Unpatched SharePoint servers opened the door to multiple attackers, Microsoft finds

Microsoft discovered that two unrelated attackers were operating inside the same victim network simultaneously, each hiding the other's presence and making it harder to understand the full scope of the attack. The initial intrusion exploited vulnerabilities in on-premises SharePoint servers (software used by organizations to manage documents and content), with one attacker (Storm-2603) deploying ransomware (malicious software that locks up files and demands payment) while a second attacker used different tools and methods for data theft. Microsoft's investigation team separated the two attack chains by correlating (comparing) data from multiple sources, then identified a second organization that had also been compromised by the same attackers.