<p><b>Storm-2603 exploits SharePoint vulnerabilities, distributing Warlock malware at scale</b></p>
<p>Published 2025-07-25 (updated 2026-02-05). Original post: <a href="https://infosec.new88088.net/2025/07/25/storm-2603-khai-thac-lo-hong-sharepoint-phat-tan-ma-doc-warlock-quy-mo-lon/" target="_blank" rel="noopener">https://infosec.new88088.net/2025/07/25/storm-2603-khai-thac-lo-hong-sharepoint-phat-tan-ma-doc-warlock-quy-mo-lon/</a></p>
<p><b>Microsoft has just issued an urgent warning: a hacker group believed to be linked to China is exploiting unpatched vulnerabilities in SharePoint Server software to install Warlock ransomware, a form of extortion malware capable of encrypting an entire system.</b></p>
<div style="text-align: center"><img src="https://whitehat.vn/data/attachments/17/17702-95148e6ae10ec3caf6e347404d51a541.jpg" alt="1753426375187.png" width="711" height="400" /></div>
<p>According to data from Microsoft's security research team, this attack is part of a campaign by the Storm-2603 group, a financially motivated threat actor previously observed distributing both Warlock and LockBit ransomware.</p>
<p>This campaign begins with the exploitation of two dangerous vulnerabilities in SharePoint Server:</p>
<ul>
<li>CVE-2025-49706: a spoofing vulnerability</li>
<li>CVE-2025-49704: a remote code execution (RCE) vulnerability</li>
</ul>
<p>Once exploitation succeeds, the attackers:</p>
<ol>
<li>Install a malicious web shell (spinstall0.aspx) on the server.</li>
<li>Run commands through the w3wp.exe process (characteristic of SharePoint) to check their access level (whoami) and widen the intrusion.</li>
<li>Disable Microsoft Defender by modifying the Registry via "services.exe".</li>
<li>Create a Scheduled Task and modify IIS components to implant malicious .NET code, maintaining long-term access.</li>
<li>Use Mimikatz to steal credentials from system memory (LSASS).</li>
<li>Move to other machines on the network (lateral movement) via PsExec and the Impacket toolkit.</li>
<li>Finally, modify Group Policy to deploy Warlock ransomware across the entire environment.</li>
</ol>
<p>All organizations running Microsoft SharePoint Server on-premises (servers installed locally, not the cloud edition) are at high risk. The compromise can spread across the enterprise's entire internal network if the attackers gain access to the main system.</p>
<p>As long as a SharePoint system remains unpatched, attackers can take full control of it and encrypt its data. At least 400 victims have been confirmed, including government agencies and businesses. Beyond Storm-2603, other Chinese hacker groups such as Linen Typhoon (APT27) and Violet Typhoon (APT31) are also suspected of carrying out similar attacks.</p>
<p>Microsoft strongly recommends that users:</p>
<ul>
<li>Update SharePoint Server immediately to the latest patched version.</li>
<li>Enable the Antimalware Scan Interface (AMSI) and verify that it is configured correctly.</li>
<li>Deploy endpoint protection such as Microsoft Defender for Endpoint or equivalent software.</li>
<li>Rotate the ASP.NET machine keys on SharePoint servers.</li>
<li>Restart the IIS service with the "iisreset.exe" command after patching.</li>
<li>Activate the organization's security incident response (IR) plan.</li>
</ul>
<p>SharePoint security vulnerabilities are no longer a theoretical problem. With more than 400 victims and an increasingly sophisticated attack chain, organizations, especially medium and large enterprises, need to act immediately to prevent extortion and data leakage.</p>
<div style="text-align: right"><b><i>Source: The Hacker News</i></b></div>
<div style="text-align: right;margin-top: 16px"><i>Source: <a href="https://whitehat.vn/threads/storm-2603-khai-thac-lo-hong-sharepoint-phat-tan-ma-doc-warlock-quy-mo-lon.18601/" target="_blank" rel="noopener noreferrer">https://whitehat.vn/threads/storm-2603-khai-thac-lo-hong-sharepoint-phat-tan-ma-doc-warlock-quy-mo-lon.18601/</a></i></div>