommendations & Root Cause
    • Primary Root Cause: Failure to patch critical, internet-facing legacy infrastructure and inadequate monitoring of privileged identities.
    • Urgent Remediation: Immediate patching of SharePoint vulnerabilities CVE-2025-49704, CVE-2025-49706, and CVE-2025-53770.
    • Strategic Shift: Implementation of strict identity monitoring and behavioral analysis to detect concurrent, overlapping intrusions.
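The recommendation above is easier to act on when phrased as detection logic. The following is an added illustration, not code from the briefing or from Microsoft: it runs a handful of identity- and tooling-focused rules over constructed telemetry, groups the resulting alerts by originating address, and then checks whether two or more alert clusters were active in the same time window, which is exactly the "parallel intrusion" shape described in this summary. The event schema, host names, addresses, file paths, thresholds, and the rule names are all assumptions; the Windows event IDs 4720 (user account created) and 4732 (member added to a security-enabled local group) and the `cloudflared.exe` binary name are real.

```python
"""Identity-centric correlation over constructed telemetry (added example).

Every sample event, field name, path and threshold below is an assumption
chosen to mirror the TTPs in the briefing; none comes from the incident itself.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample events: one noisy cluster (10.0.5.21) creating an admin
# account, loading a driver from a user-writable path and starting a tunnel,
# and one quiet cluster (198.51.100.9) sideloading a DLL and reading the AD
# credential database. Hosts and addresses are fictitious.
SAMPLE_EVENTS = [
    {"ts": "2025-07-20T01:02:00", "host": "SP-WEB01", "src": "10.0.5.21",
     "kind": "process", "image": "cloudflared.exe"},
    {"ts": "2025-07-20T01:05:00", "host": "DC01", "src": "10.0.5.21",
     "kind": "event_4720", "user": "svc_backup2"},
    {"ts": "2025-07-20T01:06:30", "host": "DC01", "src": "10.0.5.21",
     "kind": "event_4732", "user": "svc_backup2", "group": "Administrators"},
    {"ts": "2025-07-20T01:10:00", "host": "SP-WEB01", "src": "10.0.5.21",
     "kind": "driver_load", "image": "C:\\Users\\Public\\drv\\oldav.sys", "signed": True},
    {"ts": "2025-07-20T01:41:00", "host": "SP-WEB02", "src": "198.51.100.9",
     "kind": "image_load", "image": "C:\\ProgramData\\upd\\version.dll",
     "parent": "C:\\Program Files\\Vendor\\app.exe", "signed": False},
    {"ts": "2025-07-20T01:55:00", "host": "DC01", "src": "198.51.100.9",
     "kind": "file_read", "path": "C:\\Windows\\NTDS\\ntds.dit", "process": "updater.exe"},
]

# Page names Cloudflare Tunnel, Zoho Assist and VS Code Remote SSH; only the
# Cloudflare client binary is listed here, the others would be added the same way.
TUNNEL_TOOLS = {"cloudflared.exe"}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}
SYSTEM_DRIVER_DIR = "C:\\Windows\\System32\\drivers\\"
USER_WRITABLE_DIRS = ("C:\\Users\\", "C:\\ProgramData\\", "C:\\Windows\\Temp\\")
PROGRAM_FILES = "C:\\Program Files"


def _alert(event, rule, ts):
    return {"rule": rule, "src": event["src"], "host": event["host"], "ts": ts}


def detect(events, promotion_window=timedelta(minutes=15)):
    """Return one alert per event matching a rule derived from the TTPs above."""
    alerts = []
    created = {}  # (src, user) -> time the account was created (event 4720)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        kind = e["kind"]
        if kind == "event_4720":
            created[(e["src"], e["user"])] = ts
        elif kind == "event_4732" and e.get("group") in PRIVILEGED_GROUPS:
            # A freshly created account promoted to a privileged group shortly after
            t_created = created.get((e["src"], e["user"]))
            if t_created is not None and ts - t_created <= promotion_window:
                alerts.append(_alert(e, "new-account-promoted-to-admin", ts))
        elif kind == "process" and e["image"].lower() in TUNNEL_TOOLS:
            alerts.append(_alert(e, "remote-tunnel-tool", ts))
        elif kind == "driver_load" and not e["image"].startswith(SYSTEM_DRIVER_DIR):
            # BYOVD drivers carry valid signatures, so load location is the cue
            alerts.append(_alert(e, "driver-loaded-outside-system-dir", ts))
        elif (kind == "image_load" and not e["signed"]
              and e["image"].startswith(USER_WRITABLE_DIRS)
              and e["parent"].startswith(PROGRAM_FILES)):
            # Trusted vendor binary loading an unsigned DLL from a writable path
            alerts.append(_alert(e, "possible-dll-sideload", ts))
        elif (kind == "file_read" and e["path"].lower().endswith("ntds.dit")
              and e["process"].lower() != "lsass.exe"):
            alerts.append(_alert(e, "ad-credential-db-access", ts))
    return alerts


def cluster_by_source(alerts):
    """Group alerts by originating address: one cluster per suspected operator."""
    clusters = defaultdict(list)
    for a in alerts:
        clusters[a["src"]].append(a)
    return dict(clusters)


def overlapping_clusters(clusters, slack=timedelta(hours=2)):
    """Pairs of clusters whose activity windows overlap, allowing `slack` between them."""
    spans = {src: (min(a["ts"] for a in al), max(a["ts"] for a in al))
             for src, al in clusters.items()}
    pairs = []
    for a, b in combinations(sorted(spans), 2):
        if spans[a][0] <= spans[b][1] + slack and spans[b][0] <= spans[a][1] + slack:
            pairs.append((a, b))
    return pairs


def summarize(events):
    """Rules fired per source plus any pairs of concurrently active clusters."""
    clusters = cluster_by_source(detect(events))
    return {"rules_by_source": {s: sorted(a["rule"] for a in al) for s, al in clusters.items()},
            "parallel_intrusion": overlapping_clusters(clusters)}


if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    for src, rules in report["rules_by_source"].items():
        print(src, rules)
    print("concurrent clusters:", report["parallel_intrusion"])
```

The point of the last step is the containment risk noted above: a triage view that only ranks alerts by volume would show the tunnel, the new admin account and the driver load, and the single DLL sideload plus one read of the credential database would sit far down the list. Grouping by originating address first and then asking whether two clusters overlap in time makes the second operator visible as a separate decision before eviction begins.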

Related posts

  1. gbhackers.com — Microsoft Confirms Windows 11 26H2 Upgrade via Enablement Package for Faster Deployment
  2. microsoft.com — One intrusion, two cyberattackers: Uncovering parallel threat activity
  3. bleepingcomputer.com — Microsoft says Windows 11 26H2 is coming soon, details upgrade process
  4. techjacksolutions.com — Parallel Threat Actor Intrusion: Storm-2603 and Unattributed Actor Simultaneously Compromise Shared Environment
  5. SecurityWeek — CISA Warns of Actively Exploited Microsoft SharePoint Vulnerability
  6. csoonline.com — Unpatched SharePoint servers opened the door to multiple attackers, Microsoft finds
  7. Cybersecurity News — Hackers Exploit Unpatched SharePoint Servers to Deploy Ransomware and Custom Backdoors
  8. CISA Cybersecurity Advisories — CISA Adds One Known Exploited Vulnerability to Catalog
  9. bleepingcomputer.com — CISA: Microsoft SharePoint RCE flaw now actively exploited
  10. computerweekly.com — US cyber agency warns over forgotten SharePoint flaw