Microsoft Identifies Ransomware Attacks Targeting SharePoint Servers with Legitimate Tools

    Microsoft's recent investigation reveals two ransomware groups targeting SharePoint servers using known vulnerabilities and legitimate tools. Federal agencies and contractors must enhance their cybersecurity strategies, focusing on solutions that address multi-vector ransomware threats.

    Key Signals

    • Microsoft identifies two ransomware groups targeting SharePoint servers
    • Attackers utilize legitimate administrative tools for ransomware operations
    • Urgent need for advanced EDR solutions to combat evolving ransomware tactics

    "Storm-2603 didn't need custom malware for persistence; Velociraptor, Cloudflare Tunnel, Zoho Assist, VS Code Remote SSH are all legitimate tools. That's the real takeaway for blue teams: living-off-the-land isn't just for stealth anymore, it's becoming the default toolkit even for ransomware crews, not just APTs."

    Original poster

    In a troubling development, Microsoft has reported that two distinct ransomware groups executed simultaneous attacks on on-premises SharePoint servers, utilizing known vulnerabilities that have long been on security teams' radar. This isn't just a new chapter in ransomware attacks; it indicates a significant evolution in attack methodology. These attackers have embraced the concept of "living-off-the-land", utilizing legitimate administrative tools such as Velociraptor, Cloudflare Tunnel, Zoho Assist, and VS Code Remote SSH, which complicates detection and raises the stakes for cybersecurity defense.

    The implications for federal agencies and contractors managing SharePoint environments are substantial. Traditional methods of defense may not be sufficient to combat this advanced threat landscape, as adversaries take advantage of tools familiar to system administrators rather than deploying bespoke malware. The shift towards using legitimate tools rather than developing specific malware raises the foundational question of how organizations can effectively safeguard against threats that look indistinguishable from authorized user actions. As a result, entities must recalibrate their cybersecurity strategies, placing greater emphasis on robust intrusion detection and response solutions that cater specifically to multi-vector attacks leveraging legitimate toolsets.

    This latest trend is likely to reshape procurement strategies across the federal landscape. Procurement officers are now under pressure to source sophisticated endpoint detection and response (EDR) solutions and advanced threat hunting technologies that can identify abnormal behavior associated with the misuse of legitimate software. Such procurement shifts will likely influence contract requirements, favoring vendors who can deliver innovative cybersecurity products capable of identifying and mitigating these stealthy attacks.

    The growing sophistication of ransomware attacks—especially those employing legitimate tools—highlights an urgent need for organizations to consider integrating threat intelligence and incident response capabilities specifically designed to counteract the unique challenges presented by this tactic. As this trend emerges, it will become increasingly important for cybersecurity practitioners to adapt their defensive postures and ensure their teams are equipped to investigate anomalies that may arise from legitimate administrative activities.
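As an added illustration (not code from Microsoft's report or from this brief), the following Python triage script shows how a blue team might surface the legitimate tools named above in process-creation telemetry and rank each sighting by its context rather than by the tool alone, since the same binaries are used by administrators every day. The executable substrings, the key=value log format, the expected install directories and the sample events are constructed assumptions; w3wp.exe is the IIS worker process that hosts SharePoint.

```python
import re

# Legitimate tools the Microsoft report says Storm-2603 used for persistence and remote access.
# The substrings are assumptions about how each product shows up in an image path or command line.
LOTL_TOOLS = {
    "velociraptor": "Velociraptor",
    "cloudflared": "Cloudflare Tunnel",
    "zoho": "Zoho Assist",
    "vscode": "VS Code Remote SSH",
}
# w3wp.exe is the IIS worker process hosting SharePoint; a remote-access tool spawned directly
# beneath it (web-shell style) is far more suspicious than the same tool started by an admin.
WEB_WORKER = "w3wp.exe"
# Assumed directories where an administrator-installed copy would normally live.
EXPECTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # constructed key=value record format

def parse_event(line):
    """Parse one process-creation record into a dict; quoted values keep their spaces."""
    return {k.lower(): v.strip('"') for k, v in KV.findall(line)}

def classify(event):
    """Return (severity, reason) for a process event, or None if no named tool is involved."""
    haystack = (event.get("image", "") + " " + event.get("cmdline", "")).lower()
    tool = next((name for key, name in LOTL_TOOLS.items() if key in haystack), None)
    if tool is None:
        return None
    if event.get("parent", "").lower() == WEB_WORKER:
        return ("high", f"{tool} spawned by SharePoint web worker {WEB_WORKER}")
    if not event.get("image", "").lower().startswith(EXPECTED_DIRS):
        return ("medium", f"{tool} running from non-standard path {event.get('image')}")
    return ("info", f"{tool} present; confirm against change records")

def scan(log_text):
    """Classify every line and return findings ordered high -> medium -> info."""
    order = {"high": 0, "medium": 1, "info": 2}
    findings = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        verdict = classify(ev)
        if verdict:
            findings.append({"ts": ev.get("ts"), "host": ev.get("host"),
                             "severity": verdict[0], "reason": verdict[1]})
    return sorted(findings, key=lambda f: order[f["severity"]])

# Constructed sample events (not telemetry from the Microsoft report).
SAMPLE_LOG = """
ts=2025-07-22T10:01:12Z host=SP01 parent=w3wp.exe image=C:\\ProgramData\\velociraptor.exe
ts=2025-07-22T10:03:40Z host=SP01 parent=cmd.exe image=C:\\Users\\Public\\cloudflared.exe cmdline="cloudflared tunnel run"
ts=2025-07-22T11:15:02Z host=ADM01 parent=explorer.exe image="C:\\Program Files\\Zoho\\ZohoAssist.exe"
ts=2025-07-22T11:20:55Z host=SP01 parent=services.exe image=C:\\Windows\\System32\\svchost.exe
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['ts']} {f['host']}: {f['reason']}")
```

The "info" tier is deliberate: an administrator's own Zoho Assist session should be reconciled with change records, not paged out as an incident, which is what keeps a living-off-the-land detection usable at scale.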

    In summary, this report from Microsoft underscores the evolving risk landscape surrounding ransomware attacks. Companies and federal contractors must actively reassess their current cybersecurity frameworks to integrate solutions that account for these developments and ensure they are operating under a proactive rather than reactive defense posture against increasingly sophisticated cyber adversaries.

    Vendors

    • Microsoft