Edward Kiledjian's Threat Intel

Project AK47: Uncovering a Link to the SharePoint Vulnerability Attacks unit42.paloaltonetworks.com/ak47-acti…

Unit 42 observed notable overlaps between Microsoft’s reporting on ToolShell activity (an exploit chain targeting SharePoint vulnerabilities) and activity that we have been separately tracking. The activity, which we track as CL-CRI-1040, caught our attention by deploying a tool set that we call Project AK47, which includes a backdoor, ransomware and loaders.

Microsoft’s report named a suspected China-based threat actor, Storm-2603. Based on our analysis of host- and network-based artifacts, we assess with high confidence that Storm-2603 is related to the activity cluster that we track as CL-CRI-1040. We initially noted this in our threat brief covering exploitation of recent SharePoint vulnerabilities, and here further expand on our observations. (See Table 1 in the body of this article for clarification of the connection.)