
Storm-2603 Deploys DNS-Controlled Backdoor in Warlock and LockBit Ransomware Attacks

Severity: High
Published: Fri Aug 01 2025 (08/01/2025, 13:56:49 UTC)
Source: Reddit InfoSec News

Description

Storm-2603 Deploys DNS-Controlled Backdoor in Warlock and LockBit Ransomware Attacks Source: https://thehackernews.com/2025/08/storm-2603-exploits-sharepoint-flaws-to.html

AI-Powered Analysis

Last updated: 08/01/2025, 14:02:58 UTC

Technical Analysis

The threat actor group Storm-2603 has been observed deploying a DNS-controlled backdoor as part of their attack campaigns involving Warlock and LockBit ransomware families. This technique leverages DNS queries as a command and control (C2) channel, allowing the malware to receive instructions and exfiltrate data covertly, bypassing traditional network monitoring tools. The backdoor's DNS control mechanism makes detection and disruption more challenging, as DNS traffic is typically allowed and less scrutinized in enterprise environments. Storm-2603 reportedly exploits vulnerabilities in Microsoft SharePoint to gain initial access, although specific CVEs or affected versions are not detailed in the provided information. Once inside the network, the attackers deploy the DNS-controlled backdoor to maintain persistence and facilitate the deployment of ransomware payloads such as Warlock and LockBit. These ransomware variants are known for encrypting critical data and demanding ransom payments, often accompanied by data exfiltration and leak threats. The use of DNS for C2 communication indicates a sophisticated approach aimed at evading detection and maintaining stealth within targeted networks. Although no known exploits in the wild have been confirmed at this time, the high severity rating and involvement of prominent ransomware strains suggest a significant risk to organizations if exploited successfully.

Potential Impact

For European organizations, this threat poses a substantial risk to confidentiality, integrity, and availability of critical systems and data. The exploitation of SharePoint, a widely used collaboration platform in Europe, could lead to unauthorized access to sensitive corporate information and intellectual property. The DNS-controlled backdoor facilitates stealthy communication with attackers, increasing the likelihood of prolonged undetected presence within networks. This can result in extensive data exfiltration and the deployment of ransomware, causing operational disruption, financial losses, reputational damage, and potential regulatory penalties under GDPR for data breaches. The involvement of LockBit ransomware, which has a history of targeting European entities, heightens the threat level. Additionally, the use of DNS for C2 complicates detection efforts, potentially allowing attackers to bypass conventional security controls and persist longer within victim environments. The threat is particularly concerning for sectors heavily reliant on SharePoint and those with critical infrastructure or sensitive data, such as finance, healthcare, manufacturing, and government agencies across Europe.

Mitigation Recommendations

European organizations should implement targeted defenses to mitigate this threat beyond generic advice. First, conduct thorough vulnerability assessments and patch management focused on Microsoft SharePoint environments, prioritizing any known or emerging vulnerabilities even if specific CVEs are not yet public. Deploy advanced DNS monitoring and anomaly detection solutions capable of identifying unusual DNS query patterns indicative of C2 activity, such as high volumes of TXT record requests or queries to suspicious domains. Implement network segmentation to isolate critical assets and limit lateral movement opportunities for attackers. Employ endpoint detection and response (EDR) tools with behavioral analytics to detect backdoor activities and ransomware behaviors early. Enforce strict access controls and multi-factor authentication (MFA) for SharePoint and related services to reduce the risk of initial compromise. Regularly back up critical data with offline or immutable storage to enable recovery in case of ransomware encryption. Finally, conduct targeted threat hunting exercises focusing on DNS traffic and SharePoint logs to identify potential indicators of compromise proactively.
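The DNS anomaly detection called for above (unusual query patterns such as high volumes of TXT record requests toward one domain) can be prototyped directly against resolver logs. The following is an added example written for this page, not code from the report or from the linked article, and it assumes a simple "<epoch> <client_ip> <qname> <qtype>" log format; the log lines are constructed sample data, and the apex-domain logic is a naive last-two-labels approximation.

```python
import re
from collections import defaultdict, deque

# Constructed resolver log in an assumed "<epoch> <client> <qname> <qtype>" format.
# These lines are sample data made up for this example, not from the report.
# 10.0.0.5 is ordinary traffic, 10.0.0.7 shows many distinct encoded-looking TXT
# lookups under one apex, and 10.0.0.9 repeats a legitimate TXT lookup (_dmarc).
SAMPLE_LOG = """\
1722520000 10.0.0.5 www.example.com A
1722520001 10.0.0.5 example.com TXT
1722520002 10.0.0.7 3f9a1c2e7b5d4a8c9e0f.cmd.example-c2.test TXT
1722520003 10.0.0.7 8c1d2e3f4a5b6c7d8e9f.cmd.example-c2.test TXT
1722520004 10.0.0.7 a0b1c2d3e4f5a6b7c8d9.cmd.example-c2.test TXT
1722520005 10.0.0.7 d4e5f6a7b8c9d0e1f2a3.cmd.example-c2.test TXT
1722520006 10.0.0.7 b7c8d9e0f1a2b3c4d5e6.cmd.example-c2.test TXT
1722520007 10.0.0.7 e1f2a3b4c5d6e7f8a9b0.cmd.example-c2.test TXT
1722520010 10.0.0.9 _dmarc.example.com TXT
1722520011 10.0.0.9 _dmarc.example.com TXT
1722520012 10.0.0.9 _dmarc.example.com TXT
1722520013 10.0.0.9 _dmarc.example.com TXT
1722520014 10.0.0.9 _dmarc.example.com TXT
1722520015 10.0.0.9 _dmarc.example.com TXT
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+([A-Z]+)$")


def parse_line(line):
    """Parse one assumed-format log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return int(ts), client, qname.lower().rstrip("."), qtype


def base_domain(qname):
    """Naive apex: the last two labels. A real deployment should consult the
    Public Suffix List so that names like example.co.uk are grouped correctly."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def detect_txt_bursts(log_text, threshold=5, window=60, min_unique_ratio=0.8):
    """Flag (client, apex) pairs that issue at least `threshold` TXT queries within
    `window` seconds where most query names are distinct. Repeated lookups of the
    same name (SPF/DMARC checks by a mail server) keep a low unique ratio and are
    not flagged; many unique, high-entropy subdomains are the pattern to review."""
    recent = defaultdict(deque)  # (client, apex) -> deque of (ts, qname) in window
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != "TXT":
            continue
        ts, client, qname, _ = rec
        key = (client, base_domain(qname))
        q = recent[key]
        q.append((ts, qname))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            names = [n for _, n in q]
            ratio = len(set(names)) / len(names)
            if ratio >= min_unique_ratio:
                alerts[key] = {
                    "client": client,
                    "apex": key[1],
                    "count": len(q),
                    "unique_ratio": round(ratio, 2),
                }
    return sorted(alerts.values(), key=lambda a: a["client"])


if __name__ == "__main__":
    for alert in detect_txt_bursts(SAMPLE_LOG):
        print(f"review: {alert['client']} -> {alert['apex']} "
              f"({alert['count']} TXT queries, unique ratio {alert['unique_ratio']})")
```

The unique-name ratio is the part that keeps the rule from paging on every mail server that re-resolves the same DMARC or SPF record; thresholds and the window should be tuned against a baseline of the organisation's own resolver logs before the rule is used for alerting.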


Technical Details

Source Type: reddit
Subreddit: InfoSecNews
Reddit Score: 1
Discussion Level: minimal
Content Source: reddit_link_post
Domain: thehackernews.com
Newsworthiness Assessment: {"score":58.1,"reasons":["external_link","trusted_domain","newsworthy_keywords:ransomware,backdoor","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["ransomware","backdoor"],"foundNonNewsworthy":[]}
Has External Source: true
Trusted Domain: true

Threat ID: 688cc903ad5a09ad00c95b88

Added to database: 8/1/2025, 2:02:43 PM

Last enriched: 8/1/2025, 2:02:58 PM

Last updated: 8/1/2025, 7:03:44 PM

Views: 5
