Csoonline
Multiple Attackers Exploit Unpatched SharePoint Servers, Microsoft Reports
Microsoft's DART team discovered two distinct threat actors operating simultaneously within the same victim network, complicating incident response efforts. The investigation began with ransomware activity linked to Storm-2603, which exploited vulnerabilities in on-premises SharePoint servers. The attackers created unauthorized administrator accounts and disabled security controls using a vulnerable driver. Concurrently, a second unidentified actor employed DLL sideloading techniques and attempted to access Active Directory credential databases. This overlapping activity obscured the full scope of the intrusion, complicating the reconstruction of the attack timeline. Microsoft emphasized that such simultaneous intrusions are becoming more common, as they can mask each other's activities. The investigation revealed that both actors used different tools and objectives, highlighting the complexity of modern cyberattacks. The incident underscores the need for improved detection and response strategies to handle overlapping threats.
Key Points:
• Two distinct threat actors operated simultaneously within the same environment.
• Storm-2603 exploited vulnerabilities in SharePoint servers to deploy ransomware.
• A second unidentified actor used DLL sideloading and targeted Active Directory databases.