
"The threat actor's use of the security utility was documented by Sophos last month. It's assessed that the attackers weaponized the on-premises SharePoint vulnerabilities known as ToolShell to obtain initial access and deliver an outdated version of Velociraptor (version 0.73.4.0) that's susceptible to a privilege escalation vulnerability (CVE-2025-6264) to enable arbitrary command execution and endpoint takeover, per Cisco Talos."
"In the attack in mid-August 2025, the threat actors are said to have made attempts to escalate privileges by creating domain admin accounts and moving laterally within the compromised environment, as well as leveraging the access to run tools like Smbexec to remotely launch programs using the SMB protocol. Prior to data exfiltration and dropping Warlock, LockBit, and Babuk, the adversary has been found to modify Active Directory (AD) Group Policy Objects (GPOs), turn off real-time protection to tamper with system defenses, and evade detection."
Storm-2603-linked threat actors abused Velociraptor to support ransomware operations deploying Warlock, LockBit, and Babuk. Attackers exploited on-premises SharePoint ToolShell vulnerabilities for initial access and installed an outdated Velociraptor v0.73.4.0 vulnerable to privilege escalation (CVE-2025-6264), enabling arbitrary command execution and endpoint takeover. In mid-August 2025, operators attempted privilege escalation by creating domain admin accounts, conducting lateral movement, and using Smbexec to run programs via SMB. Prior to data theft and ransomware deployment, adversaries modified AD GPOs, disabled real-time protection, and implemented detection-evasion measures. Rapid7 acknowledged tool misuse, and analysts link Storm-2603 to Chinese state-associated actors.
Read at The Hacker News