Unpatched SharePoint servers opened the door to multiple attackers, Microsoft finds
Summary
Microsoft DART discovered two unrelated threat actors operating simultaneously within the same victim network, which complicated incident response. One actor, Storm-2603, exploited unpatched SharePoint servers to deploy ransomware, while a second, unidentified actor used different tools and techniques; the activity of each initially obscured that of the other. Correlating telemetry from multiple sources was crucial to uncovering the full scope of the compromise.
IFF Assessment
The article details a complex attack scenario involving multiple threat actors exploiting unpatched vulnerabilities, which represents a significant challenge and risk for defenders.
Defender Context
This incident highlights the increasing complexity of modern cyberattacks, in which multiple threat actors can operate in the same environment concurrently. Defenders must be prepared for overlapping campaigns and for the possibility that one intrusion masks another, which requires comprehensive telemetry correlation and mature threat hunting capabilities.