
Multiple Attackers Exploited Unpatched SharePoint Server Simultaneously

The Point: Two independent attack groups exploited the same unpatched SharePoint server simultaneously within the same victim network, causing their traces to overlap and complicating the investigation.

Microsoft’s Detection and Response Team (DART) discovered that two independent attackers were active in a network at the same time — each concealing the traces of the other. The reason: both exploited vulnerabilities in the same unpatched SharePoint servers.

A routine investigation into ransomware activity led DART to discover two independent attackers in the same victim environment. Initially, investigators suspected they were tracking a single intrusion — only later did they identify a second attack chain with different tools, infrastructure, and objectives.

The first attack chain was attributed to Storm-2603, a threat group deploying ransomware. This group exploited vulnerabilities in on-premises SharePoint servers to establish persistence. They used Cloudflare Tunnel, Zoho Assist, Visual Studio Code Remote SSH, and Velociraptor, created unauthorized Administrator accounts, and deployed a vulnerable driver to disable security controls before deploying ransomware. The second attack chain exhibited different characteristics: DLL sideloading techniques, custom backdoors, VPN access via virtual private server infrastructure, and attempts to access Active Directory credential databases.

For CISOs, this constellation is critical: each of the two attacker groups concealed the traces of the other, making it difficult to reconstruct the actual scope of the attack. Only the correlation of identity, endpoint, and cloud telemetry revealed the full extent of the compromise. A security researcher pointed out that such overlaps occur more frequently than vendors acknowledge — and that incident responders often spend too long trying to construct a coherent attack chain from separate intrusion artifacts.

The situation becomes particularly insidious during the containment phase: evicting one attacker group and rotating credentials can alert the second, not yet fully identified group and cause it to become active. DART relied on threat intelligence to separate artifact clusters before taking operational steps. The investigation also revealed that the ransomware activity from Storm-2603 extended beyond the first victim organization — DART identified a second compromised organization.
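The artifact-cluster separation described above, as an added illustration that is not DART's or Microsoft's code: events from identity, endpoint and cloud telemetry are linked whenever they share a pivot value, and the connected components become candidate attack chains. Pivoting on the shared victim asset (the SharePoint host both groups exploited) merges everything into a single chain, which is exactly the overlap the investigation ran into; pivoting only on attacker-controlled attributes (the accounts each group created or used, the infrastructure each connected from) separates the two sets. The host names, account names, IP addresses and artifact descriptions are constructed sample data assumed for this example.

```python
# Added example (not DART's or Microsoft's tooling): separate overlapping
# intrusion artifacts into candidate attack chains.  Events from identity,
# endpoint and cloud telemetry are linked when they share a pivot value;
# the connected components are the clusters.  All hosts, accounts, IPs and
# artifact descriptions below are constructed sample data.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class Event:
    source: str                    # "identity", "endpoint" or "cloud" telemetry
    artifact: str                  # what was observed
    host: Optional[str] = None     # victim asset the artifact was seen on
    account: Optional[str] = None  # account the activity ran under
    remote_ip: Optional[str] = None  # attacker-side address, if any


# Constructed telemetry for one victim network.  Both chains touch the same
# SharePoint host (SP01) and the same domain controller (DC01).
SAMPLE_EVENTS: List[Event] = [
    # chain A: ransomware-style tradecraft under an unauthorized admin account
    Event("identity", "new local Administrators member", host="DC01", account="svc_backup_adm"),
    Event("endpoint", "cloudflared tunnel service installed", host="SP01", account="svc_backup_adm"),
    Event("endpoint", "vulnerable driver loaded", host="SP01", account="svc_backup_adm"),
    Event("cloud", "remote-assist outbound session", host="SP01", account="svc_backup_adm",
          remote_ip="203.0.113.10"),
    # chain B: DLL sideloading, VPS-hosted VPN access, credential database access
    Event("endpoint", "DLL sideloaded by signed binary", host="SP01", account="sp_farm",
          remote_ip="198.51.100.7"),
    Event("cloud", "VPN login from VPS range", host="SP01", remote_ip="198.51.100.7"),
    Event("identity", "NTDS.dit read attempt", host="DC01", account="sp_farm"),
]


class _UnionFind:
    """Disjoint-set forest over event indexes."""

    def __init__(self, n: int) -> None:
        self.parent = list(range(n))

    def find(self, i: int) -> int:
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]  # path halving
            i = self.parent[i]
        return i

    def union(self, a: int, b: int) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_events(events: Sequence[Event], pivots: Iterable[str]) -> List[List[Event]]:
    """Group events that transitively share a value in any of the pivot fields.

    Clusters are returned in order of their earliest member, so output is
    deterministic for a given event order.
    """
    uf = _UnionFind(len(events))
    first_seen: Dict[Tuple[str, str], int] = {}
    for i, ev in enumerate(events):
        for field_name in pivots:
            value = getattr(ev, field_name)
            if value is None:
                continue
            key = (field_name, value)
            if key in first_seen:
                uf.union(first_seen[key], i)
            else:
                first_seen[key] = i
    groups: Dict[int, List[Event]] = defaultdict(list)
    for i, ev in enumerate(events):
        groups[uf.find(i)].append(ev)
    return list(groups.values())


def coverage(cluster: Sequence[Event]) -> Set[str]:
    """Telemetry sources a cluster spans; a chain seen in one source only is likely incomplete."""
    return {ev.source for ev in cluster}


if __name__ == "__main__":
    for label, pivots in (("host + account + ip", ("host", "account", "remote_ip")),
                          ("account + ip only", ("account", "remote_ip"))):
        chains = cluster_events(SAMPLE_EVENTS, pivots)
        print(f"pivoting on {label}: {len(chains)} chain(s)")
        for n, chain in enumerate(chains, 1):
            print(f"  chain {n} (sources: {', '.join(sorted(coverage(chain)))})")
            for ev in chain:
                print(f"    [{ev.source}] {ev.artifact}  host={ev.host} account={ev.account} ip={ev.remote_ip}")
```

Run stand-alone, the first pass reports one chain of seven events and the second reports two chains of four and three events, each spanning identity, endpoint and cloud telemetry. The practical point is the choice of pivots: attributes the victim owns (hosts, shared services) link unrelated intrusions that happened to exploit the same server, while attributes the attacker controls keep them apart, which is what has to be settled before any eviction or credential rotation is scheduled.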


Source: www.csoonline.com · Published June 23, 2026
Lumi AI News — AI-assisted curation according to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
