Storm-1175 Exploits Zero-Days to Deploy Medusa Ransomware
Significant risk β action recommended within 24-48 hours
Basically, a hacking group is using hidden weaknesses in software to quickly spread ransomware.
Storm-1175, a China-linked group, is exploiting zero-day vulnerabilities to deploy Medusa ransomware rapidly. Targeting critical sectors, their tactics pose severe security risks. Organizations must enhance defenses to mitigate these threats.
What Happened
A China-based threat actor known as Storm-1175 has been linked to a series of high-velocity attacks utilizing both zero-day and N-day vulnerabilities. This group has gained notoriety for deploying Medusa ransomware and has successfully infiltrated various sectors, particularly healthcare, education, professional services, and finance in countries like Australia, the UK, and the US.
Who's Being Targeted
The attacks primarily focus on organizations with exposed internet-facing systems. Storm-1175 has demonstrated a keen ability to identify vulnerable perimeter assets, leading to successful breaches. Their operational tempo is notably high, often executing attacks within 24 hours of gaining initial access.
How It Works
Storm-1175 exploits a range of vulnerabilities, including:
- CVE-2023-21529 (Microsoft Exchange Server)
- CVE-2023-27351 and CVE-2023-27350 (Papercut)
- CVE-2024-21887 (Ivanti Connect Secure)
- CVE-2025-10035 (Fortra GoAnywhere MFT)
In some cases, they have exploited vulnerabilities before they were publicly disclosed. The group often chains multiple exploits together, such as OWASSRF, to enhance their post-compromise activities.
Signs of Infection
Indicators that organizations may be compromised include:
- Unusual user account activity or new accounts created without authorization.
- Modifications to Windows Firewall settings allowing Remote Desktop Protocol (RDP) access.
- Unexpected network traffic involving living-off-the-land binaries (LOLBins) like PowerShell.
How to Protect Yourself
To defend against Storm-1175's tactics, organizations should:
- Regularly patch systems to mitigate known vulnerabilities.
- Monitor network traffic for unusual patterns, especially involving RDP.
- Implement strict access controls and regularly audit user accounts.
- Utilize advanced threat detection tools to identify and block malicious activities.
The Bigger Picture
The implications of Storm-1175's operations are significant. Their use of Remote Monitoring and Management (RMM) tools for malicious purposes blurs the line between legitimate and malicious traffic. This trend highlights the need for organizations to scrutinize their RMM tools and ensure robust security measures are in place to prevent exploitation.
Overall, the rapid deployment of Medusa ransomware by Storm-1175 underscores the evolving threat landscape and the necessity for proactive cybersecurity measures.
π How to Check If You're Affected
- 1.Check for unusual account activity or unauthorized user accounts.
- 2.Monitor firewall logs for unexpected RDP access attempts.
- 3.Review network traffic for signs of LOLBins being used.
πΊοΈ MITRE ATT&CK Techniques
π Pro insight: Storm-1175's rapid exploitation of zero-days underscores the urgency for organizations to adopt a proactive patching strategy and enhance perimeter defenses.