CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Warlock Ransomware Exploits Vulnerable SharePoint Servers

First reported
Last updated
3 unique sources, 3 articles

Summary

Hide ▲

Warlock ransomware, potentially linked to Black Basta, targets unpatched on-premises Microsoft SharePoint servers. The ransomware leverages multiple vulnerabilities (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, CVE-2025-53771) to gain initial access, escalate privileges, and deploy ransomware. The campaign includes extensive reconnaissance and evasion techniques, targeting security software to avoid detection. The threat actor Storm-2603, associated with China-backed groups, has been observed using Warlock ransomware in these attacks. The ransomware gang recently auctioned files stolen from Colt Technology Services, confirming customer data was compromised. Organizations are urged to apply available patches and implement comprehensive security measures to mitigate the risk. The ToolShell exploit chain, involving CVE-2025-53770 and CVE-2025-53771, was first publicly disclosed in mid-July 2025. Chinese-based threat groups Linen Typhoon and Violet Typhoon have been actively targeting SharePoint vulnerabilities since July 2025. Active exploitation of ToolShell vulnerabilities was first observed on July 18, 2025, a day before Microsoft's emergency advisory. Cisco Talos reported that nearly all their incident response engagements related to ToolShell activity began within 10 days of the vulnerabilities being disclosed. Network segmentation is crucial to prevent lateral movement within an organization following a ToolShell exploit.

Timeline

  1. 21.08.2025 23:41 2 articles · 2mo ago

    Warlock Ransomware Gang Auctions Stolen Data from Colt Technology Services

    Ransomware incidents accounted for 20% of Cisco Talos's engagements in Q3 2025, down from 50% in the previous quarter. Cisco Talos responded to Warlock, Babuk, and Kraken ransomware variants for the first time in Q3 2025. A ransomware engagement in Q3 2025 was assessed with moderate confidence to be attributable to the Storm-2603 threat group based on overlapping TTPs, including the deployment of both LockBit and Warlock ransomware. The Qilin ransomware group was particularly active in Q3 2025 and is expected to remain a top threat through the remainder of the year.

    Show sources
    Open in new tab
  2. 21.08.2025 00:04 3 articles · 2mo ago

    Warlock Ransomware Exploits SharePoint Vulnerabilities

    The ToolShell exploit chain, involving CVE-2025-53770 and CVE-2025-53771, was first publicly disclosed in mid-July 2025. Chinese-based threat groups Linen Typhoon and Violet Typhoon have been actively targeting SharePoint vulnerabilities since July 2025. Active exploitation of ToolShell vulnerabilities was first observed on July 18, 2025, a day before Microsoft's emergency advisory. Cisco Talos reported that nearly all their incident response engagements related to ToolShell activity began within 10 days of the vulnerabilities being disclosed. Network segmentation is crucial to prevent lateral movement within an organization following a ToolShell exploit. A ransomware attack occurred a few weeks after a SharePoint server was exploited using ToolShell, indicating a potential link between the two incidents. Credential-stealing malware was transferred from a public-facing SharePoint server to an internal SharePoint database server, leveraging a trusted relationship between the two servers.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Velociraptor DFIR Tool Abused in LockBit and Babuk Ransomware Campaigns

Threat actors, assessed to be China-based Storm-2603, have started using the Velociraptor digital forensics and incident response (DFIR) tool in ransomware attacks deploying LockBit and Babuk ransomware. The attackers exploited a privilege escalation vulnerability in an outdated version of Velociraptor to gain persistent access and control over virtual machines. The campaign involved creating local admin accounts, disabling security features, and using fileless PowerShell encryptors for data exfiltration and encryption. The ransomware deployed on Windows systems was identified as LockBit, while a Linux binary detected as Babuk ransomware was found on VMware ESXi systems. Storm-2603 initially exploited SharePoint vulnerabilities in July 2025 and deployed Warlock, LockBit, and Babuk ransomware on VMware ESXi servers in August 2025. Sophos CTU researchers first documented Velociraptor abuse by Storm-2603 on August 5, 2025. Storm-2603 used the ToolShell exploit to gain initial access and deployed an outdated version of Velociraptor (version 0.73.4.0) that is susceptible to a privilege escalation vulnerability (CVE-2025-6264) to enable arbitrary command execution and endpoint takeover. The group also used Smbexec to remotely launch programs using the SMB protocol and modified Active Directory (AD) Group Policy Objects (GPOs) to disable real-time protection. Storm-2603 established the infrastructure for the AK47 C2 framework in March 2025 and created the first prototype of the tool the next month. The group pivoted from LockBit-only deployment to dual LockBit/Warlock deployment in April 2025 and used the ToolShell exploit as a zero-day in July 2025. Storm-2603 demonstrated operational flexibility and sophisticated builder expertise using leaked and open-source ransomware frameworks.

Open in new tab

RondoDox botnet exploits 56 n-day vulnerabilities in global attacks

The RondoDox botnet has been actively exploiting over 50 vulnerabilities across more than 30 vendors since May 2025. The botnet uses an 'exploit shotgun' strategy to maximize infections, targeting both older and more recent vulnerabilities. The list of exploited vulnerabilities includes CVE-2023-1389, a flaw in the TP-Link Archer AX21 Wi-Fi router, and others demonstrated at Pwn2Own events. The botnet's activity poses significant risks, especially for devices that have reached end-of-life and are more likely to remain unpatched. Many users also tend to ignore firmware updates for supported hardware, increasing the risk of exploitation. The botnet targets 35 to 40 vulnerabilities found in consumer-oriented devices, which are often unmanaged and rarely updated. In late September, a 230% surge in the botnet's attacks was reported, fueled by the exploitation of weak credentials, unsanitized input, and old CVEs. The infected devices are abused for cryptocurrency mining, distributed denial-of-service (DDoS) attacks, and for hacking into enterprise networks. The botnet's impact scale is potentially quite large, though not yet fully known. To mitigate the threat, users are advised to apply the latest firmware updates, replace end-of-life equipment, segment their networks, and use strong, unique passwords.

