Ransomware spree looms after SharePoint breach

Illustration: Aïda Amer/Axios
Ransomware gangs are on the hunt for organizations that have yet to patch their vulnerable Microsoft SharePoint servers.
Why it matters: Those could include organizations across the government and sectors including education, health care, transportation, technology and finance, security experts told Axios.
State of play: As of Wednesday, more than 400 systems had been actively compromised via the SharePoint zero-day vulnerability, according to researchers at Eye Security.
- Several federal government agencies — including at the departments of Energy, Homeland Security, and Health and Human Services — have been hacked, likely by groups linked to the Chinese government.
- Malicious hackers have attempted to break into more than 90 state and local government offices, according to Randy Rose, vice president of security operations and intelligence at the Center for Internet Security, which runs the Multi-State Information Sharing and Analysis Center.
- Last week, researchers warned that the attackers were also stealing machine keys once they broke in — which would allow them to return even after a vulnerable SharePoint server was patched.
Threat level: The new Warlock ransomware gang is actively targeting vulnerable SharePoint servers, Microsoft warned last week.
- Since emerging in June, the Warlock gang has claimed responsibility for attacking 19 victims across the government, finance, manufacturing, technology and consumer goods sectors, according to security firm Halcyon.
- The group is believed to be a descendant of the Black Basta gang, which was known for hacking more than 500 organizations globally, per U.S. authorities.
Zoom out: Ransomware is the most pressing long-tail cyber threat for organizations to be concerned about, Rafe Pilling, director of threat intelligence at Sophos' Counter Threat Unit, told Axios.
- So far, Sophos hasn't seen any active ransomware attacks tied to the SharePoint vulnerability, but Pilling said it's only a matter of time.
- "No doubt, there will be people that don't patch, and we will continue to see this pop up as an entry point down the line," Pilling said.
The big picture: Ransomware gangs routinely adopt newly discovered zero-day vulnerabilities to gain access to corporate networks.
- In 2021, ProxyShell — a trio of critical vulnerabilities in Microsoft Exchange Server — was discovered by security researchers and patched by Microsoft.
- But before many organizations updated their systems, the flaws were exploited first by espionage-focused hackers and then by opportunistic ransomware gangs.
- Within weeks, several groups had used the vulnerabilities to breach at least a thousand organizations. The incident demonstrated how quickly ransomware operators can weaponize publicly disclosed vulnerabilities.
- While the initial wave subsided after widespread patching, there have still been attacks reported years later.
Reality check: Pilling said that the SharePoint attacks will likely be less detrimental than ProxyShell and similar incidents but that companies are still at risk if they haven't patched.
Between the lines: These types of complex, multistage hacks are becoming the norm, Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, told Axios.
- The SharePoint hacks are the result of attackers stringing together two vulnerabilities that, on their own, "weren't that big of a deal," Steinhauer said.
- "Attackers know that they're not as prioritized and that we're all already trying to patch so many vulnerabilities that we have to prioritize," he said. "They're gaming the system."
What to watch: Ransomware gangs are likely to try targeting vulnerable, unpatched SharePoint servers for months to come.
- "It's really going to take a village on this one to help each other figure out what needs to be done and that they applied the updates correctly," Steinhauer said.
