Storm-2603 Strikes: SharePoint Vulnerabilities Leave Over 400 Victims in Chaotic Cyberstorm

China-based Storm-2603 is making waves by exploiting SharePoint vulnerabilities CVE-2025-53770 and CVE-2025-53771. With a penchant for ransomware, they’re turning sensitive data into digital hostages. Microsoft advises on-prem SharePoint users to assume compromise as over 400 systems have been breached, proving hackers have a knack for breaching more than just firewalls.

Hot Take:

Apparently, SharePoint is now the hottest club in town for China-based cybercriminals. Everyone’s getting in, even if they didn’t RSVP! With Storm-2603, Linen Typhoon, and Violet Typhoon crashing the party, it’s more chaotic than a toddler’s birthday bash—except this one comes with ransomware balloons.

Key Points:

  • Storm-2603, a suspected China-based group, exploits SharePoint vulnerabilities, along with Linen Typhoon and Violet Typhoon.
  • The group uses sophisticated methods dubbed ‘ToolShell’ to bypass identity controls.
  • Microsoft can’t fully assess the threat actor’s objectives but notes ransomware deployment.
  • Over 400 SharePoint systems have been compromised, including high-profile US government agencies.
  • Organizations are urged to take immediate security measures, like disconnecting SharePoint from the internet.

SharePoint: A Cybercriminal’s Buffet

Storm-2603 and its cronies, Linen Typhoon and Violet Typhoon, are having a grand old time exploiting the vulnerabilities CVE-2025-53770 and CVE-2025-53771 in SharePoint. Dubbed ‘ToolShell,’ this attack chain is not just your run-of-the-mill cyber strike. These cybercriminals are bypassing identity controls as easily as bypassing broccoli at a buffet, gaining privileged access to compromised systems. The uninvited guests aren’t just looking to crash the party; they’re here to redecorate with ransomware.

Ransomware: The Unwanted Party Favor

Kevin Robertson, the cyber party planner, notes that the attackers are making the most of their unauthorized entry. Once inside, they encrypt sensitive information and deploy ransomware, hoping for a payday fatter than a wedding cake. What’s interesting is that these China-based actors, usually not in it for the money, might be moonlighting with ransomware just to cause more chaos. Imagine that—using ransomware as a side gig while conducting reconnaissance. It’s like a spy thriller, but with a lot more code and a lot fewer car chases.

Microsoft’s SharePoint SOS

With more than 400 SharePoint systems compromised, Microsoft is basically waving a giant red flag and telling its on-prem SharePoint customers to assume they’ve already been compromised. It’s like finding out you’ve been wearing a ‘Kick Me’ sign all day. Companies are urged to rotate their cryptographic material, call in the cyber cavalry, and maybe even cut SharePoint’s internet cord. After all, nothing says “we mean business” like disconnecting a crucial service from the web, right?

US Government Agencies: Who Invited Them?

Even high-profile US government agencies couldn’t dodge the storm. The National Nuclear Security Administration, the Department of Education, and even the Department of Health and Human Services were reportedly hit in this SharePoint skirmish. It’s like the who’s who of government agencies decided to join the hacked list. NextGov reported that the Department of Homeland Security was also among the victims, making this a very public affair. Just when you thought government agencies were the cool kids in the cybersecurity playground, they got caught in a Typhoon—or three.

Final Thoughts: Batten Down the Hatches

In summary, the cyber world is proving to be as unpredictable as your favorite reality TV show, with China-based threat actors like Storm-2603 making surprise appearances. The moral of the story? Keep your SharePoint systems more secure than a cookie jar at a Weight Watchers meeting. Rotate those cryptographic keys, call in the cybersecurity specialists, and maybe consider giving SharePoint a bit of a digital detox from the internet. Because when it rains Typhoons, you better have your cybersecurity umbrella ready!