Organizations around the world have been targeted by the nascent Warlock ransomware operation in attacks exploiting the Microsoft SharePoint zero-day flaws dubbed "ToolShell", Infosecurity Magazine reports.
Infiltration of vulnerable Microsoft SharePoint instances has enabled threat actors to create a new Group Policy Object within the domain for privilege escalation, as well as a covert command-and-control channel for increased stealth, before gathering sensitive system data and leveraging remote services for lateral movement, according to an analysis from Trend Micro. Subsequent activation of Remote Desktop Protocol access then allows the deployment of Warlock ransomware, which encrypts files and terminates processes to maximize disruption. "In a short period of time, the threat actor behind Warlock evolved from a bold forum announcement into a rapidly growing global ransomware threat, setting the stage for even more sophisticated campaigns including those leveraging the SharePoint ToolShell vulnerability that would bring the group into the spotlight," said Trend Micro researchers.
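Two steps of the chain described above, creation of a new domain GPO and enabling of RDP, leave distinct audit traces on a domain controller and on the target host; the following detection example is added here and is not code from the article or from Trend Micro. It assumes a simplified, constructed JSON-like shape for Windows Security event 5137 (directory service object created) and Sysmon event 13 (registry value set), with hypothetical hostnames and accounts.

```python
# Constructed sample events in a simplified shape (field names chosen for this
# example; hostnames, accounts and the GPO GUID are placeholders, not IoCs).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Host": "DC01", "Subject": "CORP\\svc_sharepoint"},
    {"EventID": 5137, "Host": "DC01", "Subject": "CORP\\svc_sharepoint",
     "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={CONSTRUCTED-GUID},CN=Policies,CN=System,DC=corp,DC=example"},
    {"EventID": 13, "Host": "FS02", "Subject": "CORP\\svc_sharepoint",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 5137, "Host": "DC01", "Subject": "CORP\\gpo-admin",
     "ObjectClass": "user", "ObjectDN": "CN=jdoe,OU=Staff,DC=corp,DC=example"},
]


def is_gpo_creation(ev):
    """Security event 5137 whose created object is a Group Policy container."""
    return ev.get("EventID") == 5137 and ev.get("ObjectClass") == "groupPolicyContainer"


def is_rdp_enablement(ev):
    """Sysmon event 13 writing fDenyTSConnections = 0, which allows RDP logons."""
    return (ev.get("EventID") == 13
            and ev.get("TargetObject", "").endswith("\\fDenyTSConnections")
            and "0x00000000" in ev.get("Details", ""))


def correlate(events):
    """Return (findings, chained): every individual hit for triage, plus the
    accounts that both created a GPO and enabled RDP, the sequence the
    article attributes to the Warlock intrusions."""
    findings = []
    tags_by_subject = {}
    for ev in events:
        if is_gpo_creation(ev):
            findings.append(("gpo_created", ev["Subject"], ev["Host"]))
            tags_by_subject.setdefault(ev["Subject"], set()).add("gpo")
        elif is_rdp_enablement(ev):
            findings.append(("rdp_enabled", ev["Subject"], ev["Host"]))
            tags_by_subject.setdefault(ev["Subject"], set()).add("rdp")
    chained = sorted(s for s, t in tags_by_subject.items() if t == {"gpo", "rdp"})
    return findings, chained


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS)[0]:
        print(hit)
    print("accounts matching full chain:", correlate(SAMPLE_EVENTS)[1])
```

A SharePoint application-pool or service account creating a GPO is itself worth an alert; the correlation step only raises priority when the same account also turns on RDP.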