
Palo Alto Networks examining potential ransomware attack linked to manipulation of SharePoint vulnerabilities

Hacker blackmails researchers following unauthorized access tied to SharePoint vulnerability, demanding ransom.


In a concerning development, the ongoing attack campaign against Microsoft SharePoint instances continues to pose a significant threat, with the latest incident involving the deployment of the 4L4MD4R ransomware.

Researchers have linked the ransomware attack to the exploitation of two zero-day vulnerabilities, CVE-2025-53770 and CVE-2025-53771, in on-premises SharePoint servers. These vulnerabilities allow attackers to bypass authentication, execute remote code, and deploy persistent backdoors such as web shells, leading to full system compromise.

The 4L4MD4R ransomware has been observed being deployed by threat actors exploiting these vulnerabilities, including a China-based group tracked as Storm-2603. The malware encrypts files and displays a ransom note that identifies itself as the 4L4MD4R ransomware.

The impact on exposed SharePoint instances is severe. Thousands of on-premises SharePoint servers worldwide are at risk, with many organizations potentially already compromised. Attackers bypass identity controls including Multi-Factor Authentication (MFA) and Single Sign-On (SSO), exfiltrate sensitive data, and maintain persistent access even after patching.

Palo Alto Networks researchers have been investigating the attack and have stated that the ransomware attack appears to be unrelated to nation-state activity. The hackers used PowerShell commands to disable real-time monitoring in Windows Defender, suggesting a high level of sophistication.

In July, at least 300 known compromises worldwide, including key U.S. government agencies, were reported to be related to the SharePoint vulnerability. At least 20 of the vulnerable servers contained web shells, suggesting the presence of hackers.

Microsoft researchers previously warned that the SharePoint vulnerability had attracted the interest of China-backed hackers. The company is also investigating whether the attacker has deployed ransomware against other targets.

Patching alone is insufficient for remediation; comprehensive incident response and threat hunting using indicators of compromise and memory detection techniques are required. It is crucial for organizations to prioritize the security of their on-premises SharePoint deployments, particularly those exposed to the internet.
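As an added example (not code from the Palo Alto Networks report or from this article), the following Python hunting script scans PowerShell Script Block Logging records for the Defender real-time-monitoring tampering described above, including the abbreviated-parameter and -EncodedCommand forms an analyst would otherwise miss. The event shape, the sample records, and "disablereal" as the shortest unique parameter prefix are assumptions.

```python
import base64
import re

# PowerShell parameter names are case-insensitive and may be shortened to any
# unique prefix, so "-DisableRealtimeM 1" reaches the same parameter as
# "-DisableRealtimeMonitoring:$true"; "disablereal" as the shortest safe prefix is an assumption.
PARAM = "disablerealtimemonitoring"
PARAM_RE = re.compile(r"set-mppreference\b.*?-(disablereal\w*)(?::|\s+)(\S+)", re.I)
TRUE_VALUES = {"$true", "true", "1"}

# Constructed sample records shaped like Script Block Logging events (Event ID 4104).
ENCODED = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"host": "SP01", "id": 4104, "text": "Get-ChildItem C:\\inetpub\\wwwroot"},
    {"host": "SP01", "id": 4104, "text": "Set-MpPreference -DisableRealtimeMonitoring:$true"},
    {"host": "SP02", "id": 4104, "text": "set-mppreference -disablerealtimem 1"},
    {"host": "SP02", "id": 4104, "text": "powershell.exe -enc " + ENCODED},
    {"host": "SP03", "id": 4104, "text": "Set-MpPreference -DisableRealtimeMonitoring $false"},
]

def decode_encoded_command(text: str):
    """Return the script carried by -EncodedCommand (base64 of UTF-16LE), else None."""
    tokens = text.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith("-") and len(tok) > 1 and "encodedcommand".startswith(tok[1:].lower()):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except ValueError:  # not valid base64, or not UTF-16LE text
                return None
    return None

def disables_realtime_monitoring(script: str) -> bool:
    """True if the script sets Set-MpPreference's real-time monitoring parameter to off."""
    for prefix, value in PARAM_RE.findall(script):
        if PARAM.startswith(prefix.lower()) and value.lower() in TRUE_VALUES:
            return True
    return False

def hunt(events: list) -> list:
    """Flag 4104 events whose (decoded) script block turns Defender real-time monitoring off."""
    hits = []
    for ev in events:
        if ev.get("id") != 4104:
            continue
        script = decode_encoded_command(ev["text"]) or ev["text"]
        if disables_realtime_monitoring(script):
            hits.append({"host": ev["host"], "command": script})
    return hits
```

Run over the constructed records, the script flags the three tampering events on SP01 and SP02 and ignores the benign listing and the SP03 event that re-enables monitoring.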


  1. The ongoing attack campaign against Microsoft SharePoint instances, as exemplified by the 4L4MD4R ransomware, underscores the importance of cybersecurity.
  2. The 4L4MD4R ransomware has been linked to the exploitation of two zero-day vulnerabilities, CVE-2025-53770 and CVE-2025-53771, in on-premises SharePoint servers, posing a significant threat.
  3. Threat intelligence reveals that the 4L4MD4R ransomware has been deployed by various threat actors, including a China-based group known as Storm-2603, demonstrating the growing sophistication of malware.
  4. In light of this threat, it is crucial for organizations to prioritize the security of their on-premises SharePoint deployments, especially those exposed to the internet, and to employ comprehensive incident response and threat hunting for effective remediation.
