
Critical SharePoint Vulnerabilities Actively Exploited for Ransomware Attacks
Cybercriminals are actively targeting unpatched Microsoft SharePoint servers, chaining together critical vulnerabilities to gain initial access and deploy ransomware across corporate networks. This sophisticated attack highlights the urgent need for organizations to prioritize security updates and monitor for unusual activity.
At the heart of this threat is a two-step exploit chain that links two known security flaws in SharePoint Server. Used together, they turn an unauthenticated network request into code execution on the server, and that foothold becomes the starting point for a ransomware incident.
Understanding the Attack: From Entry to Control
The attack begins with CVE-2023-29357, an elevation-of-privilege vulnerability in SharePoint Server. This critical flaw requires neither authentication nor user interaction: an attacker who can reach the server over the network can present spoofed JWT authentication tokens to bypass authentication and obtain the privileges of an authenticated user, effectively gaining administrator-level access. This is the crucial first step that opens the door for more destructive actions.
With those privileges in hand, the attackers use a second vulnerability, CVE-2023-24955, a remote code execution flaw that on its own requires an authenticated user with Site Owner rights. That prerequisite is exactly what the first bug supplies, so the pair amounts to unauthenticated remote code execution. By combining these two exploits, threat actors can:
- Gain unauthorized, high-level access to the SharePoint server.
- Execute malicious code of their choosing on the compromised system.
This chained exploit provides attackers with a powerful foothold inside the network, turning the trusted SharePoint server into a launchpad for a broader attack.
Post-Exploitation: How Intruders Move Through Your Network
After the initial breach, the attackers do not immediately deploy ransomware. Instead, they begin a methodical post-exploitation phase to maximize their impact. Their primary goal is to move laterally from the SharePoint server to other critical systems across the network.
Security researchers have observed these actors using common but effective tools for reconnaissance and lateral movement: nmap for network scanning and the Impacket toolkit for remotely executing commands on other Windows hosts. A key objective during this phase is credential theft. The attackers attempt to dump memory from the Local Security Authority Subsystem Service (LSASS), the process that holds credential material (password hashes, Kerberos tickets and, in some configurations, plaintext passwords) for every user and service account logged on to the server.
With stolen credentials in hand, the attackers can move freely between systems, disable security tools, and identify high-value data targets before initiating the final stage of their attack: deploying ransomware.
How to Protect Your SharePoint Servers and Mitigate Risk
The exploitation of these vulnerabilities is not theoretical—it is happening now. Organizations using Microsoft SharePoint must take immediate action to defend their networks. Ignoring these threats can lead to significant operational disruption, data loss, and financial damage.
Follow these essential security steps to protect your environment:
- Patch Immediately: The single most important defense is to apply the security updates released by Microsoft that address CVE-2023-29357 and CVE-2023-24955. Servers that have not received these updates should be treated as exposed, and internet-facing ones as potentially already compromised. Patching closes the entry point but does not evict an attacker who is already inside, so pair it with a review of the server for signs of prior exploitation.
- Monitor for Suspicious Activity: Keep a close watch on your SharePoint server's activity. Look for cmd.exe or PowerShell being spawned by the IIS worker process (w3wp.exe) that hosts SharePoint, outbound network connections to unfamiliar IP addresses, SMB or RPC connections from the SharePoint server to internal hosts it has no business talking to, and any process opening a handle to LSASS with memory-read access.
- Implement Network Segmentation: Do not allow your SharePoint server to have unrestricted access to your entire internal network. By segmenting the network, you can contain a breach and prevent attackers from moving laterally to more sensitive systems like domain controllers or file servers.
- Enforce the Principle of Least Privilege: Ensure that service accounts and user accounts only have the permissions necessary for their roles; in particular, SharePoint service accounts should not hold domain administrator rights, since credentials dumped from the server are only as valuable as the privileges attached to them. This limits what an attacker can do even after gaining initial access.
- Maintain a Robust Incident Response Plan: Be prepared for a potential breach. A well-defined incident response plan ensures your team can act quickly to isolate compromised systems, eradicate the threat, and restore operations with minimal downtime.
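The behaviours described in the post-exploitation section and in the monitoring step above (a shell spawned by the IIS worker process, a handle to LSASS with memory-read access, unexpected outbound or SMB/RPC connections) can be expressed as a small set of detection rules over endpoint telemetry. The following Python script is an added example, not code from the original article or from the researchers it cites: it applies those rules to constructed Sysmon-style events (event IDs 1, 10 and 3 with their standard field names). The internal address ranges, the list of expected peers, the allowlist of processes permitted to read LSASS, and the sample events themselves are assumptions that would have to be tuned to a real environment.

```python
"""Detection rules for SharePoint post-exploitation activity, run over
constructed Sysmon-style events. Field names follow Sysmon event IDs
1 (ProcessCreate), 10 (ProcessAccess) and 3 (NetworkConnect); the event
contents below are made up for this example."""
import ipaddress

# Assumed environment facts (placeholders to tune per site).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Internal hosts the SharePoint server legitimately reaches over SMB/RPC/WinRM
# (e.g. domain controllers, backend SQL): assumed values.
EXPECTED_PEERS = {"10.0.0.10", "10.0.0.20"}
# Processes allowed to open LSASS with memory-read access: assumed minimal list.
LSASS_READERS_OK = {r"c:\windows\system32\csrss.exe",
                    r"c:\windows\system32\wininit.exe",
                    r"c:\program files\windows defender\msmpeng.exe"}
# Interpreters a web server worker process should never be launching.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "rundll32.exe"}
PROCESS_VM_READ = 0x0010          # Windows access right needed to read process memory
LATERAL_PORTS = {445, 135, 5985, 5986}  # SMB, RPC endpoint mapper, WinRM


def basename(path):
    """Last path component, lower-cased, for case-insensitive image matching."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process_create(ev):
    """Sysmon 1: a shell spawned by the IIS worker hosting SharePoint."""
    if basename(ev["ParentImage"]) == "w3wp.exe" and basename(ev["Image"]) in SHELLS:
        return (f"web shell/RCE: w3wp.exe spawned {basename(ev['Image'])}: "
                f"{ev['CommandLine']}")
    return None


def check_process_access(ev):
    """Sysmon 10: a non-allowlisted process reading LSASS memory.
    (Requires a Sysmon config that records ProcessAccess for lsass.exe.)"""
    if basename(ev["TargetImage"]) != "lsass.exe":
        return None
    granted = int(ev["GrantedAccess"], 16)  # Sysmon logs the mask as a hex string
    if granted & PROCESS_VM_READ and ev["SourceImage"].lower() not in LSASS_READERS_OK:
        return f"credential dumping: {ev['SourceImage']} opened lsass.exe with 0x{granted:x}"
    return None


def check_network(ev):
    """Sysmon 3: outbound connection to an unknown external IP, or SMB/RPC/WinRM
    to an internal host that is not an expected peer (lateral movement)."""
    if not ev.get("Initiated", False):
        return None
    dst = ipaddress.ip_address(ev["DestinationIp"])
    port = int(ev["DestinationPort"])
    if not any(dst in net for net in INTERNAL_NETS):
        return f"outbound to unknown external IP {dst}:{port} by {basename(ev['Image'])}"
    if port in LATERAL_PORTS and str(dst) not in EXPECTED_PEERS:
        return f"possible lateral movement: {basename(ev['Image'])} -> {dst}:{port}"
    return None


CHECKS = {1: check_process_create, 10: check_process_access, 3: check_network}


def analyze(events):
    """Return the list of findings for a sequence of event dicts."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["EventID"])
        if check:
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample telemetry: four malicious events interleaved with benign ones.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA..."},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "Initiated": True,
     "DestinationIp": "203.0.113.45", "DestinationPort": "443"},
    {"EventID": 3, "Image": r"C:\Windows\Temp\psexec.exe", "Initiated": True,
     "DestinationIp": "10.0.5.22", "DestinationPort": "445"},
    {"EventID": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "Initiated": True,
     "DestinationIp": "10.0.0.20", "DestinationPort": "1433"},
    {"EventID": 3, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "Initiated": True,
     "DestinationIp": "10.0.0.10", "DestinationPort": "445"},
]

if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS):
        print(line)
```

Run against the constructed sample, the script reports exactly the four malicious events (the spawned shell, the LSASS read from a temp-directory binary, the connection to an external address, and the SMB connection to an unexpected internal host) and stays silent on the benign ones. The LSASS rule keys on the PROCESS_VM_READ bit rather than on a fixed list of access masks, since any tool that reads credential material out of LSASS must hold that right; the allowlist is what keeps legitimate readers quiet, and it is the part most likely to need tuning.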
Ultimately, this campaign serves as a stark reminder that foundational cybersecurity practices—especially timely patch management—are the most effective defense against even sophisticated threat actors.
Source: https://www.helpnetsecurity.com/2025/07/24/storm-2603-spotted-deploying-ransomware-on-exploited-sharepoint-servers/