
Warlock Ransomware Exploits Vulnerable SharePoint Servers

4 unique sources, 4 articles

Summary


Warlock ransomware, potentially linked to Black Basta, targets unpatched on-premises Microsoft SharePoint servers. The ransomware leverages multiple vulnerabilities (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, CVE-2025-53771) to gain initial access, escalate privileges, and deploy ransomware. The campaign includes extensive reconnaissance and evasion techniques, targeting security software to avoid detection. The threat actor Storm-2603, associated with China-backed groups, has been observed using Warlock ransomware in these attacks. The ransomware gang recently auctioned files stolen from Colt Technology Services, confirming customer data was compromised. Organizations are urged to apply available patches and implement comprehensive security measures to mitigate the risk.

The ToolShell exploit chain, involving CVE-2025-53770 and CVE-2025-53771, was first publicly disclosed in mid-July 2025. China-based threat groups Linen Typhoon and Violet Typhoon have been actively targeting SharePoint vulnerabilities since July 2025. Active exploitation of ToolShell vulnerabilities was first observed on July 18, 2025, a day before Microsoft's emergency advisory. Cisco Talos reported that nearly all of its incident response engagements related to ToolShell activity began within 10 days of the vulnerabilities being disclosed. Network segmentation is crucial to prevent lateral movement within an organization following a ToolShell exploit.

Recently, SmarterTools fell victim to a ransomware attack through an unpatched instance of its SmarterMail email server. The incident occurred on January 29 and impacted the company’s office network and a data center hosting quality control testing systems, SmarterTools’ portal, and its Hosted SmarterTrack network. The attack was perpetrated by the Warlock ransomware group, which is believed to be operating out of China. The hackers likely exploited CVE-2026-24423, an unauthenticated remote code execution (RCE) vulnerability that was patched on January 15. Customers are advised to update to the latest version of SmarterMail as soon as possible.

Timeline

  1. 09.02.2026 14:02 · 1 article

    Warlock Ransomware Exploits SmarterMail Vulnerability in SmarterTools Attack

    SmarterTools fell victim to a ransomware attack through an unpatched instance of its SmarterMail email server. The incident occurred on January 29 and impacted the company’s office network and a data center hosting quality control testing systems, SmarterTools’ portal, and its Hosted SmarterTrack network. The point of entry was a VM running an unpatched instance of the company’s SmarterMail product. The hackers compromised the mail server and moved laterally to the Windows servers they could find in the data center, compromising 12 of them. The attack was perpetrated by a ransomware group known as Warlock, which emerged in June 2025 and is believed to be operating out of China. The hackers likely exploited CVE-2026-24423 (CVSS score of 9.3), an unauthenticated remote code execution (RCE) vulnerability that was patched on January 15 along with two other exploited flaws, CVE-2026-23760 and CVE-2025-52691. Last week, the US cybersecurity agency CISA warned that CVE-2026-24423 had been exploited in ransomware attacks, without detailing the observed exploitation. With SmarterTools saying that the Warlock gang has compromised some of its customers as well, it is likely that these were the ransomware attacks CISA was referring to. Customers are advised to update to the latest version of SmarterMail as soon as possible.

  2. 21.08.2025 23:41 · 3 articles

    Warlock Ransomware Gang Auctions Stolen Data from Colt Technology Services

    Ransomware incidents accounted for 20% of Cisco Talos's engagements in Q3 2025, down from 50% in the previous quarter. Cisco Talos responded to Warlock, Babuk, and Kraken ransomware variants for the first time in Q3 2025. A ransomware engagement in Q3 2025 was assessed with moderate confidence to be attributable to the Storm-2603 threat group based on overlapping TTPs, including the deployment of both LockBit and Warlock ransomware. The Qilin ransomware group was particularly active in Q3 2025 and is expected to remain a top threat through the remainder of the year.

  3. 21.08.2025 00:04 · 3 articles

    Warlock Ransomware Exploits SharePoint Vulnerabilities

    The ToolShell exploit chain, involving CVE-2025-53770 and CVE-2025-53771, was first publicly disclosed in mid-July 2025. China-based threat groups Linen Typhoon and Violet Typhoon have been actively targeting SharePoint vulnerabilities since July 2025. Active exploitation of ToolShell vulnerabilities was first observed on July 18, 2025, a day before Microsoft's emergency advisory. Cisco Talos reported that nearly all of its incident response engagements related to ToolShell activity began within 10 days of the vulnerabilities being disclosed. Network segmentation is crucial to prevent lateral movement within an organization following a ToolShell exploit. A ransomware attack occurred a few weeks after a SharePoint server was exploited using ToolShell, indicating a potential link between the two incidents. Credential-stealing malware was transferred from a public-facing SharePoint server to an internal SharePoint database server, leveraging a trusted relationship between the two servers.


