
2026-07-04 - Dual-Occupancy Breaches: Microsoft Uncovers Simultaneous Ransomware Clusters in Joint Enterprise Network


Executive Summary

A routine ransomware investigation recently uncovered an unusual and complex situation that this brief calls a dual-occupancy breach. Microsoft's Threat Intelligence team reported that two independent, unrelated cybercriminal clusters had infiltrated the same corporate network and were operating in it at the same time.

The first group, tracked as Storm-2603, is a known ransomware operator that deployed Warlock ransomware after exploiting a local file inclusion (LFI) vulnerability in the Gladinet Triofox file-sharing platform. Simultaneously, a second, separate group was found exploiting unpatched on-premises Microsoft SharePoint servers in the same environment. The case illustrates a growing problem: multiple independent threat actors can colonize a single victim network, which complicates scoping, attribution and response.

Deep-Dive Technical Analysis

Incident responders have often worked from the assumption that a network intrusion is the work of a single operator, and have scoped, attributed and remediated accordingly. Simultaneous, parallel activity from unrelated clusters in one network breaks that assumption: evidence has to be partitioned by actor before it can be acted on.

The two intrusions followed distinct pathways and used distinct techniques:

* Initial Access and LFI Probing (Storm-2603): Storm-2603 probed the network perimeter for Local File Inclusion (LFI) vulnerabilities, sending crafted HTTP requests that attempted to read files such as win.ini and web.config. A successful read of win.ini proves arbitrary file disclosure on a Windows host; a successful read of web.config can additionally expose application secrets such as connection strings.

* Exploiting Gladinet Triofox (CVE-2025-11371): Evidence suggests that Storm-2603 used CVE-2025-11371 (CVSS 9.1), a file inclusion vulnerability in the Gladinet Triofox file-sharing platform, as its initial access vector. After gaining a foothold, the group established persistent access and staged the Warlock ransomware payload.

* Simultaneous SharePoint Exploitation: While Storm-2603 was active, a second, unrelated actor was operating in the same network. It bypassed other perimeter controls and targeted on-premises Microsoft SharePoint servers, exploiting vulnerabilities (including insecure deserialization bugs) to execute arbitrary commands, read sensitive data from local process memory, and move laterally.

* Complicating Incident Response: The two groups used different obfuscation and persistence techniques, which severely complicated forensic work. Activity from one group was readily misattributed to the other, adding diagnostic noise and delaying containment of both.
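
To make the log-level evidence of such probing, and of a second and separate source, concrete, the following is an added Python example; it is not code from the Microsoft report or from this brief. The log format, hostnames, IP addresses, paths and user agents are constructed sample data, and the SharePoint heuristic (a scripted POST to a _layouts page) is an assumption of the example, not a signature for any particular vulnerability. The script flags LFI probes by fully decoding each request (so double-encoded traversal is caught) and checking for traversal sequences or the sensitive file names named above, then groups suspicious requests by source IP and target host so that overlap, or its absence, between the two activity sets is visible.

```python
"""LFI-probe detection and per-source clustering over web access logs.

Added example, not from the report. The log format is a simplified,
constructed one: timestamp host client_ip method uri_stem uri_query
status user_agent. All hostnames, IPs, paths and agents are sample data.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Files an LFI probe typically requests to prove read access. The report
# names win.ini and web.config; the other two are common additions.
SENSITIVE_FILES = ("win.ini", "web.config", "boot.ini", "machine.config")

LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3}) (?P<ua>.*)$"
)

# Constructed sample: two unrelated sources hitting two different
# applications, plus one benign user. Not real traffic.
SAMPLE_LOG = """\
2026-06-30 08:12:01 files.corp.example 203.0.113.10 GET /portal/download ?path=..%2F..%2F..%2Fwindows%2Fwin.ini 200 Mozilla/5.0
2026-06-30 08:12:03 files.corp.example 203.0.113.10 GET /portal/download ?path=..%252F..%252Fweb.config 200 Mozilla/5.0
2026-06-30 08:15:44 files.corp.example 198.51.100.7 GET /portal/download ?path=reports%2Fq2.pdf 200 Mozilla/5.0
2026-06-30 09:02:10 sharepoint.corp.example 192.0.2.55 POST /_layouts/15/somepage.aspx - 200 python-requests/2.31
2026-06-30 09:02:11 sharepoint.corp.example 192.0.2.55 POST /_layouts/15/somepage.aspx - 200 python-requests/2.31
2026-06-30 09:30:00 sharepoint.corp.example 198.51.100.7 GET /sites/hr/default.aspx - 200 Mozilla/5.0
"""


def fully_decode(s, max_rounds=3):
    """URL-decode repeatedly so double-encoded traversal (%252F) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_lfi_probe(stem, query):
    """True if the decoded request contains path traversal or asks for a
    file that LFI probes use to prove read access."""
    target = fully_decode(f"{stem}?{query}").lower()
    traversal = "../" in target or "..\\" in target
    sensitive = any(name in target for name in SENSITIVE_FILES)
    return traversal or sensitive


def is_scripted_sharepoint_post(rec):
    """Heuristic assumed by this example (not a signature for any CVE):
    a POST to a SharePoint _layouts page from a non-browser user agent."""
    return (rec["method"] == "POST"
            and rec["stem"].lower().startswith("/_layouts/")
            and not rec["ua"].startswith("Mozilla/"))


def parse_log(text):
    """Parse the simplified log format into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["query"] = "" if rec["query"] == "-" else rec["query"].lstrip("?")
            records.append(rec)
    return records


def cluster_suspicious(text):
    """Return {(client_ip, host): [reason, ...]} for every suspicious request,
    so that sources and targets can be compared for overlap."""
    clusters = defaultdict(list)
    for rec in parse_log(text):
        if is_lfi_probe(rec["stem"], rec["query"]):
            clusters[(rec["ip"], rec["host"])].append("lfi-probe")
        elif is_scripted_sharepoint_post(rec):
            clusters[(rec["ip"], rec["host"])].append("scripted-sharepoint-post")
    return dict(clusters)


def independent_sources(clusters):
    """True when no source IP appears against more than one target host:
    the minimal evidence that the two activity sets may be independent."""
    hosts_by_ip = defaultdict(set)
    for ip, host in clusters:
        hosts_by_ip[ip].add(host)
    return all(len(hosts) == 1 for hosts in hosts_by_ip.values())


if __name__ == "__main__":
    found = cluster_suspicious(SAMPLE_LOG)
    for (ip, host), reasons in sorted(found.items()):
        print(f"{ip} -> {host}: {len(reasons)} hits ({', '.join(sorted(set(reasons)))})")
    print("sources independent:", independent_sources(found))
```

Running the block prints one line per (source, target) cluster and whether any source touched more than one target. In the sample the two sources never overlap, which is the minimum you would want to see before treating them as separate actors; in a real investigation compare tooling, timing and infrastructure as well before concluding independence, since a single actor can also use several source addresses.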

Industry Impact and Recommendations

Dual-occupancy breaches represent a major operational risk. If an enterprise network is inadequately secured or contains unpatched perimeter vulnerabilities, it is highly likely that multiple, independent threat actors will discover and exploit these gaps simultaneously. CISOs can no longer assume that resolving a single intrusion vector means the entire network has been secured.

We recommend that all enterprise IT administrators and security teams implement the following defensive measures:

1. Conduct Complete, Multi-Vector Audits: During incident response, never assume a breach is a single-operator event. Scope the whole network, and partition the evidence by source, tooling and TTPs so that one actor's activity is not written off as the other's. Identify and terminate every parallel persistence mechanism, active session and anomalous account rather than stopping at the first actor's footprint.

2. Patch Perimeter File-Sharing Software: Immediately apply vendor security updates to internet-facing file-sharing and integration portals, in this case the Gladinet fix for CVE-2025-11371 in Triofox. Until the patch is applied, review web server logs for requests that combine path traversal with file names such as win.ini or web.config, which indicate that the flaw has been probed.

3. Isolate and Harden Collaborative Portals: Keep on-premises Microsoft SharePoint and other collaboration portals off the public internet, behind a gateway that enforces multi-factor authentication (MFA) and strict IP allowlisting. This reduces exposure but does not replace patching: an actor already inside the network can still reach the servers.

4. Deploy Advanced Network Behavioral Analysis: Use network detection and response (NDR) tooling to continuously monitor internal traffic for anomalous lateral movement and exfiltration. Two distinct sets of tooling, staging paths or command-and-control infrastructure appearing in the same window is itself a signal that more than one actor is present.

