Storm-1175: Zero-Day Exploits Fuel Medusa Ransomware Surge

April 7, 2026 Faeem BLOGS 0

Microsoft Threat Intelligence has linked China-based threat actor Storm-1175 to a wave of high-velocity ransomware attacks that weaponize both zero-day and N-day vulnerabilities. The group is known for deploying Medusa ransomware and has rapidly compromised internet-facing systems across healthcare, education, finance, and professional services in the U.S., U.K., and Australia.

Attack Characteristics

  • Zero-day exploitation: Leveraged vulnerabilities before public disclosure.
  • Exploit chaining: Combined flaws (e.g., OWASSRF) for deeper compromise.
  • Speed: Data exfiltration and ransomware deployment within 24–72 hours of initial access.
  • Persistence tactics:
    • Creating new user accounts.
    • Deploying web shells and legitimate RMM tools (AnyDesk, Atera, MeshAgent, ConnectWise ScreenConnect, SimpleHelp).
    • Credential theft and disabling security solutions.

Vulnerabilities Exploited (2023–2026)

Storm-1175 has been linked to 16+ CVEs, including:

  • Microsoft Exchange Server (CVE-2023-21529)
  • Papercut (CVE-2023-27350/27351)
  • Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887)
  • ConnectWise ScreenConnect (CVE-2024-1708/1709)
  • JetBrains TeamCity (CVE-2024-27198/27199)
  • SimpleHelp (CVE-2024-57726/57727/57728)
  • CrushFTP (CVE-2025-31161)
  • GoAnywhere MFT (CVE-2025-10035, exploited as a zero-day)
  • SmarterMail (CVE-2025-52691, CVE-2026-23760, exploited as a zero-day)
  • BeyondTrust (CVE-2026-1731)

Tactics & Tools

  • LOLBins: PowerShell, PsExec.
  • Impacket & Mimikatz: Credential dumping and lateral movement.
  • PDQ Deployer: Payload delivery across networks.
  • Firewall manipulation: Enabling RDP for remote access.
  • Data exfiltration: Bandizip for collection, Rclone for transfer.
  • Defender evasion: Configuring exclusions to bypass detection.

Implications

Storm-1175 exemplifies the dual-use risk of RMM tools, blending malicious traffic into trusted encrypted channels. Their ability to rotate exploits quickly between disclosure and patch adoption leaves organizations exposed during the critical window before updates are applied.

Final Thought

Storm-1175’s operations highlight the evolving sophistication of ransomware crews: chaining exploits, abusing legitimate tools, and striking with speed. For defenders, the lesson is clear — patch velocity, exploit monitoring, and RMM visibility are now frontline priorities in mitigating ransomware risk.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.