Summary Points
- Threat Actor Profile: Storm-2603, a suspected China-based group, exploits Microsoft SharePoint Server vulnerabilities CVE-2025-49706 and CVE-2025-49704, utilizing a custom command-and-control framework called AK47 C2 with HTTP and DNS clients.
- Ransomware Deployment: The group has been active since at least March 2025, deploying multiple ransomware families, including Warlock and LockBit Black, targeting organizations in Latin America and APAC.
- Technical Approach: Storm-2603 employs both legitimate open-source tools and custom backdoors to facilitate ransomware deployment, including utilizing BYOVD techniques to disable endpoint defenses and sideload malicious payloads.
- Motivation Ambiguity: The group's motivations remain unclear, with speculation on whether their actions are driven by espionage or profit, indicating a complex blend of state and criminal cyber operations.
Problem Explained
On August 1, 2025, Check Point Research reported on a sophisticated cyberattack orchestrated by a threat actor identified as Storm-2603, believed to be based in China. This entity has exploited significant security vulnerabilities in Microsoft SharePoint Server, specifically the flaws designated CVE-2025-49706 and CVE-2025-49704, to facilitate the deployment of Warlock ransomware, also known as X2anylock. The assault is characterized by the use of a custom command-and-control framework called AK47 C2, which employs both HTTP and DNS-based clients for operational communication, marking a notable escalation in complexity and sophistication. Active since at least March 2025, Storm-2603 has targeted various organizations across Latin America and the Asia-Pacific region, employing a range of tools—including legitimate open-source utilities and custom malware—to effectively sidestep conventional defense mechanisms.
Noteworthy is the group’s unusual operational model, as they have concurrently deployed multiple ransomware variants like Warlock and LockBit Black, presenting a hybrid approach that blurs the lines between advanced persistent threats (APTs) and conventional cybercrime. The exact motivations driving Storm-2603 remain ambiguous; while they may be financially motivated, the operation could also serve espionage purposes, particularly given the geopolitical context in which the attackers operate. Check Point’s findings underscore a troubling trend where nation-state actors resort to ransomware tactics typically aligned with criminal enterprises, utilizing techniques such as “bring your own vulnerable driver” (BYOVD) to undermine system defenses and enhance their cyber capabilities.
Risks Involved
The recent activities attributed to the Storm-2603 threat actor significantly heighten the risk landscape for businesses and organizations reliant on Microsoft SharePoint Server, as the exploitation of its security vulnerabilities could catalyze a cascade of cyberattacks. Should other entities fall victim to this targeted ransomware campaign—exemplified by the deployment of Warlock and LockBit Black—the ramifications could extend beyond immediate financial loss, potentially destabilizing supply chains and eroding consumer trust across various sectors. The bespoke command-and-control framework, AK47 C2, enhances the actor’s operational efficacy, allowing for stealthy infiltration and systemic disruption. Consequently, a ripple effect could ensue, where downstream partners and clients suffer operational setbacks due to compromised data integrity, operational unavailability, and the ensuing costly recovery efforts. Furthermore, the blurred lines between state-sponsored and criminal motives exacerbate the uncertainty surrounding attribution and response strategies, compelling organizations to reassess their cybersecurity posture to mitigate the existential threats posed by such sophisticated attackers.
Fix & Mitigation
The recent emergence of Storm-2603, which deploys DNS-controlled backdoors in high-profile ransomware attacks like Warlock and LockBit, underscores the critical significance of timely remediation efforts to thwart devastating cyber incursions.
Mitigation Strategies
- Network Segmentation: Isolate critical systems to minimize lateral movement.
- Intrusion Detection Systems: Implement robust IDS to detect unusual DNS traffic; the AK47 C2 framework described above includes a DNS-based client alongside its HTTP client.
- Threat Intelligence Sharing: Engage in collaborative sharing of threat intelligence with industry peers.
- Endpoint Protection: Deploy advanced endpoint protection solutions that include behavioral analysis.
- Regular Backups: Maintain up-to-date and secure backups to decrease recovery time.
- User Training: Conduct training sessions focusing on phishing awareness and security best practices.
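The IDS item above is the one place on this page where a concrete check is worth spelling out: the report says AK47 C2 carries a DNS-based client, and a DNS command channel typically surfaces in resolver logs as one internal host issuing many unique, high-entropy subdomains under a single base domain, often using data-carrying record types such as TXT. The script below is an added example, not code from Check Point or from the report; it assumes a simplified one-line-per-query log format, uses constructed sample lines with placeholder domains, and its thresholds are assumptions you would tune against your own baseline.

```python
#!/usr/bin/env python3
"""Heuristic detection of DNS-tunnelling style C2 beacons in resolver query logs.

Added example; the log format, domains and thresholds are assumptions,
not details taken from the Storm-2603 report.
"""
import math
from collections import defaultdict

# Constructed sample log (not captured traffic). Assumed format per line:
#   <epoch> <client_ip> <qtype> <qname>
SAMPLE_LOG = """\
1722470400 10.0.5.17 A www.example.com
1722470401 10.0.5.17 AAAA mail.example.com
1722470402 10.0.5.17 A cdn.example.net
1722470403 10.0.5.23 TXT 3a9f1c2e7b4d8a0f6e5c1b2a9d8e7f60.beacon.c2-placeholder.test
1722470404 10.0.5.23 TXT 7e5b0d4a2c9f1e8b3a6d5c4f2e1b0a97.beacon.c2-placeholder.test
1722470405 10.0.5.23 TXT c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6.beacon.c2-placeholder.test
1722470406 10.0.5.23 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0.beacon.c2-placeholder.test
1722470407 10.0.5.23 TXT 0a1b2c3d4e5f60718293a4b5c6d7e8f9.beacon.c2-placeholder.test
1722470408 10.0.5.23 TXT 5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b.beacon.c2-placeholder.test
1722470409 10.0.5.17 A www.example.com
1722470410 10.0.5.42 A updates.example.org
"""

# Record types that can carry arbitrary data back to a client (secondary signal).
DATA_QTYPES = {"TXT", "NULL", "CNAME", "MX"}


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character, from the character frequencies of text."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Parse one assumed-format log line; returns None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return {"ts": int(ts), "client": client, "qtype": qtype.upper(),
            "qname": qname.rstrip(".").lower()}


def split_qname(qname: str, base_labels: int = 2):
    """Split a name into (concatenated subdomain labels, base domain).

    Simplification: the last two labels are treated as the registrable domain.
    A production detector would use the public suffix list instead.
    """
    labels = qname.split(".")
    if len(labels) <= base_labels:
        return "", qname
    return "".join(labels[:-base_labels]), ".".join(labels[-base_labels:])


def analyse(log_text: str, min_queries: int = 5, entropy_threshold: float = 3.0,
            unique_ratio: float = 0.8):
    """Group queries by (client, base domain) and flag tunnel-like patterns.

    A group is flagged when it has at least min_queries queries, nearly every
    subdomain is unique, and the mean subdomain entropy is high. The fraction
    of data-carrying record types is reported as supporting evidence.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        payload, base = split_qname(rec["qname"])
        groups[(rec["client"], base)].append((payload, rec["qtype"]))

    findings = []
    for (client, base), items in groups.items():
        n = len(items)
        if n < min_queries:
            continue
        payloads = [p for p, _ in items]
        mean_h = sum(shannon_entropy(p) for p in payloads) / n
        uniq = len(set(payloads)) / n
        data_frac = sum(1 for _, qt in items if qt in DATA_QTYPES) / n
        if mean_h >= entropy_threshold and uniq >= unique_ratio:
            findings.append({"client": client, "base_domain": base, "queries": n,
                             "mean_entropy": round(mean_h, 2),
                             "unique_subdomain_ratio": round(uniq, 2),
                             "data_qtype_fraction": round(data_frac, 2)})
    return sorted(findings, key=lambda f: f["mean_entropy"], reverse=True)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print("suspicious DNS pattern:", finding)
```

Entropy alone is a weak signal (CDN hostnames and some telemetry endpoints also look random), which is why the rule also requires volume and near-total subdomain uniqueness from one client to one base domain; in practice, feed the flagged (client, base_domain) pairs into a host-level investigation rather than blocking on them directly.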
NIST CSF Guidance
NIST CSF emphasizes proactive risk management through identification, protection, detection, response, and recovery capabilities tailored to organizational needs. For detailed remediation measures, refer to NIST SP 800-53, which offers comprehensive guidance on security controls and best practices in response to cyber threats.