
Storm-2603 Exploits SharePoint Flaws Using Custom AK47 C2 Framework in Ransomware Attacks
The cybercriminal group Storm-2603 has been exploiting recently discovered vulnerabilities in Microsoft SharePoint Server using a custom command and control (C2) framework called AK47 C2. This framework includes two types of clients: AK47HTTP, which operates over HTTP, and AK47DNS, which leverages the Domain Name System (DNS) for communication. These tools are being deployed in ransomware attacks involving Warlock and LockBit, highlighting the group's sophisticated approach to maintaining control over compromised systems.
Technical Context and Implications: Microsoft SharePoint Server is a widely used collaboration platform, and vulnerabilities in it can provide attackers with access to sensitive data and internal networks. The AK47 C2 framework's dual communication channels—HTTP and DNS—allow attackers to maintain persistence and evade detection. HTTP-based C2 is common, but DNS-based C2 is less common and can be more stealthy, as DNS traffic is often allowed through firewalls without scrutiny.
Impact on Cybersecurity Landscape: The exploitation of SharePoint vulnerabilities by Storm-2603 underscores the importance of patching and securing collaboration platforms. The use of a custom C2 framework with multiple communication channels highlights the need for organizations to monitor network traffic, including DNS queries, for signs of malicious activity. The involvement of ransomware families like Warlock and LockBit indicates that these attacks can lead to significant data loss, financial damage, and reputational harm.
Expert Insights: The use of custom C2 frameworks is a trend among advanced threat actors. It allows them to evade detection and maintain persistence in compromised networks. The combination of HTTP and DNS-based C2 channels makes it harder for defenders to detect and block malicious communications. Organizations should be aware of these tactics and implement robust detection and response mechanisms.
Actionable Intelligence:
- Patch SharePoint servers to address known vulnerabilities.
- Monitor network traffic, including DNS queries, for signs of malicious activity.
- Implement robust endpoint detection and response (EDR) solutions to detect and respond to ransomware attacks.
- Regularly back up critical data and test restoration procedures to mitigate the impact of ransomware attacks.
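As an added example (not code from the original report or from any vendor tooling), the following Python heuristic illustrates the DNS-query monitoring recommended above: it runs over constructed resolver log lines and flags registered domains that receive many distinct, high-entropy subdomain queries, the traffic shape that DNS-based C2 tends to produce. The log format, the placeholder domain and the thresholds are assumptions; nothing here encodes how AK47DNS specifically operates.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real traffic): "<epoch> <client> <qname>".
# The ".test" domain is a placeholder, not an indicator from the report.
SAMPLE_LOG = """\
1722000001 10.0.0.5 www.example.com
1722000002 10.0.0.5 mail.example.com
1722000003 10.0.0.7 4b2f9e1c7a3d.t1.c2-placeholder.test
1722000004 10.0.0.7 9a7d3e0f5c1b.t1.c2-placeholder.test
1722000005 10.0.0.7 e1c8b4a6f2d0.t1.c2-placeholder.test
1722000006 10.0.0.7 7f3a9c2e5b1d.t1.c2-placeholder.test
1722000007 10.0.0.7 c4d1e8f09a2b.t1.c2-placeholder.test
1722000008 10.0.0.5 cdn.example.com
"""

def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; encoded data scores high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Crude 'last two labels' approximation; a public-suffix list is better."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname

def score_domains(log_text: str, min_unique: int = 4, min_entropy: float = 3.0):
    """Per registered domain: distinct qnames seen and mean leftmost-label entropy."""
    stats = defaultdict(lambda: {"qnames": set(), "entropies": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        qname = line.split()[2].rstrip(".").lower()
        base = registered_domain(qname)
        stats[base]["qnames"].add(qname)
        stats[base]["entropies"].append(shannon_entropy(qname.split(".")[0]))
    findings = {}
    for base, s in stats.items():
        mean_ent = sum(s["entropies"]) / len(s["entropies"])
        unique = len(s["qnames"])
        findings[base] = {"unique_subdomains": unique,
                          "mean_leftmost_entropy": round(mean_ent, 3),
                          "suspicious": unique >= min_unique and mean_ent >= min_entropy}
    return findings

def suspicious_domains(log_text: str, **thresholds):
    """Sorted list of registered domains exceeding both thresholds."""
    return sorted(b for b, f in score_domains(log_text, **thresholds).items() if f["suspicious"])

if __name__ == "__main__":
    print(suspicious_domains(SAMPLE_LOG))  # prints ['c2-placeholder.test']
```

Tune the thresholds against a baseline of your own resolver logs, since CDNs and some telemetry services legitimately produce many distinct subdomains.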