Microsoft Reports Ransomware Used in SharePoint Hackers' Attack

Wednesday, Jul 23, 2025 11:31 pm ET

Microsoft has reported that some hackers involved in a cyberespionage campaign against its SharePoint servers have now started using ransomware. This marks a potential escalation in the campaign, which has been targeting US tech companies. The hackers initially used the SolarWinds Orion platform to access SharePoint servers. Microsoft has taken steps to mitigate the issue and has provided guidance to users on how to protect their systems.

The hackers are exploiting a critical zero-day vulnerability, CVE-2025-53770, in Microsoft SharePoint. This flaw allows attackers to execute remote code without authentication, potentially leading to data exfiltration and malware deployment. Microsoft has released patches for the vulnerabilities, but many organizations remain vulnerable due to delayed patching or incomplete mitigation [1].

The vulnerability has been actively exploited in a global cyber espionage campaign, impacting over 100 organizations. Upon successful exploitation, attackers can steal cryptographic keys, gain persistent access, and bypass traditional security controls. The National Nuclear Security Administration, the US nuclear weapons agency, was among the organizations breached in the hack of Microsoft SharePoint document management software [3].

Microsoft has warned that even organizations that don't use SharePoint directly are at risk, as compromised SharePoint servers can act as launchpads for supply chain attacks. The company has recommended applying emergency updates for SharePoint, rotating machine keys, and monitoring server activity for unusual behavior [1].

The use of ransomware in this campaign indicates a shift in tactics by the hackers. Ransomware can encrypt critical business data and demand payment for its release, potentially causing significant financial and operational disruption. This escalation underscores the need for organizations to prioritize cybersecurity and follow best practices for patch management and secure configurations.

References
[1] https://es.blog.barracuda.com/2025/07/22/cybersecurity-threat-advisory-microsoft-sharepoin-zero-day-vulnerability
[2] https://www.benzinga.com/markets/tech/25/07/46512850/microsoft-sounds-alarm-on-active-cyberattacks-targeting-sharepoint-thousands-of-us-government-servers-may-be-at-risk
[3] https://www.bloomberg.com/news/articles/2025-07-23/us-nuclear-weapons-agency-breached-in-microsoft-sharepoint-hack