Open in new tab

Clop extortion campaign targets Oracle E-Business Suite

The Clop ransomware gang has been exploiting multiple vulnerabilities in Oracle E-Business Suite since at least August 2025, including the zero-day vulnerability CVE-2025-61882. The gang has been sending extortion emails to executives at multiple organizations, claiming to have stolen sensitive data. The campaign involves a high-volume email blast from hundreds of compromised accounts, some previously linked to the FIN11 threat group. The emails contain contact addresses known to be listed on the Clop ransomware gang's data leak site. CrowdStrike attributes the exploitation of CVE-2025-61882 to the Cl0p ransomware gang with moderate confidence, and the first known exploitation occurred on August 9, 2025. The exploit involves an HTTP request to /OA_HTML/SyncServlet, resulting in an authentication bypass. Oracle has released an emergency patch for the zero-day vulnerability and shared indicators of compromise. The exploit was leaked by a group called Scattered Lapsus$ Hunters, raising questions about their potential collaboration with Clop. Envoy Air, a subsidiary of American Airlines, confirms that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its data leak site. Envoy Air stated that no sensitive or customer data was affected, but a limited amount of business information and commercial contact details may have been compromised. The Clop gang is also extorting Harvard University, with the university confirming that the incident impacts a limited number of parties associated with a small administrative unit. Oracle has confirmed that known vulnerabilities in its E-Business Suite, patched in July 2025, may have been exploited in these attacks. The July 2025 Critical Patch Update addressed 309 vulnerabilities across Oracle's product range, including nine for E-Business Suite. Three of these vulnerabilities are critical and three others are exploitable remotely without authentication. The extortion emails are part of a broader campaign, with the attackers sending messages from compromised accounts, some previously associated with the FIN11 threat group. The emails contain contact addresses known to be listed on the Clop ransomware gang's data leak site. Mandiant and GTIG are investigating the claims and recommend that organizations receiving these emails investigate their environments for unusual access or compromise in their Oracle E-Business Suite platforms. The UK’s National Cyber Security Centre (NCSC) has advised Oracle EBS customers to patch the critical vulnerability CVE-2025-61882, which is being exploited by the Clop ransomware group. The NCSC has urged customers to apply an emergency security update from Oracle, published over the weekend, to address the zero-day vulnerability CVE-2025-61882. The vulnerability impacts Oracle EBS versions 12.2.3-12.2.14 and allows unauthenticated attackers to send specially crafted HTTP requests to the affected component, resulting in full system compromise. The NCSC has warned that the Scattered Lapsus$ Hunters group has leaked the exploit used by the Clop gang, increasing the risk of opportunistic attacks on Oracle customers. Rapid7 has advised customers of affected Oracle EBS instances to conduct threat hunting to detect any potential malicious activity, given that exploitation in-the-wild may have occurred since August 2025. CISA has added CVE-2025-61882 to the Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by October 27, 2025. WatchTowr Labs warns of potential mass, indiscriminate exploitation from multiple groups within days.

Open in new tab

Asahi Group Holdings Suffers Cyberattack Disrupting Japanese Operations

Asahi Group Holdings, Ltd., Japan's largest brewer, has confirmed a ransomware attack that began on September 29, 2025, and has disrupted operations in Japan. The incident has affected ordering, shipping, customer service activities, and production at some of its 30 domestic factories. The company has confirmed data theft from compromised devices and is working to restore impacted operations. The attack has not affected operations outside of Japan, and no ransomware group has claimed responsibility. Asahi has established an Emergency Response Headquarters and is collaborating with external cybersecurity experts to restore the system. The company has begun partial manual order processing and shipment and aims to gradually resume call center operations. The potential impact on Asahi’s financial results for fiscal year 2025 is under review. Asahi Group Holdings is investigating the source of the disruption and working to restore impacted operations. The company operates four regional branches and holds significant market share in Japan and internationally. The nature of the cyberattack is confirmed as ransomware, which has led to system failures affecting orders, shipments, and call center operations at all subsidiaries in Japan.

Open in new tab

CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks. The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families like RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat. Nearly 50,000 Cisco ASA and FTD appliances are vulnerable to actively exploited flaws. The vulnerabilities CVE-2025-20333 and CVE-2025-20362 enable arbitrary code execution and access to restricted URL endpoints. The Shadowserver Foundation discovered over 48,800 internet-exposed ASA and FTD instances still vulnerable to the flaws. The majority of vulnerable devices are located in the United States, followed by the United Kingdom, Japan, Germany, Russia, Canada, and Denmark. The Shadowserver Foundation's data is as of September 29, indicating a lack of response to the ongoing exploitation activity. Greynoise had warned on September 4 about suspicious scans targeting Cisco ASA devices, indicating upcoming undocumented flaws. CISA's emergency directive gave 24 hours to FCEB agencies to identify and upgrade vulnerable Cisco ASA and FTD instances. CISA advised that ASA devices reaching their end of support should be disconnected from federal networks by the end of September. The U.K. NCSC reported that the hackers deployed Line Viper shellcode loader malware and RayInitiator GRUB bootkit.

Open in new tab