Unpatched SharePoint servers: A gateway for cyber threats
Unpatched SharePoint servers have become a major cybersecurity risk, offering attackers a foothold to infiltrate corporate networks and deploy ransomware. Microsoft recently reported a case where two unrelated threat actors operated in the same environment after exploiting vulnerabilities in on-premises SharePoint. This highlights the urgent need for robust patching and security monitoring.
What happened: Overlapping intrusions via SharePoint vulnerabilities
Microsoft’s Detection and Response Team (DART) began a routine ransomware investigation and quickly uncovered a surprising scenario. They found two separate threat groups inside the same victim’s network, each obscuring the other’s activity. The first actor, known as Storm-2603, gained access through unpatched SharePoint servers, using tools such as Cloudflare Tunnel, Zoho Assist, Visual Studio Code Remote SSH, and Velociraptor. The group created unauthorised administrator accounts, disabled security controls with a vulnerable driver, and eventually deployed ransomware.
During their analysis, investigators identified activity that did not match Storm-2603’s tactics. A second attacker had infiltrated the environment, using DLL sideloading, custom backdoors, and VPN access through a virtual private server. This group attempted to compromise Active Directory credential databases, indicating a different attack chain.
- Storm-2603 exploited SharePoint vulnerabilities for initial access
- Multiple tools and techniques used to maintain persistence
- Second attacker employed custom malware and VPNs
- Both groups operated independently, masking each other’s activity
Forensic evidence revealed the breach had spread beyond the original environment. DART contacted a second organisation affected by the same ransomware activity, indicating the attackers’ ability to pivot between networks.
Why it matters: Increased risk from unpatched SharePoint servers
This incident demonstrates that unpatched SharePoint servers are a high-value target for cybercriminals. Vulnerabilities in these systems grant attackers access to sensitive corporate environments, where they can deploy ransomware or steal data. The fact that two unrelated groups exploited the same weaknesses simultaneously underscores the urgency of patch management.
Modern cyber attacks are not always isolated events. Overlapping campaigns complicate incident response, making it difficult for security teams to reconstruct attack timelines and attribute tactics to specific actors. According to Microsoft, only by correlating identity, endpoint, and cloud telemetry can the full scope of such attacks be understood.
Patching and hardening SharePoint environments
Timely patching is essential to close known vulnerabilities. SharePoint servers, whether on-premises or cloud-hosted, must be updated according to vendor guidance. Failure to patch can expose organisations to multiple threat actors, as illustrated by this case.
Challenges in incident response
Overlapping intrusions are more common than many realise. Incident responders often struggle to distinguish between unrelated attackers, especially when evidence is masked or fragmented. This can lead to delays in remediation and difficulty establishing a coherent response strategy.
- Complexity increases with multiple attackers using similar exploits
- Evidence may be obscured, hindering investigation
- Attack timelines become harder to reconstruct
What organisations should do: Actionable steps to mitigate SharePoint risks
Organisations must take proactive measures to secure SharePoint servers and reduce the risk of overlapping cyber intrusions. The following steps are recommended:
- Regular patching: Apply all available security updates to SharePoint and supporting infrastructure.
- Configuration hardening: Review and tighten SharePoint settings to minimise attack surfaces.
- Identity and access management: Monitor for unauthorised administrator accounts and enforce strong authentication.
- Security monitoring: Correlate logs from identity, endpoint, and cloud sources for comprehensive visibility.
- Incident response planning: Prepare for the possibility of multiple, overlapping attacks and adapt response strategies accordingly.
Correlating telemetry for threat detection
Microsoft emphasises the importance of correlating different types of telemetry to detect complex threats. By analysing identity, endpoint, and cloud logs together, security teams can uncover hidden activity and identify multiple attackers operating within the same environment.
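As an added illustration of the correlation step recommended here and in the security monitoring item above (example code written for this page, not code from Microsoft, DART, or the csoonline.com report), the script below joins identity, endpoint and cloud events per host and alerts only when chain signals from at least two distinct feeds land within a short window. The line format, signal names, host names, account names and the six-hour window are all assumptions made for the example; the sample feed is constructed and contains no indicators from the incident.

```python
"""Correlate identity, endpoint and cloud telemetry per host.

Added illustration for the monitoring guidance on this page: the log lines,
host names, account names and signal names are all constructed for this
example and are not from the Microsoft report or any real product schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Signals that, seen together on one host in a short window, resemble the chain
# the report describes: a new admin account, remote-access tooling, a driver
# used to blind security tools, outbound tunnelling. The names are assumptions.
CHAIN_SIGNALS = {
    "identity": {"admin_account_created", "admin_group_member_added"},
    "endpoint": {"remote_tool_installed", "suspicious_driver_loaded"},
    "cloud": {"tunnel_egress_observed", "vps_vpn_signin"},
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # which telemetry feed produced the event
    host: str
    actor: str
    signal: str


def parse_line(line: str) -> Event:
    """Parse one normalised line: '<iso-ts> <source> host=.. actor=.. signal=..'."""
    ts_raw, source, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
    return Event(ts, source, kv["host"], kv["actor"], kv["signal"])


def correlate(lines, window_hours=6.0, min_sources=2):
    """Return one alert per cluster of chain signals on a host that spans at
    least `min_sources` distinct feeds within `window_hours`. A lone odd event
    in a single feed is ignored; agreement across feeds is what alerts."""
    window = timedelta(hours=window_hours)
    by_host = defaultdict(list)
    for ev in map(parse_line, lines):
        if ev.signal in CHAIN_SIGNALS.get(ev.source, set()):
            by_host[ev.host].append(ev)

    alerts = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e.ts)
        i = 0
        while i < len(events):
            anchor = events[i]
            span = [e for e in events[i:] if e.ts - anchor.ts <= window]
            sources = sorted({e.source for e in span})
            if len(sources) >= min_sources:
                alerts.append({
                    "host": host,
                    "first_seen": span[0].ts.isoformat(),
                    "last_seen": span[-1].ts.isoformat(),
                    "sources": sources,
                    "signals": sorted({e.signal for e in span}),
                    "actors": sorted({e.actor for e in span}),
                })
                i += len(span)   # do not re-alert on the same cluster
            else:
                i += 1
    return alerts


# Constructed sample feed (not real telemetry). sp-web-01 shows the chain across
# all three feeds; file-02 has two lone signals days apart and must not alert.
SAMPLE_LINES = [
    "2025-07-20T08:00:00Z endpoint host=sp-web-01 actor=admin_jsmith signal=patch_installed",
    "2025-07-20T09:58:00Z identity host=sp-web-01 actor=svc_deploy signal=admin_account_created",
    "2025-07-20T10:02:00Z identity host=sp-web-01 actor=svc_deploy signal=admin_group_member_added",
    "2025-07-20T10:40:00Z endpoint host=sp-web-01 actor=svc_deploy signal=remote_tool_installed",
    "2025-07-20T11:15:00Z endpoint host=sp-web-01 actor=spadmin2 signal=suspicious_driver_loaded",
    "2025-07-20T11:20:00Z cloud host=sp-web-01 actor=spadmin2 signal=tunnel_egress_observed",
    "2025-07-21T03:00:00Z identity host=file-02 actor=hr_tmp signal=admin_account_created",
    "2025-07-24T03:00:00Z endpoint host=file-02 actor=hr_tmp signal=remote_tool_installed",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LINES):
        print(alert)
```

The point of the design is that each feed on its own looks unremarkable (an account created, a tool installed, an outbound connection), and the alert only fires when the feeds agree on the same host in the same window; the `actors` field lists every account involved so an analyst can see when a cluster involves more than one identity, which is the kind of signal that prompted closer scrutiny in the case above.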
Training and awareness
Staff should be trained to recognise signs of compromise and understand the risks associated with unpatched systems. Awareness programmes can reinforce the importance of patching and encourage reporting of suspicious activity.
Conclusion: SharePoint patching is critical for cyber resilience
This case serves as a stark reminder that unpatched SharePoint servers are attractive targets for cybercriminals. Overlapping attacks are difficult to detect and respond to, especially when attackers use similar vulnerabilities and obscure each other’s traces. Regular patching, configuration hardening, and advanced monitoring are essential to protect organisational environments.
By taking these steps, organisations can reduce the risk of ransomware and other threats associated with unpatched SharePoint servers. Security teams must remain vigilant, adapt response plans for complex incidents, and ensure their systems are resilient against evolving attack tactics.
Originally reported by csoonline.com.