Similar Happenings

SmarterMail Authentication Bypass Exploited Post-Patch

A critical authentication bypass vulnerability in SmarterMail email software (WT-2026-0001, CVE-2026-23760) has been actively exploited in the wild just two days after a patch was released. The flaw allows attackers to reset the system administrator password via a crafted HTTP request, leading to remote code execution (RCE) on the underlying operating system. The vulnerability was patched on January 15, 2026, but attackers reverse-engineered the patch to exploit it. Over 6,000 SmarterMail servers were found exposed online and likely vulnerable to attacks exploiting the flaw. Shadowserver is tracking these servers, with more than 4,200 in North America and nearly 1,000 in Asia. Macnica threat researcher Yutaka Sejiyama found over 8,550 SmarterMail instances still vulnerable. CISA added the vulnerability to its list of actively exploited vulnerabilities, ordering U.S. government agencies to secure their servers by February 16.

Critical SmarterMail Arbitrary File Upload Vulnerability Disclosed

The Cyber Security Agency of Singapore (CSA) has disclosed a critical vulnerability (CVE-2025-52691) in SmarterMail email software, allowing unauthenticated remote code execution via arbitrary file upload. The flaw affects versions up to Build 9406 and has been patched in Build 9413 and later. SmarterMail is used by various web hosting providers, and users are advised to update to the latest version (Build 9483) for protection.

INC Ransom Gang Disrupts OnSolve CodeRED Emergency Alert Platform

The INC Ransom gang has disrupted the OnSolve CodeRED emergency alert platform, stealing sensitive user data and forcing Crisis24 to decommission the legacy environment. The attack affected emergency notification systems used by state and local governments, police departments, and fire agencies across the United States. Data stolen includes names, addresses, email addresses, phone numbers, and passwords. The gang claims to have breached the system on November 1, 2025, and encrypted files on November 10, 2025. Crisis24 is rebuilding the service using backups from March 31, 2025, which may result in missing accounts. The incident highlights the critical impact of cyberattacks on emergency services and the importance of robust cybersecurity measures. The INC Ransom group has published screenshots of stolen data and is selling samples of the stolen data, escalating concerns among affected agencies. An operational security failure by the INC ransomware gang allowed researchers to recover data stolen from a dozen U.S. organizations. The investigation, conducted by Cyber Centaurs, revealed artifacts from the legitimate backup tool Restic, which exposed attacker infrastructure. The researchers developed a controlled enumeration process that confirmed the presence of encrypted data stolen from 12 unrelated organizations.

IndonesianFoods Worm Floods npm with Over 100,000 Fake Packages

A large-scale spam campaign, dubbed IndonesianFoods, has flooded the npm registry with over 100,000 fake packages since early 2024. The campaign uses a worm-like propagation mechanism that requires manual execution via 'node auto.js' or 'publishScript.js' to propagate. The packages reference each other as dependencies, creating a self-replicating network. The goal appears to be monetization through the Tea protocol, rather than traditional malicious activities like data theft. The campaign has been ongoing for nearly two years, highlighting a significant security blind spot in automated detection systems. The malicious script executes in an infinite loop, removing the 'private': true setting from package.json, generating random version numbers, and publishing new spam packages to npm. A single execution can publish approximately 12 packages per minute, 720 per hour, or 17,000 per day. The attackers have inflated their 'impact scores' and claimed Tea token rewards for artificial ecosystem value, with one package README boasting about these earnings. The campaign has overwhelmed multiple security data systems, demonstrating unprecedented scale, and has triggered a massive wave of vulnerability reports.

Landfall Android Spyware Exploits Samsung Zero-Day via WhatsApp

The Landfall Android spyware targeted Samsung devices through a zero-day vulnerability (CVE-2025-21042) in a Samsung image processing library. The exploit was delivered via a malicious DNG image sent through WhatsApp, affecting Samsung Galaxy S22, S23, S24, Z Fold4, and Z Flip4 phones. The spyware enables microphone recording, location tracking, and data exfiltration. The attacks have been ongoing since at least July 2024, and the vulnerability was patched by Samsung in April. The threat actor, tracked as CL-UNK-1054, remains unidentified, with potential links to the Stealth Falcon group and other surveillance vendors. The attacks primarily targeted individuals in the Middle East and North Africa. The exploit involved a zero-click approach, and the malicious DNG files contained an embedded ZIP file with a shared object library to run the spyware. The spyware manipulated the device's SELinux policy to gain elevated permissions and facilitate persistence, and communicated with a command-and-control (C2) server over HTTPS for beaconing and receiving next-stage payloads. The spyware can fingerprint devices based on hardware and SIM IDs and targets a broad range of Samsung’s latest flagship models, excluding the latest S25 series devices. Unit 42 identified six C2 servers linked to the Landfall campaign, with some flagged by Turkey’s CERT. C2 domain registration and infrastructure patterns share similarities with those seen in Stealth Falcon operations, originating from the United Arab Emirates. CISA has added CVE-2025-21042 to its Known Exploited Vulnerabilities catalog, ordering federal agencies to patch within three weeks.