Storm-1175 Exploits Flaws in High-Velocity Medusa Attacks

High severity - significant development or major threat actor activity
In short: a financially motivated cybercrime group is exploiting software vulnerabilities to launch fast-moving ransomware attacks.
Storm-1175 is exploiting vulnerabilities in Medusa ransomware attacks, targeting healthcare and other sectors. Organizations need to enhance their defenses to combat this threat.
What Happened
Microsoft has reported that the cybercrime group Storm-1175 has been actively exploiting both n-day and zero-day vulnerabilities in high-velocity Medusa ransomware attacks for the past three years. This group is financially motivated and adept at taking advantage of the time gap between when vulnerabilities are disclosed and when patches are applied.
Who's Behind It
Storm-1175 has demonstrated a high operational tempo, successfully targeting various sectors, particularly healthcare, education, professional services, and finance in regions including Australia, the UK, and the US. The group has exploited at least 16 vulnerabilities since 2023, including three zero-day flaws like CVE-2025-10035, which was targeted just one week before its public disclosure.
Tactics & Techniques
The group employs a variety of tactics to infiltrate systems and deploy ransomware:
- They often create a web shell or drop a remote access payload to establish an initial foothold, moving quickly from access to ransomware deployment within one to six days.
- Persistence is achieved by creating new user accounts and adding them to the administrator group.
- For reconnaissance and lateral movement, they use living-off-the-land binaries (LOLBins) such as PowerShell and PsExec, often routing Remote Desktop Protocol (RDP) traffic through Cloudflare tunnels.
- During post-compromise activities, they leverage various remote monitoring and management (RMM) tools, including PDQ Deployer for silent application installations.
- They may also modify Microsoft Defender Antivirus settings to prevent detection of ransomware payloads.
Defensive Measures
To mitigate the risks posed by Storm-1175, organizations should take proactive steps:
- Conduct perimeter scanning to identify exposed assets.
- Isolate web-facing systems from the public internet, using a VPN for access.
- Implement a web application firewall (WAF) or a perimeter network (DMZ) for additional security.
- Follow Microsoft's guidance on credential hygiene and limit lateral movement.
- Activate Credential Guard to protect stored credentials and enable tamper protection to safeguard security services.
- Remove unapproved RMM installations and enforce multi-factor authentication (MFA) on approved ones.
- Configure XDR tools to counter common ransomware attack techniques.
By taking these measures, organizations can better defend against the evolving tactics of Storm-1175 and similar cyber threats.
How to Check If You're Affected
1. Use perimeter scanning tools to identify exposed vulnerabilities.
2. Check for unauthorized user accounts created in your systems.
3. Review logs for suspicious activities related to RDP access.
4. Ensure all systems have the latest security patches applied.
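As an added illustration of checks 2 and 3 above, and of the account-persistence and Defender-tampering behaviour listed under Tactics & Techniques, the following PowerShell triage script (written for this page, not taken from the Microsoft report) queries the Security log for account creation, admin-group additions and RDP logons, and reads the Defender protection state. It assumes the host audits account management and logon events; the lookback window is a placeholder to adjust.

```powershell
# Added triage example: run elevated on a Windows host. Not from the Microsoft report.
# Assumption: Security log auditing for account management and logon events is enabled.
$LookbackDays = 7   # placeholder window; widen to cover the suspected intrusion period
$Since = (Get-Date).AddDays(-$LookbackDays)

# 1. New accounts (event 4720) and additions to security-enabled local groups (4732),
#    which is how the report says the actor gains persistence (new admin accounts).
$acctEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720,4732; StartTime=$Since} -ErrorAction SilentlyContinue
foreach ($e in $acctEvents) {
    if ($e.Id -eq 4720) {
        # 4720: Properties[0] = new account name, Properties[4] = creating subject
        "{0} ACCOUNT CREATED: {1} by {2}" -f $e.TimeCreated, $e.Properties[0].Value, $e.Properties[4].Value
    } else {
        # 4732: Properties[0] = member added, Properties[2] = target group (e.g. Administrators)
        "{0} GROUP ADD: {1} -> {2}" -f $e.TimeCreated, $e.Properties[0].Value, $e.Properties[2].Value
    }
}

# 2. Current local Administrators membership, to diff against your known baseline.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource, ObjectClass

# 3. RDP logons (event 4624, LogonType 10) with source address; sessions from
#    unexpected or tunnel-like sources are the pattern to investigate.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$Since} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    ForEach-Object {
        # 4624: Properties[5] = account name, Properties[18] = source IP address
        "{0} RDP LOGON: {1} from {2}" -f $_.TimeCreated, $_.Properties[5].Value, $_.Properties[18].Value
    }

# 4. Defender state: tamper protection off, real-time monitoring disabled, or
#    unexpected exclusions match the settings changes described above.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
[pscustomobject]@{
    TamperProtected         = $status.IsTamperProtected
    RealTimeProtection      = $status.RealTimeProtectionEnabled
    RealTimeMonitorDisabled = $pref.DisableRealtimeMonitoring
    ExclusionPaths          = ($pref.ExclusionPath -join '; ')
    ExclusionProcesses      = ($pref.ExclusionProcess -join '; ')
}
```

Any account creation or Administrators addition you cannot tie to a change ticket, and any TamperProtected or RealTimeProtection value of False, should be escalated for incident response rather than silently corrected.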
MITRE ATT&CK Techniques
Pro insight: Storm-1175's rapid exploitation of vulnerabilities highlights the urgent need for organizations to adopt proactive patch management strategies.