Warlock Ransomware Exploits Vulnerable SharePoint Servers
Summary
Warlock ransomware exploits vulnerabilities in on-premises Microsoft SharePoint servers to gain access to and encrypt data in targeted environments. The ransomware, believed to be a derivative of LockBit 3.0, leverages flaws in SharePoint to escalate privileges and deploy ransomware across networks. The campaign targets multiple sectors, including government agencies and private organizations, and has been linked to the threat actor Storm-2603. The vulnerabilities exploited by Warlock include CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, and CVE-2025-53771. These flaws allow for spoofing and remote code execution, enabling the ransomware to infiltrate and compromise systems. Microsoft has released patches for these vulnerabilities, but many organizations remain unpatched. Warlock's tactics include privilege escalation, network reconnaissance, and the use of tools like Mimikatz for credential dumping. The ransomware also employs Cloudflare's tunneling service for command-and-control communication and targets security software to evade detection.
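The behaviours the summary attributes to Warlock (activating the built-in guest account, creating a new GPO, running a Cloudflare tunnel client for C2, DLL sideloading through a relocated 7-Zip binary, and copying tools over SMB) all leave traces in standard Windows Security events. The following is an added example, not code from the Dark Reading article, from Microsoft or from any Warlock analysis: it expresses each behaviour as a rule over Windows Security event records and groups hits per host, since several distinct rules firing on one host are a stronger signal than any single rule. The event IDs (4722, 5137, 4688, 5145) and their field names are the standard ones; the trusted 7-Zip directories, the `cloudflared.exe` process name heuristic, and every sample record are constructed assumptions for the demonstration.

```python
"""Behaviour-based triage over Windows Security events (added example, not from
the page's sources). Event IDs and field names follow the Windows Security
log; thresholds and sample records are constructed."""
from typing import Callable

GUEST_RID = "-501"  # well-known relative identifier of the built-in Guest account
# Assumed installation directories for a legitimately installed 7-Zip.
TRUSTED_7ZIP_DIRS = ("c:\\program files\\7-zip\\", "c:\\program files (x86)\\7-zip\\")
ADMIN_SHARES = {r"\\*\ADMIN$", r"\\*\C$"}
TOOL_EXTENSIONS = (".exe", ".dll", ".bat", ".ps1")
FILE_WRITE_DATA = 0x2  # access-mask bit checked in 5145 share-access events

Event = dict[str, str]
Rule = tuple[str, Callable[[Event], bool]]


def _lower(ev: Event, key: str) -> str:
    return ev.get(key, "").lower()


RULES: list[Rule] = [
    # 4722: a user account was enabled; match when the target is the Guest RID.
    ("guest_account_enabled",
     lambda ev: ev.get("EventID") == "4722"
     and ev.get("TargetSid", "").endswith(GUEST_RID)),
    # 5137: directory object created; a new groupPolicyContainer is a new GPO.
    ("new_gpo_created",
     lambda ev: ev.get("EventID") == "5137"
     and _lower(ev, "ObjectClass") == "grouppolicycontainer"),
    # 4688: process creation; the Cloudflare tunnel client is rarely expected on a server.
    ("cloudflared_execution",
     lambda ev: ev.get("EventID") == "4688"
     and _lower(ev, "NewProcessName").endswith("\\cloudflared.exe")),
    # 4688: 7-Zip launched from outside its install directory (sideloading heuristic).
    ("7zip_outside_install_dir",
     lambda ev: ev.get("EventID") == "4688"
     and _lower(ev, "NewProcessName").endswith(("\\7z.exe", "\\7zg.exe"))
     and not _lower(ev, "NewProcessName").startswith(TRUSTED_7ZIP_DIRS)),
    # 5145: write access to an executable under an administrative share (SMB tool transfer).
    ("tool_written_to_admin_share",
     lambda ev: ev.get("EventID") == "5145"
     and ev.get("ShareName") in ADMIN_SHARES
     and _lower(ev, "RelativeTargetName").endswith(TOOL_EXTENSIONS)
     and int(ev.get("AccessMask", "0"), 16) & FILE_WRITE_DATA != 0),
]


def evaluate(events: list[Event]) -> list[tuple[str, str]]:
    """Return (rule_name, host) for every event that matches a rule."""
    return [(name, ev.get("Computer", "?"))
            for ev in events for name, match in RULES if match(ev)]


def triage(events: list[Event]) -> dict[str, list[str]]:
    """Group matched rule names per host; hosts with no hits are omitted."""
    per_host: dict[str, set[str]] = {}
    for name, host in evaluate(events):
        per_host.setdefault(host, set()).add(name)
    return {host: sorted(rules) for host, rules in per_host.items()}


# Constructed sample records; not real telemetry.
SAMPLE_EVENTS: list[Event] = [
    {"EventID": "4722", "Computer": "SP01", "TargetUserName": "Guest",
     "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-501"},
    {"EventID": "5137", "Computer": "DC01", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={AAAAAAAA-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=example,DC=test"},
    {"EventID": "4688", "Computer": "SP01",
     "NewProcessName": r"C:\Users\Public\cloudflared.exe"},
    {"EventID": "4688", "Computer": "SP01",
     "NewProcessName": r"C:\ProgramData\tmp\7z.exe"},
    {"EventID": "4688", "Computer": "WS07",  # benign: 7-Zip from its install directory
     "NewProcessName": r"C:\Program Files\7-Zip\7z.exe"},
    {"EventID": "5145", "Computer": "FS02", "ShareName": r"\\*\ADMIN$",
     "RelativeTargetName": r"Temp\stage.exe", "AccessMask": "0x2"},
    {"EventID": "4688", "Computer": "WS07",  # benign
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for host, rules in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {', '.join(rules)}")
```

On the constructed records, SP01 accumulates three distinct rule hits (guest account enabled, Cloudflare tunnel client, relocated 7-Zip), which is the kind of convergence worth escalating; WS07 produces no hits because its 7-Zip runs from the trusted directory. In production the same rules would run over events from a SIEM rather than an inline list, and the 4688 rules require command-line and process auditing to be enabled.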
Timeline
- 21.08.2025 00:04 (1 article): Warlock Ransomware Exploits SharePoint Vulnerabilities
  Warlock ransomware, a derivative of LockBit 3.0, targets on-premises Microsoft SharePoint servers using vulnerabilities CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, and CVE-2025-53771. The ransomware campaign, linked to the threat actor Storm-2603, involves privilege escalation, network reconnaissance, and the use of tools like Mimikatz for credential dumping. Warlock employs Cloudflare's tunneling service for command-and-control communication and targets security software to evade detection. Microsoft has released patches for the vulnerabilities, but many organizations remain unpatched. The ransomware has targeted multiple sectors, including government agencies and private organizations, and has been observed conducting extensive reconnaissance within compromised environments.
  Source: How Warlock Ransomware Targets Vulnerable SharePoint Servers, www.darkreading.com, 21.08.2025 00:04
Information Snippets
All snippets below were first reported 21.08.2025 00:04 (1 source, 1 article): How Warlock Ransomware Targets Vulnerable SharePoint Servers, www.darkreading.com.
- Warlock ransomware targets on-premises Microsoft SharePoint servers.
- The ransomware exploits vulnerabilities CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, and CVE-2025-53771.
- Warlock is believed to be a derivative of the LockBit 3.0 builder.
- The ransomware campaign is linked to the threat actor Storm-2603.
- Warlock uses DLL sideloading via legitimate utilities like 7Zip.
- The ransomware escalates privileges by creating a new Group Policy Object (GPO) and activating the built-in guest account.
- Warlock uses Windows Command Shell to execute malicious scripts and batch jobs.
- The ransomware terminates processes associated with Trend Micro security products.
- Warlock sets up a command-and-control channel using Cloudflare's tunneling service.
- The ransomware conducts extensive reconnaissance, including mapping domain relationships and trust boundaries.
- Warlock uses Mimikatz and other tools for credential dumping.
- The ransomware uses Server Message Block (SMB) for copying payloads and tools across machines.
Similar Happenings
Supply Chain Attack Targeting npm Registry Compromises 40 Packages
A supply chain attack targeting the npm registry has compromised over 187 packages maintained by multiple developers. The attack uses a malicious script (bundle.js) to steal credentials from developer machines. The compromised packages include various npm modules used in different projects. The attack is capable of targeting both Windows and Linux systems. The malicious script scans for secrets using TruffleHog's credential scanner and transmits them to an external server controlled by the attackers. Developers are advised to audit their environments and rotate credentials if the affected packages are present.
New HybridPetya Ransomware Exploits UEFI Secure Boot Bypass Vulnerability
A new ransomware variant, HybridPetya, has been discovered. It resembles the Petya/NotPetya malware but adds the ability to bypass UEFI Secure Boot using the CVE-2024-7344 vulnerability, which was patched in January 2025. HybridPetya operates through a bootkit and an installer: the installer deploys the malicious UEFI payload directly to the EFI System Partition, and the bootkit manages encryption and decryption. The ransomware encrypts the Master File Table (MFT) on NTFS-formatted partitions while displaying a fake CHKDSK message to deceive victims, and can therefore compromise modern UEFI-based systems. It demands a $1,000 ransom in Bitcoin; a total of $183.32 was received between February and May 2025. The ransom note provides an option for victims to enter a decryption key after payment, which triggers the decryption process, and the bootkit also restores the legitimate bootloaders from backups created during installation. During the bootloader changes the ransomware triggers a system crash, ensuring the bootkit binary is executed upon reboot. Samples were uploaded to VirusTotal in February 2025, with no evidence of active use in the wild; HybridPetya may be a research project, a proof-of-concept, or an early version of a cybercrime tool under limited testing. It combines the destructive capabilities of NotPetya, the recoverable encryption of Petya ransomware, and the ability to bypass Secure Boot protections. Because it installs its code into the UEFI boot path rather than the operating system, it is hard for security teams to detect. The emergence of HybridPetya highlights the growing threat from UEFI bootkits, which operate at the firmware stage of a computer's startup sequence.
Active exploitation of CVE-2025-5086 in DELMIA Apriso
CVE-2025-5086, a critical deserialization flaw in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software, is being actively exploited. The vulnerability, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. Exploitation attempts have been observed, targeting the /apriso/WebServices/FlexNetOperationsService.svc/Invoke endpoint with a Base64-encoded payload. The payload decodes to a GZIP-compressed Windows executable that deploys a malicious program designed to spy on user activities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, advising Federal Civilian Executive Branch (FCEB) agencies to apply updates by October 2, 2025. The malware, identified as Trojan.MSIL.Zapchast.gen, captures keyboard input, takes screenshots, and gathers information about active applications. This information is then sent to the attacker via various means, including email, FTP, and HTTP. The exploit involves sending a malicious SOAP request to vulnerable endpoints. The malicious requests were observed originating from the IP 156.244.33[.]162.
Microsoft's RC4 Encryption Vulnerability Exploited in Black Basta Ransomware Attack on Ascension
U.S. Senator Ron Wyden has called for an FTC investigation into Microsoft's cybersecurity practices, citing the company's support for RC4 encryption and insecure default settings that facilitated a ransomware attack on the Ascension healthcare network. The attack, attributed to the Black Basta ransomware group, compromised nearly 5.6 million individuals' personal and medical information. The breach occurred when a contractor's system was infected via a malicious link on Microsoft's Bing search engine. Attackers exploited insecure default settings and Kerberoasting techniques to gain elevated access to Ascension's network. Microsoft has acknowledged the vulnerabilities and plans to deprecate RC4 support in future updates. Wyden has criticized Microsoft for not clearly warning customers about the risks associated with RC4 encryption and for not taking decisive action to mitigate security risks.
Akira Ransomware Group Exploits SonicWall SSL VPN Flaws
The Akira ransomware group has been actively exploiting SonicWall SSL VPN flaws and misconfigurations to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting SonicWall devices to facilitate ransomware operations. The group leverages a combination of security vulnerabilities, including a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings, to bypass access controls and infiltrate networks. Organizations are advised to rotate passwords, remove unused accounts, enable multi-factor authentication, and restrict access to the Virtual Office Portal to mitigate risks. The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of SonicWall SSL VPNs and issued alerts about the increased exploitation of CVE-2024-40766.