Full Report
Netherlands-based cybersecurity firm Eye Security told Reuters and Bloomberg that hackers have successfully breached at least 400 governments and businesses around the world.
Analysis Summary
# Incident Report: Storm-2603 Exploits SharePoint Vulnerability for Warlock Ransomware Deployment
## Executive Summary
Storm-2603, a threat actor assessed to be China-based, exploited a newly disclosed vulnerability in Microsoft SharePoint products (CVE-2025-49706) to deploy Warlock ransomware against at least 400 governments and businesses worldwide. The actor gained initial access through unpatched, internet-exposed SharePoint servers, disabled Microsoft Defender protections, and then encrypted victim environments. CISA is coordinating with affected US federal agencies, including NNSA, NIH, and DHS, to assess damage and apply mitigations.
## Incident Details
- Discovery Date: Microsoft's update circulated on Wednesday night (by implication July 23, 2025, based on the reporting date)
- Incident Date: Exploitation began as early as July 17th (Germany) and July 18th (Italy, U.S. Department of Energy)
- Affected Organization: At least 400 governments and businesses worldwide, including US federal agencies (NNSA, NIH, DHS, State Department).
- Sector: Government, various businesses.
- Geography: Global (exploitation observed in Germany and Italy; the US was the most targeted country in observed attacks).
## Timeline of Events
### Initial Access
- Date/Time: As early as July 17 (a German site identified by ESET); July 18 confirmed for the U.S. Department of Energy breach.
- Vector: Exploitation of unpatched Microsoft SharePoint vulnerability, **CVE-2025-49706**.
- Details: Threat actors gained initial access to internet-exposed SharePoint systems.
### Lateral Movement
- Details: The reporting does not describe specific lateral movement techniques. It focuses on post-exploitation actions, noting that after initial access the actors disabled Microsoft Defender protections before encrypting systems.
### Data Exfiltration/Impact
- Details: The primary impact was deployment of **Warlock ransomware** to encrypt compromised environments. No exfiltration of sensitive or classified information had been confirmed at NNSA or DHS at the time of reporting.
### Detection & Response
- Detection: Microsoft provided an update on Wednesday night; cybersecurity firms like Eye Security identified successful breaches; CISA became actively involved in notifying affected partners.
- Response actions taken: CISA worked with Microsoft and other federal partners to share actionable information, implement protective measures, and assess the scope. NNSA reported minimal impact because of its use of cloud services and because it mitigated the risk immediately.
## Attack Methodology
- Initial Access: Exploitation of **CVE-2025-49706** in Microsoft SharePoint.
- Persistence: Not explicitly detailed, though deployment of ransomware implies maintenance of access long enough to execute encryption.
- Privilege Escalation: Not explicitly detailed.
- Defense Evasion: **Disabling Microsoft Defender protections** was observed post-compromise.
- Credential Access: Not detailed.
- Discovery: Not detailed in the reporting.
- Lateral Movement: Not detailed.
- Collection: Not detailed in the reporting.
- Exfiltration: Not confirmed; the observed objective was encryption rather than data theft.
- Impact: **Ransomware encryption** with the Warlock strain. Storm-2603 has previously been observed deploying LockBit ransomware.
## Impact Assessment
- Financial: Not quantified; involves ransomware remediation and recovery costs across 400+ organizations.
- Data Breach: Type of data not specified, and no exfiltration was confirmed at NNSA or DHS; the breadth of compromise nonetheless leaves exposure possible across victim environments.
- Operational: Significant disruption expected where Warlock encryption completed (NNSA reported minimal impact).
- Reputational: Not assessed in the reporting; the scale of the compromise, including federal agencies, makes reputational impact likely for affected organizations.
## Indicators of Compromise
- Network indicators: (No specific, defanged indicators provided in the text)
- File indicators: No file hashes were published in the reporting. Ransomware family: Warlock; the actor has previously used LockBit.
- Behavioral indicators: Microsoft Defender protections disabled shortly after compromise, before encryption.
## Response Actions
- Containment measures: CISA working to share actionable information and implement protective measures; NNSA taking action to mitigate risk and transition systems.
- Eradication steps: Ongoing assessment of scope and impact by federal partners.
- Recovery actions: Transitioning a small number of affected systems away from the compromised infrastructure (NNSA example).
## Lessons Learned
- Key takeaways: A newly disclosed vulnerability (CVE-2025-49706) in widely deployed enterprise software (SharePoint) was weaponized for ransomware within days of its appearance, creating immediate and severe risk for every internet-facing instance.
- What could have been done better: Reducing the internet exposure of on-premises SharePoint servers, applying Microsoft's mitigations and patches as soon as they became available, and alerting on security-tool tampering so that Defender being disabled triggered a response before encryption began.
## Recommendations
- Prevention measures for similar incidents: Patch external-facing applications promptly, with SharePoint and other Microsoft products first in line. Monitor for tampering with security tooling (for example, Microsoft Defender being disabled) and treat it as a high-priority alert, since in this incident it preceded encryption. Maintain tested, offline backups and a disaster recovery plan to limit the impact of a successful ransomware deployment.
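The behavioral indicator above (Defender protections disabled after compromise) and the recommendation to alert on security-tool tampering can be turned into a concrete detection. The following is an added example, not code from the reporting or from Microsoft: a small rule set run over Windows event records that flags the three ways Defender is commonly switched off, namely Defender operational log events for a disabled component, a Sysmon registry-set event on the Defender policy keys, and a `Set-MpPreference` command line. The event IDs, channel names and registry paths are real Windows artifacts; the JSON record layout and the sample events are constructed here for illustration and are not indicators from the incident.

```python
"""Flag Microsoft Defender tampering in a stream of Windows event records.

Added illustration, not part of the original reporting. Event IDs, channel
names and registry paths are real Windows Defender / Sysmon artifacts; the
JSON record shape and the SAMPLE_EVENTS below are constructed for this example.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

# Defender operational events that mean a protection component was turned off
# (as opposed to 5007, which is a generic configuration change).
DEFENDER_DISABLED_EVENTS = {
    5001: "real-time protection disabled",
    5010: "antimalware scanning disabled",
    5012: "antivirus scanning disabled",
}

# Registry values used to switch Defender off; matched against Sysmon
# Event ID 13 (RegistryEvent: value set). A value of 1 disables the component.
TAMPER_REGISTRY = {
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
}

# Set-MpPreference switches that disable Defender components, matched against
# Sysmon Event ID 1 (process creation) command lines.
TAMPER_CMDLINE = re.compile(
    r"Set-MpPreference\s+.*-Disable(RealtimeMonitoring|IOAVProtection|BehaviorMonitoring)\s+(\$true|1)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Alert:
    host: str
    reason: str
    evidence: str


def inspect(record: dict) -> Optional[Alert]:
    """Return an Alert if a single event record shows Defender being disabled."""
    host = record.get("host", "?")
    channel = record.get("channel", "")
    event_id = record.get("event_id")

    if channel == DEFENDER_CHANNEL and event_id in DEFENDER_DISABLED_EVENTS:
        return Alert(host, DEFENDER_DISABLED_EVENTS[event_id], f"Defender event {event_id}")

    if channel == SYSMON_CHANNEL and event_id == 13:
        target = record.get("target_object", "")
        details = record.get("details", "")
        # Sysmon renders DWORD values as "DWORD (0x00000001)".
        if target in TAMPER_REGISTRY and "0x00000001" in details:
            return Alert(host, "Defender disabled via registry", f"{target} = {details}")

    if channel == SYSMON_CHANNEL and event_id == 1:
        cmd = record.get("command_line", "")
        if TAMPER_CMDLINE.search(cmd):
            return Alert(host, "Defender disabled via Set-MpPreference", cmd)

    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Parse JSON-lines event records and collect tampering alerts, skipping malformed lines."""
    alerts: List[Alert] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = inspect(record)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample: one benign config change, one PowerShell disable, one
# registry disable, one benign registry write (value 0), one Defender 5001,
# one ordinary process launch. Three of the six should alert.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"host": "sp-web01", "channel": DEFENDER_CHANNEL, "event_id": 5007,
                "message": "The antimalware platform configuration changed."}),
    json.dumps({"host": "sp-web01", "channel": SYSMON_CHANNEL, "event_id": 1,
                "command_line": 'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"'}),
    json.dumps({"host": "sp-web01", "channel": SYSMON_CHANNEL, "event_id": 13,
                "target_object": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
                "details": "DWORD (0x00000001)"}),
    json.dumps({"host": "sp-web01", "channel": SYSMON_CHANNEL, "event_id": 13,
                "target_object": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
                "details": "DWORD (0x00000000)"}),
    json.dumps({"host": "sp-web01", "channel": DEFENDER_CHANNEL, "event_id": 5001,
                "message": "Real-time protection is disabled."}),
    json.dumps({"host": "sp-web01", "channel": SYSMON_CHANNEL, "event_id": 1,
                "command_line": r"C:\Windows\System32\w3wp.exe -ap SharePoint"}),
])


def main() -> None:
    for alert in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[{alert.host}] {alert.reason}: {alert.evidence}")


if __name__ == "__main__":
    main()
```

On a real estate the records would come from a SIEM or from Get-WinEvent exports rather than a JSON string, and any of these three alerts on a server that also hosts SharePoint should be escalated immediately, because in this incident the tampering was the step between initial access and encryption.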