Storm-1175 Exploits Flaws in High-Velocity Medusa Attacks

Published 2026-04-07, https://www.newsbeep.com/ie/386192/

A prolific cybercrime group has been weaponizing n-day and zero-day exploits in high-tempo Medusa ransomware attacks over the past three years, Microsoft has revealed.

Storm-1175 is a financially motivated actor that usually exploits the window between vulnerability disclosure and patch adoption, Microsoft said in a blog post on April 6.

“The threat actor’s high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, the UK and US,” it said.

The group has exploited at least 16 vulnerabilities in this way since 2023, including three zero-day flaws such as CVE-2025-10035. That vulnerability in GoAnywhere Managed File Transfer was exploited one week before public disclosure last year.

Read more on Storm-1175: Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign (https://www.infosecurity-magazine.com/news/microsoft-critical-goanywhere/)

Microsoft pointed to several typical TTPs used by Storm-1175:

- The group creates a web shell or drops a remote access payload to establish an initial foothold, moving from initial access to ransomware deployment in one to six days
- It establishes persistence by creating a new user and adding that user to the local administrators group
- It rotates various tools for reconnaissance and lateral movement, including living-off-the-land binaries (LOLBins) such as PowerShell and PsExec, followed by Cloudflare tunnels to move laterally over Remote Desktop Protocol (RDP) and deliver payloads to new devices
- It uses multiple remote monitoring and management (RMM) tools during post-compromise activity, for example to create new user accounts, enable alternative command-and-control (C2) channels, deliver additional payloads, or provide interactive remote desktop sessions
- The legitimate software deployment tool PDQ Deploy is sometimes used to silently install applications for lateral movement and payload delivery
- The Python-based tool Impacket is sometimes used for lateral movement and credential dumping
- The group occasionally modifies Microsoft Defender Antivirus settings stored in the registry to prevent it from blocking ransomware payloads

How to Tackle Storm-1175

Microsoft said the group has already exploited vulnerabilities in Exchange, PaperCut, Ivanti Connect Secure and Policy Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail and BeyondTrust.

To mitigate the threat of attack, organizations should first use perimeter scanning tools to understand the extent of their attack surface, Microsoft recommended. Web-facing systems should be isolated from the public internet with a secure network boundary and accessed only via a virtual private network (VPN).

If they must be connected, organizations should place these systems behind a web application firewall (WAF), reverse proxy, or perimeter network (also known as a DMZ), the report continued.

Microsoft also recommended (https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/):

- Following its ransomware guidance on credential hygiene and limiting lateral movement (https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/#defending-against-ransomware?ocid=magicti_ta_blog)
- Implementing Credential Guard to protect credentials stored in process memory
- Turning on tamper protection to prevent attackers from stopping security services or adding antivirus exclusions
- Removing unapproved RMM installations and adding multi-factor authentication (MFA) to approved ones
- Configuring XDR tools to block common attack techniques used in ransomware attacks